bridging the semantic gap through static code analysis
play

Bridging the Semantic Gap Through Static Code Analysis Christian - PowerPoint PPT Presentation

Aug 25, 2022 •344 likes •632 views

Motivation Static Code Analysis Implementation Conclusion References Bridging the Semantic Gap Through Static Code Analysis Christian Schneider, Jonas Pfoh, Claudia Eckert { schneidc,pfoh,eckertc } @in.tum.de Chair for IT Security

  1. Motivation Static Code Analysis Implementation Conclusion References Bridging the Semantic Gap Through Static Code Analysis Christian Schneider, Jonas Pfoh, Claudia Eckert { schneidc,pfoh,eckertc } @in.tum.de Chair for IT Security Technische Universit¨ at M¨ unchen Munich, Germany April 10, 2012 C. Schneider, J. Pfoh, C. Eckert Chair for IT Security, TU M¨ unchen April 10, 2012 1 / 28

  2. Motivation Static Code Analysis Implementation Conclusion References Outline Motivation 1 Introducing InSight Why debugging symbols are insufficient Static Code Analysis 2 Step 1: Points-to Analysis Step 2: Establishing Used-as Relations Implementation 3 Conclusion 4 C. Schneider, J. Pfoh, C. Eckert Chair for IT Security, TU M¨ unchen April 10, 2012 2 / 28

  3. Motivation Static Code Analysis Implementation Conclusion References Outline Motivation 1 Introducing InSight Why debugging symbols are insufficient Static Code Analysis 2 Step 1: Points-to Analysis Step 2: Establishing Used-as Relations Implementation 3 Conclusion 4 C. Schneider, J. Pfoh, C. Eckert Chair for IT Security, TU M¨ unchen April 10, 2012 3 / 28

  4. Motivation Static Code Analysis Implementation Conclusion References Virtual Machine Introspection (VMI) [Garfinkel and Rosenblum(2003)] Monitored VM Static Static Library System Libraries & API Static Library Library VMI describes the act of examining, Guest OS monitoring and manipulating a virtual machine from the vantage point of a Virtual Hardware hypervisor. Hypervisor Operating System Hardware C. Schneider, J. Pfoh, C. Eckert Chair for IT Security, TU M¨ unchen April 10, 2012 4 / 28

  5. Motivation Static Code Analysis Implementation Conclusion References Semantic Gap [Chen and Noble(2001)] Struct A Struct B Struct C Struct D Struct E Struct F Struct G C. Schneider, J. Pfoh, C. Eckert Chair for IT Security, TU M¨ unchen April 10, 2012 5 / 28

  6. Motivation Static Code Analysis Implementation Conclusion References Bridging the Gap: Out-of-Band Delivery Common Approach: utilize kernel debugging symbols Use symbols for: Layout and size of kernel data structures Virtual address of global variables and functions Emulate virtual-to-physical address translation in software ⇒ Complex engineering task C. Schneider, J. Pfoh, C. Eckert Chair for IT Security, TU M¨ unchen April 10, 2012 6 / 28

  7. Motivation Static Code Analysis Implementation Conclusion References Introducing InSight [Schneider et al.(2011)]) Features: Stand-alone VMI tool to bridge the semantic gap Uses debugging symbols as foundation Shell-like interface for interactive inspection JavaScript engine for automated analysis Works for x86 32 bit (w/ PAE) and 64 bit Linux guests Supports any hypervisor providing guest memory access C. Schneider, J. Pfoh, C. Eckert Chair for IT Security, TU M¨ unchen April 10, 2012 7 / 28

