University of Virginia Computer Science Extensible Lightweight Static Checking David Evans On the I/O.

Slides:



Advertisements
Similar presentations
CH4.1 Type Checking Md. Fahim Computer Engineering Department Jamia Millia Islamia (A Central University) New Delhi –
Advertisements

SPLINT STATIC CHECKING TOOL Sripriya Subramanian 10/29/2002.
BITS Pilani, Pilani Campus TA C252 Computer Programming - II Vikas Singh File Handling.
Files in C Rohit Khokher. Files in C Real life situations involve large volume of data and in such cases, the console oriented I/O operations pose two.
Chapter 11: Data Files & File Processing In this chapter, you will learn about Files and streams Creating a sequential access file Reading data from a.
FILES Files types and operations. Files Files are used to store data Data can be Text (ASCII only: 0  127) Binary (Full range: 0  256) Each file resides.
Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley.
Chapter 10.
Visualizing Type Qualifier Inference with Eclipse David Greenfieldboyce Jeffrey S. Foster University of Maryland.
Guide To UNIX Using Linux Third Edition
CQual: A Tool for Adding Type Qualifiers to C Jeff Foster et al UC Berkeley OSQ Retreat, May
Console and File I/O - Basics Rudra Dutta CSC Spring 2007, Section 001.
Statically Detecting Likely Buffer Overflow Vulnerabilities David Larochelle David Evans University of Virginia Department of Computer Science Supported.
Static Analysis for Security Amir Bazine Per Rehnberg.
Files COP3275 – PROGRAMMING USING C DIEGO J. RIVERA-GUTIERREZ.
Chapter 6 Buffer Overflow. Buffer Overflow occurs when the program overwrites data outside the bounds of allocated memory It was one of the first exploited.
C Basic File Input/Output Manipulation C Programming – File Outline v File handling in C - opening and closing. v Reading from and writing to files.
Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer.
David Evans These slides: Introduction to Static Analysis.
Introduction to Programming Using C Files. 2 Contents Files Working with files Sequential files Records.
File IO and command line input CSE 2451 Rong Shi.
David Evans CS551/651: Dependable Computing University of Virginia Computer Science Static Analysis.
David Evans The Bugs and the Bees Research in Programming Languages and Security University of.
Overflow Examples 01/13/2012. ACKNOWLEDGEMENTS These slides where compiled from the Malware and Software Vulnerabilities class taught by Dr Cliff Zou.
David Evans The Bugs and the Bees Research in Swarm Programming and Security University of Virginia.
David Evans The Bugs and the Bees Research in Programming Languages and Security University of.
Buffer Overflow Proofing of Code Binaries By Ramya Reguramalingam Graduate Student, Computer Science Advisor: Dr. Gopal Gupta.
1 File Handling. 2 Storage seen so far All variables stored in memory Problem: the contents of memory are wiped out when the computer is powered off Example:
8 th Semester, Batch 2008 Department Of Computer Science SSUET.
1 Splint: A Static Memory Leakage tool Presented By: Krishna Balasubramanian.
(A Somewhat Self-Indulgent) Splint Retrospective David Evans University of Virginia 25 October 2010.
Statically Detecting Likely Buffer Overflow Vulnerabilities David Larochelle and David Evans USENIX'01 David Larochelle and David Evans IEEE Software Jan/Feb.
An Undergraduate Course on Software Bug Detection Tools and Techniques Eric Larson Seattle University March 3, 2006.
Memory Layout, File I/O Bryce Boe 2013/06/27 CS24, Summer 2013 C.
Chapter 11: Data Files and File Processing Files and streams Creating a sequential access file Reading data from a sequential access file Using fgetc()
Chapter 11 File Processing. Objectives In this chapter, you will learn: –To be able to create, read, write and update files. –To become familiar with.
Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.
1 CSC103: Introduction to Computer and Programming Lecture No 27.
CMPSC 16 Problem Solving with Computers I Spring 2014 Instructor: Lucas Bang Lecture 11: Pointers.
Chapter 4 Static Analysis. Summary (1) Building a model of the program:  Lexical analysis  Parsing  Abstract syntax  Semantic Analysis  Tracking.
Files A collection of related data treated as a unit. Two types Text
Web Page Designing With Dreamweaver MX\Session 1\1 of 9 Session 3 PHP Advanced.
 2007 Pearson Education, Inc. All rights reserved. 1 C File Processing.
Files. FILE * u In C, we use a FILE * data type to access files. u FILE * is defined in /usr/include/stdio.h u An example: #include int main() { FILE.
David Evans The Bugs and the Bees Research in Programming Languages and Security University of.
C Programming Day 2. 2 Copyright © 2005, Infosys Technologies Ltd ER/CORP/CRS/LA07/003 Version No. 1.0 Union –mechanism to create user defined data types.
Real Numbers Device driver process within the operating system that interacts with I/O controller logical record 1 logical record 2 logical record 3.
Silberschatz and Galvin  C Programming Language Kingdom of Saudi Arabia Ministry of Higher Education Al-Majma’ah University College of Education.
Dynamic Allocation in C
Secure Coding Rules for C++ Copyright © 2016 Curt Hill
Sabrina Wilkes-Morris CSCE 548 Student Presentation
Chapter 4 File Processing
File I/O.
C Basics.
Secure Coding Rules for C++ Copyright © Curt Hill
File Input/Output.
High Coverage Detection of Input-Related Security Faults
File I/O We are used to reading from and writing to the terminal:
Improving Security Using Extensible Lightweight Static Analysis
Beginning C Lecture 11 Lecturer: Dr. Zhao Qinpei
File I/O in C Lecture 7 Narrator: Lecture 7: File I/O in C.
Text and Binary File Processing
Program Assertions in Security
File Input and Output.
File Handling.
Annotation-Assisted Lightweight Static Checking
Module 12 Input and Output
Semantic Type Qualifiers
C Language B. DHIVYA 17PCA140 II MCA.
File I/O We are used to reading from and writing to the terminal:
Presentation transcript:

