cs 527 software security
play

CS-527 Software Security Bug finding techniques Asst. Prof. Mathias - PowerPoint PPT Presentation

Jun 14, 2023 •339 likes •674 views

CS-527 Software Security Bug finding techniques Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Kyriakos Ispoglou https://nebelwelt.net/teaching/17-527-SoftSec/ Spring 2017 Testing Table of Contents Testing

  1. CS-527 Software Security Bug finding techniques Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Kyriakos Ispoglou https://nebelwelt.net/teaching/17-527-SoftSec/ Spring 2017

  2. Testing Table of Contents Testing 1 Fuzzing 2 Static analysis 3 Symbolic execution 4 Formal verification 5 Summary and conclusion 6 Mathias Payer (Purdue University) CS-527 Software Security 2017 2 / 33

  3. Testing Software Testing Software testing (e.g., unit testing) uses a set of test cases to decide if the program conforms to a specification. Testing tests for the presence of functionality (and not the absence of security bugs). Involved security tests may run memory checkers like ASan, type safety checkers, or thread safety checkers. ... given specific input. Again, it does not test for generic errors or properties (like memory safety or type safety). Testing is a great to detect regressions or missing functionality. Newer software comes with large amounts of unit tests and other test cases to test macro and unit functionality. Mathias Payer (Purdue University) CS-527 Software Security 2017 3 / 33

  4. Testing Bug triangulation Given a failing test case, how do we detect the location of the bug? Mathias Payer (Purdue University) CS-527 Software Security 2017 4 / 33

  5. Testing Testing/tracing by printf 1 i n t max = 0; 2 f o r (p = head ; p ; p = p − > next ) { p r i n t f ( ” in loop \ n” ) ; 3 i f (p − > value > max) { 4 p r i n t f ( ”True branch \ n” ) ; 5 max = p − > value ; 6 } 7 8 } Mathias Payer (Purdue University) CS-527 Software Security 2017 5 / 33

  6. Testing Statistical Debugging Relies on a large pool of test cases (both failing and passing). Dynamic information from failing and passing test cases is aggregated to localize possible faulty statements. Output is often a list of ranked statements. Mathias Payer (Purdue University) CS-527 Software Security 2017 6 / 33

  7. Testing Test case reduction: Delta Debugging Minimize test-cases: if you change any thing in the test case the bug is no longer triggered 1 . Let’s use a smaller bug report as running example: < SELECT NAME="priority" MULTIPLE SIZE=7 > How can we simplify this input? Idea: remove parts of the input and see if the program still crashes (i.e., minimize the test case). For the above example assume that we remove characters of the input file and start the program with this new test case. 1 Andreas Zeller and Ralf Hildebrandt, Simplifying and Isolating Failure-Inducing Input, IEEE Trans. SE, 2002. Mathias Payer (Purdue University) CS-527 Software Security 2017 7 / 33

  8. Fuzzing Table of Contents Testing 1 Fuzzing 2 Static analysis 3 Symbolic execution 4 Formal verification 5 Summary and conclusion 6 Mathias Payer (Purdue University) CS-527 Software Security 2017 8 / 33

  9. Fuzzing Fuzzing Fuzzing is an automated form of testing that runs code on (semi) random input. Mutation-based fuzzing generates test cases by mutating existing test cases. Generation-based fuzzing generates test cases based on a model of the input (i.e., a specification). Any inputs that crash the program are recorded. Crashes are then sorted, reduced, and bugs are extracted. Bugs are then analyzed individually (is it a security vulnerability). Mathias Payer (Purdue University) CS-527 Software Security 2017 9 / 33

  10. Fuzzing American Fuzzy Lop Mathias Payer (Purdue University) CS-527 Software Security 2017 10 / 33

  11. Fuzzing American Fuzzy Lop American fuzzy lop is a security-oriented fuzzer that employs a novel type of compile-time instrumentation and genetic algorithms to automatically discover clean, interesting test cases that trigger new internal states in the targeted binary. Low-overhead and low initialization cost (i.e., fast forward to interesting points in binaries before you start fuzzing) Synthesizes complex file formats Employs different fuzzing strategies, switches them on demand Homepage: http://lcamtuf.coredump.cx/afl/ . Mathias Payer (Purdue University) CS-527 Software Security 2017 11 / 33

