static analysis
play

Static Analysis Trent Jaeger Systems and Internet Infrastructure - PowerPoint PPT Presentation

Sep 18, 2023 •366 likes •885 views

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Static Analysis Trent Jaeger Systems and Internet Infrastructure

  1. Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Static Analysis Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University September 12, 2011 Systems and Internet Infrastructure Security (SIIS) Laboratory Page 1

  2. Outline • Static Analysis Goals • Static Analysis Concepts • Abstract Interpretation • Interprocedural Dataflow Analysis Systems and Internet Infrastructure Security (SIIS) Laboratory Page 2

  3. Our Goal • In this course, we want to develop techniques to detect vulnerabilities and fix them automatically • What’s a vulnerability? • How to fix them? • Today we will start to develop some of the techniques that we will use Systems and Internet Infrastructure Security (SIIS) Laboratory Page 3

  4. Vulnerability • How do you define computer ‘vulnerability’? Flaw ‣ Accessible to adversary ‣ Adversary has ability to exploit ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 4

  5. Vulnerability • How do you define computer ‘vulnerability’? Flaw – Can we find flaws in source code? ‣ Accessible to adversary – Can we find what is accessible? ‣ Adversary has ability to exploit – Can we find how to exploit? ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 5

  6. Anatomy of Control Flow Attacks • Two steps • First, the attacker changes the control flow of the program In buffer overflow, overwrite the return ‣ address on the stack What are the ways that this can be done? ‣ • Second, the attacker uses this change to run code of their choice In buffer overflow, inject code on stack ‣ What are the ways that this can be done? ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 6

  7. Anatomy of Control Flow Attacks • Two steps • First, the attacker changes the control flow of the program In buffer overflow, overwrite the return ‣ address on the stack How can an adversary change control? ‣ • Second, the attacker uses this change to run code of their choice In buffer overflow, inject code on stack ‣ How can we prevent this? ROP conclusions ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 7

  8. Static Analysis • Explore all possible executions of a program All possible inputs ‣ All possible states ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 8

  9. A Form of Testing • Static analysis is an alternative to runtime testing • Runtime Select concrete inputs ‣ Obtain a sequence of states given those inputs ‣ Apply many concrete inputs (i.e., run many tests) ‣ • Static Select abstract inputs with common properties ‣ Obtain sets of states created by executing abstract inputs ‣ One run ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 9

  10. Static Analysis • Provides an approximation of behavior • “Run in the aggregate” Rather than executing on ordinary states ‣ Finite-sized descriptors representing a collection of states ‣ • “Run in non-standard way” Run in fragments ‣ Stitch them together to cover all paths ‣ • Runtime testing is inherently incomplete, but static analysis can cover all paths Systems and Internet Infrastructure Security (SIIS) Laboratory Page 10

  11. Static Analysis • Provides an approximation of behavior • “Run in the aggregate” Rather than executing on ordinary states ‣ Finite-sized descriptors representing a collection of states ‣ • “Run in non-standard way” Run in fragments ‣ Stitch them together to cover all paths ‣ • Runtime testing is inherently incomplete, but static analysis can cover all paths Systems and Internet Infrastructure Security (SIIS) Laboratory Page 11

  12. Static Analysis Example • Descriptors represent the sign of a value Positive, negative, zero, unknown ‣ • For instruction, c = a * b If a has a descriptor pos ‣ And b has a descriptor neg ‣ • What is the descriptor for c after that instruction? • How might this help? Systems and Internet Infrastructure Security (SIIS) Laboratory Page 12

  13. Descriptors • Choose a set of descriptors that Abstracts away details to make analysis tractable ‣ Preserves enough information that key properties hold ‣ Can determine interesting results • • Using sign as a descriptor Abstracts away specific integer values (billions to four) ‣ Guarantees when a*b = 0 it will be zero in all executions ‣ • Choosing descriptors is one key step in static analysis Systems and Internet Infrastructure Security (SIIS) Laboratory Page 13

