using smt solver in detection of buffer overflow bugs
play

Using SMT Solver in Detection of Buffer Overflow Bugs Milena Vujo - PowerPoint PPT Presentation

Jul 04, 2023 •162 likes •453 views

Using SMT Solver in Detection of Buffer Overflow Bugs Milena Vujo sevi cJani ci c Faculty of Mathematics, University of Belgrade Studentski trg 16, Belgrade, Serbia www.matf.bg.ac.yu/~milena Second Workshop on Formal and

  1. Using SMT Solver in Detection of Buffer Overflow Bugs Milena Vujoˇ sevi´ c–Janiˇ ci´ c Faculty of Mathematics, University of Belgrade Studentski trg 16, Belgrade, Serbia www.matf.bg.ac.yu/~milena Second Workshop on Formal and Automated Theorem Proving and Applications Belgrade, Serbia, January 30-31, 2009.

  2. Context • SAT and SMT solvers have many applications in software and hardware verification tasks. • One application of SMT solvers in detection of buffer over- flows will be presented. • This work was a main part of my MSc thesis (advisor: prof. Duˇ san Toˇ si´ c). • The work was presented at 3rd International Conference on Software and Data Technologies (ICSOFT, Porto, 2008). 1

  3. Roadmap • Buffer Overflows • Proposed Approach • The FADO Tool • Conclusions and Future Work 2

  4. Roadmap • Buffer Overflows • Proposed Approach • The FADO Tool • Conclusions and Future Work 3

  5. Buffer Overflows • A buffer overflow (or buffer overrun ) is a programming flaw which enables storing more data in a data storage area (i.e. buf- fer) than it was intended to hold. • Buffer overflows are the most frequent and the most critical flaws in programs written in C. • Buffer overflows are suitable targets for security attacks and source of serious programs’ misbehavior. Buffer overflows account for around 50% of all software vulnerabilities. • The problem of automated detection of buffer overflows has attracted a lot of attention over the last ten years. 4

  6. Buffer Overflows — Static Analysis Tools • Lexical analysis (ITS4 (2000), RATS (2001), Flawfinder (2001)) • Semantical analysis – BOON (Univ. of California, Berkeley, USA, 2000) – Splint (Univ. of Virginia, USA, 2001) – CSSV (Univ. of Tel-Aviv, Israel, 2003) – ARCHER (Stanford University, USA, 2003) – UNO (Bell Laboratories, 2001) – Caduceus (Univ. Paris-Sud, Orsay, France, 2007) – Polyspace C Verifier, AsTree, Parfait, Coverty, CodeSonar 5

  7. Roadmap • Buffer Overflows • Proposed Approach • The FADO Tool • Conclusions and Future Work 6

  8. Proposed Approach • The proposed approach belongs to the group of static anal- ysis methods based on semantical analysis of source code. • The goal is to make a system with a flexible architecture that enables easily changing of components of the system and simple communication with different external systems. • Correctness conditions are expressed in terms of first order logic and checked by an SMT solver for linear arithmetic. • Due to the nature of the pointer arithmetic, the theory of linear arithmetic is suitable for this purpose. 7

  9. C source code ↓ Parser and intermediate code generator – parsing – intermediate code generating Intermediate code Code transformer ↓ – eliminating multiple declarations – reducing all loops to do-while loops – eliminating all compound conditions – etc. Transformed code Database and conditions generator ↓ – unifying with a matching record in the database – generating conditions for individual commands – updating states for sequences of commands – evaluating ground expressions Hoare triples Generator and optimizer for correctness ↓ and incorrectness conjectures – resolving preconditions and postconditions of functions – eliminating irrelevant conjuncts – abstraction Conjectures SMT solver for LA ↓ – processing input formulae in smt-lib format – returning results Status of commands Results ↓ – providing explanations for status of the commands 8

  10. C source code ↓ Parser and intermediate code generator – parsing – intermediate code generating Intermediate code Code transformer ↓ – eliminating multiple declarations – reducing all loops to do-while loops – eliminating all compound conditions – etc. Transformed code Database and conditions generator ↓ – unifying with a matching record in the database – generating conditions for individual commands – updating states for sequences of commands – evaluating ground expressions Hoare triples Generator and optimizer for correctness ↓ and incorrectness conjectures – resolving preconditions and postconditions of functions – eliminating irrelevant conjuncts – abstraction Conjectures SMT solver for LA ↓ – processing input formulae in smt-lib format – returning results Status of commands Results ↓ – providing explanations for status of the commands 9

