bug hunting with structural code search
play

Bug Hunting with Structural Code Search Rijnard van Tonder @rvtond - PowerPoint PPT Presentation

Dec 03, 2023 •367 likes •1.03k views

Bug Hunting with Structural Code Search Rijnard van Tonder @rvtond grep Regular expression search for plain text Good for bug hunting 2 grep example on libssh2 ALLOC\([^,]*,[^;]*[*][^;]*\); 3 [1]

  1. Bug Hunting with Structural Code Search Rijnard van Tonder @rvtond

  2. grep ‣ Regular expression search for plain text ‣ Good for bug hunting � 2

  3. grep example on libssh2 ALLOC\([^,]*,[^;]*[*][^;]*\); � 3 [1] https://papers.put.as/papers/macosx/2013/SyScan2013_Stefan_Esser_Mountain_Lion_iOS_Vulnerabilities_Garage_Sale.pdf

  4. grep example on libssh2 ALLOC\([^,]*,[^;]*[*][^;]*\); � 4

  5. grep example on libssh2 ALLOC\([^,]*,[^;]*[*][^;]*\); session->userauth_kybd_num_prompts = _libssh2_ntohu32(s); s += 4; if(session->userauth_kybd_num_prompts) { session->userauth_kybd_num_prompts); } session->userauth_kybd_prompts = LIBSSH2_ALLOC(session, LIBSSH2_ALLOC(session, sizeof(LIBSSH2_USERAUTH_KBDINT_PROMPT) * sizeof(LIBSSH2_USERAUTH_KBDINT_PROMPT) * session->userauth_kybd_num_prompts); if (!session->userauth_kybd_prompts) { _libssh2_error(session, LIBSSH2_ERROR_ALLOC, The bug: attacker controlled alloc size => integer overflow � 5

  6. grep example on libssh2 ALLOC\([^,]*,[^;]*[*][^;]*\); session->userauth_kybd_num_prompts = _libssh2_ntohu32(s); s += 4; if(session->userauth_kybd_num_prompts) { session->userauth_kybd_num_prompts); } session->userauth_kybd_prompts = LIBSSH2_ALLOC(session, LIBSSH2_ALLOC(session, sizeof(LIBSSH2_USERAUTH_KBDINT_PROMPT) * sizeof(LIBSSH2_USERAUTH_KBDINT_PROMPT) * session->userauth_kybd_num_prompts); if (!session->userauth_kybd_prompts) { _libssh2_error(session, LIBSSH2_ERROR_ALLOC, � 6

  7. grep example on libssh2 ALLOC\([^,]*,[^;]*[*][^;]*\); session->userauth_kybd_num_prompts = _libssh2_ntohu32(s); s += 4; if(session->userauth_kybd_num_prompts) { session->userauth_kybd_num_prompts); } session->userauth_kybd_prompts = LIBSSH2_ALLOC(session, LIBSSH2_ALLOC(session, sizeof(LIBSSH2_USERAUTH_KBDINT_PROMPT) * sizeof(LIBSSH2_USERAUTH_KBDINT_PROMPT) * session->userauth_kybd_num_prompts); if (!session->userauth_kybd_prompts) { _libssh2_error(session, LIBSSH2_ERROR_ALLOC, � 7

  8. grep example on libssh2 ALLOC\([^,]*,[^;]*[*][^;]*\); METASYNTAX (REPEAT) � 8

  9. grep example on libssh2 ALLOC\([^,]*,[^;]*[*][^;]*\); TEXT (MULTIPLY OP) � 9

  10. grep example on libssh2 ALLOC\([^,]*,[^;]*[*][^;]*\); session->userauth_kybd_num_prompts = _libssh2_ntohu32(s); s += 4; TEXT TEXT if(session->userauth_kybd_num_prompts) { session->userauth_kybd_prompts = (MULTIPLY OP) (MULTIPLY OP) LIBSSH2_ALLOC(session, LIBSSH2_ALLOC(session, sizeof(LIBSSH2_USERAUTH_KBDINT_PROMPT) * sizeof(LIBSSH2_USERAUTH_KBDINT_PROMPT) * session->userauth_kybd_num_prompts); session->userauth_kybd_num_prompts); if (!session->userauth_kybd_prompts) { _libssh2_error(session, LIBSSH2_ERROR_ALLOC, � 10

