co444h
play

CO444H Pointer analysis Ben Livshits 1 Approaches to Finding - PowerPoint PPT Presentation

Nov 27, 2022 •95 likes •701 views

Datalog CO444H Pointer analysis Ben Livshits 1 Approaches to Finding Reliability and Security Bugs Static Analysis Tools Black-box Testing/Fuzzing 2 Coverity: a Static Analysis Company 3 Bug Report From Coverity Actual bug Path

  1. Datalog CO444H Pointer analysis Ben Livshits 1

  2. Approaches to Finding Reliability and Security Bugs • Static Analysis Tools • Black-box Testing/Fuzzing 2

  3. Coverity: a Static Analysis Company 3

  4. Bug Report From Coverity Actual bug Path conditions report and context 4

  5. Architecture of an Analysis Platform

  6. 6 Bugs Detected by Coverity • Uninitialized variables • Null pointer dereference • Invalid use of negative • Use after free values • Double free • Passing large parameters by • Array indexing errors value • Mismatched array • Under-allocations of new/delete dynamic data • Potential stack overrun • Memory leaks • Potential heap overrun • File handle leaks • Network resource leaks • Return pointers to local • Unused values variables • Unhandled return codes • Logically inconsistent code • Use of invalid iterators

  7. 7 Coverity Checkers • Some coding patterns and some vulnerabilities are specific to the code base • Issues that apply to the Linux kernel are unlikely to apply in application software

  8. Example Checker: Missing Optional Arguments • Prototype for open() syscall: int open(const char *path, int oflag, /* mode_t mode */...); • Typical mistake: fd = open(“file”, O_CREAT); • Force setting explicit file permissions ! • Check: Look for oflags == O_CREAT without mode argument 8

  9. Example: chroot Protocol Checker • Goal: confine process to a “jail” on the filesystem • chroot() changes filesystem root for a process • Problem • chroot() itself does not change current working directory chroot() chdir(“/”) open(“../file”,…) Error if open before chdir

  10. Taint Checkers 10

  11. Sanitize Integers Before Use Warn when unchecked integers from untrusted sources reach trusting sinks Network copyin(&v, p, len) Syscall packet param v.tainted v.clean Use(v) memcpy(p, q, v) array[v] copyin(p,q,v) while(i < v) copyout(p,q,v) … ERROR Linux: 125 errors, 24 false; BSD: 12 errors, 4 false

  12. Looking for Locking Function Calls 12

  13. Missed Lower-bound Check /* 2.4.5/drivers/char/drm/i810_dma.c */ if(copy_from_user(&d, arg, sizeof(arg))) return – EFAULT; if(d.idx > dma->buf_count) return – EINVAL; buf = dma->buflist[d.idx]; Copy_from_user(buf_priv->virtual, d.address, d.used); • d is read from the user • Signed integer d.idx is upper-bound checked but not lower-bound checked • d.used is unchecked , allowing 2GB of user data to be copied into the kernel 13

  14. Remote Exploit /* 2.4.9/drivers/isdn/act2000/capi.c:actcapi_dispatch */ isdn_ctrl cmd; ... while ((skb = skb_dequeue(&card->rcvq))) { msg = skb->data; ... memcpy(cmd.parm.setup.phone, msg->msg.connect_ind.addr.num, msg->msg.connect_ind.addr.len - 1); • msg points to arbitrary network data • This can be used to overflow cmd and write data onto the stack 14

  15. 15 Example Code with Functions and Calls • We would want to reason about the flow of the input ( size ) and name provided by the user

  16. Call Graph for the Program main atoi exit free malloc say_hello fgets printf 16

  17. Control Flow Graph char * buf[8]; Represent logical structure of code in graph form if (a) a !a b = new char [5]; if (a && b) !(a && b) a && b buf[8] = a; delete [] b; *b = ‘x’; *a = *b; END 17

  18. Path Traversal Conceptually Conceptually: Analyze each path through control graph separately char * buf[8]; Actually Perform some checking Actually computation once per node; combine paths at merge nodes if (a) a !a b = new char [5]; if (a && b) !(a && b) a && b buf[8] = a; delete [] b; *b = ‘x’; *a = *b; END 18

