cmpsc 497 static analysis
play

CMPSC 497: Static Analysis Trent Jaeger Systems and Internet - PowerPoint PPT Presentation

Dec 27, 2023 •172 likes •580 views

CMPSC 497: Static Analysis Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University Systems and Internet Infrastructure Security Laboratory (SIIS) Page 1

  1. CMPSC 497: � Static Analysis Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University Systems and Internet Infrastructure Security Laboratory (SIIS) Page 1

  2. Our Goal • In this course, we want to develop techniques to detect vulnerabilities before they are exploited automatically ‣ What ’ s a vulnerability? ‣ How to find them? Systems and Internet Infrastructure Security Laboratory (SIIS) Page 2

  3. Static Analysis • Provides an approximation of behavior • “ Run in the aggregate ” ‣ Rather than executing on ordinary states ‣ Finite-sized descriptors representing a collection of states • “ Run in non-standard way ” ‣ Run in fragments ‣ Stitch them together to cover all paths • Runtime testing is inherently incomplete, but static analysis can cover all paths Systems and Internet Infrastructure Security Laboratory (SIIS) Page 3

  4. Static Analysis • A challenge is that static analysis is a bit of an art form ‣ Which analysis technique do you use to answer which question? ‣ That is not so easy Systems and Internet Infrastructure Security Laboratory (SIIS) Page 4

  5. Static Analysis • A challenge is that static analysis is a bit of an art form ‣ Why is it hard? ‣ Rice’s Theorem states that all non-trivial questions about the semantic properties of programs from a universal program language are undecidable. (1953) • Syntatic properties (e.g., does program have an if-then-else) are possible to answer • But, the sort of questions we want to answer are often about semantic properties ‣ Thus, static analysis uses approximate program models Systems and Internet Infrastructure Security Laboratory (SIIS) Page 5

  6. Correctness • How does this impact proving a program is correct? Systems and Internet Infrastructure Security Laboratory (SIIS) Page 6

  7. Correctness • Soundness : ‣ Predicted results must apply to every system execution • Overapproximate the effect of every program statement ‣ Absolutely mandatory for trustworthiness of analysis results! • Completeness : ‣ Behavior of every system execution caught by analysis ‣ Prove any true statement in program is really true • Usually not guaranteed due to approximation ‣ Degree of completeness determines quality of analysis • Correctness : Soundness ^ Completeness (rare) Systems and Internet Infrastructure Security Laboratory (SIIS) Page 7

  8. Soundness • Soundness : ‣ All executions are represented ‣ Implication 1: no false negatives, as static analysis model represents all executions possible • However, unlikely that model is a correct representation of the program semantics ‣ Implication 2: Sound model is not complete ‣ Implication 3: A sound static analysis will produce some false positives ‣ The number of false positives determines the quality of the analysis Systems and Internet Infrastructure Security Laboratory (SIIS) Page 8

  9. Static Analysis Approaches • A challenge is that static analysis is a bit of an art form ‣ Which analysis technique do you use to answer which question? • How about for control flows, type-based analysis, and taint analysis? Systems and Internet Infrastructure Security Laboratory (SIIS) Page 9

  10. Static Analysis Approaches • Control flow ‣ Does a program execute one statement (e.g., security check) before another statement (e.g., security-sensitive operation)? Ordering of statements • Type-based analysis ‣ Does a program use data lacking properties (e.g., security check) in a statement (e.g., security-sensitive operation)? Label data using types • Taint analysis ‣ Does a program statement use a tainted value, and what is the impact of executing the statement on its variables? Systems and Internet Infrastructure Security Laboratory (SIIS) Page 10

  11. CFG Analysis • Does your program have a double free? • Can control flow analysis detect this? foo(int x, char **y) // need not be “main” { … buf1R1 = (char *) malloc(BUFSIZE2); buf2R1 = (char *) malloc(BUFSIZE2); free(buf1R1); free(buf2R1); buf1R2 = (char *) malloc(BUFSIZE1); strncpy(buf1R2, argv[1], BUFSIZE1-1); free(buf2R1); free(buf1R2); } Systems and Internet Infrastructure Security Laboratory (SIIS) Page 11

  12. CFG Analysis • Does your program have a double free? • What does the CFG look like? foo(int x, char **y) // need not be “main” { … buf1R1 = (char *) malloc(BUFSIZE2); buf2R1 = (char *) malloc(BUFSIZE2); free(buf1R1); free(buf2R1); buf1R2 = (char *) malloc(BUFSIZE1); strncpy(buf1R2, argv[1], BUFSIZE1-1); free(buf2R1); free(buf1R2); } Systems and Internet Infrastructure Security Laboratory (SIIS) Page 12