  11. grep example on libssh2 ALLOC\([^,]*,[^;]*[*][^;]*\); session->userauth_kybd_num_prompts = _libssh2_ntohu32(s); s += 4; if(session->userauth_kybd_num_prompts) { session->userauth_kybd_prompts = LIBSSH2_ALLOC(session, LIBSSH2_ALLOC(session, sizeof(LIBSSH2_USERAUTH_KBDINT_PROMPT) * sizeof(LIBSSH2_USERAUTH_KBDINT_PROMPT) * session->userauth_kybd_num_prompts); session->userauth_kybd_num_prompts); if (!session->userauth_kybd_prompts) { _libssh2_error(session, LIBSSH2_ERROR_ALLOC, � 11

  12. grep example on libssh2 ALLOC\([^,]*,[^;]*[*][^;]*\); ‣ Code structure matters � 12

  13. grep example on libssh2 ALLOC\([^,]*,[^;]*[*][^;]*\); ‣ Code structure matters � 13

  14. grep example on libssh2 ALLOC\([^,]*,[^;]*[*][^;]*\); ‣ Code structure matters ‣ Can we do better? � 14

  15. grep example on libssh2 ALLOC\([^,]*,[^;]*[*][^;]*\); � 15

  16. comby grep example on libssh2 ALLOC\([^,]*,[^;]*[*][^;]*\); � 16

  17. comby grep example on libssh2 ALLOC\([^,]*,[^;]*[*][^;]*\); ALLOC(:[1],:[2]*:[3]); � 17

  18. comby grep example on libssh2 ALLOC\([^,]*,[^;]*[*][^;]*\); ALLOC(:[1],:[2]*:[3]); HOLES BIND IDENTIFIERS TO SYNTAX � 18

  19. comby grep example on libssh2 ALLOC\([^,]*,[^;]*[*][^;]*\); ALLOC(:[1],:[2]*:[3]); CONCRETE SYNTAX � 19

  20. comby grep example on libssh2 ALLOC\([^,]*,[^;]*[*][^;]*\); ALLOC(:[1],:[2]*:[3]); BALANCED DELIMITERS � 20

  21. comby grep example on libssh2 ALLOC\([^,]*,[^;]*[*][^;]*\); ALLOC(:[1],:[2]*:[3]); BALANCED NESTED CODE STRUCTURES. DELIMITERS LANGUAGE-AWARE. � 21

  22. comby supports ~all the languages Assembly, Bash, C/C++, C#, Clojure, CSS, Dart, Elm, Elixir, Erlang, Fortran, F#, Go, Haskell, HTML/XML, Java, Javascript, JSX, JSON, Julia, LaTeX, Lisp, Nim, OCaml, Pascal, PHP, Python, Reason, Ruby, Rust, Scala, SQL, Swift, Plain Text, TSX, Typescript � 22

  23. comby supports ~all the languages Assembly, Bash, C/C++, C#, Clojure, CSS, Dart, Elm, Elixir, Erlang, Fortran, F#, Go, Haskell, HTML/XML, Java, Javascript, JSX, JSON, Julia, LaTeX, Lisp, Nim, OCaml, Pascal, PHP, Python, Reason, Ruby, Rust, Scala, SQL, Swift, Plain Text, TSX, Typescript � 23

  24. comby on the command line Find video file at the link https://drive.google.com/open?id=1Ba-sOhmhRKCrUbdJVvh7mCyoj1aHMMZz � 24

  25. comby on the Linux Kernel � 25 [1] https://en.wikipedia.org/wiki/Tux_(mascot)#/media/File:Tux.png

  26. comby on the Linux Kernel � 26 [1] https://en.wikipedia.org/wiki/Tux_(mascot)#/media/File:Tux.png [2] https://securitylab.github.com/disclosures

  27. comby on the Linux Kernel � 27 [1] https://en.wikipedia.org/wiki/Tux_(mascot)#/media/File:Tux.png [2] https://securitylab.github.com/disclosures [3] https://lkml.org/lkml/2019/9/9/487