  19. Apply Checking Null ll po poin inters Use Us e aft fter fr free Arr rray over errun char * buf[8]; See how three checkers are run for this path if (a) • Checker !a if (a && b) • Defined by a state diagram, with state !(a && b) transitions and error states delete [] b; *b = ‘x’; • Run Checker • Assign initial state to each program variable *a = *b; • State at program point depends on state at previous point, program actions END • Emit error if error state reached 19

  20. Apply Checking Null pointers Use after free Array overrun char * buf[8]; “ buf is 8 bytes” if (a) !a if (a && b) !(a && b) delete [] b; *b = ‘x’; *a = *b; END 20

  21. Apply Checking Null pointers Use after free Array overrun char * buf[8]; “ buf is 8 bytes” if (a) “a is null” !a if (a && b) !(a && b) delete [] b; *b = ‘x’; *a = *b; END 21

  22. Apply Checking Null pointers Use after free Array overrun char * buf[8]; “buf is 8 bytes” if (a) “a is null” !a if (a && b) Already knew !(a && b) a was null delete [] b; *b = ‘x’; *a = *b; END 22

  23. Apply Checking Null pointers Use after freeArray overrun char * buf[8]; “buf is 8 bytes” if (a) !a “a is null” if (a && b) !(a && b) delete [] b; “b is deleted” *b = ‘x’; *a = *b; END 23

  24. Apply Checking Null pointers Use after free Array overrun char * buf[8]; “buf is 8 bytes” if (a) “a is null” !a if (a && b) !(a && b) delete [] b; “b is deleted” *b = ‘x’; “b dereferenced!” *a = *b; END 24

  25. Apply Checking Null pointers Use after free Array overrun char * buf[8]; “buf is 8 bytes” if (a) “a is null” !a if (a && b) !(a && b) delete [] b; “b is deleted” *b = ‘x’; “b dereferenced !” *a = *b; No more errors reported for b END 25

  26. False Positives • What is a bug? Something the user will fix. • Many sources of false positives • False paths • Idioms • Execution environment assumptions • Conditional compilation • “third party code” • Analysis imprecision • … 26

  27. A False Path char * buf[8]; if (a) a !a b = new char [5]; if (a && b) !(a && b) a && b buf[8] = a; delete [] b; *b = ‘x’; *a = *b; END 27

  28. False Path Pruning Branch Disequality Integer Range char * buf[8]; if (a) !a if (a && b) a && b buf[8] = a; END 28

  29. False Path Pruning Branch Disequality Integer Range char * buf[8]; if (a) “a in [0,0]” “a == 0 is true” !a if (a && b) a && b buf[8] = a; END 29

  30. False Path Pruning Branch Disequality Integer Range char * buf[8]; if (a) “a in [0,0]” “a == 0 is true” !a if (a && b) “a != 0” a && b buf[8] = a; END 30

  31. False Path Pruning Branch Disequality Integer Range char * buf[8]; Impossible if (a) “a in [0,0]” “a == 0 is true” !a if (a && b) “a != 0” a && b buf[8] = a; END 31

  32. Application to Security Bugs • Stanford research project • Ken Ashcraft and Dawson Engler, Using Programmer-Written Compiler Extensions to Catch Security Holes, IEEE Security and Privacy 2002 • Used modified compiler to find over 100 security holes in Linux and BSD 32

  33. Results for BSD and Linux Linux BSD Violation Bug Fixed Bug Fixed Gain control of system 18 15 3 3 Corrupt memory 43 17 2 2 Read arbitrary memory 19 14 7 7 Denial of service 17 5 0 0 Minor 28 1 0 0 Total 125 52 12 12 33

  34. Fuzzing Basics • A form of vulnerability analysis and testing • Many slightly anomalous test cases are input into the target application • Application is monitored for any sign of error 34

