program analysis for security two main classes
play

Program analysis for security Two main classes Static: Operates - PowerPoint PPT Presentation

Mar 28, 2024 •220 likes •726 views

Program analysis for security Two main classes Static: Operates on source or binary at rest Dynamic: Operates at runtime Also hybrids of the two Static: Examples Code review Grep Taint analysis Symbolic

  1. Program analysis for security

  2. Two main classes • Static: • Operates on source or binary at rest • Dynamic: • Operates at runtime • Also hybrids of the two

  3. Static: Examples • Code review • Grep • Taint analysis • Symbolic execution • Templates/specifications (metacompilation)

  4. Dynamic: Examples • Testing • Debugging • Log-tracing • Fuzzing

  5. Static: Pros and Cons • Analyze everything in the program • Not just what runs during this execution • Don’t need running environment (e.g. comms) • Can analyze incomplete programs (libraries) • If you have the source code • Everything could be a lot of stuff! • Scalability • Code that never runs in practice (or dead) • No side effects • Only find what you are looking for

  6. Dynamic: Pros and Cons • Concrete failure proves an issue • May aid fix • Computationally scalable • Coverage? • Resources/environment?

  7. Static Analysis Some material from Dave Levin, Mike Hicks, Dawson Engler, Lujo Bauer http://philosophyofscienceportal.blogspot.com/2013/04/van-de-graaff-generator-redux.html

  8. From here we mostly mean automated: in a sense, ask a computer to do your code review

  9. High-level idea • Model program properties abstractly • Set some rules/constraints and then check them • Tools from program analysis: • Type inference • Theorem proving • etc.

  10. • What kinds of properties are checkable this way? • What guarantees can we have? (FP/FN) • Resources/scalability?

  11. The Halting Problem register char *q; char inp[MAXLINE]; Always terminates? char cmdbuf[MAXLINE]; extern ENVELOPE BlankEnvelope; extern void help __P((char *)); extern void settime __P((ENVELOPE *)); extern bool enoughdiskspace __P((long)); extern int runinchild __P((char *, ENVELOPE *)); . . . program P analyzer • Can we write an analyzer that can prove, for any program P and inputs to it, P will terminate? • Doing so is called the halting problem • Unfortunately, this is undecidable: any analyzer will fail to produce an answer for at least some programs and/or inputs Some material inspired by work of Matt Might: http://matt.might.net/articles/intro-static-analysis/

  12. Check other properties instead? • Perhaps security-related properties are feasible • E.g., that all accesses a[i] are in bounds • But these properties can be converted into the halting problem by transforming the program • A perfect array bounds checker could solve the halting problem, which is impossible! • Other undecidable properties (Rice’s theorem) • Does this string come from a tainted source ? • Is this pointer used after its memory is freed ? • Do any variables experience data races ?

  13. So is static analysis impossible? • Perfect static analysis is not possible • Useful static analysis is perfectly possible , despite 1. Nontermination - analyzer never terminates, or 2. False alarms - claimed errors are not really errors, or 3. Missed errors - no error reports ≠ error free • Nonterminating analyses are confusing, so tools tend to exhibit only false alarms and/or missed errors

  14. Completeness Soundness If X is safe, then If analysis says that analysis says X is X is safe, then X is safe. safe. Safe programs I say programs are Things I say are safe safe if and only if they are safe Programs I say Safe things are safe Trivially Sound: Say nothing is safe Trivially Complete: Say everything is safe Sound and Complete : Say exactly the set of true things

  15. • Soundness : No error found = no error exists • Alarms may be false errors • Completeness : Any error found = real error • Silence does not guarantee no errors • Basically any useful analysis • is neither sound nor complete (def. not both ) • … usually leans one way or the other

  16. The Art of Static Analysis • Precision : Carefully model program, minimize false positives/negatives • Scalability : Successfully analyze large programs • Understandability : Actionable reports

  17. • Observation: Code style is important • Aim to be precise for “good” programs • OK to forbid yucky code in the name of safety • Code that is more understandable to the analysis is more understandable to humans

  18. Adding some depth: Dataflow (taint) analysis

  19. Tainted Flow Analysis • Cause of many attacks is trusting unvalidated input • Input from the user (network, file) is tainted • Various data is used, assuming it is untainted • Examples expecting untainted data • source string of strcpy ( ≤ target buffer size) • format string of printf (contains no format specifiers) • form field used in constructed SQL query (contains no SQL commands)

  20. Recall: Format String Attack • Adversary-controlled format string char *name = fgets(…, network_fd); printf(name); // Oops

  21. The problem, in types • Specify our requirement as a type qualifier int printf(untainted char *fmt, …); tainted char *fgets(…); • tainted = possibly controlled by attacker • untainted = must not be controlled by attacker tainted char *name = fgets(…,network_fd); printf(name); // FAIL : untainted <- tainted