  28. comby on the Linux Kernel _ alloc workqueue is not getting checked � 28 [1] https://en.wikipedia.org/wiki/Tux_(mascot)#/media/File:Tux.png [2] https://securitylab.github.com/disclosures [3] https://lkml.org/lkml/2019/9/9/487

  29. comby on the Linux Kernel alloc_workqueue(:[args]); _ alloc workqueue is not getting checked � 29 [1] https://en.wikipedia.org/wiki/Tux_(mascot)#/media/File:Tux.png [2] https://securitylab.github.com/disclosures [3] https://lkml.org/lkml/2019/9/9/487

  30. comby on the Linux Kernel alloc_workqueue(:[args]); WON’T MATCH COMMENTS � 30

  31. comby on the Linux Kernel alloc_workqueue(:[args]); 274 CALLS � 31

  32. comby on the Linux Kernel alloc_workqueue(:[args]); ppd->hfi1_wq = alloc_workqueue( "hfi%d_%d", WQ_SYSFS | WQ_HIGHPRI | WQ_CPU_INTENSIVE | WQ_MEM_RECLAIM, HFI1_MAX_ACTIVE_WORKQUEUE_ENTRIES, dd->unit, pidx); if (!ppd->hfi1_wq) goto wq_error; USUALLY FOLLOWED BY AN ‘IF’ CHECK � 32

  33. comby on the Linux Kernel alloc_workqueue(:[args]); :[[word]] where :[[word]] != “if” RULES PLACE CONSTRAINTS ON MATCHES � 33

  34. comby on the Linux Kernel alloc_workqueue(:[args]); :[[word]] where :[[word]] != “if” cgroup_destroy_wq = alloc_workqueue("cgroup_destroy", 0, 1); BUG_ON(!cgroup_destroy_wq); SOMETIMES A DIFFERENT FLAVOR � 34

  35. comby on the Linux Kernel alloc_workqueue(:[args]); :[[word]] where :[[word]] != “if”, :[[word]] != “BUG_ON” � 35

  36. comby on the Linux Kernel alloc_workqueue(:[args]); :[[word]] where :[[word]] != “if”, :[[word]] != “BUG_ON” ‣ 38 calls left � 36

  37. comby on the Linux Kernel alloc_workqueue(:[args]); :[[word]] where :[[word]] != “if”, :[[word]] != “BUG_ON” ‣ 38 calls left ‣ 1.5 minutes � 37

  38. comby on the Linux Kernel alloc_workqueue(:[args]); :[[word]] where :[[word]] != “if”, :[[word]] != “BUG_ON” ‣ 38 calls left ‣ 1.5 minutes drivers/scsi/lpfc/lpfc_init.c 45 /* The lpfc_wq workqueue for deferred irq use */ 46 phba->wq = alloc_workqueue("lpfc_wq", WQ_MEM_RECLAIM, 0); � 38

  39. comby on the Linux Kernel alloc_workqueue(:[args]); :[[word]] where :[[word]] != “if”, :[[word]] != “BUG_ON” ‣ 38 calls left ‣ 1.5 minutes drivers/staging/rtl8723bs/hal/rtl8723b_hal_init.c 4500 adapter->priv_checkbt_wq = alloc_workqueue("sdio_wq", 0, 0); 4501 INIT_DELAYED_WORK(&adapter->checkbt_work, (void *)check_bt_status_work); � 39

  40. comby on the Linux Kernel logger->log_workqueue = create_singlethread_workqueue("cros_usbpd_log"); + if (!logger->log_workqueue) + return -ENOMEM; � 40 [1] https://lore.kernel.org/lkml/20190911201100.11483-1-navid.emamdoost@gmail.com/

  41. comby on the Linux Kernel alloc_workqueue(:[args]); :[[word]] create_singlethread_workqueue(:[args]); logger->log_workqueue = create_singlethread_workqueue("cros_usbpd_log"); + if (!logger->log_workqueue) + return -ENOMEM; � 41 [1] https://lore.kernel.org/lkml/20190911201100.11483-1-navid.emamdoost@gmail.com/

