static analysis for memory safety
play

Static Analysis for Memory Safety Salvatore Guarnieri - PowerPoint PPT Presentation

Mar 02, 2023 •746 likes •1.33k views

Static Analysis for Memory Safety Salvatore Guarnieri sammyg@cs.washington.edu Papers A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities Using static analysis and integer range analysis to find buffer overflows

  1. Static Analysis for Memory Safety Salvatore Guarnieri sammyg@cs.washington.edu

  2. Papers • A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities – Using static analysis and integer range analysis to find buffer overflows • A Practical Flow-Sensitive and Context Sensitive C and C++ Memory Leak Detector – Identifying memory ownership with static analysis – Detecting double frees CSE 504 -- 2010-04-14 1

  3. A FIRST STEP TOWARDS AUTOMATED DETECTION OF BUFFER OVERRUN VULNERABILITIES CSE 504 -- 2010-04-14 2

  4. Problem char s[10]; strcpy(s, “Hello world!”); • “Hello world!” is 12 + 1 characters • s only holds 10 characters • How do we detect or prevent this buffer overflow? CSE 504 -- 2010-04-14 3

  5. “Modern” String Functions Don’t Fix the Problem • The strn*() calls behave dissimilarly • Inconsistency makes it harder for the programmer to remember how to use the “safe” primitives safely. • strncpy() may leave the target buffer unterminated. • strncat() and snprintf() always append a terminating ’ \ 0’ byte • strncpy() has performance implications: it zero-fills the target buffer • strncpy() and strncat() encourage off-by- one bugs (Null character) CSE 504 -- 2010-04-14 4

  6. CSE 504 -- 2010-04-14 5

  7. Insight • We care about when we write past the end of an array a[i] = ... Should be if (i < sizeof(a)) { a[i] = ... } else {error} CSE 504 -- 2010-04-14 6

  8. Basic Approach • Treat C strings as an abstract data type – Ignore everything but str* library functions • Model buffers as a pair integer ranges – l e n ( a ) is how far into the array the program accesses – a l l o c ( a ) is how large the array is • If len(a) > alloc(a) , there is a buffer overrun CSE 504 -- 2010-04-14 7

  9. char *array = malloc(10); array[1] = „h‟; array[9] = „ \ 0‟; strcpy(array, “0123456789012”); len(array) = alloc(array) = CSE 504 -- 2010-04-14 8

  10. char *array = malloc(10); array[1] = „h‟; array[9] = „ \ 0‟; strcpy(array, “0123456789012”); len(array) = 0 alloc(array) = 10 CSE 504 -- 2010-04-14 9

  11. char *array = malloc(10); array[1] = „h‟; array[9] = „ \ 0‟; strcpy(array, “0123456789012”); len(array) = 2 alloc(array) = 10 CSE 504 -- 2010-04-14 10

  12. char *array = malloc(10); array[1] = „h‟; array[9] = „ \ 0‟; strcpy(array, “0123456789012”); len(array) = 10 alloc(array) = 10 CSE 504 -- 2010-04-14 11

  13. char *array = malloc(10); array[1] = „h‟; len(dest) = len(src) array[9] = „ \ 0‟; strcpy(array, “0123456789012”); len(array) = 14 alloc(array) = 10 CSE 504 -- 2010-04-14 12

  14. char *array = malloc(10); array[1] = „h‟; len(dest) = len(src) array[9] = „ \ 0‟; strcpy(array, “0123456789012”); OVERRUN len(array) = 14 alloc(array) = 10 CSE 504 -- 2010-04-14 13

  15. It’s not that simple char *array = malloc(10); if (k == 7) { strcpy(array, “hello”); } else { free(array); array = malloc(3); strcpy(array, “world!”); } • What is len(array)? What is alloc(array)? CSE 504 -- 2010-04-14 14

  16. Use Ranges char *array = malloc(10); if (k == 7) { strcpy(array, “hello”); } else { free(array); array = malloc(3); strcpy(array, “world!”); } • len(array) = [5, 6], alloc(array) = [3,10] • 5>3 so we have a possible overrun CSE 504 -- 2010-04-14 15

  17. - - - - - MIN - MAX - len(a) b a - - - MIN - - - - MAX alloc(a) c d • If b <= c, no overrun • If a > d, definite overrun • Otherwise the ranges overlap and there may be an overrun CSE 504 -- 2010-04-14 16

