using static checking to find security vulnerabilities in
play

Using Static Checking To Find Security Vulnerabilities In The Linux - PowerPoint PPT Presentation

Sep 11, 2023 •184 likes •659 views

Using Static Checking To Find Security Vulnerabilities In The Linux Kernel Linuxcon Europe 2016 Vaishali Thakkar (vaishali.thakkar@oracle.com) 1 Self Introduction Linux Kernel developer at Oracle Working in kernel security engineering group

  1. Using Static Checking To Find Security Vulnerabilities In The Linux Kernel Linuxcon Europe 2016 Vaishali Thakkar (vaishali.thakkar@oracle.com) 1

  2. Self Introduction Linux Kernel developer at Oracle Working in kernel security engineering group and memory management Interested in many different subsystems of the Linux Kernel 2

  3. Agenda Overview of security issues in the Linux Kernel Static checking Static checking tools Automated checking Bonus 3

  4. Cause of the kernel bugs Data: Jan, 2014 to August, 2016 [cvedetails.com] 4

  5. Language-specific security issues Buffer overflow [stack and heap based] Use a�er free and double free Null pointer dereference and invalid pointer dereference String issues Incorrect/missing bound check, array overflow, out-of-bound errors etc Others Integer signedness, buffer over read, deadlock, array index value error etc 5

  6. General security issues Race conditions Memory corruption and memory consumption Divide by zero and off by one Integer overflow Information leak 6

  7. Linux kernel specific security issues Incorrect/missing initialization of data structure Calling sleeping functions under invalid context Missing permission check Uninitialized data Others Infinite looping, improper fault handling, copy pasted code, etc 7

  8. Static code checking 8

  9. Static code analysis Usually performed as part of a code review and is carried out at the implementation phase of a security development lifecycle (SDL). Performed without actually executing programs. Benefits: Find bugs early, cheaper to fix the bugs when they are caught at the early stage of so�ware development Things to care about: False positives 9

  10. Why static checkers? Example one: diff ­­git a/security/keys/key.c b/security/keys/key.c index bd5a272..346fbf2 100644 ­­­ a/security/keys/key.c +++ b/security/keys/key.c @@ ­597,7 +597,7 @@ int key_reject_and_link(struct key *key, mutex_unlock(&key_construction_mutex); ­ if (keyring) + if (keyring && link_ret == 0) __key_link_end(keyring, &key­>index_key, edit); /* wake up anyone waiting for a key to be constructed */ Commit 38327424b40bce by Dan Carpenter, reported by Smatch. Fixes CVE-2016-4470 10

  11. Why static checkers? Example one: int key_reject_and_link(...) ... if (keyring) { if (keyring­>restrict_link) return ­EPERM; link_ret = __key_link_begin(keyring, &key­>index_key, &edit); } ... if (keyring && link_ret == 0) __key_link_end(keyring, &key­>index_key, edit); Missing check? Potential uninitialized variable? What is so special about this? 11

  12. Why static checkers? Example one: security/keys/keyring.c int __key_link_begin(..., ... , struct assoc_array_edit **_edit) ... { struct assoc_array_edit *edit; ... edit = assoc_array_insert(&keyring­>keys, &keyring_assoc_array_ops, index_key, NULL); ... if (!edit­>dead_leaf) { ret = key_payload_reserve(keyring, keyring­>datalen + KEYQUOTA_LINK_BYTES); if (ret < 0) goto error_cancel; ... error_cancel: assoc_array_cancel_edit(edit); Failure of __key_link_begin = uninitialization of 'edit' = system crash by local users 12

  13. Failure of __key_link_begin = uninitialization of 'edit' = system crash by local users Why static checkers? Example two: ­­­ a/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/dm.c +++ b/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/dm.c @@ ­1790,6 +1790,7 @@void rtl88e_dm_watchdog(...) if (ppsc­>p2p_ps_info.p2p_ps_mode) fw_ps_awake = false; + spin_lock(&rtlpriv­>locks.rf_ps_lock); if ((ppsc­>rfpwr_state == ERFON) && ((!fw_current_inpsmode) && fw_ps_awake) && (!ppsc­>rfchange_inprogress)) { @@ ­1802,4 +1803,5 @@void rtl88e_dm_watchdog(...) rtl88e_dm_check_edca_turbo(hw); rtl88e_dm_antenna_diversity(hw); } + spin_unlock(&rtlpriv­>locks.rf_ps_lock); } Commit 204e2ab22e1e2d0 by Larry Finger, reported by LDV tools 13