  14. Precision • Abstraction loses some precision • Enables run in aggregate, but may result in executions that are not possible in the program (a <= b) when both are pos ‣ If b is equal to a at that point, then false branch is never ‣ possible in concrete executions • Results in false positives Systems and Internet Infrastructure Security (SIIS) Laboratory Page 14

  15. Soundness • The use of descriptors “over-approximates” a program’s possible executions • Abstraction must include all possible legal values May include some values that are not actually possible ‣ • The run-in-aggregate must preserve such abstractions Thus, must propagate values that are not really possible ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 15

  16. Implications of Soundness • Enables proof that a class of vulnerabilities are completely absent No false negatives in a sound analysis ‣ • Comes at a price Ensuring soundness can be complex, expensive, cautious ‣ • Thus, unsound analyses have gained in popularity Find bugs quickly and simply ‣ Such analyses have both false positives and false negatives ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 16

  17. What Is Static Analysis? • Abstract Interpretation Execute the system on a simpler data domain ‣ Descriptors of the abstract domain • Rather than the concrete domain ‣ • Elements in an abstract domain represent sets of concrete states Execution mimics all concrete states at once ‣ • Abstract domain provides an over-approximation of the concrete domain Systems and Internet Infrastructure Security (SIIS) Laboratory Page 17

  18. Abstract Domain Example • Use interval as abstract domain b = [40, 41] ‣ • a = 2*b a = [x, y]? ‣ • What are the possible concrete values represented? Which concrete states are possible? ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 18

  19. Joins • A join combines states from multiple paths Approximates set-union as either path is possible ‣ • Use Interval as abstract domain a = [36, 39], b = [40, 41] ‣ • If (a >= 38) a=2*b; /* join */ a = [x, y], b=[40, 41] – what are x and y? ‣ • What’s the impact of over-approximation? Systems and Internet Infrastructure Security (SIIS) Laboratory Page 19

  20. Impact of Abstract Domain • The choice of abstract domain must preserve the over-approximation to be sound (no false negatives) • Integer arithmetic vs 2’s-complement arithmetic • a = [126, 127], b = [10, 12] What is c = a+b in an 32-bit machine? ‣ What is c = a+b in an 8-bit machine? ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 20

  21. Successive Approximation • The abstract execution of a system can often be cast as a problem of solving a set of equations by means of successive approximation. • If constructed correctly, the execution of the system in the abstract domain over-approximates the semantics of the original system Any behavior not exhibited by the abstract domain cannot ‣ be exhibited during concrete system execution. Systems and Internet Infrastructure Security (SIIS) Laboratory Page 21

  22. Abstract Interpretation • Patrick Cousot Class slides/notes from MIT ‣ http://web.mit.edu/afs/athena.mit.edu/course/16/16.399/www/ ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 22

  23. Abstract Interpretation • Patrick Cousot Class slides/notes from MIT ‣ http://web.mit.edu/afs/athena.mit.edu/course/16/16.399/www/ ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 23

  24. Abstract Interpretation Systems and Internet Infrastructure Security (SIIS) Laboratory Page 24

  25. Abstract Interpretation Systems and Internet Infrastructure Security (SIIS) Laboratory Page 25

  26. Abstract Interpretation Systems and Internet Infrastructure Security (SIIS) Laboratory Page 26

  27. Abstract Interpretation Systems and Internet Infrastructure Security (SIIS) Laboratory Page 27

  28. Abstract Interpretation Systems and Internet Infrastructure Security (SIIS) Laboratory Page 28

  29. Abstract Interpretation Systems and Internet Infrastructure Security (SIIS) Laboratory Page 29

  30. Abstract Interpretation Systems and Internet Infrastructure Security (SIIS) Laboratory Page 30

  31. Abstract Interpretation Systems and Internet Infrastructure Security (SIIS) Laboratory Page 31

  32. Abstract Interpretation Systems and Internet Infrastructure Security (SIIS) Laboratory Page 32

  33. Abstract Interpretation Systems and Internet Infrastructure Security (SIIS) Laboratory Page 33

  34. Abstract Interpretation Systems and Internet Infrastructure Security (SIIS) Laboratory Page 34

  35. Abstract Interpretation Systems and Internet Infrastructure Security (SIIS) Laboratory Page 35

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting insights at compile time Full branch coverage Terminates Doesnt rely on a test suite Types are static analysis. Lets talk about

784 views • 39 slides
Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ? Basic analysis ! Example : Flow analysis ! Increasing precision ! Context -, flow -, and path sensitivity Scaling it up !