  22. Analyzing taint flows • Goal : For all possible inputs, prove tainted data will never be used where untainted data is expected • untainted annotation: indicates a trusted sink • tainted annotation: an untrusted source • no annotation means: not specified (analysis must figure it out) • Solution requires inferring flows in the program • What sources can reach what sinks • If any flows are illegal , i.e., whether a tainted source may flow to an untainted sink • We will aim to develop a (mostly) sound analysis

  23. Legal Flow Illegal Flow void g(untainted int); void f(tainted int); tainted int b = …; untainted int a = …; g(b); f(a); f accepts tainted or untainted data g accepts only untainted data Define allowed flow as a untainted < tainted constraint: At each program step, test whether inputs ≤ policy (Read as: input less tainted (or equal) than policy

  24. Analysis Approach • If no qualifier is present, we must infer it • Steps: • Create a name for each missing qualifier (e.g., α , β ) • For each program statement, generate constraints • Statement x = y generates constraint q y ≤ q x • Solve the constraints to produce solutions for α , β , etc. • A solution is a substitution of qualifiers (like tainted or untainted ) for names (like α and β ) such that all of the constraints are legal flows • If there is no solution , we (may) have an illegal flow

  25. Example Analysis int printf(untainted char *fmt, …); tainted char *fgets(…); 1 α char *name = fgets(…, network_fd); 2 β char *x = name; printf(x); 3 Illegal flow! tainted ≤ α 1 α ≤ β 2 No possible solution for α and β β ≤ untainted 3 First constraint requires α = tainted To satisfy the second constraint implies β = tainted But then the third constraint is illegal: tainted ≤ untainted

  26. Taint Analysis: Adding Sensitivity

  27. But what about? int printf(untainted char *fmt, …); tainted char *fgets(…); → α char *name = fgets(…, network_fd); β char *x; x = name; x = “hello!”; printf(x); tainted ≤ α α ≤ β No constraint solution. Bug? untainted ≤ β False Alarm! β ≤ untainted

  28. Flow Sensitivity Our analysis is flow in sensitive • Each variable has one qualifier • Conflates the taintedness of all values it ever contains • Flow-sensitive analysis accounts for variables whose contents change • Allow each assigned use of a variable to have a different qualifier • • E.g., α 1 is x’s qualifier at line 1, but α 2 is the qualifier at line 2, where α 1 and α 2 can differ Could implement this by transforming the program to assign to a • variable at most once

  29. Reworked Example int printf(untainted char *fmt, …); tainted char *fgets(…); → α char *name = fgets(…, network_fd); γ β char *x 1 , *x 2 ; x 1 = name; x 2 = “%s”; printf(x 2 ); tainted ≤ α α ≤ β No Alarm untainted ≤ γ Good solution exists: γ ≤ untainted γ = untainted α = β = tainted

  30. Handling conditionals int printf(untainted char *fmt, …); tainted char *fgets(…); → α char *name = fgets(…, network_fd); β char *x; if (…) x = name; else x = “hello!”; printf(x); tainted ≤ α α ≤ β Constraints still unsolvable untainted ≤ β Illegal flow β ≤ untainted

  31. Multiple Conditionals int printf(untainted char *fmt, …); tainted char *fgets(…); void f(int x) { α char *y; → if (x) y = “hello!”; else y = fgets(…, network_fd); if (x) printf(y); } untainted ≤ α No solution for α . Bug? tainted ≤ α False Alarm! α ≤ untainted (and flow sensitivity won’t help)

  32. Path Sensitivity • Consider path feasibility . E.g., f(x) can execute path • 1 - 2 - 4 - 5 - 6 when x ≠ 0 , or void f(int x) { • 1 - 3 - 4 - 6 when x == 0 . But, char *y; 1 if (x) 2 y = “hello!”; • path 1 - 3 - 4 - 5 - 6 infeasible else 3 y = fgets(…); 4 if (x) 5 printf(y); 6 } • A path sensitive analysis checks feasibility, e.g., by qualifying each constraint with a path condition • x ≠ 0 ⟹ untainted ≤ α (segment 1-2) • x = 0 ⟹ tainted ≤ α (segment 1-3) • x ≠ 0 ⟹ α ≤ untainted (segment 4-5)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

NOO - } Oxygen singlet Ref: E.Rock-INRA France 2009 Energy OH Yellow Blue Red Green

NOO - } Oxygen singlet Ref: E.Rock-INRA France 2009 Energy OH Yellow Blue Red Green

Main class of anti-oxydant ( Polyphenols and catotenoids) of Indogenous fruits Stress antioxydant Polyphenols chemistry and poyphenols classes &amp; Aspects of analysis and main problems Carotenoids chemistry and carotenoids classes

454 views • 8 slides
Program Analysis with PREfast &amp; SAL Erik Poll Digital Security group Radboud University