University of Virginia Computer Science Extensible Lightweight Static Checking David Evans On the I/O Streams Challenge Problem LCLint

14 August 2001Spec-n-Check2 Everyone Likes Types Easy to Understand Easy to Use Quickly Detect Many Programming Errors Useful Documentation …even though they are lots of work! –1/4 of text of typical C program is for types

14 August 2001Spec-n-Check3 Limitations of Standard Types Type of reference never changes Language defines checking rules One type per reference

14 August 2001Spec-n-Check4 Type of reference never changes State changes along program paths Language defines checking rules Programmer defines checking rules One type per reference Many attributes per reference Attributes Similar to Vault, linear types, typestates, etc. Limitations of Standard Types

14 August 2001Spec-n-Check5 LCLint Lightweight static analysis tool [FSE’94, PLDI’96] – “quick and dirty” Simple dataflow analyses Unsound and Incomplete Several thousand users…perhaps ¼ adding annotations to code: gradual learning curve Detects inconsistencies between code and specifications Examples: memory management (leaks, dead references), null dereferences, information hiding, undocumented modifications, etc. annotations documented assumptions

14 August 2001Spec-n-Check6 I/O Streams Challenge Many properties can be described in terms of state attributes –A file is open or closed fopen: returns an open file fclose: open  closed fgets, etc. require open files –Reading/writing – must reset between certain operations

14 August 2001Spec-n-Check7 Defining Openness attribute openness context reference FILE * oneof closed, open annotations open ==> open closed ==> closed transfers open as closed ==> error closed as open ==> error merge open + closed ==> error losereference open ==> error "file not closed" defaults reference ==> open end Cannot abandon FILE in open state Object cannot be open on one path, closed on another

14 August 2001Spec-n-Check8 Specifying I/O Functions FILE *fopen (const char *filename, const char *mode); int fclose FILE *stream) closed ; char *fgets (char *s, int n, FILE *stream);