  13. CFG Analysis • Does your program have a double free? • What is the property of the CFG that indicates violation? foo(int x, char **y) // need not be “main” { … buf1R1 = (char *) malloc(BUFSIZE2); buf2R1 = (char *) malloc(BUFSIZE2); free(buf1R1); free(buf2R1); buf1R2 = (char *) malloc(BUFSIZE1); strncpy(buf1R2, argv[1], BUFSIZE1-1); free(buf2R1); free(buf1R2); } Systems and Internet Infrastructure Security Laboratory (SIIS) Page 13

  14. CFG Analysis • Does your program have a double free? • Can we identify the exploitation in this analysis? foo(int x, char **y) // need not be “main” { … buf1R1 = (char *) malloc(BUFSIZE2); buf2R1 = (char *) malloc(BUFSIZE2); free(buf1R1); free(buf2R1); buf1R2 = (char *) malloc(BUFSIZE1); strncpy(buf1R2, argv[1], BUFSIZE1-1); free(buf2R1); free(buf1R2); } Systems and Internet Infrastructure Security Laboratory (SIIS) Page 14

  15. CFG Analysis • Does your program have a double free? • What about this code? foo(int x, char **y) // need not be “main” { … buf1R1 = (char *) malloc(BUFSIZE2); buf2R1 = (char *) malloc(BUFSIZE2); free(buf1R1); free(buf2R1); buf2R1 = (char *) malloc(BUFSIZE2); buf1R2 = (char *) malloc(BUFSIZE1); strncpy(buf1R2, argv[1], BUFSIZE1-1); free(buf2R1); free(buf1R2); } Systems and Internet Infrastructure Security Laboratory (SIIS) Page 15

  16. CFG Analysis • Does your program have a double free? • What about this code? False positive? foo(int x, char **y) // need not be “main” { … buf1R1 = (char *) malloc(BUFSIZE2); buf2R1 = (char *) malloc(BUFSIZE2); free(buf1R1); free(buf2R1); buf2R1 = (char *) malloc(BUFSIZE2); buf1R2 = (char *) malloc(BUFSIZE1); strncpy(buf1R2, argv[1], BUFSIZE1-1); free(buf2R1); free(buf1R2); } Systems and Internet Infrastructure Security Laboratory (SIIS) Page 16

  17. CFG Analysis • Does your program have a double free? • How do we change the property to detect more accurately (with fewer false positives)? foo(int x, char **y) // need not be “main” { … buf1R1 = (char *) malloc(BUFSIZE2); buf2R1 = (char *) malloc(BUFSIZE2); free(buf1R1); free(buf2R1); buf2R1 = (char *) malloc(BUFSIZE2); buf1R2 = (char *) malloc(BUFSIZE1); strncpy(buf1R2, argv[1], BUFSIZE1-1); free(buf2R1); free(buf1R2); } Systems and Internet Infrastructure Security Laboratory (SIIS) Page 17

  18. CFG Analysis • Does your program have a double free? • Does our new rule work for the following? foo(int x, char **y) // need not be “main” { … buf1R1 = (char *) malloc(BUFSIZE2); buf2R1 = (char *) malloc(BUFSIZE2); free(buf1R1); free(buf2R1); bar(&buf2R1); buf1R2 = (char *) malloc(BUFSIZE1); strncpy(buf1R2, argv[1], BUFSIZE1-1); free(buf2R1); free(buf1R2); } Systems and Internet Infrastructure Security Laboratory (SIIS) Page 18

  19. CFG Analysis • Does your program have a double free? • What would need to be done to check? foo(int x, char **y) // need not be “main” { … buf1R1 = (char *) malloc(BUFSIZE2); buf2R1 = (char *) malloc(BUFSIZE2); free(buf1R1); free(buf2R1); bar(&buf2R1); buf1R2 = (char *) malloc(BUFSIZE1); strncpy(buf1R2, argv[1], BUFSIZE1-1); free(buf2R1); free(buf1R2); } Systems and Internet Infrastructure Security Laboratory (SIIS) Page 19