Program Analysis with PREfast &amp; SAL Erik Poll Digital Security group Radboud University

Software Security Program Analysis with PREfast &amp; SAL Erik Poll Digital Security group Radboud University Nijmegen 1 Static analysis aka source code analysis Automated analysis at compile time to find potential bugs Broad range of

499 views • 36 slides
Program Analysis for Web Application Security Presented by Justin Samuel For UW CSE 504, Spring

Program Analysis for Web Application Security Presented by Justin Samuel For UW CSE 504, Spring

Program Analysis for Web Application Security Presented by Justin Samuel For UW CSE 504, Spring 10 Instructor: Ben Livshits Finding Security Vulnerabilities in Java Applications with Static Analysis V. Benjamin Livshits and Monica S. Lam

743 views • 34 slides
1 Electronic Pearl Harbor Is this just scare-mongering? Slammer worm took down Bank of

1 Electronic Pearl Harbor Is this just scare-mongering? Slammer worm took down Bank of

Website: http://www.richmond.edu/~dszajda/classes/cs334/ Fall_2008/main.html Fall 2008 Fall 2008 CS 334 Computer Security 1 Fall 2008 CS 334 Computer Security 2 Text: Security in Computing by Charles P. Thanks to Anthony Joseph, Doug and

278 views • 6 slides
Main Use Cases and Gap Analysis for Network Slicing draft-netslices-usecases-01

Main Use Cases and Gap Analysis for Network Slicing draft-netslices-usecases-01

July 14th, 2017 Part II: - What are my main use cases? Security Level: - What IETF work is in progress? Main Use Cases and Gap Analysis for Network Slicing draft-netslices-usecases-01 draft-qiang-netslices-gap-analysis-01 www.huawei.com

457 views • 14 slides
Beyond the Single main() Method } Many classes can be written using only one method: main(),

Beyond the Single main() Method } Many classes can be written using only one method: main(),

Beyond the Single main() Method } Many classes can be written using only one method: main(), containing all of the code } Many classes will have more than one method } Some classes we write wont have a main() method } Much code you have written

354 views • 4 slides
Main Use Cases and Gap Analysis for Network Slicing draft-netslices-usecases-01

Main Use Cases and Gap Analysis for Network Slicing draft-netslices-usecases-01

July 7 th , 2017 version Part II: - What are my main use cases? Security Level: - What IETF work is in progress? Main Use Cases and Gap Analysis for Network Slicing draft-netslices-usecases-01 draft-qiang-netslices-gap-analysis-01

197 views • 16 slides
Designing classes How to write classes in a way that they are easily understandable,

Designing classes How to write classes in a way that they are easily understandable,

Objects First With Java A Practical Introduction Using BlueJ Designing classes How to write classes in a way that they are easily understandable, maintainable, and reusable 2.0 Main concepts to be covered Responsibility-driven design

606 views • 27 slides
For Friday Finish Becker, chapter 7 Program 5 Any questions? Testing Classes Why

For Friday Finish Becker, chapter 7 Program 5 Any questions? Testing Classes Why

For Friday Finish Becker, chapter 7 Program 5 Any questions? Testing Classes Why test? Whats involved in testing? Why try to automate testing? Testing Is Important Write a main in each class that tests that classs

519 views • 17 slides
Further abstraction techniques Abstract classes and interfaces 2.0 Main concepts to be covered

Further abstraction techniques Abstract classes and interfaces 2.0 Main concepts to be covered

Objects First With Java A Practical Introduction Using BlueJ Further abstraction techniques Abstract classes and interfaces 2.0 Main concepts to be covered Abstract classes Interfaces Multiple inheritance Idea: Enhance class

616 views • 37 slides
A voluntary program aimed to enhance the security of the international supply chain The

A voluntary program aimed to enhance the security of the international supply chain The

A voluntary program aimed to enhance the security of the international supply chain The program is based on the main building blocks of the WCO SAFE Framework of Standards AEOs will benefit the facilitation in Israel's foreign trade

454 views • 16 slides
deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security

deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security

Software and Web Security deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security vulnerabilities esp in systems accessible via a network part 1 security problems in machine code, compiled from C(++)

1.35k views • 67 slides
CSE 501: Compiler Construction Course outline Main focus: program analysis and transformation

CSE 501: Compiler Construction Course outline Main focus: program analysis and transformation

CSE 501: Compiler Construction Course outline Main focus: program analysis and transformation Models of compilation how to represent programs? how to analyze programs? what to analyze? Standard transformations how to transform

503 views • 6 slides
LEE COUNTY LIFELONG LEARNING CLASSES PROGRAM OVERVIEW Classes offered Locations