14 August 2001Spec-n-Check9 Reading, ‘Riting, ‘Rithmetic attribute rwness context reference FILE * oneof rwnone, rwread, rwwrite, rweither annotations read ==> rwread write ==> rwwrite rweither ==> rweither rwnone ==> rwnone merge rwread + rwwrite ==> rwnone rwnone + * ==> rwnone rweither + rwread ==> rwread rweither + rwwrite ==> rwwrite transfers rwread as rwwrite ==> error "Must reset file between read and write." rwwrite as rwread ==> error "Must reset file between write and read." rwnone as rwread ==> error "File in unreadable state." rwnone as rwwrite ==> error "File in unwritable state." rweither as rwwrite ==> rwwrite rweither as rwread ==> rwread defaults reference ==> rweither end

14 August 2001Spec-n-Check10 Reading, ‘Righting FILE *fopen (const char *filename, const char *mode) ; int fgetc FILE *f) ; int fputc (int, FILE *f) ; /* fseek resets the rw state of a stream */ int fseek FILE *stream, long int offset, int whence) rweither ;

14 August 2001Spec-n-Check11 Checking Simple dataflow analysis Intraprocedural – except uses annotations to alter state around procedure calls Integrates with other LCLint analyses (e.g., nullness, aliases, ownership, etc.)

14 August 2001Spec-n-Check12 Example FILE *f = fopen (fname, “rw”); int i = fgetc (f); if (i != EOF) { fputc (i, f); fclose (f); } f:openness = open, f:rwness = rwread Attribute mismatch – passed read where write FILE * expected. Possibly null reference f passed where non-null expected f:openness = open f:rwness = rweither Branches join in incompatible states: f is closed on true branch,open on false branch f:openness = closed, f:rwness = rwnone

14 August 2001Spec-n-Check13 Results On my code…works great –Checked LCLint sources (178K lines, takes 240 seconds on Athlon 1.2GHz) –No annotations: 2 errors –Added 1 ensures clause static void loadrc (FILE *p_rcfile, cstringSList *) closed ; –No more warnings

14 August 2001Spec-n-Check14 Results – “Real” Code wu-ftpd (20K lines, ~4 seconds) No annotations: 7 warnings After adding ensures clause for ftpd_pclose –4 spurious warnings 1 used function pointer to close FILE 1 reference table 2 convoluted logic involving function static variables –2 real bugs (failure to close ftpservers file on two paths)

14 August 2001Spec-n-Check15 Taintedness attribute taintedness context reference char * oneof untainted, tainted annotations tainted reference ==> tainted untainted reference ==> untainted anytainted parameter ==> tainted transfers tainted as untainted ==> error merge tainted + untainted ==> tainted defaults reference ==> tainted literal ==> untainted null ==> untainted end

14 August 2001Spec-n-Check16 tainted.xh int fprintf (FILE *stream, char *format,...) ; char *fgets (char *s, int n, FILE *) tainted ; char *strcpy char *s1, char *s2) s1:taintedness = ; char *strcat char *s1, char *s2) s1:taintedness = s1:taintedness | ;

14 August 2001Spec-n-Check17 Buffer Overflows Most commonly exploited security vulnerability –1988 Internet Worm –Still the most common attack Code Red exploited buffer overflow in IIS >50% of CERT advisories, 23% of CVE entries in 2001 Finite-state attributes not good enough –Need to know about lengths of allocated buffers

14 August 2001Spec-n-Check18 Detecting Buffer Overflows More expressive annotations –e.g., maxSet is the highest index that can safely be written to Checking uses axiomatic semantics with simplification rules Heuristics for analyzing common loop idioms Detected known and unknown vulnerabilities in wu-ftpd and BIND Paper (with David Larochelle) in USENIX Security 2001

14 August 2001Spec-n-Check19 Will Programmers Add Annotations? C in 1974: char *strcpy (); C in 1978: char *strcpy (char *s1, char *s2); C in 1989: char *strcpy (char *s1, const char *s2); C in 1999: char *strcpy (char * restrict s1, const char * restrict s2); C in 20??: nullterminated char *strcpy (returned char *restrict s1, nullterminated const char *restrict s2) requires maxSet(s1) >= maxRead (s2) ensures s1:taintedness = s2:taintedness ensures maxRead(s1) = maxRead (s2);