  20. CFG Analysis • Does your program have a double free? • What about this one? foo(int x, char **y) // need not be “main” { … buf1R1 = (char *) malloc(BUFSIZE2); buf2R1 = (char *) malloc(BUFSIZE2); free(buf1R1); free(buf2R1); buf3R1 = buf2R1; buf1R2 = (char *) malloc(BUFSIZE1); strncpy(buf1R2, argv[1], BUFSIZE1-1); free(buf3R1); free(buf1R2); } Systems and Internet Infrastructure Security Laboratory (SIIS) Page 21

  21. Type-based Analysis • Does your program have a double free? • Can we express the rule with types (type-based)? foo(int x, char **y) // need not be “main” { … buf1R1 = (char *) malloc(BUFSIZE2); buf2R1 = (char *) malloc(BUFSIZE2); free(buf1R1); free(buf2R1); buf2R1 = (char *) malloc(BUFSIZE2); buf1R2 = (char *) malloc(BUFSIZE1); strncpy(buf1R2, argv[1], BUFSIZE1-1); free(buf2R1); free(buf1R2); } Systems and Internet Infrastructure Security Laboratory (SIIS) Page 22

  22. Type-based Analysis • Does your program have a double free? • Can we express the rule with types (type-based)? foo(int x, char **y) // need not be “main” { … buf1R1 = (char *) malloc(BUFSIZE2); DEF buf2R1 = (char *) malloc(BUFSIZE2); free(buf1R1); free(buf2R1), FREE x1 = buf2R1; DEF y = x1, y = (char *) malloc(BUFSIZE2); buf1R2 = (char *) malloc(BUFSIZE1); strncpy(buf1R2, argv[1], BUFSIZE1-1); free(y), FREE x2 = y; free(buf1R2); } Systems and Internet Infrastructure Security Laboratory (SIIS) Page 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Static Analysis Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security * Some

Static Analysis Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security * Some

Static Analysis Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security * Some slides adapted from those by Trent Jaeger Prevention: Program Analysis Any automated analysis at compile or dynamic time to find potential bugs

798 views • 61 slides
Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting insights at compile time Full branch coverage Terminates Doesnt rely on a test suite Types are static analysis. Lets talk about

784 views • 39 slides
Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ? Basic analysis ! Example : Flow analysis ! Increasing precision ! Context -, flow -, and path sensitivity Scaling it up !

527 views • 27 slides
1 Analysis Information Where Do Facts Hold? How much information depends on the client

1 Analysis Information Where Do Facts Hold? How much information depends on the client

711? CS711 Advanced Programming Languages Topics in Program Analysis Radu Rugina Fall 2005 CS711 Overview 2 Program Analysis Static vs. Dynamic Static analysis: inspect programs at compile-time Static analysis: Work done at

282 views • 4 slides
A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical

A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical

A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical problem and how to ignore it An example static analysis What is static analysis used for? Commercial successes Free static analysis tools you should

488 views • 37 slides
Static Analysis Static Analysis they are read? Will the current value of a variable ever be

Static Analysis Static Analysis they are read? Will the current value of a variable ever be

Interesting Questions Interesting Questions Is every statement reachable? Does every non- void method return a value? Compilation 2007 Compilation 2007 Will local variables definitely be assigned before Static Analysis Static

169 views • 13 slides
Static and dynamic verification Software inspections Concerned with analysis of the static

Static and dynamic verification Software inspections Concerned with analysis of the static

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis Software

430 views • 12 slides
Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

I NTELLI D ROID A Targeted Input Generator for the Dynamic Analysis of Android Malware Michelle Y. Wong and David Lie University of Toronto Department of Electrical and Computer Engineering NDSS Symposium 2016 ! ! ! B ACKGROUND Static vs.

1.02k views • 32 slides
Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that

Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that

Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that Martin Steffen IfI UiO Spring 2014 Plan approx. 15 lectures, details see web-page flexible time-schedule, depending on progress/interest

2.15k views • 194 slides
CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu February 1, 2017 Static Analysis Static Analysis is the process of documenting your observations about what identifying characteristics a

575 views • 8 slides
Static and dynamic verification Software inspections Concerned with analysis of the

Static and dynamic verification Software inspections Concerned with analysis of the

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis

310 views • 12 slides
Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all

Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all

Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Plan approx. 15 lectures, details see web-page flexible time-schedule, depending on

938 views • 69 slides
Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis of Programs with Dynamic Memory Mihaela Sighireanu IRIF, University Paris Diderot & CNRS VTSA 2015 1 / 99 Static Analysis Establish

2.15k views • 186 slides
Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile

Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile

Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile philip@tecnocode.co.uk July 30, 2017 MANCHESTER What is static analysis? Compile-time testing of all possible code paths. Whats Coverity static analysis