  42. comby on cpython Modules/_io/winconsoleio.c ... 996 if (!wlen) 997 return PyErr_SetFromWindowsErr(0); 998 999 wbuf = (wchar_t*)PyMem_Malloc(wlen * sizeof(wchar_t)); 1000 1001 Py_BEGIN_ALLOW_THREADS 1002 wlen = MultiByteToWideChar(CP_UTF8, 0, b->buf, len, wbuf, wlen); 1003 if (wlen) { 1004 res = WriteConsoleW(self->handle, wbuf, wlen, &n, NULL); ... � 42 [1] https://commons.wikimedia.org/wiki/File:Python-logo-notext.svg

  43. comby on kubernetes � 43 [1] https://en.wikipedia.org/wiki/Kubernetes#/media/File:Kubernetes_logo_without_workmark.svg

  44. comby on kubernetes � 44

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Hunting Manufactures and distributes products that enable the extraction of oil and gas Hunting

Hunting Manufactures and distributes products that enable the extraction of oil and gas Hunting

Hunting Manufactures and distributes products that enable the extraction of oil and gas Hunting PLC Global Footprint 2 2009 Corporate Highlights Completed three acquisitions 47.3m Sale of Hunting Energy France 11.1m Year end

857 views • 37 slides
Learning objectives Understand rationale for structural testing How structural (code-based

Learning objectives Understand rationale for structural testing How structural (code-based

Learning objectives Understand rationale for structural testing How structural (code-based or glass-box) testing complements functional (black-box) testing Structural Testing Recognize and distinguish basic terms Adequacy, coverage

560 views • 10 slides
Waterfowl Hunting for Beginners by John Martsh R-3 Program Manager Hunting Techniques: Spot and

Waterfowl Hunting for Beginners by John Martsh R-3 Program Manager Hunting Techniques: Spot and

Waterfowl Hunting for Beginners by John Martsh R-3 Program Manager Hunting Techniques: Spot and Stalk Hunting Techniques: Decoying Hunting Techniques: Pass Shooting Gauge Sizes Choke extracted from muzzle Choke lengths and wall diameters

783 views • 29 slides
The market, the consumer and the search Code the search Code www.designsonproperty.co.uk Agenda

The market, the consumer and the search Code the search Code www.designsonproperty.co.uk Agenda

The market, the consumer and the search Code the search Code www.designsonproperty.co.uk Agenda Whats happening in the property market now? Future trends Consumer protection What do people need? What do people need?

396 views • 26 slides
THE LEGALITY OF TIGER FARMING, TROPHY HUNTING AND CANNED HUNTING UNDER INTERNATIONAL LAW Cecil

THE LEGALITY OF TIGER FARMING, TROPHY HUNTING AND CANNED HUNTING UNDER INTERNATIONAL LAW Cecil

THE LEGALITY OF TIGER FARMING, TROPHY HUNTING AND CANNED HUNTING UNDER INTERNATIONAL LAW Cecil the Lion, Hwange National Park, Zimbabwe, 2013 Yann Prisner-Levyne WILD FAUNA= NATURAL RESOURCES UNDER INTERNATIONAL LAW Principle of permanent

400 views • 21 slides
Indigenous Hunting Rights in British Columbia By: Liam Robertson Broken Down Firearm

Indigenous Hunting Rights in British Columbia By: Liam Robertson Broken Down Firearm

Indigenous Hunting Rights in British Columbia By: Liam Robertson Broken Down Firearm Licensing (Briefly) Hunting on Traditional Territory Hunting off Traditional Territory Applying for a FWID and BCEID Metis Hunting in BC

377 views • 13 slides
Active Inductive Logic Programming for Code Search Aishwarya Sivaraman, Tianyi Zhang, Guy Van den

Active Inductive Logic Programming for Code Search Aishwarya Sivaraman, Tianyi Zhang, Guy Van den

Active Inductive Logic Programming for Code Search Aishwarya Sivaraman, Tianyi Zhang, Guy Van den Broeck, Miryung Kim University of California, Los Angeles Tool and dataset: https://github.com/AishwaryaSivaraman/ALICE-ILP-for-Code-Search