527 views • 27 slides
1 Analysis Information Where Do Facts Hold? How much information depends on the client

1 Analysis Information Where Do Facts Hold? How much information depends on the client

711? CS711 Advanced Programming Languages Topics in Program Analysis Radu Rugina Fall 2005 CS711 Overview 2 Program Analysis Static vs. Dynamic Static analysis: inspect programs at compile-time Static analysis: Work done at

282 views • 4 slides
A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical

A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical

A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical problem and how to ignore it An example static analysis What is static analysis used for? Commercial successes Free static analysis tools you should

488 views • 37 slides
Static Analysis Static Analysis they are read? Will the current value of a variable ever be

Static Analysis Static Analysis they are read? Will the current value of a variable ever be

Interesting Questions Interesting Questions Is every statement reachable? Does every non- void method return a value? Compilation 2007 Compilation 2007 Will local variables definitely be assigned before Static Analysis Static

169 views • 13 slides
Static and dynamic verification Software inspections Concerned with analysis of the static

Static and dynamic verification Software inspections Concerned with analysis of the static

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis Software

430 views • 12 slides
Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

I NTELLI D ROID A Targeted Input Generator for the Dynamic Analysis of Android Malware Michelle Y. Wong and David Lie University of Toronto Department of Electrical and Computer Engineering NDSS Symposium 2016 ! ! ! B ACKGROUND Static vs.

1.02k views • 32 slides
Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that

Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that

Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that Martin Steffen IfI UiO Spring 2014 Plan approx. 15 lectures, details see web-page flexible time-schedule, depending on progress/interest

2.15k views • 194 slides
CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu February 1, 2017 Static Analysis Static Analysis is the process of documenting your observations about what identifying characteristics a

575 views • 8 slides
Static and dynamic verification Software inspections Concerned with analysis of the

Static and dynamic verification Software inspections Concerned with analysis of the

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis

310 views • 12 slides
Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all

Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all

Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Plan approx. 15 lectures, details see web-page flexible time-schedule, depending on

938 views • 69 slides
Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis of Programs with Dynamic Memory Mihaela Sighireanu IRIF, University Paris Diderot &amp; CNRS VTSA 2015 1 / 99 Static Analysis Establish

2.15k views • 186 slides
Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile

Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile

Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile philip@tecnocode.co.uk July 30, 2017 MANCHESTER What is static analysis? Compile-time testing of all possible code paths. Whats Coverity static analysis

236 views • 12 slides
Outline t t Why static analysis? t t What is it? Underlying technology t Some

Outline t t Why static analysis? t t What is it? Underlying technology t Some

2005-05-04 Static Analysis methods and tools An industrial study t Pr Emanuelsson Ericsson AB and LiU Prof Ulf Nilsson LiU t itle Outline t t Why static analysis? t t What is it? Underlying technology t Some tools

438 views • 19 slides
Static execution-time analysis CPU speed model Bounds on Static (Sub)program code exec time

Static execution-time analysis CPU speed model Bounds on Static (Sub)program code exec time

Tid rum Static Execution Time Analysis Niklas Holsti Space Systems Finland Ltd (now) Tidorum Ltd(to be) Overview Area of interest Current state Work in progress What to do next 1 bo Akademi, ES lab, 2003-10-03 Tid rum

466 views • 12 slides
Static Analysis with Demand-Driven Value Refinement Benno Stein, Benjamin Barslev Nielsen,

Static Analysis with Demand-Driven Value Refinement Benno Stein, Benjamin Barslev Nielsen,

Static Analysis with Demand-Driven Value Refinement Benno Stein, Benjamin Barslev Nielsen, Bor-Yuh Evan Chang &amp; Anders Mller Sound static analysis for JavaScript Static analysis for JavaScript is very challenging o[m]() 2 /17