  8. Motivation Static Code Analysis Implementation Conclusion References Introducing InSight (cont.) [Schneider et al.(2011)]) struct task_struct pid pid_t = 3412 real_parent parent struct timespec children time_t = 1271184192 tv_sec sibling Functionality so far tv_nsec start_time long = 391233 uid_t = 0 uid gid gid_t = 0 Read objects from known struct task_struct struct task_struct locations with known type pid_t = 8244 pid pid real_parent real_parent parent parent Follow typed pointer fields children children sibling sibling to further objects start_time start_time uid_t = 1001 uid uid struct task_struct gid gid gid_t = 100 pid But... real_parent parent children sibling start_time uid gid C. Schneider, J. Pfoh, C. Eckert Chair for IT Security, TU M¨ unchen April 10, 2012 8 / 28

  9. Motivation Static Code Analysis Implementation Conclusion References Why debugging symbols are insufficient struct list_head { 1 struct list_head *next, *prev; 2 }; 3 4 struct module { 5 struct list_head list; 6 char name[60]; 7 /* ... */ 8 }; 9 10 struct list_head modules; 11 12 struct module* find_module(const char *name) 13 { 14 struct module *mod; 15 list_for_each_entry(mod, &modules, list) 16 { 17 if (strcmp(mod->name, name) == 0) 18 return mod; 19 } 20 return NULL; 21 } 22 C. Schneider, J. Pfoh, C. Eckert Chair for IT Security, TU M¨ unchen April 10, 2012 9 / 28

  10. Motivation Static Code Analysis Implementation Conclusion References Why debugging symbols are insufficient (cont.) 1 struct module* find_module(const char * name) 2 { 3 struct module * mod; 4 /* Original code: list_for_each_entry(mod, &modules, list) */ 5 for (mod = ({ 6 const typeof(((typeof(*mod) *) 0)->list) * __mptr = ((&modules)->next); 7 (typeof(*mod) *) ((char *) __mptr - __builtin_offsetof(typeof(*mod), list)); 8 }); 9 __builtin_prefetch(mod->list.next), &mod->list != (&modules); 10 mod = ({ 11 const typeof(((typeof(*mod) *) 0)->list) * __mptr = (mod->list.next); 12 (typeof(*mod) *) ((char *) __mptr - __builtin_offsetof(typeof(*mod), list)); 13 })) 14 { 15 if (strcmp(mod->name, name) == 0) 16 return mod; 17 } 18 return ((void *) 0); 19 } C. Schneider, J. Pfoh, C. Eckert Chair for IT Security, TU M¨ unchen April 10, 2012 10 / 28

  11. Motivation Static Code Analysis Implementation Conclusion References Why debugging symbols are insufficient (cont.) struct module struct module struct module modules: struct list_head struct list_head struct list_head struct list_head next next next next prev prev prev prev name name name C. Schneider, J. Pfoh, C. Eckert Chair for IT Security, TU M¨ unchen April 10, 2012 11 / 28

  12. Motivation Static Code Analysis Implementation Conclusion References Example: lsmod in JavaScript Manually apply expert knowledge function lsmod() 1 { 2 // type of variable "modules" is list_head 3 var head = new Instance("modules"); 4 var m = head.next; 5 m.ChangeType("module"); 6 // offset for address correction 7 var offset = m.MemberOffset("list"); 8 m.AddToAddress(-offset); 9 // correct head as well for loop terminaten 10 head.AddToAddress(-offset); 11 // iterate over all modules 12 do { 13 print(m.name + " " + m.args); 14 m = m.list.next; 15 m.ChangeType("module"); 16 m.AddToAddress(-offset); 17 } while (m && m.Address() != head.Address()); 18 } 19 C. Schneider, J. Pfoh, C. Eckert Chair for IT Security, TU M¨ unchen April 10, 2012 12 / 28

  13. Motivation Static Code Analysis Implementation Conclusion References Summary Problems Runtime pointer and type manipluations are not reflected in the debugging symbols: type casts from void* pointers type casts from integer types pointer arithmetic variable length arrays Possible solution Static analysis of the kernel’s source code to detect such runtime operations and augment the debugging symbols C. Schneider, J. Pfoh, C. Eckert Chair for IT Security, TU M¨ unchen April 10, 2012 13 / 28