  35. Example of Fuzzed Input • Standard HTTP GET request • GET /index.html HTTP/1.1 • Anomalous requests • AAAAAA...AAAA /index.html HTTP/1.1 • GET ///////index.html HTTP/1.1 • GET %n%n%n%n%n%n.html HTTP/1.1 • GET /AAAAAAAAAAAAA.html HTTP/1.1 • GET /index.html HTTTTTTTTTTTTTP/1.1 • GET /index.html HTTP/1.1.1.1.1.1.1.1 • etc... 35

  36. Early Successes (1989 Fuzz Project) 36

  37. 37 IPhone Security Flaw: July 2007 Shortly after the iPhone was released, a group of security researchers at Independent Security Evaluators decided to investigate how hard it would be for a remote adversary to compromise the private information stored on the device

  38. 38 Ultimately, Success • Within two weeks of • Notified Apple of the part time work, we had vulnerability and successfully proposed a patch. • discovered a • Apple subsequently vulnerability resolved the issue. • developed a tool chain • Released an advisory for working with the iPhone's architecture • created a proof-of- concept exploit capable of delivering files from the user's iPhone to a remote attacker

  39. CVE-2007-3944 Issued and Patched 39

  40. iPhone Attack • iPhone Safari downloads malicious web page • Arbitrary code is run with administrative privileges • Can read SMS log, address book, call history, etc. • Can transmit collected data to attacker • Can perform physical actions on the phone • system sound and vibrate the phone for a second • could dial phone numbers, send text messages, or record audio (as a bugging device) 40

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CO444H parallelism Ben Livshits 1 Why Parallelism? One way to speed up a computation is to

CO444H parallelism Ben Livshits 1 Why Parallelism? One way to speed up a computation is to

Loops and CO444H parallelism Ben Livshits 1 Why Parallelism? One way to speed up a computation is to use parallelism. Unfortunately, it is not easy to develop software that can take advantage of parallel machines. Dividing the

659 views • 54 slides
CO444H SSA SSA Construction SSA-based analysis Ben Livshits 1 Refresher: Reaching Definitions

CO444H SSA SSA Construction SSA-based analysis Ben Livshits 1 Refresher: Reaching Definitions

Dataflow Solutions CO444H SSA SSA Construction SSA-based analysis Ben Livshits 1 Refresher: Reaching Definitions Direction D = forward. Domain V = set of all sets of definitions in the flow graph. = union. Functions F =

659 views • 54 slides
CO444H Dataflow Dataflow frameworks Ben Livshits Masters Projects Available 1. Crashes to

CO444H Dataflow Dataflow frameworks Ben Livshits Masters Projects Available 1. Crashes to

Static analysis CO444H Dataflow Dataflow frameworks Ben Livshits Masters Projects Available 1. Crashes to exploits 2. Pointer analysis for JavaScript 3. Private data management languages 4. Programming robots to assemble IKEA furniture

897 views • 57 slides
CO444H Pointer analysis Ben Livshits 1 Call Graphs Class analysis: Given a reference

CO444H Pointer analysis Ben Livshits 1 Call Graphs Class analysis: Given a reference

Datalog CO444H Pointer analysis Ben Livshits 1 Call Graphs Class analysis: Given a reference variable x, what are the classes of the objects that x refers to at runtime? We saw CHA and RTA Deal with polymorphic/virtual calls:

1.01k views • 54 slides
CO444H Administrivia Overview of the Material Ben Livshits Two Primary Goals We Pursue

CO444H Administrivia Overview of the Material Ben Livshits Two Primary Goals We Pursue

Course Staff CO444H Administrivia Overview of the Material Ben Livshits Two Primary Goals We Pursue Optimisations Reliability Make programs run faster Find bugs before they make it into production We will see some traditional

772 views • 37 slides
CO444H Ben Livshits 1 Basic Instrumentation Insert additional code into the program This

CO444H Ben Livshits 1 Basic Instrumentation Insert additional code into the program This

Runtime monitoring CO444H Ben Livshits 1 Basic Instrumentation Insert additional code into the program This code is designed to record important events as they occur at runtime Some examples A particular function is being hit or

688 views • 29 slides
Topic 19 (define x (cons 'a 'b)) Mutable Data Objects x --&gt; (a . b) Primitive mutators for

