dr checker
play

DR. CHECKER A Soundy Analysis for Linux Kernel Drivers Aravind - PowerPoint PPT Presentation

Jul 27, 2023 •320 likes •995 views

DR. CHECKER A Soundy Analysis for Linux Kernel Drivers Aravind Machiry, Chad Spensky , Jake Corina, Nick Stephens, Christopher Kruegel, and Giovanni Vigna University of California, Santa Barbara USENIX Security 2017 seclab THE COMPUTER SECURITY

  1. DR. CHECKER A Soundy Analysis for Linux Kernel Drivers Aravind Machiry, Chad Spensky , Jake Corina, Nick Stephens, Christopher Kruegel, and Giovanni Vigna University of California, Santa Barbara USENIX Security 2017 seclab THE COMPUTER SECURITY GROUP AT UC SANTA BARBARA

  2. First, a story… seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 2 CSS, USENIX Security, 08/18/2017

  3. First, a story… seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 3 CSS, USENIX Security, 08/18/2017

  4. First, a story… $ mkdir driver_checker seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 3 CSS, USENIX Security, 08/18/2017

  5. First, a story… $ mkdir dr_checker seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 4 CSS, USENIX Security, 08/18/2017

  6. First, a story… seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 5 CSS, USENIX Security, 08/18/2017

  7. Why Drivers? seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 6 CSS, USENIX Security, 08/18/2017

  8. Why Drivers? $ ls linux /arch /block /certs /kernel /crypto /include /init /virt /ipc /samples /drivers /firmware /scripts /fs /net /tools /mm /usr /lib /sound /security $ seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 6 CSS, USENIX Security, 08/18/2017

  9. Why Drivers? $ ls linux /arch /block /certs /kernel /crypto /include /init /virt /ipc /samples /drivers /firmware /scripts /fs /net /tools /mm /usr /lib /sound /security $ seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 7 CSS, USENIX Security, 08/18/2017

  10. Why Drivers? $ ls linux /arch /block /certs /kernel /crypto /include /init /virt /ipc /samples /drivers /firmware /scripts /fs /net /tools /mm /usr /lib /sound /security $ find bugs seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 7 CSS, USENIX Security, 08/18/2017

  11. Why Drivers? CVE - Common Vulnerability and Exposure seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 8 CSS, USENIX Security, 08/18/2017

  12. Why Drivers? 15% Drivers 85% Bugs in Windows XP (2003) CVE - Common Vulnerability and Exposure seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 8 CSS, USENIX Security, 08/18/2017

  13. Why Drivers? 15% Drivers 28% 72% Drivers 85% Bugs in Windows XP (2003) Linux Kernel CVEs (2016-2017) CVE - Common Vulnerability and Exposure seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 8 CSS, USENIX Security, 08/18/2017

  14. Why Drivers? 15% 15% Drivers 28% 72% Drivers Drivers 85% 85% Bugs in Windows XP (2003) Linux Kernel CVEs (2016-2017) Reported bugs in Android (2016) CVE - Common Vulnerability and Exposure seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 8 CSS, USENIX Security, 08/18/2017

  15. Motivation Only analyze the drivers! seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 9 CSS, USENIX Security, 08/18/2017

  16. Program Analysis for Bug Finding seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 10 CSS, USENIX Security, 08/18/2017

  17. Program Analysis for Bug Finding • Points-to Analysis: Determines all storage locations that a pointer can point to • Example bug: Kernel code pointer to user-controlled memory seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 10 CSS, USENIX Security, 08/18/2017

  18. Program Analysis for Bug Finding • Points-to Analysis: Determines all storage locations that a pointer can point to • Example bug: Kernel code pointer to user-controlled memory • Taint Analysis: Determines all of the locations that are a ff ected by user- supplied (tainted) data • Example bug: User provided data used as length in copy_from_user() seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 10 CSS, USENIX Security, 08/18/2017

  19. Program Analysis on Kernel Code • Pointers… Everywhere! • State explosion • Inter-procedural calls to core functions • State explosion seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 11 CSS, USENIX Security, 08/18/2017