  14. Motivation Static Code Analysis Implementation Conclusion References Outline Motivation 1 Introducing InSight Why debugging symbols are insufficient Static Code Analysis 2 Step 1: Points-to Analysis Step 2: Establishing Used-as Relations Implementation 3 Conclusion 4 C. Schneider, J. Pfoh, C. Eckert Chair for IT Security, TU M¨ unchen April 10, 2012 14 / 28

  15. Motivation Static Code Analysis Implementation Conclusion References Static Code Analysis Questions our code analysis can answer: 1 Is a global variable or structure field used as a type that differs from its declaration? 2 How to transform a source value (field/variable) to derive the next object’s address? Our approach: Type centric analysis Captures arbitrary pointer arithmetic Over-approximation of possible pointer types → Increase object coverage at cost of type uncertainty We call this the used-as analysis. C. Schneider, J. Pfoh, C. Eckert Chair for IT Security, TU M¨ unchen April 10, 2012 15 / 28

  16. Motivation Static Code Analysis Implementation Conclusion References Used-As Analysis Prerequisites: Kernel debugging symbols Pre-processed source code Involves two steps: 1 Points-To Analysis Detects memory aliasing between symbols (variables/pointers) Reveals indirect type usages through local (pointer) variables 2 Establishing used-as relations Find type usages contradicting their declaration → type casts Record how value is transformed to target address → pointer arithmetic C. Schneider, J. Pfoh, C. Eckert Chair for IT Security, TU M¨ unchen April 10, 2012 16 / 28

  17. Motivation Static Code Analysis Implementation Conclusion References Step 1: Points-to Analysis Characteristics: structure/union field sensitive intra-procedural control-flow insensitive works on complete C expressions: x = y + 8 * sizeof(int); z = x & ~0xFF; z �→ { ( y + 8 · sizeof( int )) & ˜0xFF } Result: transitive closure of points-to map C. Schneider, J. Pfoh, C. Eckert Chair for IT Security, TU M¨ unchen April 10, 2012 17 / 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Semantic Analysis The role of semantic analysis in a compiler A laundry list of tasks

Semantic Analysis The role of semantic analysis in a compiler A laundry list of tasks

Outline Semantic Analysis The role of semantic analysis in a compiler A laundry list of tasks Scope Static vs. Dynamic scoping Implementation: symbol tables Types Static analyses that detect type errors

134 views • 10 slides
Semantic Analysis Outline The role of semantic analysis in a compiler A laundry list

Semantic Analysis Outline The role of semantic analysis in a compiler A laundry list

Semantic Analysis Outline The role of semantic analysis in a compiler A laundry list of tasks Scope Static vs. Dynamic scoping Implementation: symbol tables Types Static analyses that detect type errors

481 views • 37 slides
Semantic Analysis Chapter 5 Semantic Analysis Determine static properties of programs

Semantic Analysis Chapter 5 Semantic Analysis Determine static properties of programs

Semantic Analysis Chapter 5 Semantic Analysis Determine static properties of programs association between definitions and applied occurrences of variables and other names scope and visibility of names, escaping names types

661 views • 20 slides
Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

I NTELLI D ROID A Targeted Input Generator for the Dynamic Analysis of Android Malware Michelle Y. Wong and David Lie University of Toronto Department of Electrical and Computer Engineering NDSS Symposium 2016 ! ! ! B ACKGROUND Static vs.

1.02k views • 32 slides
Semantic Analysis The role of semantic analysis in a compiler A laundry list of tasks

Semantic Analysis The role of semantic analysis in a compiler A laundry list of tasks

Outline Semantic Analysis The role of semantic analysis in a compiler A laundry list of tasks Scope Static vs. Dynamic scoping Implementation: symbol tables Types Statically vs. Dynamically typed languages

251 views • 9 slides
Static analysis of OpenAFS code base Cheyenne Wills OpenAFS 2019 Workshop Overview What is

Static analysis of OpenAFS code base Cheyenne Wills OpenAFS 2019 Workshop Overview What is

