static analysis basics ii
play

Static Analysis Basics II Trent Jaeger Systems and Internet - PowerPoint PPT Presentation

Apr 07, 2024 •248 likes •742 views

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Static Analysis Basics II Trent Jaeger Systems and Internet

  1. Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Static Analysis Basics II Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University September 19, 2011 Systems and Internet Infrastructure Security (SIIS) Laboratory Page 1

  2. Outline • More background Pushdown Systems ‣ Boolean Programs ‣ Enable more refined dataflow analysis ‣ • Metacompilation • Control Flow and Data Flow Integrity Systems and Internet Infrastructure Security (SIIS) Laboratory Page 2

  3. Pushdown Systems • To encode ICFGs What are ICFGs? ‣ Why are they necessary for dataflow analysis? ‣ What is the major challenge in using ICFGs in ‣ dataflow? Other challenges? ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 3

  4. Pushdown Systems • Consists of A finite set of states ‣ A finite set of stack symbols ‣ A finite set of rules ‣ Which define a transition relation • Systems and Internet Infrastructure Security (SIIS) Laboratory Page 4

  5. Modeling Control Flow • One state • Each ICFG node is a stack symbol • Each ICFG edge is represented by a rule (p, e main )  (p, n 1 ) ‣ (p, n 3 )  (p, e f n 4 ) ‣ (p, n 12 )  (p, x f ) ‣ (p, x f )  (p, epsilon) ‣ • PDSs with a single control location are called context-free processes Systems and Internet Infrastructure Security (SIIS) Laboratory Page 5

  6. Pushdown Systems • A configuration is a pair (node, stack) Where we are currently and why ‣ Pre and post-configurations are important ‣ Backward and forward reachability over the transition relation • Systems and Internet Infrastructure Security (SIIS) Laboratory Page 6

  7. Find All Reachable Configurations • Start with a set of configurations Can be used for assertion checking statically (Phil) ‣ • Number of configurations in a pushdown system is unbounded – use finite automata to describe regular sets of configurations • Why? Symbolic Reachability Analysis of Higher-Order ‣ Context-Free Processes – Bouajjani and Meyer http://igm.univ-mlv.fr/~ameyer/binaires/fsttcs04.pdf ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 7

  8. Find All Reachable Configurations • Represent sets of configurations as • P-automaton (FSA) States (superset of PDS states) ‣ Stack symbols ‣ Transition relation ‣ Start and final states ‣ • What is it missing from the PDS representation? Systems and Internet Infrastructure Security (SIIS) Laboratory Page 8

  9. Find All Reachable Configurations • Compute post*(C) and pre*(C) • Take a P-automaton that accepts a set of configurations C Produces an automaton that accepts the pre and post ‣ configurations • Saturation procedures Add transitions to A until no more can be satisfied ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 9

  10. Find All Reachable Configurations • Prestar If (p, v)  (p’, w) and p’  w q in A ‣ v in Stack, w in Stack* • Then add transition (p, v, q) ‣ • Why does this enable finding the backward reachable state for a configuration? Efficient algorithms for modeling pushdown systems, ‣ Esparza et al (ref 107) Systems and Internet Infrastructure Security (SIIS) Laboratory Page 10

  11. Find All Reachable Configurations Systems and Internet Infrastructure Security (SIIS) Laboratory Page 11

  12. Find All Reachable Configurations • Poststar Phase 1: For each (p’, v’) s.t. P contains at least one rule (p, ‣ v)  (p’, v’, v’’) , add new state p’ v’ Phase II: ‣ If (p, v)  (p’, epsilon) in rules p  v q , then (p’, epsilon, q) • If (p, v)  (p’, v’) in rules p  v q , then (p’, v’, q) • If (p, v)  (p’, v’v’’) in rules p  v q , then (p’, v’, pv’) and (p’ v’ , v’’, q) • • Figure 2.7 Systems and Internet Infrastructure Security (SIIS) Laboratory Page 12