LEE COUNTY LIFELONG LEARNING CLASSES PROGRAM OVERVIEW Classes offered Locations

LEE COUNTY LIFELONG LEARNING CLASSES PROGRAM OVERVIEW Classes offered Locations Number of students FINANCIALS Cost to student ($4 per hour plus fees) Minimum number of students required for class Our school district does

396 views • 20 slides
STATS 507 Data Analysis in Python Lecture 5: Files, Classes, Operators and Inheritance

STATS 507 Data Analysis in Python Lecture 5: Files, Classes, Operators and Inheritance

STATS 507 Data Analysis in Python Lecture 5: Files, Classes, Operators and Inheritance Persistent data So far, we only know how to write transient programs Data disappears once the program stops running Files allow for persistence Work

1.35k views • 69 slides
THE MAIN STREET PROGRAM OVERVIEW OF FOUR MAIN PRINCIPLES DUBLIN MARCH 3, 2020 heritageohio.org

THE MAIN STREET PROGRAM OVERVIEW OF FOUR MAIN PRINCIPLES DUBLIN MARCH 3, 2020 heritageohio.org

THE MAIN STREET PROGRAM OVERVIEW OF FOUR MAIN PRINCIPLES DUBLIN MARCH 3, 2020 heritageohio.org || Our Mission is to: Save the places that matter Build community Live better Revitalization Technical Assistance Ohio Main Street Program

1.27k views • 95 slides
Taint Tracking Oct 29, 2018 Prof. Raluca Ada Popa Slides adapted from Univ of Michigan 583 Fall

Taint Tracking Oct 29, 2018 Prof. Raluca Ada Popa Slides adapted from Univ of Michigan 583 Fall

CS 261: Systems Security Taint Tracking Oct 29, 2018 Prof. Raluca Ada Popa Slides adapted from Univ of Michigan 583 Fall 12 Announcements Exam next Wednesday Open book All lectures except for this one Presenter: Pasin No writer, but

533 views • 19 slides
Purposely Divine Review What youve learned: See yourself as a soul/vibration Shift

Purposely Divine Review What youve learned: See yourself as a soul/vibration Shift

Purposely Divine Review What youve learned: See yourself as a soul/vibration Shift in Perspective Understanding the meaning of Purpose Lotttts of homework to get to know your soul! Purposely Divine - Danielle Paige

555 views • 23 slides
How the Timed Automaton Lost its Tail (and Clocks) Oded Maler Joint work with Jean-Francois

How the Timed Automaton Lost its Tail (and Clocks) Oded Maler Joint work with Jean-Francois

How the Timed Automaton Lost its Tail (and Clocks) Oded Maler Joint work with Jean-Francois Kempf and Marius Bozga CNRS - VERIMAG Grenoble, France FORMATS Aalborg 2011 Returning to the Scene of the Crime I am happy to present this work

458 views • 41 slides
ProtoDUNE TPC data: TPC coherent noise ProtoDUNE data David Adams BNL July 24, 2019 Updated

ProtoDUNE TPC data: TPC coherent noise ProtoDUNE data David Adams BNL July 24, 2019 Updated

ProtoDUNE TPC data: TPC coherent noise ProtoDUNE data David Adams BNL July 24, 2019 Updated 11:10 EDT History I have been studying TPC pedestals and noise Current reco Pedestal evaluated for each events using pedestal fitter Removes

732 views • 61 slides
The Taint Leakage Model Ron Rivest Crypto in the

The Taint Leakage Model Ron Rivest Crypto in the

The Taint Leakage Model Ron Rivest Crypto in the Clouds Workshop, MIT Rump Session Talk August 4, 2009 Taint Common term in soDware

238 views • 9 slides
Taint Nobody Got Time for Crash Analysis Crash Analysis Triage Goals Execution Path What

Taint Nobody Got Time for Crash Analysis Crash Analysis Triage Goals Execution Path What

Taint Nobody Got Time for Crash Analysis Crash Analysis Triage Goals Execution Path What code paths were executed What parts of the execution interacted with external data Input Determination Which input bytes influence the crash

583 views • 45 slides
Building Hardware Systems for Information Flow Tracking Hari Kannan Computer Systems Laboratory

Building Hardware Systems for Information Flow Tracking Hari Kannan Computer Systems Laboratory

Building Hardware Systems for Information Flow Tracking Hari Kannan Computer Systems Laboratory Stanford University The Computer Security Crisis More systems are online, vulnerable Banking, Power, Water, Government

673 views • 56 slides
Dynamic Code Evaluation &amp; Taint Analysis Prof. Tom Austin San Jos State University

Dynamic Code Evaluation &amp; Taint Analysis Prof. Tom Austin San Jos State University

CS 152: Programming Language Paradigms Dynamic Code Evaluation &amp; Taint Analysis Prof. Tom Austin San Jos State University Parsing JSON (in-class) Review: additional Ruby eval methods instance_eval evaluates code within the body of an

689 views • 43 slides

More recommend