Static analysis of OpenAFS code base Cheyenne Wills OpenAFS 2019 Workshop Overview What is static analysis What are the tools Analysis of the OpenAFS code base What is static analysis Static analysis is performed by analysing

556 views • 20 slides
Static Code Analysis of Complex PHP Application Vulnerabilities Johannes Dahse Static Code

Static Code Analysis of Complex PHP Application Vulnerabilities Johannes Dahse Static Code

Static Code Analysis Automatisierte Sicherheitsanalyse of Complex PHP Application Vulnerabilities von Webapplikationen Static Code Analysis of Complex PHP Application Vulnerabilities Johannes Dahse Static Code Analysis Automatisierte

1.48k views • 89 slides
Semantic Analysis/Checking Symbol tables Semantic analysis: the final part of analysis half of

Semantic Analysis/Checking Symbol tables Semantic analysis: the final part of analysis half of

Semantic Analysis/Checking Symbol tables Semantic analysis: the final part of analysis half of compilation Key data structure during semantic analysis, code generation afterwards comes synthesis half of compilation Stores info about names

215 views • 5 slides
Static and dynamic verification Software inspections Concerned with analysis of the static

Static and dynamic verification Software inspections Concerned with analysis of the static

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis Software

430 views • 12 slides
Static Code Analysis on Networking Code: Identifying the capabilities of finding implementation

Static Code Analysis on Networking Code: Identifying the capabilities of finding implementation

RP1 Presenter: Ivar Slotboom Supervisor: Wouter van Dongen , DongIT UvA/SNE Static Code Analysis on Networking Code: Identifying the capabilities of finding implementation flaws using Abstract Syntax Trees RP1 4th of July, 2019 Presenter:

439 views • 20 slides
Static and dynamic verification Software inspections Concerned with analysis of the

Static and dynamic verification Software inspections Concerned with analysis of the

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis

310 views • 12 slides
Static execution-time analysis CPU speed model Bounds on Static (Sub)program code exec time

Static execution-time analysis CPU speed model Bounds on Static (Sub)program code exec time

Tid rum Static Execution Time Analysis Niklas Holsti Space Systems Finland Ltd (now) Tidorum Ltd(to be) Overview Area of interest Current state Work in progress What to do next 1 bo Akademi, ES lab, 2003-10-03 Tid rum

466 views • 12 slides
Dataflow Analysis Iterative Data-flow Analysis and Static-Single-Assignment cs5363 1

Dataflow Analysis Iterative Data-flow Analysis and Static-Single-Assignment cs5363 1

Dataflow Analysis Iterative Data-flow Analysis and Static-Single-Assignment cs5363 1 Optimization And Analysis Improving efficiency of generated code Correctness: optimized code must preserve meaning of the original program

467 views • 31 slides
Source Code Analysis for Security through LLVM Lu Zhao HP Fortify lu.zhao@hp.com Static Code

Source Code Analysis for Security through LLVM Lu Zhao HP Fortify lu.zhao@hp.com Static Code

Source Code Analysis for Security through LLVM Lu Zhao HP Fortify lu.zhao@hp.com Static Code Analyzer for Security Static Code Analyzer for Security (HP Fortify SCA) C/C++ Java Vulnerabilities LLVM Language independent Services C/C++ Swift

325 views • 31 slides
Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile

Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile

Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile philip@tecnocode.co.uk July 30, 2017 MANCHESTER What is static analysis? Compile-time testing of all possible code paths. Whats Coverity static analysis

236 views • 12 slides
Where We Are Source code Lexical, Syntax, and if (b == 0) a = b; Semantic Analysis IR

Where We Are Source code Lexical, Syntax, and if (b == 0) a = b; Semantic Analysis IR

Where We Are Source code Lexical, Syntax, and if (b == 0) a = b; Semantic Analysis IR Generation Low-level IR code Optimizations Optimized Low-level IR code Assembly code Assembly code generation cmp $0,%rcx cmovz %rax,%rdx 1 Low IR