  11. C source code ↓ Parser and intermediate code generator – parsing – intermediate code generating Intermediate code Code transformer ↓ – eliminating multiple declarations – reducing all loops to do-while loops – eliminating all compound conditions – etc. Transformed code Database and conditions generator ↓ – unifying with a matching record in the database – generating conditions for individual commands – updating states for sequences of commands – evaluating ground expressions Hoare triples Generator and optimizer for correctness ↓ and incorrectness conjectures – resolving preconditions and postconditions of functions – eliminating irrelevant conjuncts – abstraction Conjectures SMT solver for LA ↓ – processing input formulae in smt-lib format – returning results Status of commands Results ↓ – providing explanations for status of the commands 10

  12. C source code ↓ Parser and intermediate code generator – parsing – intermediate code generating Intermediate code Code transformer ↓ – eliminating multiple declarations – reducing all loops to do-while loops – eliminating all compound conditions – etc. Transformed code Database and conditions generator ↓ – unifying with a matching record in the database – generating conditions for individual commands – updating states for sequences of commands – evaluating ground expressions Hoare triples Generator and optimizer for correctness ↓ and incorrectness conjectures – resolving preconditions and postconditions of functions – eliminating irrelevant conjuncts – abstraction Conjectures SMT solver for LA ↓ – processing input formulae in smt-lib format – returning results Status of commands Results ↓ – providing explanations for status of the commands 11

  13. Proposed Approach — Database of Conditions • The database of conditions is used for generating correctness conditions for individual commands. • The database stores triples (precondition, command, post- condition) . The semantics of a database entry ( φ, E, ψ ) is: – in order E to be safe, the condition φ must hold; – in order E to be flawed, the condition ¬ φ must hold; – after E , the condition ψ holds. • The database is external and open, the user can add or re- move entries. Initially, it stores reasoning rules about opera- tors and functions from the standard C library. 12

  14. Proposed Approach — Modelling Semantics of Programs • For defining correctness conditions we use meta-level func- tions: – value , returns a value of a given variable; – size , returns a number of elements allocated for a buffer; – used , relevant only for string buffers, returns a number of elements used by the given buffer (including ’\0’ ). • These functions have an additional argument called state or timestamp, which provides basis for flow-sensitive analysis and a form of pointer analysis. 13

  15. Proposed Approach — Generating Correctness Conditions • Examples of database entries: precondition command postcondition – size ( x, 1) = value ( N, 0) char x[N] – value ( x, 1) = value ( y, 0) x = y • For an individual command C , if there is a database entry ( φ, E, ψ ) such that there is a substitution σ such that C = Eσ , then precond ( C ) = φσ and postcond ( C ) = ψσ . • States are updated in order to take into account the wider context of the command. For example: code postcondition — int a,b; value ( a, 1) = value (1 , 0) a = 1; value ( b, 1) = value (2 , 0) b = 2; value ( a, 2) = value ( b, 1) a = b; 14

  16. Proposed Approach — Generating Correctness Conditions • Ground expressions are evaluated (for example, value (10 , 0) evaluates to 10). • Postcondition for an if command are constructed as follows: precondition command postcondition – if(p) – { p precond ( C 1) postcond ( C 1) C1; precond ( C 2) postcond ( C 2) C2; ... ...; – ( p ∧ postcond ( C 1) ∧ postcond ( C 2) ... ) } ∨ ( ¬ p ∧ update states ) • Currently, loops are processed in a limited manner — only the first iteration is considered. 15

  17. C source code ↓ Parser and intermediate code generator – parsing – intermediate code generating Intermediate code Code transformer ↓ – eliminating multiple declarations – reducing all loops to do-while loops – eliminating all compound conditions – etc. Transformed code Database and conditions generator ↓ – unifying with a matching record in the database – generating conditions for individual commands – updating states for sequences of commands – evaluating ground expressions Hoare triples Generator and optimizer for correctness ↓ and incorrectness conjectures – resolving preconditions and postconditions of functions – eliminating irrelevant conjuncts – abstraction Conjectures SMT solver for LA ↓ – processing input formulae in smt-lib format – returning results Status of commands Results ↓ – providing explanations for status of the commands 16

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Chapter 10 Buffer Overflow Buffer Overflow Common attack mechanism first wide use by

Chapter 10 Buffer Overflow Buffer Overflow Common attack mechanism first wide use by

Chapter 10 Buffer Overflow Buffer Overflow Common attack mechanism first wide use by the Morris Worm in 1988 Prevention techniques known NX bit, stack canaries, ASLR Still of major concern Recent examples:

354 views • 21 slides
Buffer Overflows with Content 2 A Process Stack Buffer Overflow Common Techniques employed

Buffer Overflows with Content 2 A Process Stack Buffer Overflow Common Techniques employed

1 Buffer Overflows with Content 2 A Process Stack Buffer Overflow Common Techniques employed in buffer overflow exploits to create backdoors Execution of additional network services via the INETD daemon The addition of new users

497 views • 30 slides
Buffer Overflow CS461/ECE422 Spring 2012 Reading Material

Buffer Overflow CS461/ECE422 Spring 2012 Reading Material

Buffer Overflow CS461/ECE422 Spring 2012 Reading Material Based on Chapter 11 of the text Outline Buffer Overflow Stack Buffer Overflow Shell

783 views • 28 slides
History of the Stack Overflow Buffer Overflow Understood

History of the Stack Overflow Buffer Overflow Understood

History of the Stack Overflow Buffer Overflow Understood as early as 1972 Computer Security Technology Planning Study Morris Worm First

1.07k views • 42 slides
CS241 Computer Organization Spring 2015 Buffer Overflow 4-022015 Outline Linking

CS241 Computer Organization Spring 2015 Buffer Overflow 4-022015 Outline Linking

CS241 Computer Organization Spring 2015 Buffer Overflow 4-022015 Outline Linking & Loading, continued Buffer Overflow Read: CSAPP2: section 3.12: out-of-bounds memory references & buffer overflow K&R:

775 views • 43 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow

Last time We finished up By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow defenses (and workarounds) Format string vulnerabilities Integer overflow vulnerabilities This time

1.29k views • 80 slides
IT 4500 : Information Security Secure Programming Dr Joe Francom Buffer Overflow What it is? A

IT 4500 : Information Security Secure Programming Dr Joe Francom Buffer Overflow What it is? A

IT 4500 : Information Security Secure Programming Dr Joe Francom Buffer Overflow What it is? A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold.

221 views • 3 slides
Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a

Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a

Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a very common attack mechanism from 1988 Morris Worm to Code Red, Slammer, Sasser and many others prevention techniques known still of major concern

873 views • 53 slides
Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow

Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow

Last time We continued By launching our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow fundamentals This time We will finish up By looking at Buffer Overflow overflows

1.33k views • 103 slides
Defect Detection Thomas Zimmermann The First Bug September 9, 1947 More Bugs More Bugs More

Defect Detection Thomas Zimmermann The First Bug September 9, 1947 More Bugs More Bugs More

Defect Detection Thomas Zimmermann The First Bug September 9, 1947 More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs Facts on Debugging Software bugs are

840 views • 63 slides
Buffer Overflow EXAMPLE CASE STUDY WALKTHROUGH PADRAIGNIX 12/09/2019 Agenda ELF file format

Buffer Overflow EXAMPLE CASE STUDY WALKTHROUGH PADRAIGNIX 12/09/2019 Agenda ELF file format

Buffer Overflow EXAMPLE CASE STUDY WALKTHROUGH PADRAIGNIX 12/09/2019 Agenda ELF file format layout Buffer Overflow theory Example code Initial Investigation / Assembly Registers Tooling Fuzzing Shellcode /

700 views • 16 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Finish overflow

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Finish overflow

Last time We continued By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Finish overflow attacks & other vulnerabilities Overflow defenses Everything youve always wanted to know about

2.41k views • 197 slides
VOTD: Buffer Overflow Engineering Secure Software Last Revised: August 17, 2020 SWEN-331:

VOTD: Buffer Overflow Engineering Secure Software Last Revised: August 17, 2020 SWEN-331:

VOTD: Buffer Overflow Engineering Secure Software Last Revised: August 17, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 What is Buffer Overflow? Writing data outside of the intended buffer (memory space) SWEN-331:

298 views • 6 slides
More Vulnerabilities (buffer overreads, format string, integer overflow, heap overflows) Chester

More Vulnerabilities (buffer overreads, format string, integer overflow, heap overflows) Chester

More Vulnerabilities (buffer overreads, format string, integer overflow, heap overflows) Chester Rebeiro Indian Institute of Technology Madras Buffer Overreads 2 Buffer Overread Example 3 Buffer Overread Example len read from command line

906 views • 76 slides
Delta Pointers: Buffer Overflow Checks Without the Checks Tadde us Kroes & Koen Koning

Delta Pointers: Buffer Overflow Checks Without the Checks Tadde us Kroes & Koen Koning

Delta Pointers: Buffer Overflow Checks Without the Checks Tadde us Kroes & Koen Koning Erik van der Kouwe Herbert Bos Cristiano Giuffrida June 19, 2018 Preview buffer[10] secret 2 Preview buffer[10] secret buffer[5] 2 Preview