  18. Implementation Overview CSE 504 -- 2010-04-14 17

  19. Constraint Generation s t r l e n ( s t r ) : : r e t u r n s l e n ( s ) – 1 L e n g t h o f t h e s t r i n g w i t h o u t i t s n u l l c h a r a c t e r s t r n c a t ( s , s u f f i x , n ) : : a d d s g i v e n c o n s t r a i n t l e n ( s ) – i n i t i a l l e n g t h o f s m i n ( l e n ( s u f f i x ) - 1 , n ) – m i n o f l e n g t h o f s u f f i x w i t h o u t n u l l o r m a x l e n g t h o f n p [ n ] = N U L L : : S e t s t h e n e w e f f e c t i v e l e n g t h o f p T h e m i n d o e s n ‟ t r e a l l y m a k e s e n s e h e r e CSE 504 -- 2010-04-14 18

  20. Constraints char *array = malloc(10); if (k == 7) { strcpy(array, “hello”); } else { free(array); array = malloc(3); strcpy(array, “world!”); } len = [5,6] alloc = [3,10] CSE 504 -- 2010-04-14 19

  21. Limitations • Double pointer – Doesn’t fit in with their method • Function pointers and union types – Ignored • Structs – All structs of same “type” are aliased – Struct members are treated as unique memory addresses • Flow Insensitive CSE 504 -- 2010-04-14 20

  22. Pointer Alias Limitations char s[20], *p, t[10]; strcpy(s, “Hello”); p = s + 5; strcpy(p, “ world!”); strcpy(t, s); • What is len(s)? CSE 504 -- 2010-04-14 21

  23. Evaluation • Run tool on programs from ~3kloc to ~35kloc • Does it find new bugs? • Does it find old bugs? • What is the false positive rate? • Are there any false negatives in practice? • How long does it take to execute on CPU? • How long does it take the user to use the tool? CSE 504 -- 2010-04-14 22

  24. Linux nettools • Total 3.5kloc with another 3.5kloc in a support library • Recently hand audited • Found several serious new buffer overruns • They don’t talk about the bugs that they find CSE 504 -- 2010-04-14 23

  25. Sendmail • ~35 kloc • Found several minor bugs in latest revision • Found many already discovered buffer overruns in an old version • 15 min to run for sendmail – A few minutes to parse – The rest for constraint generation – A few seconds to solve constraint system CSE 504 -- 2010-04-14 24

  26. Sendmail findings • An unchecked sprintf() from the results of a DNS lookup to a 200- byte stack-resident buffer; exploitable from remote hosts with long DNS records. (Fixed in sendmail 8.7.6.) • An unchecked strcpy() to a 64-byte buffer when parsing stdin; locally exploitable by “echo /canon aaaaa... | sendmail - bt”. (Fixed in 8.7.6) • An unchecked copy into a 512- byte buffer from stdin; try “echo /parse aaaaa... | sendmail - bt”. (Fixed in 8.8.6.) • An unchecked strcpy() to a (static) 514-byte buffer from a DNS lookup; possibly remotely exploitable with long DNS records, but the buffer doesn’t live on the stack, so the simplest attacks probably wouldn’t work. • Several places where the results of a NIS network query is blindly copied into a fixed-size buffer on the stack; probably remotely exploitable with long NIS records. (Fixed in 8.7.6 and 8.8.6.) CSE 504 -- 2010-04-14 25

  27. Human Experience • 15 minutes to run… • 44 warnings to investigate • 4 real bugs • Without tool you would have to investigate 695 potentially unsafe call sites CSE 504 -- 2010-04-14 26

  28. CSE 504 -- 2010-04-14 27

  29. Improvements Improved Analysis False alarms that would be removed Flow-sensitive 19/40 ( 47% ) Flow-sensitive with pointer analysis 25/40 ( 62% ) Flow and context sensitive with linear invariants 28/40 ( 70% ) Flow and context sensitive with linear invariants and 38/40 ( 95% ) pointer analysis CSE 504 -- 2010-04-14 28

  30. IDENTIFYING MEMORY OWNERSHIP -- CLOUSEAU CSE 504 -- 2010-04-14 29

  31. From overruns to memory errors • Memory Leaks – Bloat – Slow performance – Crashes • Dangling pointers/Double free – Crashes – Unexpected behavior – Exploits CSE 504 -- 2010-04-14 30

  32. Double Free CSE 504 -- 2010-04-14 31

  33. After Normal Free CSE 504 -- 2010-04-14 32

  34. After Double Free CSE 504 -- 2010-04-14 33

  35. Alloc same size chunk again and get same memory. Write 8 bytes CSE 504 -- 2010-04-14 34

  36. Motivating Example CSE 504 -- 2010-04-14 35

  37. Motivating Example CSE 504 -- 2010-04-14 36

  38. Motivating Example CSE 504 -- 2010-04-14 37

  39. Motivating Example CSE 504 -- 2010-04-14 38

  40. Ownership • Introduce ownership to identify who is allowed and responsible to free memory • PROPERTY 1. There exists one and only one owning pointer to every object allocated but not deleted. • PROPERTY 2. A delete operation can only be applied to an owning pointer. CSE 504 -- 2010-04-14 39