  13. Find All Reachable Configurations • Fig 2.7 • Phase 1: Add states (p, n 3 )  (p, e f n 4 ) results in P ef ‣ (p, n 7 ) also – but same state ‣ • Phase 2: Add transitions (p, x f )  (p, epsilon)  (p, epsilon, p ef ) and (p, epsilon, q) ‣ (p, n 8 )  (p, n 9 )  (p, n 9 , q) ‣ (p, n 3 )  (p, e f n 4 ) and p  q ,  (p, e f , p ef ) and (p, n 4 , q) ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 13

  14. Boolean Programs • Program that only uses boolean data types and fixed-length vectors of booleans Finite set of globals and local variables ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 14

  15. Boolean Programs • Let G be the valuations of globals • Val i be the valuations of the locals in procedure i • L is local states Program counter ‣ Val i ‣ Stack ‣ • Assignment statement is binary relation that states how the values G and Val i (variables in scope) may change Systems and Internet Infrastructure Security (SIIS) Laboratory Page 15

  16. Encode Boolean Program in PDS • Why? • Changes Use P to encode globals ‣ Use stack alphabet to encode local vars ‣ • Model ( N i is control nodes in i th procedure) ‣ P is set to G ‣ Stack symbols are union of N i X Val i ‣ Rules for assignments, calls, returns ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 16

  17. Vulnerability • How do you define computer ‘vulnerability’? Flaw ‣ Accessible to adversary ‣ Adversary has ability to exploit ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 17

  18. Vulnerability • How do you define computer ‘vulnerability’? Flaw – Can we find flaws in source code? ‣ Accessible to adversary – Can we find what is accessible? ‣ Adversary has ability to exploit – Can we find how to exploit? ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 18

  19. Bugs • Known incorrect functions Dereference after free ‣ Double free ‣ • Often have known patterns Can we express and check ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 19

  20. Metacompilation A System and Language for Building System-Specific, Static Analyses Seth Hallem, Benjamin Chelf, Yichen Xie, and Dawson Engler Stanford University Systems and Internet Infrastructure Security (SIIS) Laboratory Page 20

  21. Metacompilation Overview • Goal: find as many bugs as possible – Allow users of our system to write the analyses • Implementation: tool with two parts – Metal - the language for writing analyses – xgcc - the engine for executing analyses • System design goals – Metal must be easy to use and flexible • we have written over 50 checkers, found 1000+ bugs in Linux, OpenBSD and still counting – xgcc must execute Metal extensions efficiently – xgcc must not restrict Metal extensions too much Systems and Internet Infrastructure Security (SIIS) Laboratory Page 21

  22. Metacompilation Overview • The goal of our research is to find as many bugs in real systems as possible • Insight: many rules are system-specific. – The number of rules that apply to all programs is very small; violations of these generic rules are hard to find. • E.g. memory errors, race conditions, etc. • Programmers know the rules their code obeys • A system that allows programmers to specify these rules will find lots of bugs Systems and Internet Infrastructure Security (SIIS) Laboratory Page 22

  23. Metacompilation int contrived_caller (int *w, int x, int *p) { kfree (p); contrived (p, w, x); return *w; // deref after free 3 } int contrived (int *p, int *w, int x) { int *q; if (x) { kfree (w); q = p; p = 0; } if (!x) return *w; // safe 1 return *q; // deref after free 2 } Systems and Internet Infrastructure Security (SIIS) Laboratory Page 23

  24. Metacompilation System Overview Metal Source base extension (e.g. Linux) source code free.m gcc Metal compiler AST for each file (mcc) Emitter binary representation Emit dynamic library directory (free.so) emitted binaries xgcc deref-after-free, double-free errors Systems and Internet Infrastructure Security (SIIS) Laboratory Page 24

  25. Metacompilation Analysis Overview: if (!x) branch contrived (p, w, x) contrived_caller (w, x, p) { p is freed} { } int *q; { p is freed} if (x) kfree (p); // don’t follow { p is freed} kfree (w); q = p; { p is freed} call contrived (p, w, x); p = 0; if (!x) { p is freed} return from contrived; 1 { p is freed} return *w; { p is freed} { p is freed} return *w; return *q; { p is freed} { p is freed} exit from contrived_caller exit from contrived Systems and Internet Infrastructure Security (SIIS) Laboratory Page 25