934 views • 74 slides
Software Vulnerability I Presenter: Yinzhi Cao Lehigh University Overview Buffer Overflow

Software Vulnerability I Presenter: Yinzhi Cao Lehigh University Overview Buffer Overflow

CSE350/450 Lehigh University Fall 2016 Software Vulnerability I Presenter: Yinzhi Cao Lehigh University Overview Buffer Overflow Shellcode Heap Overflow Format Strings Return-oriented Programming Metasploit 101 Anatomy of the Stack

1.83k views • 124 slides
arXiv:math/0509489v2 [math.AP] 21 Nov 2006 PERTURBATIONS JEAN-MARC BOUCLET AND NIKOLAY TZVETKOV

arXiv:math/0509489v2 [math.AP] 21 Nov 2006 PERTURBATIONS JEAN-MARC BOUCLET AND NIKOLAY TZVETKOV

STRICHARTZ ESTIMATES FOR LONG RANGE arXiv:math/0509489v2 [math.AP] 21 Nov 2006 PERTURBATIONS JEAN-MARC BOUCLET AND NIKOLAY TZVETKOV Abstract. We study local in time Strichartz estimates for the Schr odinger equa- tion associated to long

798 views • 41 slides
Big corporations: Friend, enemy or partner of the vegan movement? Renato Pichler,

Big corporations: Friend, enemy or partner of the vegan movement? Renato Pichler,

The economy: Our enemy? Big corporations: Friend, enemy or partner of the vegan movement? Renato Pichler, Swissveg-President Kurt Schmidinger, Founder Future Food Talk on Nov. 2017 for CARE in Vienna 1 Who we are Renato Pichler

541 views • 15 slides
Genode Components Performance Penalty And Challenges FOSDEM Micro-kernel Devroom, 04/02/17

Genode Components Performance Penalty And Challenges FOSDEM Micro-kernel Devroom, 04/02/17

Dual Execution and Comparison For Genode Components Performance Penalty And Challenges FOSDEM Micro-kernel Devroom, 04/02/17 Parfait T okponnon Marc Lobelle mahoukpego.tokponnon@uclouvain.be marc.lobelle@uclouvain.be Outline 2

406 views • 29 slides
MINCS - The Container in the Shell (script) - Masami Hiramatsu

MINCS - The Container in the Shell (script) - Masami Hiramatsu

MINCS - The Container in the Shell (script) - Masami Hiramatsu <masami.hiramatsu@linaro.org> Tech Lead, Linaro Ltd. Open Source Summit Japan 2017 LEADING COLLABORATION IN THE ARM ECOSYSTEM Who am I... Masami Hiramatsu - Linux

911 views • 48 slides
Logic, language and the brain Michiel van Lambalgen Cognitive Science Center Amsterdam

Logic, language and the brain Michiel van Lambalgen Cognitive Science Center Amsterdam

Logic, language and the brain Michiel van Lambalgen Cognitive Science Center Amsterdam http://staff.science.uva.nl/michiell Aim and program aim: explain the use of computational logic in cognitive science the domain is language

472 views • 32 slides
CSE 331 Design Patterns 2: Prototype, Factory slides created by Marty Stepp based on materials

CSE 331 Design Patterns 2: Prototype, Factory slides created by Marty Stepp based on materials

CSE 331 Design Patterns 2: Prototype, Factory slides created by Marty Stepp based on materials by M. Ernst, S. Reges, D. Notkin, R. Mercer http://www.cs.washington.edu/331/ 1 Pattern: Prototype An object that serves as a basis for creation

717 views • 25 slides
(Abstract) neural representations of spaces and concepts Neil Burgess Institute of Cognitive

(Abstract) neural representations of spaces and concepts Neil Burgess Institute of Cognitive

UCL NEUROSCIENCE (Abstract) neural representations of spaces and concepts Neil Burgess Institute of Cognitive Neuroscience University College London SWC PhD program, October 2019 Abstract neural representations 1) Frames of reference for

897 views • 53 slides
Object Recognition Mark van Rossum School of Informatics, University of Edinburgh January 15,

Object Recognition Mark van Rossum School of Informatics, University of Edinburgh January 15,

Object Recognition Mark van Rossum School of Informatics, University of Edinburgh January 15, 2018 0 Based on slides by Chris Williams. Version: January 15, 2018 1 / 27 Overview Neurobiology of Vision Computational Object Recognition:

403 views • 26 slides

More recommend