236 views • 12 slides
Outline t t Why static analysis? t t What is it? Underlying technology t Some

Outline t t Why static analysis? t t What is it? Underlying technology t Some

2005-05-04 Static Analysis methods and tools An industrial study t Pr Emanuelsson Ericsson AB and LiU Prof Ulf Nilsson LiU t itle Outline t t Why static analysis? t t What is it? Underlying technology t Some tools

438 views • 19 slides
Static execution-time analysis CPU speed model Bounds on Static (Sub)program code exec time

Static execution-time analysis CPU speed model Bounds on Static (Sub)program code exec time

Tid rum Static Execution Time Analysis Niklas Holsti Space Systems Finland Ltd (now) Tidorum Ltd(to be) Overview Area of interest Current state Work in progress What to do next 1 bo Akademi, ES lab, 2003-10-03 Tid rum

466 views • 12 slides
Securing the Supply Chain 1 We need to make Security the Foundation We need to Deliver

Securing the Supply Chain 1 We need to make Security the Foundation We need to Deliver

Securing the Supply Chain 1 We need to make Security the Foundation We need to Deliver Uncompromised Cost, Schedule, Performance ARE ONLY EFFECTIVE IN A SECURE ENVIROMENT 2 Delivered Uncompromised by Mitre 5 Key Structural Challenges 15

227 views • 11 slides
TIRA: Configuring, Executing, and Disseminating Information Retrieval Experiments Tim Gollub

TIRA: Configuring, Executing, and Disseminating Information Retrieval Experiments Tim Gollub

TIRA: Configuring, Executing, and Disseminating Information Retrieval Experiments Tim Gollub Benno Stein Steven Burrows Dennis Hoppe Webis Group www.webis.de Bauhaus-Universitt Weimar TIRA: Configuring, Executing, and Disseminating

363 views • 34 slides
Razzer: Finding Kernel Race Bugs thro ugh Fuzzing Dae R. Jeong Kyungtae Kim Basavesh

Razzer: Finding Kernel Race Bugs thro ugh Fuzzing Dae R. Jeong Kyungtae Kim Basavesh

Razzer: Finding Kernel Race Bugs thro ugh Fuzzing Dae R. Jeong Kyungtae Kim Basavesh Shivakumar Byoungyoung Lee Insik Shin Korea Advanced Institute of Science and Technology Seoul National University Purdue

3.64k views • 23 slides
Protein quantitation I: Overview (Week 6) Proteomic Bioinformatics Quantitation Sample i C ij

Protein quantitation I: Overview (Week 6) Proteomic Bioinformatics Quantitation Sample i C ij

Protein quantitation I: Overview (Week 6) Proteomic Bioinformatics Quantitation Sample i C ij Protein j Lysis p L Peptide k p ij Fractionation Pr p MS ij p ik D Digestion ijk p Pep MS k I ik LC-MS ik p LC ik

937 views • 54 slides
Principles of Program Analysis: Data Flow Analysis Transparencies based on Chapter 2 of the book:

Principles of Program Analysis: Data Flow Analysis Transparencies based on Chapter 2 of the book:

Principles of Program Analysis: Data Flow Analysis Transparencies based on Chapter 2 of the book: Flemming Nielson, Hanne Riis Nielson and Chris Hankin: Principles of Program Analysis. Springer Verlag 2005. c Flemming Nielson & Hanne

546 views • 42 slides
rs s rs rs

rs s rs rs

rs s t r r rst rs s rs rs

415 views • 14 slides
Efficient Scientific Data Management on Supercomputers Suren Byna Staff Scientist Scientific

Efficient Scientific Data Management on Supercomputers Suren Byna Staff Scientist Scientific

Efficient Scientific Data Management on Supercomputers Suren Byna Staff Scientist Scientific Data Management Group Data Science and Technology Department Lawrence Berkeley National Laboratory Scientific Data - Where is it coming from?

838 views • 54 slides
AIRS CO 2 data assimilation with Ensemble Kalman filter: preliminary results Junjie Liu 1 Eugenia

AIRS CO 2 data assimilation with Ensemble Kalman filter: preliminary results Junjie Liu 1 Eugenia

AIRS CO 2 data assimilation with Ensemble Kalman filter: preliminary results Junjie Liu 1 Eugenia Kalnay 2 and Inez Fung 1 1 UC Berkeley; 2 University of Maryland Many thanks to Edward Olsen and Moustafa Chahine for kindly providing us their AIRS

216 views • 19 slides

More recommend