Research in Language-Based Methods

Slides:



Advertisements
Similar presentations
Static Analysis for Security
Advertisements

Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.
Logical Attestation: An Authorization Architecture for Trustworthy Computing Emin Gün Sirer Willem de Bruijn †, Patrick Reynolds *, Alan Shieh ‡, Kevin.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Designed-in Security Some Major Challenges Security Group Department of Computer Science University of California, Santa Barbara Trustworthy.
An Empirical Study of the Reliability in UNIX Utilities Barton Miller Lars Fredriksen Brysn So Presented by Liping Cai.
B. Sharma, S.D. Dhodapkar, S. Ramesh 1 Assertion Checking Environment (ACE) for Formal Verification of C Programs Babita Sharma, S.D.Dhodapkar RCnD, BARC,
1 Basic Definitions: Testing What is software testing? Running a program In order to find faults a.k.a. defects a.k.a. errors a.k.a. flaws a.k.a. faults.
The Future of Correct Software George Necula. 2 Software Correctness is Important ► Where there is software, there are bugs ► It is estimated that software.
Metrics Project and Process Metrics. Why do we measure? Assessing project status Allows us to track risks Before they go critical Adjust workflow See.
1 Property 3: standard file descriptors vulnerability attack.c at.c Standard File Descriptors 0:stdin 1:stdout 2:stderr close(1); close(2); execl(“at”,
#1 Program analysis for security: Making it scale David Wagner U.C. Berkeley Work by Hao Chen, Karl Chen, Rob Johnson, Ben Schwarz, and Jeremy Lin, Geoff.
TOCTTOU Vulnerabilities in UNIX-Style File Systems BY: Mayank Ladoia.
#1 The Future of Software Security David Wagner U.C. Berkeley.
MOPS MOdelchecking Security Properties David Wagner U.C. Berkeley.
Software Security David Wagner University of California at Berkeley.
A Type System for Expressive Security Policies David Walker Cornell University.
August 2006Scott Stoller, Stony Brook University1 Research in Formal Methods, Concurrent & Distributed Systems, and Programming Languages at Scott D. Stoller.
High Confidence Medical Device Software and Systems: A programming languages and tools perspective Mark P Jones Department of Computer Science & Electrical.
#1 Pushdown model checking for security David Wagner U.C. Berkeley Work by Hao Chen, Ben Schwarz, and Drew Dean, Jeremy Lin, Geoff Morrison, David Schultz,
1 Model Checking One Million Lines of C Code Hao Chen Drew Dean (SRI International) David Wagner with David Schultz, Geoff Morrison, Ben Schwarz Jacob.
1 Reliable Adaptive Distributed Systems Armando Fox, Michael Jordan, Randy H. Katz, David Patterson, George Necula, Ion Stoica, Doug Tygar.
1CMSC 345, Version 4/04 Verification and Validation Reference: Software Engineering, Ian Sommerville, 6th edition, Chapter 19.
CS527: (Advanced) Topics in Software Engineering Overview of Software Quality Assurance Tao Xie ©D. Marinov, T. Xie.
Verification and Validation Yonsei University 2 nd Semester, 2014 Sanghyun Park.
1 Setuid Demystified Hao Chen David Wagner UC Berkeley Drew Dean SRI International.
CS 501: Software Engineering Fall 1999 Lecture 16 Verification and Validation.
The Daikon system for dynamic detection of likely invariants MIT Computer Science and Artificial Intelligence Lab. 16 January 2007 Presented by Chervet.
1 Hybrid-Formal Coverage Convergence Dan Benua Synopsys Verification Group January 18, 2010.
Model Checking an Entire Linux Distribution for Security Violations Work by Benjamin Schwarz, Hao Chen, David Wagner, Geoff Morrison, Jacob West, Jeremy.
CIS 842: Specification and Verification of Reactive Systems Lecture 1: Course Overview Copyright 2001, Matt Dwyer, John Hatcliff, and Radu Iosif. The.
Project 6 Unix File System. Administrative No Design Review – A design document instead 2-3 pages max No collaboration with peers – Piazza is for clarifications.
1 Splint: A Static Memory Leakage tool Presented By: Krishna Balasubramanian.
An Undergraduate Course on Software Bug Detection Tools and Techniques Eric Larson Seattle University March 3, 2006.
Design - programming Cmpe 450 Fall Dynamic Analysis Software quality Design carefully from the start Simple and clean Fewer errors Finding errors.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
1 Setuid Demystified Hao Chen David Wagner UC Berkeley Drew Dean SRI International Proceedings of the 11th USENIX Security Symposium San Francisco, California,
Properties as Processes : FORTE slide Properties as Processes: their Specification and Verification Joel Kelso and George Milne School of Computer.
Static Techniques for V&V. Hierarchy of V&V techniques Static Analysis V&V Dynamic Techniques Model Checking Simulation Symbolic Execution Testing Informal.
Introduction to Hardware Verification ECE 598 SV Prof. Shobha Vasudevan.
1 Model Checking One Million Lines of C Code Hao Chen, UC Berkeley Drew Dean, SRI International David Wagner, UC Berkeley.
MOPS: an Infrastructure for Examining Security Properties of Software Authors Hao Chen and David Wagner Appears in ACM Conference on Computer and Communications.
CS 5150 Software Engineering Lecture 21 Reliability 2.
The PLA Model: On the Combination of Product-Line Analyses 강태준.
Linux Filesystem Management
Classic Buffer OVERFLOW ATTACKS CSCE 548 Student Presentation Mouiad Al Wahah.
Cyber Physical System Security
Software Dependability
Security Autodesk DevDays rEvolution
CSCE 548 Secure Software Development Risk-Based Security Testing
Types for Programs and Proofs
Large Scale Parallel Print Service
CSC 480 Software Engineering
Distributed Computing Systems
TRUST Area 3 Overview: Privacy, Usability, & Social Impact
CSE 374 Programming Concepts & Tools
Secure Software Development: Theory and Practice
Speaker’s Name, SAP Month 00, 2017
Verification and Validation
TRUST:Team for Research in Ubiquitous Secure Technologies
Countering Trusting Trust through Diverse Double-Compiling
Examining a Windows NT Infrastructure (2)
Design and Programming
TRUST: Security Education Program at Stanford
TRUST:Team for Research in Ubiquitous Secure Technologies
TRUST:Team for Research in Ubiquitous Secure Technologies
CS240: Advanced Programming Concepts
IPC144 Introduction to Programming Using C Week 4 – Lesson 1
Software Architecture
MOPS: an Infrastructure for Examining Security Properties of Software
Presentation transcript:

Research in Language-Based Methods Software Security: Research in Language-Based Methods David Wagner U.C. Berkeley

Software security today Even after large, extensive testing efforts, commercial software is shipped riddled with errors (“bugs”). — PITAC Report to the President, February 24, 1999 Trustworthy Computing is computing that is available, reliable, and secure as electricity, water services and telephony....No Trustworthy Computing platform exists today. — Bill Gates, January 15, 2002 (highest priority for Microsoft) [T]he national annual costs of an inadequate infrastructure for software testing is estimated to range from $22.2 to $59.5 billion. — NIST Planning Report 02-3, May 2002 In short: Software vulnerabilities are rampant.

Problem Statement Many security holes are due to buggy implementations The technical challenge: How do we reason about the security properties of software? Can we detect instances of common vulnerabilities? Can we prove our software is free of these holes? Can we build code that is “secure by construction”? This talk: Reasoning about temporal safety properties of legacy software

MOPS: Modelchecking Security Properties Pushdown model checking of C source code Security properties expressed as finite state automata Code is modelled as a pushdown automaton strncpy(d,s,n) other d[n-1] = ’\0’; Example: A simple FSA to detect misuse of strncpy( ). Error state indicates possible failure to null-terminate d. (Real property is much more complex: many ways to terminate; pre-termination vs. post-termination; delayed termination.)

TOCTTOU (time-of-check to time-of-use) Canonical example of a TOCTTOU vulnerability: if (access(pathname, R_OK) == 0) fd = open(pathname, O_RDONLY); Notice: not an atomic operation! Bug: Permissions may change between access() & open() Attacker can arrange for this to happen in an attack check(x) use(x) check = { access, lstat, stat, readlink, statfs } use = { chmod, open, remove, unlink, mount, link, mkdir, rmdir … }

Insecure temporary file creation/use Temporary file creation requires special care: 1) unguessable filename; 2) safe permissions; 3) file ops should use fd, not filename (TOCTTOU) mkstemp(x) fileop(x) { tmpnam(), tempnam(), mktemp(), tmpfile() } fileop(x) = { open(x), chmod(x), remove(x), unlink(x) … }

MOPS in the large Experiment: Analyze an entire Linux distribution Redhat 9, all C packages (732 pkgs, ~ 50 MLOC) Security analysis at an unprecedented scale Team of 4 manually examined 900+ warnings 1 grad student; 3 undergrads new to MOPS Exhaustive analysis of TOCTTOU, tmpfile, others; statistical sampling of strncpy Laborious: multiple person-months of effort Found 108 new security holes in Linux apps Security Property Warnings Real bugs Bug ratio TOCTTOU 790 41 5% temporary files 108 34 35% strncpy 1378 11+ ~ 5-10% Total 2333 108+

Bug #1: “zip” Pathname from cmd line d_exists = (lstat(d, &t) == 0); if (d_exists) { /* respect existing soft and hard links! */ if (t.st_nlink > 1 || (t.st_mode & S_IFMT) == S_IFLNK) copy = 1; else if (unlink(d)) return ZE_CREAT; } ... eventually writes new zipfile to d ...

Bug #2: “ar” exists = lstat (to, &s) == 0; if (! exists || (!S_ISLNK (s.st_mode) && s.st_nlink == 1)){ ret = rename (from, to); if (ret == 0) { if (exists) { chmod (to, s.st_mode & 0777); if (chown (to, s.st_uid, s.st_gid) >= 0) chmod (to, s.st_mode & 07777); }

Bug #3 static void open_files() { int fd; create_file_names(); if (input_file == 0) { input_file = fopen(input_file_name, "r"); if (input_file == 0) open_error(input_file_name); fd = mkstemp(action_file_name); if (fd < 0 || (action_file = fdopen(fd, "w")) == NULL) { if (fd >= 0) close(fd); open_error(action_file_name); } void open_error(char *f) { perror(f); unlink(action_file_name); exit(1);

Lessons & surprises from the MOPS effort Program analysis at scale is highly non-trivial Good UI, explanation of errors is critical Build integration so important — and so hard — that we re-implemented it no less than four times But worth it: Large-scale experiments incredibly valuable Tech. transfer: techniques being adopted in commercial security code scanning tools There is an enormous opportunity for better tools — but also enormous research challenges

TRUST Agenda Technical directions: Static code verification Dynamic analysis Multi-lingual security Software design Major themes: Program analysis System composition Participants: John Mitchell (area leader) Alex Aiken Ken Birman Dan Boneh Hector Garcia-Molina George Necula Mike Reiter Fred Schneider Gün Sirer Dawn Song Doug Tygar David Wagner Jeannette Wing

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.