  12. Static analysis Table of Contents Testing 1 Fuzzing 2 Static analysis 3 Symbolic execution 4 Formal verification 5 Summary and conclusion 6 Mathias Payer (Purdue University) CS-527 Software Security 2017 12 / 33

  13. Static analysis Static Analysis Static analysis analyzes a program without executing it. Static analysis is widely used in bug finding, vulnerability detection, or property checking. “ Easier ” to apply compared to dynamic analysis (as long as you have code): analysis can be transparent to the user. Better scalability than to some dynamic analysis (e.g., tracing). Large success in recent years: findbug, coverity 2 , codesurfer. 2 Reading material: Al Bessey et al., A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World, CACM’10. Mathias Payer (Purdue University) CS-527 Software Security 2017 13 / 33

  14. Static analysis Static Analaysis: Syntax/Structure Focus on syntax and structure, not semantics. Look at CFG, dominator, post-dominator, loop detection Application: detect code copies (comparison based on text, AST, CFG) Application: Malware analysis Recover information about the program, serve as basis for further advanced static/dynamic analysis. Limitation: cannot reason about program semantics or state. Mathias Payer (Purdue University) CS-527 Software Security 2017 14 / 33

  15. Static analysis Static Analysis: Semantics Focus on program semantics. Reason about program meaning/logic. Evaluate meaning of syntactically legal strings defined by a programming language, reason about involved computation. (Illegal strings – according to the language definition – result in non-computation). Mathias Payer (Purdue University) CS-527 Software Security 2017 15 / 33

  16. Static analysis Static Analysis: Requirements Abstract domain: contains the results we want to compute by static analysis. Transfer function: how the abstract values are computed/updated at each relevant instruction. (We must consider the instruction semantics for the transfer function!) Mathias Payer (Purdue University) CS-527 Software Security 2017 16 / 33

  17. Static analysis Static Analysis: Loops When shall we terminate a loop path? How many iterations should we consider? Is the loop bound? How to infer possible values? Observation: we are interested in the aggregation of abstract values along paths. If the aggregation stabilizes, we can terminate. Assumption: monotonic growth. Assumption: abstract domain is finite. Mathias Payer (Purdue University) CS-527 Software Security 2017 17 / 33

  18. Static analysis Static Analysis: Use-cases Optimization: Global Common Subexpression Optimization: Copy Propagation Optimization: Dead-Code Elimination Optimization: Code Motion Optimization: Strength Reduction All these optimizations depend on data-flow analysis! Mathias Payer (Purdue University) CS-527 Software Security 2017 18 / 33

  19. Symbolic execution Table of Contents Testing 1 Fuzzing 2 Static analysis 3 Symbolic execution 4 Formal verification 5 Summary and conclusion 6 Mathias Payer (Purdue University) CS-527 Software Security 2017 19 / 33

  20. Symbolic execution What is symbolic execution? An abstract interpretation of code (values are symbolic, not concrete) Agnostic to concrete values (values turn into formulas, constraints make formulas concrete) Finds concrete input (triggers “interesting” conditions) Mathias Payer (Purdue University) CS-527 Software Security 2017 20 / 33

  21. Symbolic execution Using symbolic execution Define a set of conditions at code locations. Symbolic Execution then determines triggering input. Testing: finding bugs in applications Step 1: Infer pre/post conditions and add assertions Step 2: Use symbolic execution to negate conditions Exploit generation: generate PoC input (vulnerability condition is predefined) Mathias Payer (Purdue University) CS-527 Software Security 2017 21 / 33

  22. Symbolic execution SAT Solver Find satisfying valuations to a propositional formula. Develop a systematic approach to test all possible valuations to find a satisfiable valuation. SAT solving is NP-complete, so the worst-case complexity will always be exponential. ... but good heuristics exist. Speed improvements in SAT solving enable Symbolic Execution Mathias Payer (Purdue University) CS-527 Software Security 2017 22 / 33