618 views • 51 slides
Active Inductive Logic Programming for Code Search Aishwarya Sivaraman, Tianyi Zhang, Guy Van den

Active Inductive Logic Programming for Code Search Aishwarya Sivaraman, Tianyi Zhang, Guy Van den

Active Inductive Logic Programming for Code Search Aishwarya Sivaraman, Tianyi Zhang, Guy Van den Broeck, Miryung Kim University of California, Los Angeles Tool and dataset: https://github.com/AishwaryaSivaraman/ALICE-ILP-for-Code-Search

607 views • 43 slides
Succeeding at Search A Job Search on Indeed Finding a job on Indeed Start your search Type the

Succeeding at Search A Job Search on Indeed Finding a job on Indeed Start your search Type the

Succeeding at Search A Job Search on Indeed Finding a job on Indeed Start your search Type the words that target what youre Place screenshot here looking for. Include job title, skill or company name. Include city, state or zip code.

296 views • 18 slides
Partridge driven hunt El Vedat The hunting territory: It is in the middle of Anoia, in

Partridge driven hunt El Vedat The hunting territory: It is in the middle of Anoia, in

TABAKOV TROPHY HUNTING Partridge driven hunt El Vedat The hunting territory: It is in the middle of Anoia, in Catalonia that the hunting area of El Vedat is situated, only 45mn of Barcelona. The territory extends on more than 3000 ha of

385 views • 10 slides
Recent Advances in Finite Element Methods for Structural Acoustics Dr. Saikat Dey Code 7130,

Recent Advances in Finite Element Methods for Structural Acoustics Dr. Saikat Dey Code 7130,

Recent Advances in Finite Element Methods for Structural Acoustics Dr. Saikat Dey Code 7130, Naval Research Laboratory, Washington D.C. USA (On contract from SFA Inc. Crofton, Maryland, USA) NIST Colloquium: March 28, 2006 Saikat Dey: Code

775 views • 51 slides
Riflescopes for Long-range Hunting March, 2020 LONG-RANGE HUNTING Rapidly gaining in

Riflescopes for Long-range Hunting March, 2020 LONG-RANGE HUNTING Rapidly gaining in

Riflescopes for Long-range Hunting March, 2020 LONG-RANGE HUNTING Rapidly gaining in popularity; Several Youtube channels (THLR.NO, EuLRH) have attracted a considerable number of followers; A riflescope is a must-have ; Often

649 views • 11 slides
Angled Spotting Scopes March, 2020 ANGLED SPOTTING SCOPES FOR HUNTING Appropriate for hunting

Angled Spotting Scopes March, 2020 ANGLED SPOTTING SCOPES FOR HUNTING Appropriate for hunting

Angled Spotting Scopes March, 2020 ANGLED SPOTTING SCOPES FOR HUNTING Appropriate for hunting in the mountains No need to overstretch the neck while using it Can be used without a tripod The user simply puts the scope on the top of

229 views • 9 slides
Satsy Input-Output Code Search Engine Carl Chapman Cole Groff Cody Hoover Trevor Lund Kaitlin

Satsy Input-Output Code Search Engine Carl Chapman Cole Groff Cody Hoover Trevor Lund Kaitlin

Satsy Input-Output Code Search Engine Carl Chapman Cole Groff Cody Hoover Trevor Lund Kaitlin McAbee Problem Statement Lots of open-source code is available for use. Instead of rewriting code that already exists, can we search to

444 views • 23 slides
THANK YOU La Fin @VK_Intel :) Talk Outline Evolution of Hunting for High- 2 1 Criminal

THANK YOU La Fin @VK_Intel :) Talk Outline Evolution of Hunting for High- 2 1 Criminal

THANK YOU La Fin @VK_Intel :) Talk Outline Evolution of Hunting for High- 2 1 Criminal Intent Value Targets APT Approach & 4 Emergence of 3 Ransomware Ransomhacks 5 YARA Hunting for 5 Key Takeaways Crypto Implementations ~whoami

363 views • 32 slides
The state of Search API in Drupal 8 Joris Vercammen | @borisson | @dazzletheweb