Topic 19 (define x (cons 'a 'b)) Mutable Data Objects x --&gt; (a . b) Primitive mutators for

Mutable data Basic operations like cons, car, cdr can construct list structure and select its parts, but cannot modify. Topic 19 (define x (cons 'a 'b)) Mutable Data Objects x --&gt; (a . b) Primitive mutators for pairs: set-car! And

460 views • 8 slides
Software Security: Defenses &amp; Principles CS 161: Computer Security Prof. Vern Paxson TAs:

Software Security: Defenses &amp; Principles CS 161: Computer Security Prof. Vern Paxson TAs:

Software Security: Defenses &amp; Principles CS 161: Computer Security Prof. Vern Paxson TAs: Jethro Beekman, Mobin Javed, Antonio Lupher, Paul Pearce &amp; Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ January 29, 2013 Testing

964 views • 50 slides
Python and GraphQL Alec MacQueen Software Engineer @ Administrate Alec MacQueen - @macqueenism -

Python and GraphQL Alec MacQueen Software Engineer @ Administrate Alec MacQueen - @macqueenism -

Python and GraphQL Alec MacQueen Software Engineer @ Administrate Alec MacQueen - @macqueenism - Europython 2018 Alec MacQueen - @macqueenism - Europython 2018 vs Alec MacQueen - @macqueenism - Europython 2018 Maintainability Coupling

875 views • 36 slides
To The Next (DOM) Level (or How to leverage on W3C specifications to unleash a can of worms

To The Next (DOM) Level (or How to leverage on W3C specifications to unleash a can of worms

Taking Browsers Fuzzing To The Next (DOM) Level (or How to leverage on W3C specifications to unleash a can of worms ) Rosario Valotta Agenda Browser fuzzing: state of the art Memory corruption bugs: an overview Fuzzing

792 views • 40 slides
Web applications are used extensively in many areas: We will rely on web applications more in

Web applications are used extensively in many areas: We will rely on web applications more in

Muath Alkhalaf 1 Shauvik Roy Choudhary 2 Mattia Fazzini 2 Tevfik Bultan 1 Alessandro Orso 2 Christopher Kruegel 1 1 UC Santa Barbara 2 Georgia Tech Web applications are used extensively in many areas: We will rely on web applications more in

872 views • 47 slides
An OCL Map Type Edward Willink Willink Transformations Ltd Eclipse Foundation MMT Component

An OCL Map Type Edward Willink Willink Transformations Ltd Eclipse Foundation MMT Component

An OCL Map Type Edward Willink Willink Transformations Ltd Eclipse Foundation MMT Component co-Lead OCL Project Lead QVTd Project Lead QVTo Committer OMG (Model Driven Solutions) OCL 2.3, 2.4, 2.5 RTF Chair QVT 1.2, 1.3, 1.4 RTF Chair OCL

553 views • 7 slides
Everybody be Cool, This is a Robbery! Normal: Normal: Emphasis: Emphasis: Jean-Baptiste Bedrune

Everybody be Cool, This is a Robbery! Normal: Normal: Emphasis: Emphasis: Jean-Baptiste Bedrune

Color Scheme Color Scheme 52 29 89 89 89 89 55 32 89 89 40 68 121 37 121 200 208 200 226 194 194 153 153 255 153 153 150 153 153 0 Text Formatting Text Formatting Everybody be Cool, This is a Robbery! Normal:

766 views • 57 slides
Learning a Static Analyzer from Data Pavol Bielik Veselin Raychev Martin Vechev Department of

Learning a Static Analyzer from Data Pavol Bielik Veselin Raychev Martin Vechev Department of

Learning a Static Analyzer from Data Pavol Bielik Veselin Raychev Martin Vechev Department of Computer Science CAV 2017 ETH Zurich July 22-28, Heidelberg Writing a Static Analyzer Framework for Java Static Type Checker Static Type

805 views • 46 slides
Structure-aware fuzzing for real-world projects Rka Kovcs Etvs Lornd University,