  23. Symbolic execution Symbolic execution tools FuzzBALL: Works on binaries, generic SE engine. Used to, e.g., find PoC exploits given a vulnerability condition. KLEE: Instruments through LLVM-based pass, relies on source code. Used to, e.g., find bugs in programs. S2E: Selective Symbolic Execution: automatic testing of large source base, combines KLEE with an concolic execution. Used to, e.g., test large source bases (e.g., drivers in kernels) for bugs. Efficiency of SE tool depends on the search heuristics and search strategy. As search space grows exponentially, a good search strategy is crucial for efficiency and scalability. Mathias Payer (Purdue University) CS-527 Software Security 2017 23 / 33

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security

deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security

Software and Web Security deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security vulnerabilities esp in systems accessible via a network part 1 security problems in machine code, compiled from C(++)

1.35k views • 67 slides
Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software

Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software

1 Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software is the main source of security vulnerabilities esp in systems accessible via a network i t ibl i t k part 1 part 1 security problems

672 views • 65 slides
Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software

Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software

Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software Engineering Spring 2012 What is the talk NOT about? Cryptography. Database security. Operating Systems security. Network security.

1.37k views • 121 slides
Software Security: Defenses &amp; Principles CS 161: Computer Security Prof. Vern Paxson TAs:

Software Security: Defenses &amp; Principles CS 161: Computer Security Prof. Vern Paxson TAs:

Software Security: Defenses &amp; Principles CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed &amp; Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ January 25, 2011 Testing for Software Security Issues

444 views • 42 slides
Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust Boundary Attacks Threats Application Attacker Exploit Vulnerability : a software defect with security consequences Threat : a potential danger to

1.54k views • 80 slides
Software In-Security Buffer overflows Overview Web Application security Malware OS

Software In-Security Buffer overflows Overview Web Application security Malware OS

Lecture overview Table of contents: Introduction to SW security Software In-Security Buffer overflows Overview Web Application security Malware OS security topics Code scanning Emmanuel Benoist Taught by Ulrich

479 views • 13 slides
CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412

CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412

CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412 Software Security Course outline Secure software lifecycle Security policies Attack vectors Defense strategies: mitigations and testing Case

681 views • 49 slides
CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Software liveliness Software is not a one-shot effort Software development, production, and maintenance are cost/labor

449 views • 23 slides
CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Web (and internet) security: two views Just a long running network service Complex application with multiple layers and components.

577 views • 47 slides
Introduction Gang Tan Penn State University Spring 2019 CMPSC 447: Software Security Why a

Introduction Gang Tan Penn State University Spring 2019 CMPSC 447: Software Security Why a

Introduction Gang Tan Penn State University Spring 2019 CMPSC 447: Software Security Why a course on software security? Software plays a major role in the modern society But is a major source of security problems. Software is the

659 views • 30 slides
Secure Software Development TDDC90 Software Security Ulf Kargn Institutionen fr

Secure Software Development TDDC90 Software Security Ulf Kargn Institutionen fr

Secure Software Development TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA) Avdelningen fr Databas- och Informationsteknik (ADIT) Original slides by Marcus Bendtsen Agenda Securing the software

1.91k views • 65 slides
Chapter 11 Software Security Secure programs Security implies some degree of trust that the

Chapter 11 Software Security Secure programs Security implies some degree of trust that the

Chapter 11 Software Security Secure programs Security implies some degree of trust that the program enforces expected C onfidentiality I ntegrity A vailability How can we look at software component and assess its

837 views • 49 slides
CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018

CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018

CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Software liveliness Software is not a one-shot effort Software development, production, and maintenance are

725 views • 23 slides
Web Security TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA)

Web Security TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA)

Web Security TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA) Avdelningen fr Databas- och Informationsteknik (ADIT) Original slides by Marcus Bendtsen Some recent attacks 2 A game changer The Internet

1.17k views • 87 slides
Software Security Return to Libc and ROP Jan Nordholz Prof. Jean-Pierre Seifert Security in