777 views • 42 slides
Exam Review 1 logistical note post-exam stack smashing assignment due two weeks after spring

Exam Review 1 logistical note post-exam stack smashing assignment due two weeks after spring

Exam Review 1 logistical note post-exam stack smashing assignment due two weeks after spring break (was one on schedule, but) likely harder than tricky will count for more 2 exam format around 20 question parts mostly multiple choice

634 views • 41 slides
FermiCloud K. Chadwick, T. Hesselroth, F . Lowe, S. Timm, D. R. Yocum Grid And Cloud

FermiCloud K. Chadwick, T. Hesselroth, F . Lowe, S. Timm, D. R. Yocum Grid And Cloud

FermiCloud K. Chadwick, T. Hesselroth, F . Lowe, S. Timm, D. R. Yocum Grid And Cloud Computing Department Fermilab ISGC2011 Work supported by the U.S. Department of Energy under contract No. DE-AC02-07CH11359 Cloud

512 views • 26 slides
3D Laser Scanning Applications (Terrestrial LiDAR) Presented By: Jody Lounsbury, PLS What is 3D

3D Laser Scanning Applications (Terrestrial LiDAR) Presented By: Jody Lounsbury, PLS What is 3D

3D Laser Scanning Applications (Terrestrial LiDAR) Presented By: Jody Lounsbury, PLS What is 3D Laser Scanning? LIDAR = Light Detecting and Ranging Real-Time, Ground Based, 360 Degree Collection of Three Dimensional Data Using

572 views • 46 slides
3D Understanding Towards Object Manipulation Some Thoughts and Progress Hao Su 3D in CV/CG

3D Understanding Towards Object Manipulation Some Thoughts and Progress Hao Su 3D in CV/CG

3D Understanding Towards Object Manipulation Some Thoughts and Progress Hao Su 3D in CV/CG before DL Age Recent Hype of 3D DL Acquire Knowledge of 3D World by Learning Core Algorithms Invented Classification Volumetric CNN, OctNet,

1.42k views • 108 slides
Deep Reinforcement Learning for Street Following in Self-Driving Cars Shahd Safarani University

Deep Reinforcement Learning for Street Following in Self-Driving Cars Shahd Safarani University

MIN Faculty Department of Informatics Deep Reinforcement Learning for Street Following in Self-Driving Cars Shahd Safarani University of Hamburg Faculty of Mathematics, Informatics and Natural Sciences Department of Informatics Technical

332 views • 32 slides
Parameter estimation and forecasting Cristiano Porciani AIfA, Uni-Bonn

Parameter estimation and forecasting Cristiano Porciani AIfA, Uni-Bonn

Parameter estimation and forecasting Cristiano Porciani AIfA, Uni-Bonn Questions? C. Porciani Estimation & forecasting 2 Cosmological parameters A branch of modern cosmological research focuses on

1.11k views • 65 slides
Polyhedral Volumes Visual Techniques T. V. Raman & M. S. Krishnamoorthy Polyhedral Volumes

Polyhedral Volumes Visual Techniques T. V. Raman & M. S. Krishnamoorthy Polyhedral Volumes

Polyhedral Volumes Visual Techniques T. V. Raman & M. S. Krishnamoorthy Polyhedral Volumes p.1/43 Outline Identities of the golden ratio. Polyhedral Volumes p.2/43 Outline Identities of the golden ratio. Locating coordinates of

936 views • 60 slides
Bounds for the volume ratio of convex bodies DANIEL GALICER (Joint work with Mariano Merzbacher

Bounds for the volume ratio of convex bodies DANIEL GALICER (Joint work with Mariano Merzbacher

The volume ratio Lower estimates Upper bounds: some particular cases Future/Recent work Bounds for the volume ratio of convex bodies DANIEL GALICER (Joint work with Mariano Merzbacher and Dami an Pinasco) University of Buenos Aires and

1.23k views • 104 slides

More recommend