  14. Why static checkers? Example two: drivers/net/wireless/rtlwifi/rtl8188ee/hw.c bool rtl88ee_gpio_radio_on_off_checking(...) { ... spin_lock(&rtlpriv­>locks.rf_ps_lock); if (ppsc­>rfchange_inprogress) { spin_unlock(&rtlpriv­>locks.rf_ps_lock); return false; } else { Potential race condition 14

  15. Why static checkers? Example two: drivers/net/wireless/rtlwifi/rtl8188ee/hw.c bool rtl88ee_gpio_radio_on_off_checking(...) { ... spin_lock(&rtlpriv­>locks.rf_ps_lock); if (ppsc­>rfchange_inprogress) { spin_unlock(&rtlpriv­>locks.rf_ps_lock); return false; } else { Similar code was present in 5 other files 15

  16. Static checking tools 16

  17. scripts/checkpatch.pl Written by Andy Whitcro�, Joe Perches Checks for basic coding style issues and sometimes for incorrect API usuage Warns about a few errors that can trigger security bugs: Misuse of memsets, check for lockdep_set_novalidate_class, Prefixing 0x with decimal output, using weak declarations which can have unintended link defects Good to run it for new submissions 17

  18. scripts/checkpatch.pl Example output: scripts/checkpatch.pl --file --terse <path_to_directory> drivers/staging/media/bcm2048/radio­bcm2048.c:307: ERROR: Use 4 digit octal (0777) not decimal permissions drivers/staging/media/bcm2048/radio­bcm2048.c:1539: CHECK: Avoid crashing the kernel ­ try using WARN_ON & recovery code rather than BUG() or BUG_ON() drivers/staging/media/bcm2048/radio­bcm2048.c:1997: ERROR: Macros with complex values should be enclosed in parentheses drivers/staging/media/bcm2048/radio­bcm2048.c:2025: WARNING: Prefer 'unsigned int' to bare use of 'unsigned' drivers/staging/media/bcm2048/radio­bcm2048.c:2543: WARNING: struct v4l2_ioctl_ops should normally be const 18

  19. Sparse Written by Linus Torvalds, later maintained by Josh Triplett, Chris Li Provides a set of annotations designed to convey semantic information about types. For example, what address space pointers point to or what locks a function acquires or releases. More than 6000 patches accepted so far. Documentation: https://kernelnewbies.org/Sparse 19

  20. Sparse Can find the following security or related bugs: Warns about casts that add an address space to a pointer type and truncate const values Warns about unsupported operations or type mismatches with restricted integer types. Warns about any non-static variable or function definition that has no previous declaration. Warns about the use of 0 as a NULL pointer. 20

  21. Sparse Example output: make C=2 <path_to_directory> drivers/staging/wlan­ng/p80211conv.c:132:25: warning: cast to restricted __be16 drivers/staging/wlan­ng/p80211conv.c:154:38: warning: incorrect type in assignment (different base types) drivers/staging/wlan­ng/p80211conv.c:154:38: expected unsigned short [unsigned] [usertype] type drivers/staging/wlan­ng/p80211conv.c:154:38: got restricted __be16 [usertype] <noident> drivers/staging/wlan­ng/prism2fw.c:251:15: warning: memset with byte count of 120000 drivers/staging/lustre/lnet/selftest/rpc.c:764:9: warning: context imbalance in 'srpc_shutdown_service' ­ different lock contexts for basic block 21

  22. Smatch Written by Dan Carpenter More than 3000 bugs fixed by Smatch, mostly by Dan Uses sparse as a C parser Documentation: https://blogs.oracle.com/linuxkernel/entry/smatch_static_analysis_tool_overview 22

  23. Smatch Can find the following security or related bugs: Null pointer dereference, error pointer dereference, buffer overflow etc Off by one bugs Locking related bugs - Double locks/unlocks, missing unlock etc Unintialized variable/data and signedness related bugs Use a�er free, double free etc Information leak Unnecessary null check and missing null check 23