  20. Precision vs. Soundness Precise Sound seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 12 CSS, USENIX Security, 08/18/2017

  21. Precision vs. Soundness Precise Sound False False True True True True False True False True True False True True False True True True True False Most of the things reported are true seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 12 CSS, USENIX Security, 08/18/2017

  22. Precision vs. Soundness Precise Sound False False False False True False True True True False True False False True False True False True True False False True False False False True False False True True True True True False True False False Most of the things reported are true Everything that is true is reported seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 12 CSS, USENIX Security, 08/18/2017

  23. Soundiness Sound Precise False False False False True False True True True False True False False True False False True True True False False True False False False False True False True True True True False True True False False Violate soundness to achieve higher precision and practical computational constraints seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 13 CSS, USENIX Security, 08/18/2017

  24. Soundiness Soundy True Sound Precise False True False False False False False True True False True True True True False False False True False False False True True False False True True True True False False False True False False True False False True False True True True True True False True False True True False False True False Violate soundness to achieve higher precision and practical computational constraints seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 13 CSS, USENIX Security, 08/18/2017

  25. Dr. Checker: Assumptions (1) All non-driver code is implemented perfectly (2) Only evaluate loops until a reaching definition (3) All calls are traversed exactly once, even in loops seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 14 CSS, USENIX Security, 08/18/2017

  26. Dr. Checker: Design • Modular framework to enable flexible development • Simultaneously employ numerous vulnerability detectors • Open source: github.com/ucsb-seclab/dr_checker seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 15 CSS, USENIX Security, 08/18/2017

  27. Dr. Checker: Design Soundy Driver Traversal Analysis Clients Driver Code 1 Points-to Analysis Global State 2 Taint Analysis Vulnerability Detectors Warnings Improper Tainted-Data Use Detector (ITDUD) Tainted Arithmetic Detector (TAD) Invalid Cast Detector (ICD) 3 Tainted Loop Bound Detector (TLBD) Tainted Pointer Dereference Detector (TPDD) Tainted Size Detector (TSD) Uninit Leak Detector (ULD) Global Variable Race Detector (GVRD) seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 16 CSS, USENIX Security, 08/18/2017

  28. Dr. Checker: Design Soundy Driver Traversal Analysis Clients Driver Code 1 Points-to Analysis Global State 2 Taint Analysis Vulnerability Detectors Warnings Improper Tainted-Data Use Detector (ITDUD) Tainted Arithmetic Detector (TAD) Invalid Cast Detector (ICD) 3 Tainted Loop Bound Detector (TLBD) Tainted Pointer Dereference Detector (TPDD) Tainted Size Detector (TSD) Uninit Leak Detector (ULD) Global Variable Race Detector (GVRD) seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 16 CSS, USENIX Security, 08/18/2017

  29. Dr. Checker: Design Soundy Driver Traversal Analysis Clients Driver Code 1 Points-to Analysis Global State 2 Taint Analysis Vulnerability Detectors Warnings Improper Tainted-Data Use Detector (ITDUD) Tainted Arithmetic Detector (TAD) Invalid Cast Detector (ICD) 3 Tainted Loop Bound Detector (TLBD) Tainted Pointer Dereference Detector (TPDD) Tainted Size Detector (TSD) Uninit Leak Detector (ULD) Global Variable Race Detector (GVRD) seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 16 CSS, USENIX Security, 08/18/2017

  30. Dr. Checker: Design Soundy Driver Traversal Analysis Clients Driver Code 1 Points-to Analysis Global State 2 Taint Analysis Vulnerability Detectors Warnings Improper Tainted-Data Use Detector (ITDUD) Tainted Arithmetic Detector (TAD) Invalid Cast Detector (ICD) 3 Tainted Loop Bound Detector (TLBD) Tainted Pointer Dereference Detector (TPDD) Tainted Size Detector (TSD) Uninit Leak Detector (ULD) Global Variable Race Detector (GVRD) seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 16 CSS, USENIX Security, 08/18/2017