605 views • 36 slides
05/01/2019 Dr William Sterling Site of Temple of Artemis www.williamsterling.co.uk 1 2 Dr

05/01/2019 Dr William Sterling Site of Temple of Artemis www.williamsterling.co.uk 1 2 Dr

05/01/2019 Dr William Sterling Site of Temple of Artemis www.williamsterling.co.uk 1 2 Dr William Sterling Dr William Sterling Model of Temple of Artemis Miniaturk Istanbul Model of Temple of Artemis Miniaturk Istanbul

497 views • 18 slides
D ISTRACTION O STEOGENESIS Shelby Marks, Kijeon Choi, Taylor Tebano, Stanley Gelin, and Sarah

D ISTRACTION O STEOGENESIS Shelby Marks, Kijeon Choi, Taylor Tebano, Stanley Gelin, and Sarah

D ISTRACTION O STEOGENESIS Shelby Marks, Kijeon Choi, Taylor Tebano, Stanley Gelin, and Sarah Bradner L EARNING O BJECTIVES To understand the advancement of bone elongation techniques that lead to modern day practice. Be able to

781 views • 62 slides
Interlinking source text collections a Norwegian example Christian-Emil Ore Charter by king

Interlinking source text collections a Norwegian example Christian-Emil Ore Charter by king

Interlinking source text collections a Norwegian example Christian-Emil Ore Charter by king Hkon Hkonsson 1225 Collection 1 more recent transcripts Collection 1 more recent transcripts Transcripts from manuscripts

394 views • 23 slides
600,000 In t e r n a l S le e v e F ib e r g la s s S h e ll E le c t r o n ic s H o u s in g

600,000 In t e r n a l S le e v e F ib e r g la s s S h e ll E le c t r o n ic s H o u s in g

600,000 In t e r n a l S le e v e F ib e r g la s s S h e ll E le c t r o n ic s H o u s in g In t e r n a l S le e v e F ib e r g la s s S h e ll E le c t r o n ic s H o u s in g C o n n e c t o r &amp; t u b e f itt in g s 1 6 h r s

925 views • 47 slides
Joints muscles contract. Some joints are fixed while Joints in the body (wrist, shoulder,

Joints muscles contract. Some joints are fixed while Joints in the body (wrist, shoulder,

The place where two bones meet is called a joint. Your joints allow your body to move when your Joints muscles contract. Some joints are fixed while Joints in the body (wrist, shoulder, others move. thigh) can be compared with

40 views • 3 slides
Image gradients and edges Thurs Sept 3 Prof. Kristen Grauman UT-Austin Last time Various

Image gradients and edges Thurs Sept 3 Prof. Kristen Grauman UT-Austin Last time Various

9/2/2015 Image gradients and edges Thurs Sept 3 Prof. Kristen Grauman UT-Austin Last time Various models for image noise Linear filters and convolution useful for Image smoothing, remov ing noise Box filter Gaussian

259 views • 24 slides
CS 188: Artificial Intelligence HMMs, Particle Filters, and Applications Instructors: Dan Klein

CS 188: Artificial Intelligence HMMs, Particle Filters, and Applications Instructors: Dan Klein

CS 188: Artificial Intelligence HMMs, Particle Filters, and Applications Instructors: Dan Klein and Pieter Abbeel University of California, Berkeley [These slides were created by Dan Klein and Pieter Abbeel for CS188 Intro to AI at UC Berkeley.

560 views • 33 slides
Object Detection with Discriminatively Trained Part Based Models Pedro F . Felzenszwalb, Ross B.

Object Detection with Discriminatively Trained Part Based Models Pedro F . Felzenszwalb, Ross B.

Object Detection with Discriminatively Trained Part Based Models Pedro F . Felzenszwalb, Ross B. Girshick, David McAllester and Deva Ramanan Presented by Amy Bearman and Amani Peddada Roadmap 1. Introduction 2. Related Work 3. Model Overview

906 views • 59 slides

More recommend