  41. Key Design Choices • Ownership is connected with the pointer variable, not the object • Ownership is tracked as 0 (non-owning) or 1 (owning) – Partially to make solving the linear inequality constraints easier • Rank warnings with heuristics to minimize impact of false positives CSE 504 -- 2010-04-14 40

  42. System Overview CSE 504 -- 2010-04-14 41

  43. Flow Sensitive Analysis u = n e w i n t ; / / u i s t h e o w n e r z = u ; d e l e t e z ; / / r i g h t b e f o r e t h i s l i n e z i s t h e o w n e r • Order of instructions matters • Analysis identifies line 2 as a possible ownership transfer point CSE 504 -- 2010-04-14 42

  44. Constraint Solving Problem u = n e w i n t ; / / u i s t h e o w n e r z = u ; d e l e t e z ; / / r i g h t b e f o r e t h i s l i n e z i s t h e o w n e r • Constructors indicate ownership • Deletion indicates desired/intended ownership • Generate all other constraints from assignments • Solve to identify owners CSE 504 -- 2010-04-14 43

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis of Programs with Dynamic Memory Mihaela Sighireanu IRIF, University Paris Diderot &amp; CNRS VTSA 2015 1 / 99 Static Analysis Establish

2.15k views • 186 slides
Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting insights at compile time Full branch coverage Terminates Doesnt rely on a test suite Types are static analysis. Lets talk about

784 views • 39 slides
Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ? Basic analysis ! Example : Flow analysis ! Increasing precision ! Context -, flow -, and path sensitivity Scaling it up !

527 views • 27 slides
EDA045F: Program Analysis LECTURE 8: DYNAMIC ANALYSIS 1 Christoph Reichenbach In the last

EDA045F: Program Analysis LECTURE 8: DYNAMIC ANALYSIS 1 Christoph Reichenbach In the last

EDA045F: Program Analysis LECTURE 8: DYNAMIC ANALYSIS 1 Christoph Reichenbach In the last lecture. . . More Points-to Analysis Memory Errors 2 / 44 Challenges to Static Analysis Static analysis is far from solved Very active

574 views • 42 slides
static vs automatic storage classes Three types of memory allocations static storage class

static vs automatic storage classes Three types of memory allocations static storage class

static vs automatic storage classes Three types of memory allocations static storage class means variable persists through static allocation: for globals and any static the life of the program variables in functions automatic storage

569 views • 9 slides
1 Analysis Information Where Do Facts Hold? How much information depends on the client

1 Analysis Information Where Do Facts Hold? How much information depends on the client

711? CS711 Advanced Programming Languages Topics in Program Analysis Radu Rugina Fall 2005 CS711 Overview 2 Program Analysis Static vs. Dynamic Static analysis: inspect programs at compile-time Static analysis: Work done at

282 views • 4 slides
Decoupling Lock-Free Data Structures from Memory Reclamation for Static Analysis [POPL'19]

Decoupling Lock-Free Data Structures from Memory Reclamation for Static Analysis [POPL'19]

Decoupling Lock-Free Data Structures from Memory Reclamation for Static Analysis [POPL'19] Roland Meyer and Sebastian Wol ff TU Braunschweig, Germany Lock-free Queue (Michael&amp;Scott) void dequeue() { Head a while (true) { head =

838 views • 46 slides
A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical

A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical

A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical problem and how to ignore it An example static analysis What is static analysis used for? Commercial successes Free static analysis tools you should

488 views • 37 slides
Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis of Programs with Dynamic Memory Mihaela Sighireanu IRIF, University Paris Diderot &amp; CNRS VTSA 2015 1 / 149 Outline Introduction 1 Formal

861 views • 68 slides
Automatic Memory Management Storage Allocation Static Allocation Bind names at compile

Automatic Memory Management Storage Allocation Static Allocation Bind names at compile

Automatic Memory Management Storage Allocation Static Allocation Bind names at compile time Pros: Fast (no run time allocation, no indirection) Safety : memory requirements known in advance Cons: Sizes must be

417 views • 14 slides
Static Analysis Static Analysis they are read? Will the current value of a variable ever be

Static Analysis Static Analysis they are read? Will the current value of a variable ever be

Interesting Questions Interesting Questions Is every statement reachable? Does every non- void method return a value? Compilation 2007 Compilation 2007 Will local variables definitely be assigned before Static Analysis Static

169 views • 13 slides
Static Transformation for Heap Layout Using Memory Access Patterns Jinseong Jeon Computer

Static Transformation for Heap Layout Using Memory Access Patterns Jinseong Jeon Computer

Static Transformation for Heap Layout Using Memory Access Patterns Jinseong Jeon Computer Science, KAIST Static Transformation computing user compiler machine + static transformation Compilers can transform program memory layout.