  31. Dr. Checker: Design Soundy Driver Traversal Analysis Clients Driver Code 1 Points-to Analysis Global State 2 Taint Analysis Vulnerability Detectors Warnings Improper Tainted-Data Use Detector (ITDUD) Tainted Arithmetic Detector (TAD) Invalid Cast Detector (ICD) 3 Tainted Loop Bound Detector (TLBD) Tainted Pointer Dereference Detector (TPDD) Tainted Size Detector (TSD) Uninit Leak Detector (ULD) Global Variable Race Detector (GVRD) seclab Dr Checker: A Soundy Analysis of Linux Kernel Drivers 16 CSS, USENIX Security, 08/18/2017

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Nuspell: version 3 of the new spell checker FOSS spell checker implemented in C++17 with aid of

Nuspell: version 3 of the new spell checker FOSS spell checker implemented in C++17 with aid of

Nuspell: version 3 of the new spell checker FOSS spell checker implemented in C++17 with aid of Mozilla Sander van Geloven FOSDEM, Brussels February 1, 2020 . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

611 views • 39 slides
Nuspell: the new spell checker FOSS spell checker implemented in C++14 with aid of Mozilla.

Nuspell: the new spell checker FOSS spell checker implemented in C++14 with aid of Mozilla.

Nuspell: the new spell checker FOSS spell checker implemented in C++14 with aid of Mozilla. Sander van Geloven FOSDEM, Brussels February 2, 2019 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

327 views • 21 slides
Have some fun Checker: Checker: http://www.cs.caltech.edu/~ vhuang/cs 20/c/applet/more.html

Have some fun Checker: Checker: http://www.cs.caltech.edu/~ vhuang/cs 20/c/applet/more.html

Have some fun Checker: Checker: http://www.cs.caltech.edu/~ vhuang/cs 20/c/applet/more.html 1 Local Beam Search Run multiple searches to find the Run multiple searches to find the solution The best K states are selected. Like

636 views • 24 slides
The UPPAAL Model Checker The UPPAAL Model Checker Julin Proenza Systems, Robotics and Vision

The UPPAAL Model Checker The UPPAAL Model Checker Julin Proenza Systems, Robotics and Vision

The UPPAAL Model Checker The UPPAAL Model Checker Julin Proenza Systems, Robotics and Vision Group. UIB. SPAIN Julin Proenza. UIB. Oct 2008 The aim of this presentation Introduce the basic concepts of model checking from a practical

804 views • 68 slides
Lecture 3: Model-checker NuSMV B. Srivathsan Chennai Mathematical Institute NPTEL-course July -

Lecture 3: Model-checker NuSMV B. Srivathsan Chennai Mathematical Institute NPTEL-course July -

Lecture 3: Model-checker NuSMV B. Srivathsan Chennai Mathematical Institute NPTEL-course July - November 2015 1 / 31 Model-checker Specify the model of the system Specify the requirements Model-checker will automatically check if system

1.72k views • 112 slides
Using a Grammar Checker for Evaluation and Postprocessing of Statistical Machine Translation Sara

Using a Grammar Checker for Evaluation and Postprocessing of Statistical Machine Translation Sara

Using a Grammar Checker for Evaluation and Postprocessing of Statistical Machine Translation Sara Stymne and Lars Ahrenberg Link oping University, Sweden LREC May 20, 2010 Using a Grammar Checker for Evaluation and Postprocessing of

755 views • 29 slides
LIBIS/Aware conformance checker Agenda Functional analysis Technical design Research

LIBIS/Aware conformance checker Agenda Functional analysis Technical design Research

LIBIS/Aware conformance checker Agenda Functional analysis Technical design Research TIFF LIBIS/AWare conformance checker - Preforma Conformance checker Checks conformance with TIFF Embedded metadata TIFF files Every

349 views • 15 slides
Tizen Web Application Checker Xu Zhang (xu.u.zhang@intel.com) Agenda Tizen Compliance and

