SLIDE 1
Homework 1 – due Friday Lab1 – due next Wednesday Section
- will talk about gdb, etc.
Approaches to Fin inding Security Bugs
2
Assignments Homework 1 due Friday Lab1 due next Wednesday - - PowerPoint PPT Presentation
Assignments Homework 1 due Friday Lab1 due next Wednesday - - PowerPoint PPT Presentation
Assignments Homework 1 due Friday Lab1 due next Wednesday Section - will talk about gdb, etc. Approaches to Fin inding Security Bugs 2 Runtime Monitoring Black-box Testing Static Analysis From Coverity 3
SLIDE 2
SLIDE 3
From Coverity
3
SLIDE 4
Architecture of an Analysis Platform
SLIDE 5
Bugs Detected by Coverity
- Crash
ash Causing using Defects ects
- Null
l pointer nter der eref efere erence nce
- Use
e after er free ee
- Double
uble free ee
- Array
ray index dexing ing error rors
- Mismatc
smatched ed arr rray ay new/ w/delete delete
- Po
Potent ential ial stack ack over errun un
- Potent
ential ial heap ap ove verrun run
- Return
urn point inters ers to lo loca cal var ariables iables
- Logically
gically inconsistent consistent code de
- Uninit
nitial ialized ized var ariables iables
- Inva
valid id use e of negat gative ive values lues
- Pa
Pass ssing ing large ge param rameters eters by value lue
- Under
der-all allocat
- cation
ions s of dynam namic ic data
- Memo
mory ry leaks aks
- File hand
ndle e leaks ks
- Netwo
work k res esourc
- urce
e leak aks
- Unused
used values lues
- Unhand
handled led retur urn codes des
- Use
e of inva valid id itera rators
- rs
5
SLIDE 6
Coverity Checkers
Some coding patterns and
some vulnerabilities are specific to the code base
Issues that apply to the Linux
kernel are unlikely to apply in application software
6
SLIDE 7
Example Checker: Mis issin ing Optio ional Arguments
7 Prototype for open() syscall: Typical mistake: Force setting explicit file perm
rmissions!
Check: Look for oflags == O_CREAT without mode
argument
int open(const char *path, int oflag, /* mode_t mode */...);
fd = open(“file”, O_CREAT);
SLIDE 8
Example: chroot Protocol Checker
Goal: confine process to a “jail” on the filesystem
chroot() changes filesystem root for a process
Problem
chroot() itself does not change current working
directory
chroot() chdir(“/”)
- pen(“../file”,…)
Error if open before chdir
SLIDE 9
Tainting Checkers
9
SLIDE 10
Sanitize In Integers Before Use
Linux: 125 errors, 24 false; BSD: 12 errors, 4 false
array[v] while(i < v) … v.clean
Use(v)
v.tainted Syscall param Network packet copyin(&v, p, len) memcpy(p, q, v) copyin(p,q,v) copyout(p,q,v)
ERROR
Warn when unchecked integers from untrusted sources reach trusting sinks
SLIDE 11
Looking for Blocking Function Calls
11 11
SLIDE 12
Missed Lower-bound Check
12 12
d is read from the user Signed integer d.idx is upper-bound checked but not lower-bound checked d.used is unchecked, allowing 2GB of user data to be copied into the kernel
/* 2.4.5/drivers/char/drm/i810_dma.c */ if(copy_from_user(&d, arg, sizeof(arg))) return –EFAULT; if(d.idx > dma->buf_count) return –EINVAL; buf = dma->buflist[d.idx]; Copy_from_user(buf_priv->virtual, d.address, d.used);
SLIDE 13
Remote Exploit
13 13
msg points to arbitrary network data This can be used to overflow cmd and write data
- nto the stack
/* 2.4.9/drivers/isdn/act2000/capi.c:actcapi_dispatch */ isdn_ctrl cmd; ... while ((skb = skb_dequeue(&card->rcvq))) { msg = skb->data; ... memcpy(cmd.parm.setup.phone, msg->msg.connect_ind.addr.num, msg->msg.connect_ind.addr.len - 1);
SLIDE 14
Example Code with Functions and Calls
We would want to
reason about the flow of the input (si size) and name provided by the user
15 15
SLIDE 15
atoi main exit free malloc printf fgets say_hello
Call Graph for the Program
16 16
SLIDE 16