  26. Metacompilation Analysis Overview: if (x) branch contrived (p, w, x) contrived_caller (w, x, p) { p is freed} { } int *q; { p is freed} if (x) { p is freed} kfree (p); // don’t follow { p is freed} kfree (w); q = p; call contrived (p, w, x); p = 0; { q and w if (!x) are freed} return from contrived; { q and w { w is freed} return *w; are freed} 3 { w is freed} return *w; 2 return *q; { } { w is freed} exit from contrived_caller exit from contrived Systems and Internet Infrastructure Security (SIIS) Laboratory Page 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting insights at compile time Full branch coverage Terminates Doesnt rely on a test suite Types are static analysis. Lets talk about

784 views • 39 slides
Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ? Basic analysis ! Example : Flow analysis ! Increasing precision ! Context -, flow -, and path sensitivity Scaling it up !

527 views • 27 slides
1 Analysis Information Where Do Facts Hold? How much information depends on the client

1 Analysis Information Where Do Facts Hold? How much information depends on the client

711? CS711 Advanced Programming Languages Topics in Program Analysis Radu Rugina Fall 2005 CS711 Overview 2 Program Analysis Static vs. Dynamic Static analysis: inspect programs at compile-time Static analysis: Work done at

282 views • 4 slides
A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical

A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical

A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical problem and how to ignore it An example static analysis What is static analysis used for? Commercial successes Free static analysis tools you should

488 views • 37 slides
Static Analysis Static Analysis they are read? Will the current value of a variable ever be

Static Analysis Static Analysis they are read? Will the current value of a variable ever be

Interesting Questions Interesting Questions Is every statement reachable? Does every non- void method return a value? Compilation 2007 Compilation 2007 Will local variables definitely be assigned before Static Analysis Static

169 views • 13 slides
Static and dynamic verification Software inspections Concerned with analysis of the static

Static and dynamic verification Software inspections Concerned with analysis of the static

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis Software

430 views • 12 slides
Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

I NTELLI D ROID A Targeted Input Generator for the Dynamic Analysis of Android Malware Michelle Y. Wong and David Lie University of Toronto Department of Electrical and Computer Engineering NDSS Symposium 2016 ! ! ! B ACKGROUND Static vs.

1.02k views • 32 slides
Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that

Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that

Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that Martin Steffen IfI UiO Spring 2014 Plan approx. 15 lectures, details see web-page flexible time-schedule, depending on progress/interest

2.15k views • 194 slides
CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu February 1, 2017 Static Analysis Static Analysis is the process of documenting your observations about what identifying characteristics a

575 views • 8 slides
Static and dynamic verification Software inspections Concerned with analysis of the

Static and dynamic verification Software inspections Concerned with analysis of the

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis

310 views • 12 slides
Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all

Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all

Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Plan approx. 15 lectures, details see web-page flexible time-schedule, depending on

938 views • 69 slides
Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis of Programs with Dynamic Memory Mihaela Sighireanu IRIF, University Paris Diderot & CNRS VTSA 2015 1 / 99 Static Analysis Establish

2.15k views • 186 slides
Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile

Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile

Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile philip@tecnocode.co.uk July 30, 2017 MANCHESTER What is static analysis? Compile-time testing of all possible code paths. Whats Coverity static analysis

236 views • 12 slides
Outline t t Why static analysis? t t What is it? Underlying technology t Some

Outline t t Why static analysis? t t What is it? Underlying technology t Some

2005-05-04 Static Analysis methods and tools An industrial study t Pr Emanuelsson Ericsson AB and LiU Prof Ulf Nilsson LiU t itle Outline t t Why static analysis? t t What is it? Underlying technology t Some tools

438 views • 19 slides
Oil Oil Anal Analysis ysis Basics Basics Pr Presenta esentatio tion: n: How oil analysis

Oil Oil Anal Analysis ysis Basics Basics Pr Presenta esentatio tion: n: How oil analysis

Oil Oil Anal Analysis ysis Basics Basics Pr Presenta esentatio tion: n: How oil analysis reports will show Wear metals, Oil, Water & Fuel patterns or information improved engine maintenance & performance or product comparison.