Tizen Web Application Checker Xu Zhang (xu.u.zhang@intel.com) Agenda Tizen Compliance and

Tizen Web Application Checker Xu Zhang (xu.u.zhang@intel.com) Agenda Tizen Compliance and Application Compatibility Tool Features Design Overview Checker Modules Getting Started Contributing to Tizen Web

521 views • 20 slides
Dedukti : A Universal Proof Checker Mathieu Boespflug 1 Quentin Carbonneaux 2 Olivier Hermant 3 1

Dedukti : A Universal Proof Checker Mathieu Boespflug 1 Quentin Carbonneaux 2 Olivier Hermant 3 1

Dedukti : A Universal Proof Checker Mathieu Boespflug 1 Quentin Carbonneaux 2 Olivier Hermant 3 1 McGill University 2 INRIA and ENPC 3 INRIA and ISEP PxTP 2012 Contents Introduction The -calculus modulo The Dedukti proof checker Better

517 views • 32 slides
Circuit Validity Checker D. Mitch Bailey Shuhari System, Japan WOSET 2020 CVC: Circuit Validity

Circuit Validity Checker D. Mitch Bailey Shuhari System, Japan WOSET 2020 CVC: Circuit Validity

CVC Circuit Validity Checker D. Mitch Bailey Shuhari System, Japan WOSET 2020 CVC: Circuit Validity Checker What is it? A system to pinpoint reliability errors that can lead to device failures or unintended current leakage. Similar

746 views • 6 slides
The Design, Implementation and Evaluation of a Pluggable Type Checker for Thread-Locality in Java

The Design, Implementation and Evaluation of a Pluggable Type Checker for Thread-Locality in Java

The Design, Implementation and Evaluation of a Pluggable Type Checker for Thread-Locality in Java By: Amanj Sherwany 2011 http://www.amanj.me Background Loci is a static checker for thread- Informationsteknologi locality for Java-like

931 views • 50 slides
MediaConch implementation and policy checking on FFV1, Matroska, LPCM, and more Jrme

MediaConch implementation and policy checking on FFV1, Matroska, LPCM, and more Jrme

MediaConch implementation and policy checking on FFV1, Matroska, LPCM, and more Jrme Martinez MediaArea.net SARL What is MediaConch? A conformance checker Implementation checker Policy checker Reporter Fixer What is MediaConch? A

321 views • 13 slides
Implementation of a Coalgebraic Model Checker Aaron Strahlberger 16.07.2019 Parity Game based

Implementation of a Coalgebraic Model Checker Aaron Strahlberger 16.07.2019 Parity Game based

Implementation of a Coalgebraic Model Checker Aaron Strahlberger 16.07.2019 Parity Game based Model Checker Game-Based Local Model Checking for the Coalgebraic -Calculus by Daniel Hausmann and Lutz Schrder [1] (CONCUR 2019)

474 views • 31 slides
Schedulability Analysis of Timed CSP Models Using the PAT Model Checker O uzcan O UZ Jan

Schedulability Analysis of Timed CSP Models Using the PAT Model Checker O uzcan O UZ Jan

Schedulability Analysis of Timed CSP Models Using the PAT Model Checker O uzcan O UZ Jan F. BROENINK Angelika MADER Robotics and Mechatronics, University of Twente, The Netherlands Contents Problem Statement & Approach

516 views • 24 slides
MPI-Checker Static Analysis for MPI Alexander Droste, Michael Kuhn, Thomas Ludwig November

MPI-Checker Static Analysis for MPI Alexander Droste, Michael Kuhn, Thomas Ludwig November

MPI-Checker Static Analysis for MPI Alexander Droste, Michael Kuhn, Thomas Ludwig November 15, 2015 Motivation Clang Static Analyzer MPI-Checker Limitations Evaluation Future Work Motivation 2 / 39 Motivation Clang Static Analyzer

535 views • 41 slides
BttrWrtr: a grammar checker for the web Luke Gotszling about.me/luke luke@about.me @lmgtwit