  24. Smatch Example output: <path_to_smatch>/smatch_scripts/kchecker --spammy ./ drivers/staging/xgifb/vb_setmode.c:3581 XGI_SetGroup2() warn: mask and shift to zero drivers/staging/xgifb/vb_setmode.c:5334 XGI_EnableBridge() warn: we tested 'pVBInfo­>VBInfo & 256' before and it was 'true' drivers/staging/vt6656/rf.c:876 vnt_rf_table_download() error: memcpy() 'addr1' too small (3 vs 48) drivers/staging/rts5208/ms.c:2736 ms_build_l2p_tbl() error: buffer overflow 'ms_start_idx' 17 <= s32max drivers/staging/rts5208/ms.c:2594 ms_build_l2p_tbl() error: we previously assumed 'ms_card­>segment' could be null(see line 2586) drivers/staging/rts5208/sd.c:4115 ext_sd_send_cmd_get_rsp() warn: masked condition '(*ptr + 3 & 30) != 3' is always true. 24

  25. Coccinelle Written by Julia Lawall Pattern matching and transformation tool Can warn you about bugs [report mode] or suggest a fix for the bugs [patch mode] More than 4000 patches fixed by Coccinelle Documentation: http://coccinelle.lip6.fr/ 25

  26. Coccinelle Some of the fault types found by Coccinelle 26

  27. Coccinelle Can find the following security or related bugs: Null pointer dereference Use a�er free Locking related bugs - Double locks/unlocks, missing unlock etc Use of sleeping functions or GFP_KERNEL flag under the lock Use a�er free, double free etc Protecting function pointers in data structures 27

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Extended Static Checking Extended Static Checking Greg Nelson MJ 6 James B. Saxe MJ 6

Extended Static Checking Extended Static Checking Greg Nelson MJ 6 James B. Saxe MJ 6

Authors Authors Author Defn. Num.* K. Rustan M. Leino MJS 13 Extended Static Checking Extended Static Checking Greg Nelson MJ 6 James B. Saxe MJ 6 Wolfram Schulte S 3 David Detlefs M 2 Raymie Stata J 2 Mike Barnett S 2

239 views • 5 slides
Security Testing Checking for what shouldnt happen Azqa Nadeem PhD Student @ Cyber Security

Security Testing Checking for what shouldnt happen Azqa Nadeem PhD Student @ Cyber Security

Security Testing Checking for what shouldnt happen Azqa Nadeem PhD Student @ Cyber Security Group The Cyber Security lecture series 1 Agenda for today Part I Latest security news Security vulnerabilities in Java

2.02k views • 185 slides
Static Detection of Second-Order Vulnerabilities in Web Applications Johannes Dahse and Thorsten

Static Detection of Second-Order Vulnerabilities in Web Applications Johannes Dahse and Thorsten

Static Detection of Second-Order Vulnerabilities in Web Applications Johannes Dahse and Thorsten Holz Ruhr-University Bochum USENIX Security 14, 20-22 August 2014, San Diego, CA, USA 1. Introduction 2. Implementation 3. Evaluation 4.

579 views • 40 slides
The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security

The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security

CS 640: Introduction to Computer Networks Aditya Akella Lecture 25 Network Security The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security Vulnerabilities Security Problems in the TCP/IP Protocol

1.29k views • 13 slides
Why Cant Johnny Fix Vulnerabilities: A Usability Evaluation of Static Analysis Tools for

Why Cant Johnny Fix Vulnerabilities: A Usability Evaluation of Static Analysis Tools for

Why Cant Johnny Fix Vulnerabilities: A Usability Evaluation of Static Analysis Tools for Security Justin Smith (Lafayette College) smithjus@lafayette.edu Lisa Nguyen Quang Do (Google) lisanqd@google.com Emerson Murphy-Hill (Google)

605 views • 15 slides
Static Checking of Dynamically-Varying Security Policies in Database-Backed Applications Adam

Static Checking of Dynamically-Varying Security Policies in Database-Backed Applications Adam

Static Checking of Dynamically-Varying Security Policies in Database-Backed Applications Adam Chlipala OSDI 2010 Beyond Code Injection 1.Injection An application includes an Dependent on application-specific unintended run-time program

