MOPS: an Infrastructure for Examining Security Properties of Software


MOPS: an Infrastructure for Examining Security Properties of Software
Authors: Hao Chen, David Wagner, University of California at Berkeley
Published: ACM Computer and Communications Security 2002
Presenter: Xingbo Gao

Outline
- Problem Definition and Motivation
- Introduction of Temporal Safety Properties
- Formal Models and Framework
- Feasible Applications
- Strengths, Weaknesses and Improvements

Problem Definition and Motivation

    // now in directory "/var/ftp"
    chroot("/var/ftp/pub");        // confines the root priv. in the new dir.
    chdir("/var/ftp/pub");
    filename = read_from_network();
    fd = open(filename, O_RDONLY);

Directory tree in the figure: / contains /etc (with /etc/passwd) and /var; /var/ftp/pub is the new root. What if filename = "../../etc/passwd"? After the chroot, the path "/var/ftp/pub" is resolved inside the new root, so the chdir normally fails (its result is never checked) and the working directory stays at /var/ftp, outside the jail; the relative filename then reaches /etc/passwd.

Contribution
- A new idea for examining security properties of software: verify whether temporal safety properties are obeyed
- A formal model that automates this verification process

Temporal Safety Property
- Dictates the order of a sequence of security-relevant operations
- Can be used to describe many rules for secure programs
- Violating such a property often renders the program vulnerable to attack
- Detecting violations, or verifying that the property holds, significantly reduces software vulnerabilities
- Manual checking cannot scale to large programs

Formal Model
- Σ: the set of security-relevant operations
- L(M): all sequences of security operations that violate the security property; a regular language (M: FSA)
- T: the set of all feasible paths (traces) of the program; a context-free language (described by a PDA)
The program satisfies the property when T ∩ L(M) is empty.

Another Example
Before making certain system calls that run untrusted programs, a privileged process must first drop all privileges.

Brief Review of ruid, euid and suid
Each Unix process has three user ids:
- ruid: real user id
- euid: effective user id
- suid: saved user id
Example (the setuid-root program passwd): initially real-uid = tom, effective-uid = tom, saved-uid = root; after the syscall seteuid(0): real-uid = tom, effective-uid = root, saved-uid = root.

Temporal Safety Property Example

    #include <pwd.h>
    #include <stdio.h>
    #include <unistd.h>

    FILE *log;                                   /* assumed to be an open log file */
    void do_something_with_privilege(void) { }   /* stub for the slide's helper */
    void drop_privilege(void);

    int main(int argc, char *argv[])
    {
        // start with root privilege
        do_something_with_privilege();
        drop_privilege();
        execl("/bin/sh", "/bin/sh", NULL);       // risky syscall
    }

    void drop_privilege(void)
    {
        struct passwd *passwd;
        if ((passwd = getpwuid(getuid())) == NULL)
            return;                              // early return: privilege is NOT dropped
        fprintf(log, "drop priv for %s", passwd->pw_name);
        seteuid(getuid());
    }

Formal Model Cont.
Σ = {execl(), seteuid(0), seteuid(!0)}  (set of security operations)
T = {[seteuid(!0), execl()], [execl()]}  (all feasible traces)
T ∩ L(M) = {[execl()]}
(Figure: an FSA M describing the property "Dropping Privileges")
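To make the formal model and the drop_privilege example concrete, here is an added toy implementation of the check T ∩ L(M) = ∅; it is written for this transcript and is not code from MOPS or from the Chen/Wagner paper. The control-flow graph of the slide's program, the FSA for "dropping privileges", and a second FSA for the chroot/chdir rule from the motivation slide are all assumptions I constructed from the slides; the walk with an explicit return stack stands in for the pushdown automaton that MOPS uses. It goes slightly beyond the slide by checking both properties with the same machinery.

```python
"""Toy version of the MOPS check "T ∩ L(M) = ∅" (added example, not MOPS code).

A program is a small control-flow graph whose edges carry a security
operation from Σ (or None for irrelevant code).  A property is an FSA M
that accepts the *bad* operation sequences.  Feasible traces T are
enumerated by walking the graph with an explicit return stack (a crude
stand-in for MOPS' pushdown automaton); a violation is a trace in T that
M accepts.
"""


class FSA:
    """Automaton over Σ; an operation with no transition from the current
    state leaves the state unchanged."""

    def __init__(self, start, accepting, delta):
        self.start = start
        self.accepting = set(accepting)
        self.delta = delta                      # {(state, op): next_state}

    def accepts(self, trace):
        state = self.start
        for op in trace:
            state = self.delta.get((state, op), state)
        return state in self.accepting


def feasible_traces(prog, entry="main", max_steps=64):
    """All Σ-projected paths through prog, starting at `entry`.

    prog = {fname: {"entry": n, "exit": n, "edges": [(src, dst, label), ...]}}
    with label an op in Σ, None, or ("call", callee).  The step bound keeps
    the walk finite if a CFG contains a loop."""
    traces = []

    def walk(fname, node, stack, trace, steps):
        if steps > max_steps:
            return
        fn = prog[fname]
        if node == fn["exit"]:
            if not stack:                       # back in main: a complete trace
                traces.append(tuple(trace))
            else:                               # return to the caller
                caller, ret = stack[-1]
                walk(caller, ret, stack[:-1], trace, steps + 1)
            return
        for src, dst, label in fn["edges"]:
            if src != node:
                continue
            if isinstance(label, tuple) and label[0] == "call":
                callee = label[1]
                walk(callee, prog[callee]["entry"],
                     stack + [(fname, dst)], trace, steps + 1)
            else:
                walk(fname, dst, stack,
                     trace + ([label] if label else []), steps + 1)

    walk(entry, prog[entry]["entry"], [], [], 0)
    return traces


def violations(prog, prop):
    """T ∩ L(M): the feasible traces that the property automaton accepts."""
    return [t for t in feasible_traces(prog) if prop.accepts(t)]


# Property "drop privileges before execl" (constructed from the slides):
# the process holds root ("priv") or not ("unpriv"); "bad" is accepting.
DROP_PRIV = FSA("priv", {"bad"}, {
    ("priv", "seteuid(!0)"): "unpriv",
    ("unpriv", "seteuid(0)"): "priv",
    ("priv", "execl()"): "bad",
})

# CFG of the slide's program.  drop_privilege() has two paths: the early
# return when getpwuid() fails (no seteuid at all) and the normal path.
SLIDE_PROGRAM = {
    "main": {"entry": "m0", "exit": "m_exit", "edges": [
        ("m0", "m1", None),                     # do_something_with_privilege()
        ("m1", "m2", ("call", "drop_privilege")),
        ("m2", "m_exit", "execl()"),
    ]},
    "drop_privilege": {"entry": "d0", "exit": "d_exit", "edges": [
        ("d0", "d1", None),                     # getpwuid(getuid())
        ("d1", "d_exit", None),                 # == NULL -> return early
        ("d1", "d2", None),                     # fprintf(log, ...)
        ("d2", "d_exit", "seteuid(!0)"),        # seteuid(getuid()), uid != 0
    ]},
}

# Second property, from the chroot slide: after chroot() the process must
# chdir("/") before opening files, otherwise "../" escapes the jail.
CHROOT_CHDIR = FSA("start", {"bad"}, {
    ("start", "chroot()"): "jailed",
    ("jailed", 'chdir("/")'): "ok",
    ("jailed", "open()"): "bad",
})

FTP_PROGRAM = {"main": {"entry": "f0", "exit": "f_exit", "edges": [
    ("f0", "f1", "chroot()"),
    ("f1", "f2", "chdir(other)"),               # chdir("/var/ftp/pub"), not "/"
    ("f2", "f_exit", "open()"),
]}}

if __name__ == "__main__":
    print(feasible_traces(SLIDE_PROGRAM))       # [('execl()',), ('seteuid(!0)', 'execl()')]
    print(violations(SLIDE_PROGRAM, DROP_PRIV)) # [('execl()',)]
    print(violations(FTP_PROGRAM, CHROOT_CHDIR))  # [('chroot()', 'chdir(other)', 'open()')]
```

The enumerated T matches the slide ({[seteuid(!0), execl()], [execl()]}) and the only violating trace is the one through the early return, which is exactly the path a manual review of drop_privilege tends to miss. Real MOPS does not enumerate paths; it intersects the pushdown model of the program with M and checks reachability, which is what lets it scale to the programs listed later in the talk.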

Modular Implementation

Applications
- Checking proper dropping of privilege: sendmail 8.10.1 fails to drop root privilege in user IDs; sendmail 8.12.0 fails to drop privilege in group IDs
- Verifying success of system calls (no uid-setting syscall may fail): OpenSSH 2.5.2
- Checking privilege flow in non-local control flow: wu-ftpd 2.4 beta 11 has an offending path; wu-ftpd 2.4 beta 12 fixed this vulnerability

Strengths and Weaknesses
Strengths
- proposes a novel formal approach to model checking security properties in large programs
- efficient algorithm and good scalability
- sound modeling
Weaknesses
- can raise some false alarms due to the approximated modeling
- reduced precision because of very limited data flow analysis, e.g. if-then-else branches

Possible Improvements
- Investigate how much data flow analysis can be incorporated into MOPS
- Improve MOPS while experimenting with checking more security properties in more programs

Questions?