BttrWrtr: a grammar checker for the web Luke Gotszling about.me/luke luke@about.me @lmgtwit

BttrWrtr: a grammar checker for the web Luke Gotszling about.me/luke luke@about.me @lmgtwit Super Happy Dev House 45 1 Inspired by Matt Mights (@mattmight) collection of Bash and Perl: 3 shell scripts to improve your writing, or My

306 views • 6 slides
PointlessTain,ng? Evalua,ngthePrac,calityofPointer Tain,ng

PointlessTain,ng? Evalua,ngthePrac,calityofPointer Tain,ng

PointlessTain,ng? Evalua,ngthePrac,calityofPointer Tain,ng AsiaSlowinska,HerbertBos VrijeUniversiteitAmsterdam Whypointertain,ng? AFacks Exploitlowlevelmemoryerrors

1.41k views • 65 slides
Modelgen: Mining Explicit Information Flow Specifications from Concrete Executions Lazaro Clapp,

Modelgen: Mining Explicit Information Flow Specifications from Concrete Executions Lazaro Clapp,

Modelgen: Mining Explicit Information Flow Specifications from Concrete Executions Lazaro Clapp, Saswat Anand, Alex Aiken Stanford University I Why mine specifications? Whole-program static analysis Application Whole-program static

992 views • 84 slides
EthPloit : From Fuzzing to Efficient Exploit Generation against Smart Contracts Qingzhao Zhang 1,2

EthPloit : From Fuzzing to Efficient Exploit Generation against Smart Contracts Qingzhao Zhang 1,2

EthPloit : From Fuzzing to Efficient Exploit Generation against Smart Contracts Qingzhao Zhang 1,2 , Yizhuo Wang 1 , Juanru Li 1 , Siqi Ma 3 1 Shanghai Jiao Tong University , China 2 University of Michigan , America 3 Data 61, CSIRO , Australia

918 views • 38 slides
Pointers char *a = hi; ! Solution exists: ( char *)*p = &a; ! = =

Pointers char *a = hi; ! Solution exists: ( char *)*p = &a; ! = =

Pointers char *a = hi; ! Solution exists: ( char *)*p = &a; ! = = untainted ! ( char *)*q = p; ! char *b = fgets(); ! = = tainted *q = b; " printf(*p); untainted Misses illegal flow! !

634 views • 13 slides
PIITracker: Automatic Tracking of Personally Identifiable Information in Windows Meisam Navaki

PIITracker: Automatic Tracking of Personally Identifiable Information in Windows Meisam Navaki

PIITracker: Automatic Tracking of Personally Identifiable Information in Windows Meisam Navaki Arefi (mnavaki@unm.edu) Geoffrey Alexander Jedidiah R. Crandall What is PII? Personally Identifiable Information (PII) is information that can

380 views • 20 slides
A posteriori taint-tracking for demonstrating non-interference in expressive low-level languages

A posteriori taint-tracking for demonstrating non-interference in expressive low-level languages

A posteriori taint-tracking for demonstrating non-interference in expressive low-level languages Peter Aldous and Matthew Might University of Utah This title is a little much, so Faster automated proofs that information doesnt leak in

1.66k views • 115 slides
Practical taint analysis for protecting buggy binaries So your exploit beats ASLR/DEP? I don't

Practical taint analysis for protecting buggy binaries So your exploit beats ASLR/DEP? I don't

Practical taint analysis for protecting buggy binaries So your exploit beats ASLR/DEP? I don't care Erik Bosman <erik@minemu.org> Traditional Stack Smashing buf[16] GET / HTTP/1.1 00baseretnarg1arg2 Traditional Stack Smashing buf[16]

1.29k views • 100 slides
Privacy on Smartphones Presentation by Claude Barthels Roadmap TaintDroid: An

Privacy on Smartphones Presentation by Claude Barthels Roadmap TaintDroid: An

Privacy on Smartphones Presentation by Claude Barthels Roadmap TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones MockDroid: Trading Privacy for Application Functionality on Smartphones

429 views • 38 slides

More recommend