595 views • 20 slides
About Me CEO &amp; Co-Founder at Snyk Find &amp; Fix vulnerabilities in open source

About Me CEO &amp; Co-Founder at Snyk Find &amp; Fix vulnerabilities in open source

The Three Faces of DevSecOps Guy Podjarny (@guypod) @guypod About Me CEO &amp; Co-Founder at Snyk Find &amp; Fix vulnerabilities in open source dependencies! Founder @Blaze, CTO @Akamai Security work since 1997 DevOps

1.29k views • 107 slides
About Me CEO &amp; Co-Founder at Snyk Find &amp; Fix vulnerabilities in open source

About Me CEO &amp; Co-Founder at Snyk Find &amp; Fix vulnerabilities in open source

Developer as a Malware Distribution Vehicle Guy Podjarny (@guypod) @guypod About Me CEO &amp; Co-Founder at Snyk Find &amp; Fix vulnerabilities in open source dependencies! Founder @Blaze, CTO @Akamai Security work since

1.41k views • 119 slides
Static code checking In the Linux kernel Presented by Arnd Bergmann Date April 6, 2016 Event

Static code checking In the Linux kernel Presented by Arnd Bergmann Date April 6, 2016 Event

Static code checking In the Linux kernel Presented by Arnd Bergmann Date April 6, 2016 Event Embedded Linux Conference Static code checking in the Linux kernel 1. Overview 2. Randconfig issues 3. Checking tools 4. Automated checking

586 views • 48 slides
Source Code Analysis for Security through LLVM Lu Zhao HP Fortify lu.zhao@hp.com Static Code

Source Code Analysis for Security through LLVM Lu Zhao HP Fortify lu.zhao@hp.com Static Code

Source Code Analysis for Security through LLVM Lu Zhao HP Fortify lu.zhao@hp.com Static Code Analyzer for Security Static Code Analyzer for Security (HP Fortify SCA) C/C++ Java Vulnerabilities LLVM Language independent Services C/C++ Swift

325 views • 31 slides
No More Whack-a-Mole: How to Find and Prevent Entire Classes of Security Vulnerabilities Sam

No More Whack-a-Mole: How to Find and Prevent Entire Classes of Security Vulnerabilities Sam

No More Whack-a-Mole: How to Find and Prevent Entire Classes of Security Vulnerabilities Sam Lanning @samlanning @samlanning A story of many bugs (CVE-2017-8046) 7 September 2017 22 September 2017 27 September 2017 Mo

426 views • 39 slides
vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration

vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration

Security &amp; Knowledge Management a.a. 2019/20 There are a set of sources that provide updated information about security vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration CAPEC,

197 views • 8 slides
Static Analysis for Memory Safety Salvatore Guarnieri sammyg@cs.washington.edu Papers A

Static Analysis for Memory Safety Salvatore Guarnieri sammyg@cs.washington.edu Papers A

Static Analysis for Memory Safety Salvatore Guarnieri sammyg@cs.washington.edu Papers A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities Using static analysis and integer range analysis to find buffer overflows

1.33k views • 56 slides
Static Code Analysis of Complex PHP Application Vulnerabilities Johannes Dahse Static Code

Static Code Analysis of Complex PHP Application Vulnerabilities Johannes Dahse Static Code

Static Code Analysis Automatisierte Sicherheitsanalyse of Complex PHP Application Vulnerabilities von Webapplikationen Static Code Analysis of Complex PHP Application Vulnerabilities Johannes Dahse Static Code Analysis Automatisierte

1.48k views • 89 slides
Discover vulnerabilities with CodeQL Boik Su Security Researcher @ CyCraft CHROOTs member

Discover vulnerabilities with CodeQL Boik Su Security Researcher @ CyCraft CHROOTs member

Discover vulnerabilities with CodeQL Boik Su Security Researcher @ CyCraft CHROOTs member Programming lover qazbnm456 @boik_su Agenda Brief introduction to CodeQL CodeQLs Tricks Replicate CVEs to find you CVEs More

2.1k views • 63 slides
Liveness Checking as Safety Checking to Find Shortest Counterexamples to Linear Time Properties