Software Security Return to Libc and ROP Jan Nordholz Prof. Jean-Pierre Seifert Security in

Software Security Return to Libc and ROP Jan Nordholz Prof. Jean-Pierre Seifert Security in Telecommunications TU Berlin SoSe 2014 jan (sect) Software Security SoSe 2014 1 / 13 Recap: Overflow Bugs Ingredients: fixed-size buffer on the

429 views • 13 slides
CS527 Software Security Web Security Mathias Payer Purdue University, Spring 2018 Mathias Payer

CS527 Software Security Web Security Mathias Payer Purdue University, Spring 2018 Mathias Payer

CS527 Software Security Web Security Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Daemons / Services / Servers A daemon is a long running service that serves outside requests. A web server, a mail

503 views • 31 slides
Learning a Static Analyzer from Data by Pavol Bielik, Veselin Raychev, and Martin Vechev Daniel

Learning a Static Analyzer from Data by Pavol Bielik, Veselin Raychev, and Martin Vechev Daniel

Learning a Static Analyzer from Data by Pavol Bielik, Veselin Raychev, and Martin Vechev Daniel Perez The University of Tokyo January 29, 2018 Static analyzers Writing a static analyzer is hard JavaScript points-to sample global.length = 4;

299 views • 15 slides
Background Program must be brought into memory and placed within a process for it to be run.

Background Program must be brought into memory and placed within a process for it to be run.

Background Program must be brought into memory and placed within a process for it to be run. Storage Allocation Input queue collection of processes on the disk that are waiting to be brought into memory to run the program.

225 views • 9 slides
Project 1: -allocator Computation structures October 9, 2018 Memory allocation Static

Project 1: -allocator Computation structures October 9, 2018 Memory allocation Static

Project 1: -allocator Computation structures October 9, 2018 Memory allocation Static allocation : size must be known at compile-time, handled by compilers in high-level languages. In -assembly: | static allocation on the stack |

261 views • 9 slides
CS 309 Autonomous Intelligent Robotics Guest Instructor: Justin W. Hart http://justinhart.net

CS 309 Autonomous Intelligent Robotics Guest Instructor: Justin W. Hart http://justinhart.net

CS 309 Autonomous Intelligent Robotics Guest Instructor: Justin W. Hart http://justinhart.net Reading responses are still due before Thursday ..but the discussion will happen after Jivko returns Facebook Group

424 views • 8 slides
Static analysis of OpenAFS code base Cheyenne Wills OpenAFS 2019 Workshop Overview What is

Static analysis of OpenAFS code base Cheyenne Wills OpenAFS 2019 Workshop Overview What is

Static analysis of OpenAFS code base Cheyenne Wills OpenAFS 2019 Workshop Overview What is static analysis What are the tools Analysis of the OpenAFS code base What is static analysis Static analysis is performed by analysing

556 views • 20 slides
Static Analyzer Non-Comprehensive Overview Dr Christopher Jones HOW 2019 21 March 2019 This

Static Analyzer Non-Comprehensive Overview Dr Christopher Jones HOW 2019 21 March 2019 This

FERMILAB-SLIDES-19-035-CD Static Analyzer Non-Comprehensive Overview Dr Christopher Jones HOW 2019 21 March 2019 This manuscript has been authored by Fermi Research Alliance, LLC under Contract No. DE-AC02-07CH11359 with the U.S. Department of

566 views • 12 slides
Outline Static Analysis: Overview, Syntactic Analysis and Abstract Interpretation Overview

Outline Static Analysis: Overview, Syntactic Analysis and Abstract Interpretation Overview

Outline Static Analysis: Overview, Syntactic Analysis and Abstract Interpretation Overview TDDC90: Software Security Syntactic Analysis Ahmed Rezine Abstract Interpretation IDA, Linkpings Universitet Hsttermin 2014 Static Program

75 views • 7 slides
Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all

Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all

Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Plan approx. 15 lectures, details see web-page flexible time-schedule, depending on

938 views • 69 slides

More recommend