char * buf[8]; if (a) b = new char [5]; if (a && b) buf[8] = a; delete [] b; *b = ‘x’; END *a = *b; a !a a && b !(a && b)
Control Flow Graph
17 17
Represent logical structure of code in graph form
SLIDE 17
char * buf[8]; if (a) b = new char [5]; if (a && b) buf[8] = a; delete [] b; *b = ‘x’; END *a = *b; a !a a && b !(a && b)
Path Traversal
18 18
Conceptually: Analyze each path through control graph separately Actually Perform some checking computation once per node; combine paths at merge nodes Conceptually Actually
SLIDE 18
char * buf[8]; if (a) if (a && b) delete [] b; *b = ‘x’; END *a = *b; !a !(a && b)
Apply Checking
19 19
Null ll po poin inters Use Use aft fter fr free Arr Array over errun
See how three checkers are run for this path
- Defined by a state diagram, with state
transitions and error states Checker
- Assign initial state to each program var
- State at program point depends on state at
previous point, program actions
- Emit error if error state reached
Run Checker
SLIDE 19
char * buf[8]; if (a) if (a && b) delete [] b; *b = ‘x’; END *a = *b; !a !(a && b)
Apply Checking
20 20
Null pointers Use after free Array overrun “buf is 8 bytes”
SLIDE 20
char * buf[8]; if (a) if (a && b) delete [] b; *b = ‘x’; END *a = *b; !a !(a && b)
Apply Checking
21 21
Null pointers Use after free Array overrun “buf is 8 bytes” “a is null”
SLIDE 21
char * buf[8]; if (a) if (a && b) delete [] b; *b = ‘x’; END *a = *b; !a !(a && b)
Apply Checking
22 22
Null pointers Use after free Array overrun “buf is 8 bytes” “a is null” Already knew a was null
SLIDE 22
char * buf[8]; if (a) if (a && b) delete [] b; *b = ‘x’; END *a = *b; !a !(a && b)
Apply Checking
23 23
Null pointers Use after freeArray overrun “buf is 8 bytes” “a is null” “b is deleted”
SLIDE 23
char * buf[8]; if (a) if (a && b) delete [] b; *b = ‘x’; END *a = *b; !a !(a && b)
Apply Checking
24 24
Null pointers Use after free Array overrun “buf is 8 bytes” “a is null” “b is deleted” “b dereferenced!”
SLIDE 24
char * buf[8]; if (a) if (a && b) delete [] b; *b = ‘x’; END *a = *b; !a !(a && b)
Apply Checking
25 25
Null pointers Use after free Array overrun “buf is 8 bytes” “a is null” “b is deleted” “b dereferenced!”
No more errors reported for b
SLIDE 25
False Positives
26 26 What is a bug? Something the user will fix. Many sources of false positives
False paths Idioms Execution environment assumptions Killpaths Conditional compilation “third party code” Analysis imprecision …
SLIDE 26
char * buf[8]; if (a) b = new char [5]; if (a && b) buf[8] = a; delete [] b; *b = ‘x’; END *a = *b; a !a a && b !(a && b)
A False Path
27 27
SLIDE 27
char * buf[8]; if (a) if (a && b) buf[8] = a; END !a a && b
False Path Pruning
28 28
Integer Range Disequality Branch
SLIDE 28
char * buf[8]; if (a) if (a && b) buf[8] = a; END !a a && b
False Path Pruning
29 29
“a in [0,0]” “a == 0 is true” Integer Range Disequality Branch
SLIDE 29
char * buf[8]; if (a) if (a && b) buf[8] = a; END !a a && b
False Path Pruning
30 30
“a in [0,0]” “a == 0 is true” “a != 0” Integer Range Disequality Branch
SLIDE 30
char * buf[8]; if (a) if (a && b) buf[8] = a; END !a a && b
False Path Pruning
31 31
“a in [0,0]” “a == 0 is true” “a != 0”
Impossible
Integer Range Disequality Branch
SLIDE 31
Application to Security Bugs
32 32
Stanford research project Ken Ashcraft and Dawson Engler, Using
Programmer-Written Compiler Extensions to Catch Security Holes, IEEE Security and Privacy 2002
Used modified compiler to find over 100 security
holes in Linux and BSD
SLIDE 32
Results for BSD and Linux
33 33
Gain control of system 18 15 3 3 Corrupt memory 43 17 2 2 Read arbitrary memory 19 14 7 7 Denial of service 17 5 0 0 Minor 28 1 0 0 Total 125 52 12 12 Linux BSD Violation Bug Fixed Bug Fixed
SLIDE 33
CSE484/CSE584 THREAT MODELING
- Dr. Benjamin Livshits