Structure-aware fuzzing for real-world projects Rka Kovcs Etvs Lornd University,

Structure-aware fuzzing for real-world projects Rka Kovcs Etvs Lornd University, Hungary rekanikolett@gmail.com 1 Overview tutorial, no groundbreaking discoveries Motivation growing code size -&gt; growing number of bugs

387 views • 27 slides
Opensource Column Store Databases: MariaDB ColumnStore vs. ClickHouse Alexander Rubin

Opensource Column Store Databases: MariaDB ColumnStore vs. ClickHouse Alexander Rubin

Opensource Column Store Databases: MariaDB ColumnStore vs. ClickHouse Alexander Rubin VirtualHealth About me Working with MySQL for 10-15 years Started at MySQL AB 2006 - Sun Microsystems, Oracle (MySQL Consulting) - Percona since

644 views • 50 slides
Monadic Imperatjve languages C# Java C / C++ Fortran Subtract abstractjons Scala Add

Monadic Imperatjve languages C# Java C / C++ Fortran Subtract abstractjons Scala Add

by Mario Fusco mario.fusco@gmail.com twitter: @mariofusco Monadic Imperatjve languages C# Java C / C++ Fortran Subtract abstractjons Scala Add abstractjons F# Hybrid languages Algol Lisp ML Haskell Functjonal languages new

1.71k views • 73 slides
What is fuzzing? A kind of random testing Goal : make sure certain bad things dont

What is fuzzing? A kind of random testing Goal : make sure certain bad things dont

What is fuzzing? A kind of random testing Goal : make sure certain bad things dont happen, no matter what ! Crashes, thrown exceptions, non-termination ! All of these things can be the foundation of security vulnerabilities

1.57k views • 14 slides
One-Slide Summary Programming The substitution model for evaluating Scheme does with not

One-Slide Summary Programming The substitution model for evaluating Scheme does with not

One-Slide Summary Programming The substitution model for evaluating Scheme does with not allow us to reason about mutation. In the environment model : State A name is a place for storing a value. define , cons and function application

361 views • 11 slides
Pregelix: Big(ger) Graph Analytics on A Dataflow Engine Yingyi Bu (UC Irvine) Joint work with:

Pregelix: Big(ger) Graph Analytics on A Dataflow Engine Yingyi Bu (UC Irvine) Joint work with:

Pregelix: Big(ger) Graph Analytics on A Dataflow Engine Yingyi Bu (UC Irvine) Joint work with: Vinayak Borkar (UC Irvine) , Michael J. Carey (UC Irvine), Tyson Condie (UCLA), Jianfeng Jia (UC Irvine) Outline Introduction Pregel Semantics

1.5k views • 38 slides
Maximum Likelihood properties Maximum parsimony Maximum likelihood Experimental design

Maximum Likelihood properties Maximum parsimony Maximum likelihood Experimental design

N. Salamin c Sept 2007 Lecture outline Maximum likelihood in phylogenetics Definition Phylogenetics and bioinformatics for evolution Maximum likelihood and models Likelihood of a tree Computational complexity Statistical Maximum

697 views • 30 slides
VIRUSES AND MALWARE Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Viruses

VIRUSES AND MALWARE Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Viruses

VIRUSES AND MALWARE Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Viruses Intrusion detection Behavioral detection Firewalls Virus/antivirus Application firewalls coevolution paper discussed

551 views • 40 slides
Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing

Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing

Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing what is fuzzing, why fuzz, fuzzing types How to fuzz fuzz target, fuzzing engine, libFuzzer Media processing as a target

551 views • 19 slides
Sequence Alignment: Scoring Schemes COMP 571 Luay Nakhleh, Rice University 2 Scoring Schemes

Sequence Alignment: Scoring Schemes COMP 571 Luay Nakhleh, Rice University 2 Scoring Schemes

1 Sequence Alignment: Scoring Schemes COMP 571 Luay Nakhleh, Rice University 2 Scoring Schemes Recall that an alignment score is aimed at providing a scale to measure the degree of similarity (or difference) between two sequences and thus

687 views • 14 slides

More recommend