377 views • 20 slides
Static execution-time analysis CPU speed model Bounds on Static (Sub)program code exec time

Static execution-time analysis CPU speed model Bounds on Static (Sub)program code exec time

Tid rum Static Execution Time Analysis Niklas Holsti Space Systems Finland Ltd (now) Tidorum Ltd(to be) Overview Area of interest Current state Work in progress What to do next 1 bo Akademi, ES lab, 2003-10-03 Tid rum

466 views • 12 slides
many others LLVM Developers Meeting, San Jose, October 2017 spcl.inf.ethz.ch @spcl_eth

many others LLVM Developers Meeting, San Jose, October 2017 spcl.inf.ethz.ch @spcl_eth

spcl.inf.ethz.ch @spcl_eth Scalable, Robust, and Regression - Free Loop Optimizations for Scientific Fortran and Modern C++ Michael Kruse, Tobias Grosser Albert Cohen, Sven Verdoolaege, Oleksandre Zinenko Polly Labs, ENS Paris Johannes

1.03k views • 80 slides
CSE 484 / CSE M 584 Computer Security: Buffer Overflows

CSE 484 / CSE M 584 Computer Security: Buffer Overflows

CSE 484 / CSE M 584 Computer Security: Buffer Overflows II TA: Viktor Farkas vfarkas@cs Original slides by Franzi Lab 1 Deadline Reminders Lab

373 views • 11 slides
A technical introduction to Bitcoin and crypto-currencies Organised by Steven Gordon Room RS410

A technical introduction to Bitcoin and crypto-currencies Organised by Steven Gordon Room RS410

Free Technology Workshop A technical introduction to Bitcoin and crypto-currencies Organised by Steven Gordon Room RS410 9am - 12noon Friday 4 July 2014 http://ict.siit.tu.ac.th/moodle/ Sources bitcoin.org bitcoin.it coindesk.com

653 views • 16 slides
File Systems: Fundamentals 1 Files What is a file? A named collection of related information

File Systems: Fundamentals 1 Files What is a file? A named collection of related information

File Systems: Fundamentals 1 Files What is a file? A named collection of related information recorded on secondary storage (e.g., disks) File attributes Name, type, location, size, protection, creator, creation time, last- modified-time,

487 views • 29 slides
12th International Satisfiability Modulo Theories Competition SMT-COMP 2017 Matthias Heizmann

12th International Satisfiability Modulo Theories Competition SMT-COMP 2017 Matthias Heizmann

12th International Satisfiability Modulo Theories Competition SMT-COMP 2017 Matthias Heizmann (co-organizer) Giles Reger (co-organizer) Tjark Weber (chair) Outline Main changes over last competition Benchmarks with unknown

565 views • 45 slides
Sources 1/2 Model 634 Deuterium source (side on, MgF2 window, 30 W) for vacuum ultraviolet

Sources 1/2 Model 634 Deuterium source (side on, MgF2 window, 30 W) for vacuum ultraviolet

Sources 1/2 Model 634 Deuterium source (side on, MgF2 window, 30 W) for vacuum ultraviolet and UV range 115 to 300nm Sources 2/2 Model 621 universal chimney-type lamp housing with forced air cooling, safety interlock, 150 W Xenon Arc

688 views • 21 slides
A tale of two schedulers Noah Evans, Richard Barrett, Stephen Olivier, George Stelle

A tale of two schedulers Noah Evans, Richard Barrett, Stephen Olivier, George Stelle

A tale of two schedulers Noah Evans, Richard Barrett, Stephen Olivier, George Stelle nevans@sandia.gov 6/26/17 Sandia National Laboratories is a multi-program laboratory managed and operated by Sandia Corporation, a wholly owned subsidiary of

478 views • 24 slides
Your First MongoDB Environment: What You Should Know Before Choosing MongoDB as Your Database Me

Your First MongoDB Environment: What You Should Know Before Choosing MongoDB as Your Database Me

Your First MongoDB Environment: What You Should Know Before Choosing MongoDB as Your Database Me - @adamotonete Adamo Tonete Senior Technical Engineer Brazil Agenda What is MongoDB? The good side of MongoDB with details.

715 views • 26 slides

More recommend