The state of Search API in Drupal 8 Joris Vercammen | @borisson | @dazzletheweb

DRUPALCAMP GHENT 2016 GROW SOME IDEAS The state of Search API in Drupal 8 Joris Vercammen | @borisson | @dazzletheweb http://drupalcamp.be/node/86 Search API Search API Solr Facets More addon modules Custom code Search

778 views • 64 slides
OpenPrinting Summit 2009 San Francisco, CA April 8 10, 2009 Glen Petrie Senior Software

OpenPrinting Summit 2009 San Francisco, CA April 8 10, 2009 Glen Petrie Senior Software

OpenPrinting Summit 2009 San Francisco, CA April 8 10, 2009 Glen Petrie Senior Software Architect Epson Imaging Technology Center 2580 Orchard Parkway, Suite 200 San Jose, California 95131 glen.petrie@eitc.epson.com 408.576.4131 OpenPrinting

519 views • 29 slides
Estimation, Probability Bounds, and Complexity of Algorithms Cheryl E Praeger Aachen, July, 2019

Estimation, Probability Bounds, and Complexity of Algorithms Cheryl E Praeger Aachen, July, 2019

Estimation, Probability Bounds, and Complexity of Algorithms Cheryl E Praeger Aachen, July, 2019 Briefly: aim of lecture Link: estimation/randomisation Two simple examples for estimation and algorithms in Permutation groups in

402 views • 28 slides
scintillator CAL for Linear Collider Tohru Takeshita (Shinshu) for CALICE-ASIA scintillator

scintillator CAL for Linear Collider Tohru Takeshita (Shinshu) for CALICE-ASIA scintillator

LC physics requires a fine granular CAL. Scintillator strip detector make it possible with good timing resolution. Shinshu University scintillator CAL for Linear Collider Tohru Takeshita (Shinshu) for CALICE-ASIA scintillator strip for

560 views • 27 slides
MBA/ Executive Module Chris Marsden 1. What do you need to know & understand about Human

MBA/ Executive Module Chris Marsden 1. What do you need to know & understand about Human

Business and Human Rights MBA/ Executive Module Chris Marsden 1. What do you need to know & understand about Human Rights? Awareness of business impact on human rights Why is this part of a company director s responsibility?

380 views • 34 slides
World Bank Group Establishing effective state- business relations and measuring impact on

World Bank Group Establishing effective state- business relations and measuring impact on

World Bank Group Establishing effective state- business relations and measuring impact on governance & competitiveness Title goes here Subtitle goes here UNU WIDER Conference on LC2 Learning to compete: Industrial Development and

359 views • 20 slides
Science and Technology in Disasters Opportunities Revealed by Sandy CCICADA/DIMACS Workshop

Science and Technology in Disasters Opportunities Revealed by Sandy CCICADA/DIMACS Workshop

Department of Homeland Security Science & Technology Science and Technology in Disasters Opportunities Revealed by Sandy CCICADA/DIMACS Workshop on S&T Innovations in Hurricane Sandy Research Dr. Mitchell Erickson Interagency Office

397 views • 21 slides
The Sustainability of State and Local Government Pensions: A Public Finance Approach Jamie

The Sustainability of State and Local Government Pensions: A Public Finance Approach Jamie

The Sustainability of State and Local Government Pensions: A Public Finance Approach Jamie Lenney, Bank of England Byron Lutz, Federal Reserve Board of Governors Louise Sheiner, Brookings Institution September 2019 Disclaimers Federal Reserve

551 views • 29 slides
INFORMATION SHARING IN THE ELECTRICITY SUB-SECTOR SEPTEMBER 20, 2013 SCOTT R. MIX, CISSP CIP

INFORMATION SHARING IN THE ELECTRICITY SUB-SECTOR SEPTEMBER 20, 2013 SCOTT R. MIX, CISSP CIP

ANNUAL INDUSTRY WORKSHOP NOVEMBER 6-7, 2013 INFORMATION SHARING IN THE ELECTRICITY SUB-SECTOR SEPTEMBER 20, 2013 SCOTT R. MIX, CISSP CIP TECHNICAL MANAGER, NERC TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.ORG 1 UNIVERSITY

197 views • 19 slides

More recommend