Liveness Checking as Safety Checking to Find Shortest Counterexamples to Linear Time Properties

Liveness Checking as Safety Checking to Find Shortest Counterexamples to Linear Time Properties Viktor Schuppan Computer Systems Institute, ETH Z urich http://www.inf.ethz.ch/schuppan/ Defense Thesis ETH 16268 September 28, 2005, Z

382 views • 19 slides
ProxySQL hand-on Ren Canna Ren Canna ProxySQL ProxySQL Frankfurt, 5 th Nov 2018

ProxySQL hand-on Ren Canna Ren Canna ProxySQL ProxySQL Frankfurt, 5 th Nov 2018

ProxySQL hand-on Ren Canna Ren Canna ProxySQL ProxySQL Frankfurt, 5 th Nov 2018 Frankfurt, 5 th Nov 2018 A bit about ProxySQL LLC We provide services to help build, support We provide services to help build, support as well as

1.5k views • 121 slides
Multi-Party Computation: Second year Eduardo Soria Vzquez October 11, 2017 A Year in a slide

Multi-Party Computation: Second year Eduardo Soria Vzquez October 11, 2017 A Year in a slide

Multi-Party Computation: Second year Eduardo Soria Vzquez October 11, 2017 A Year in a slide 1. Conferences attended : 1. Flagship: TCC 2016-B, Eurocrypt 2017. 2. Domain-specific: TPMPC. 3. Smaller Meetings: ECRYPT collaborative writing

351 views • 32 slides
Rapidmind Background on GPGPU GPU Tutorial Goal: 3-D image -&gt; 2-D image 2 main stages:

Rapidmind Background on GPGPU GPU Tutorial Goal: 3-D image -&gt; 2-D image 2 main stages:

Rapidmind Background on GPGPU GPU Tutorial Goal: 3-D image -&gt; 2-D image 2 main stages: Convert 3-D coordinates to 2-D windows Vertex processing Fill in 2-D windows Fragment processing GPU Hardware Pipeline Graphics

751 views • 63 slides
TOS Arno Puder 1 Objectives Introduce the x86 interrupt handling model Explain the

TOS Arno Puder 1 Objectives Introduce the x86 interrupt handling model Explain the

TOS Arno Puder 1 Objectives Introduce the x86 interrupt handling model Explain the functionality of the Interrupt Controller Explain how TOS handles interrupts 2 Review: Segmentation All x86 memory references go through

537 views • 27 slides
Interrupts and System Next Thursdays class has a reading assignment Lab 1 due Friday

Interrupts and System Next Thursdays class has a reading assignment Lab 1 due Friday

9/7/12 Housekeeping Welcome TA Amit Arya Office Hours posted Interrupts and System Next Thursdays class has a reading assignment Lab 1 due Friday Calls All students should have VMs at this point Email Don

520 views • 9 slides
CS 333 Introduction to Operating Systems Class 16 Secondary Storage Management Jonathan

CS 333 Introduction to Operating Systems Class 16 Secondary Storage Management Jonathan

CS 333 Introduction to Operating Systems Class 16 Secondary Storage Management Jonathan Walpole Computer Science Portland State University Disks Disk geometry Disk head, surfaces, tracks, sectors Comparison of (old) disk

672 views • 63 slides
Intoduction to Python - Part 2 Marco Chiarandini Department of Mathematics &amp; Computer Science

Intoduction to Python - Part 2 Marco Chiarandini Department of Mathematics &amp; Computer Science

DM545 Linear and Integer Programming Intoduction to Python - Part 2 Marco Chiarandini Department of Mathematics &amp; Computer Science University of Southern Denmark [ Based on booklet Python Essentials ] Exception Handling File Input and

743 views • 52 slides
PAST Scalable Ethernet for Data Centers Brent Stephens , Alan Cox , Wes Felter , Colin

PAST Scalable Ethernet for Data Centers Brent Stephens , Alan Cox , Wes Felter , Colin

PAST Scalable Ethernet for Data Centers Brent Stephens , Alan Cox , Wes Felter , Colin Dixon , and John Carter Rice University IBM Research December 11th, 2012 Brent Stephens PAST: Scalable Ethernet for Data Centers

752 views • 53 slides

More recommend