745 views • 33 slides
Static and dynamic verification Software inspections Concerned with analysis of the static

Static and dynamic verification Software inspections Concerned with analysis of the static

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis Software

430 views • 12 slides
Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

I NTELLI D ROID A Targeted Input Generator for the Dynamic Analysis of Android Malware Michelle Y. Wong and David Lie University of Toronto Department of Electrical and Computer Engineering NDSS Symposium 2016 ! ! ! B ACKGROUND Static vs.

1.02k views • 32 slides
Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that

Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that

Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that Martin Steffen IfI UiO Spring 2014 Plan approx. 15 lectures, details see web-page flexible time-schedule, depending on progress/interest

2.15k views • 194 slides
CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu February 1, 2017 Static Analysis Static Analysis is the process of documenting your observations about what identifying characteristics a

575 views • 8 slides
Detection of topological phase transitions through entropy measurements Valeriy Gusynin

Detection of topological phase transitions through entropy measurements Valeriy Gusynin

Detection of topological phase transitions through entropy measurements Valeriy Gusynin Bogolyubov Institute for Theoretical Physics, Kyiv, Ukraine of the National Academy of Sciences of Ukraine Conference on Modern Concepts and New Materials

277 views • 25 slides
On linear cellular automata (with special focus on rule 90) Silvio Capobianco Institute of

On linear cellular automata (with special focus on rule 90) Silvio Capobianco Institute of

On linear cellular automata (with special focus on rule 90) Silvio Capobianco Institute of Cybernetics at TUT September 25, 2014 Revision: September 25, 2014 S. Capobianco (IoC-TUT) Linear CA (esp. rule 90) September 25, 2014 1 / 25

498 views • 25 slides
Metric and differentiable structures with Ricci lower bounds Luigi Ambrosio Scuola Normale

Metric and differentiable structures with Ricci lower bounds Luigi Ambrosio Scuola Normale

Metric and differentiable structures with Ricci lower bounds Luigi Ambrosio Scuola Normale Superiore, Pisa luigi.ambrosio@sns.it http://cvgmt.sns.it Luigi Ambrosio (SNS) Ricci lower bounds Bristol, March 2016 1 / 26 Introduction In the

1.22k views • 110 slides
The arrow of time and quantum physics: difficulties and resolutions Detlev Buchholz Quantum

The arrow of time and quantum physics: difficulties and resolutions Detlev Buchholz Quantum

The arrow of time and quantum physics: difficulties and resolutions Detlev Buchholz Quantum physics meets mathematics Syposium on the occasion of Klaus Fredenhagen s 70th birthday Universitt Hamburg, December 8th 2017 1 / 24 Arrow of time

494 views • 24 slides
Development of Advanced Monolithic Pixel Detector May 11, 2017 TYL-FJPPL@Strasbourg Yasuo Arai

Development of Advanced Monolithic Pixel Detector May 11, 2017 TYL-FJPPL@Strasbourg Yasuo Arai

New Proposal D_RD_16 Development of Advanced Monolithic Pixel Detector May 11, 2017 TYL-FJPPL@Strasbourg Yasuo Arai KEK INPS yasuo.arai@kek.jp 1 Collaboration Members Name Title Lab./Organis. Marc Winter* Researcher IPHC/IN2P3

636 views • 16 slides
Practical aspects of medical application of FFAG (in case of PAMELA) Takeichiro Yokoi (JAI,

Practical aspects of medical application of FFAG (in case of PAMELA) Takeichiro Yokoi (JAI,

Practical aspects of medical application of FFAG (in case of PAMELA) Takeichiro Yokoi (JAI, Oxford University, UK) Medical aspect of PAMELA, 29 Oct 2010 @ FFAG10 T.Yokoi Introduction PAMELA is a design study of particle therapy facility

566 views • 19 slides
Chapter 6: Surface Integrals Roberto S. Costas-Santos May 2013 http://rscosan.com/docencia.html

Chapter 6: Surface Integrals Roberto S. Costas-Santos May 2013 http://rscosan.com/docencia.html

Parameterized Surfaces Chapter 6: Surface Integrals Roberto S. Costas-Santos May 2013 http://rscosan.com/docencia.html Chapter 6: Surface Integrals Parameterized Surfaces Outline Parameterized Surfaces 1 The Basics The tangent and normal

1.08k views • 12 slides
Surfaces, surface area and surface integrals Our main objective here is the construction of surface

Surfaces, surface area and surface integrals Our main objective here is the construction of surface

Surfaces, surface area and surface integrals Our main objective here is the construction of surface integrals . Surface integrals are essential for stating in completely general terms the basic laws of electromagnetism. Also, the theorems of

472 views • 43 slides

More recommend