SOFTWARE ENGINEERING INSTITUTE
Automated Detection of Vulnerabilities Based on Program Analysis and Model Checking
Wang L., Zhang Q., Zhao P.
System Software Research Group, Software Engineering Institute

Outline
- Why choose model checking
- How we do it
- Static analysis
- Prototype: CodeAuditor
- Demo example
- Experiment results
- Related work
- Conclusion & future work

Why choose model checking
Dynamic: efficient, but depends on special input data.
Static:
- General static methods (program analysis): efficient, but imprecise.
- Formal verification (model checking, abstract-verify-refine paradigm): emphasizes precision; it explores an abstract reachability tree that stores the information of all reachable paths.

How we do it: model checking + program analysis
Model checker: BLAST
- Cannot automatically build the vulnerability model
- State space explosion
Program analysis
- Constraint-based analysis: model the buffers in the source code
- Pointer alias analysis: to improve precision
- Slicing: to improve efficiency
- ...
Example:
  char name[5];
  if(true) name[9] = 'c';

Static analysis
Constraint-based analysis
- Model string buffers as pairs of integers {max_length, used_length}
- Model each statement and function as attribute transfers and constraints, described in an XML configuration file
Code instrumentation
- Traverse the GCC AST, parse the configuration file and execute the instrumentation
- Convert the instrumented AST back to source code

Static analysis (cont.)
Alias analysis
- Compute pointer aliases at every program location
- Update the attributes of aliased pointers

Prototype: CodeAuditor

More details
Several buffer operations and their constraints/assertions; the dangerous function call strcpy(dst, src); interprocedural analysis of char *foo(char *s).

C code | Constraints and assertions
char *p | 0 -> p.max; 0 -> p.used
char a[n] | n -> a.max; 0 -> a.used
p = malloc(n) | n -> p.max; 0 -> p.used
strcpy(dst, src) | assert(dst.max >= src.used); src.used -> dst.used
strcat(s, t) | assert(s.max >= s.used + t.used); t.used + s.used -> s.used
strncat(s, t, n) | assert(s.max >= s.used + n); s.used + n -> s.used
scanf("%ns", str) | assert(str.max >= n); n -> str.used
sprintf(dst, "%s", str) | assert(dst.max >= str.used); str.used -> dst.used
sprintf(dst, "%d", n) | assert(dst.max >= 20); 20 -> dst.used

Instrumented strcpy(dst, src):
  assert(dst_length_max >= src_length_used);
  dst_length_used = src_length_used;

Instrumentation for the interprocedural analysis of char *foo(char *s):
  int foo_ret_length_max = 0;
  int foo_ret_length_used = 0;
  int foo_s_length_max = 0;
  int foo_s_length_used = 0;
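The table above is easier to follow when the buffer model runs on concrete attribute values. The following C program is an added example, not CodeAuditor's code or its XML configuration: it writes the slide's {max_length, used_length} model and its transfer/assert rules as plain functions, then applies them to the slide's demo (char name[5]; name[9] = 'c';) and to a constructed callee shaped like char *foo(char *s). The index-write rule assert(idx < a.max) and the 16-byte local in check_foo are my assumptions; everything else follows the table's rules literally, including strcpy's transfer of src.used without the terminating NUL.

```c
/* Added example, not CodeAuditor's code: the slide's {max_length, used_length}
 * buffer model and its transfer/assert rules written as plain C functions.
 * The index-write rule (assert(idx < a.max)) is an assumption of this example;
 * it is not in the slide's table but is what the "name[9] = 'c'" demo needs. */
#include <stdio.h>

/* The abstract attributes the analysis attaches to every string buffer. */
typedef struct {
    long max;   /* max_length: allocated size of the buffer */
    long used;  /* used_length: length of the string currently stored */
} buf_attr;

/* char a[n]  ==>  n -> a.max; 0 -> a.used   (same transfer for p = malloc(n)) */
buf_attr attr_alloc(long n) {
    buf_attr b; b.max = n; b.used = 0; return b;
}

/* strcpy(dst, src)  ==>  assert(dst.max >= src.used); src.used -> dst.used
 * Each model_* function returns 1 when the assertion holds and applies the
 * transfer; it returns 0 (leaving the target untouched) when the assertion
 * fails, i.e. where the model checker would report a reachable overflow. */
int model_strcpy(buf_attr *dst, const buf_attr *src) {
    if (dst->max < src->used) return 0;
    dst->used = src->used;
    return 1;
}

/* strcat(s, t)  ==>  assert(s.max >= s.used + t.used); t.used + s.used -> s.used */
int model_strcat(buf_attr *s, const buf_attr *t) {
    if (s->max < s->used + t->used) return 0;
    s->used += t->used;
    return 1;
}

/* strncat(s, t, n)  ==>  assert(s.max >= s.used + n); s.used + n -> s.used */
int model_strncat(buf_attr *s, long n) {
    if (s->max < s->used + n) return 0;
    s->used += n;
    return 1;
}

/* sprintf(dst, "%d", n)  ==>  assert(dst.max >= 20); 20 -> dst.used */
int model_sprintf_int(buf_attr *dst) {
    if (dst->max < 20) return 0;
    dst->used = 20;
    return 1;
}

/* a[idx] = c  ==>  assert(a.max > idx)   (assumed rule, see above) */
int model_index_write(const buf_attr *a, long idx) {
    return idx >= 0 && idx < a->max;
}

/* The slide's demo: char name[5]; name[9] = 'c';  -> 0 (unsafe) */
int check_demo(void) {
    buf_attr name = attr_alloc(5);
    return model_index_write(&name, 9);
}

/* Constructed callee in the shape of the slide's char *foo(char *s): the callee
 * only sees s's attributes (s_used), copies s into a 16-byte local and appends
 * a 4-byte suffix. Returns 1 if every modelled operation is safe for that input
 * length, 0 at the first failing assertion. */
int check_foo(long s_used) {
    buf_attr s = { s_used, s_used };   /* caller-side attributes of s */
    buf_attr local = attr_alloc(16);   /* char local[16]; */
    buf_attr suffix = attr_alloc(8);   /* char suffix[8] = "tail"; */
    suffix.used = 4;
    if (!model_strcpy(&local, &s)) return 0;      /* strcpy(local, s);      */
    if (!model_strcat(&local, &suffix)) return 0; /* strcat(local, suffix); */
    return 1;
}

int main(void) {
    printf("demo name[9]: %s\n", check_demo() ? "safe" : "UNSAFE");
    for (long n = 8; n <= 20; n += 4)
        printf("foo with used(s)=%ld: %s\n", n, check_foo(n) ? "safe" : "UNSAFE");
    return 0;
}
```

The point to take from running it is why the tool needs the model checker on top of these rules: check_foo is safe for s.used up to 12 and unsafe from 13, and only a path-sensitive exploration of the caller's attribute values decides which case is reachable.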

Demo example

Experiment results: vulnerability detection
Columns: Software, LOC, Total alarms (before, after), True, False, New bugs. Row values as reported:
- minicom-1.80 [1]: 6000, 18080, 3, 2, 1
- corehttp-alpha [2]: 5008, 13020, 9, 8, 7
- monkey0.11 [3]: 443, 1200, 5

[1] Minicom: http://alioth.debian.org/projects/minicom/
[2] Corehttp: http://corehttp.sourceforge.net/
[3] Monkey: http://sourceforge.net/projects/monkeyd/

Program slicing
Program slicing is used to reduce the state space.
Slicing criterion: SC(L) = (L, V)
- L: location of the buffer-related statements
- V: the buffer-related variables

# | No. of predicates | Trace length | Time (ms) | Perf. improve % | Result
Assert_1 | 4126 | 165 | time out | ---- | no result
Assert_1_slice | 43 | 44 | 2530 | | safe
Assert_2 | 4140 | 305 | | |
Assert_2_slice | 33 | 36 | | |
Assert_3 | 507 | 47 | 3409 | 19.5 % | unsafe
Assert_3_slice | 11 | | 2743 | |
Assert_4 | 915 | 126 | 2315 | 15.7 % |
Assert_4_slice | 15 | 6 | 1950 | |
Assert_5 | 715 | 76 | 12765 | 33.1 % |
Assert_5_slice | 23 | | 8550 | |
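To make the criterion SC(L) = (L, V) concrete, here is an added example that is not the paper's slicer: a backward static slice over a constructed straight-line C fragment, where L is the index of a strcpy statement and V its buffer variables. It follows data dependence only, through per-statement def/use sets (no control dependence, no pointer aliasing), which is a deliberate simplification of what a real slicer, and this tool's alias analysis, would have to handle. The sample program and its def/use sets are constructed for the example.

```c
/* Added example, not the paper's slicer: backward static slicing of a
 * constructed straight-line C fragment with the slide's criterion
 * SC(L) = (L, V). Only data dependence through def/use sets is followed
 * (no control dependence, no pointers), which is enough to show why slicing
 * on buffer-related statements shrinks the state the model checker explores. */
#include <stdio.h>
#include <string.h>

#define MAX_STMT 16
#define MAX_REL  32

typedef struct {
    const char *text;
    const char *def;       /* variable defined by the statement, or NULL */
    const char *use[4];    /* variables the statement reads */
    int nuse;
} stmt;

/* Constructed sample program; the statement index doubles as location L. */
const stmt prog[] = {
    {"int n = read_int();",       "n",   {0},            0},
    {"int k = read_int();",       "k",   {0},            0},
    {"char *buf = malloc(n);",    "buf", {"n"},          1},
    {"int m = k * 2;",            "m",   {"k"},          1},
    {"char *src = get_input();",  "src", {0},            0},
    {"printf(\"%d\\n\", m);",     NULL,  {"m"},          1},
    {"strcpy(buf, src);",         NULL,  {"buf", "src"}, 2},
};
#define NSTMT ((int)(sizeof prog / sizeof prog[0]))

/* Backward slice for criterion (L, V): sets in_slice[i] = 1 for statement L and
 * every earlier statement it transitively depends on. Returns the slice size. */
int backward_slice(int L, const char *const *V, int nv, int in_slice[MAX_STMT]) {
    const char *relevant[MAX_REL];   /* variables whose value still matters */
    int nrel = 0, count = 0;
    memset(in_slice, 0, sizeof(int) * MAX_STMT);
    for (int i = 0; i < nv && nrel < MAX_REL; i++) relevant[nrel++] = V[i];
    in_slice[L] = 1;
    for (int i = L - 1; i >= 0; i--) {           /* walk backwards from L */
        if (prog[i].def == NULL) continue;       /* defines nothing: no data dependence */
        int r, hit = -1;
        for (r = 0; r < nrel; r++)
            if (strcmp(relevant[r], prog[i].def) == 0) { hit = r; break; }
        if (hit < 0) continue;                   /* defines an irrelevant variable */
        in_slice[i] = 1;
        relevant[hit] = relevant[--nrel];        /* this def satisfies the need... */
        for (int u = 0; u < prog[i].nuse && nrel < MAX_REL; u++)
            relevant[nrel++] = prog[i].use[u];   /* ...and its inputs become relevant */
    }
    for (int i = 0; i < NSTMT; i++) count += in_slice[i];
    return count;
}

int main(void) {
    int in_slice[MAX_STMT];
    const char *V[] = { "buf", "src" };          /* V: buffer-related variables */
    int n = backward_slice(6, V, 2, in_slice);   /* L: the strcpy statement */
    printf("slice has %d of %d statements:\n", n, NSTMT);
    for (int i = 0; i < NSTMT; i++)
        if (in_slice[i]) printf("  %d: %s\n", i, prog[i].text);
    return 0;
}
```

For the strcpy criterion the slice keeps four of the seven statements (the two reads feeding the buffer size and the source string, the malloc, and the strcpy itself) and drops the k/m computation and the printf, which is exactly the reduction in predicates and trace length the table above reports.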

Related work
Static: ATOM, Pin, Cascade, CCured, ...
Dynamic: CRED

Conclusion & future work
Conclusion: the tool is precise and effective.
Future work:
- The efficiency remains to be improved
- Apply it to other new vulnerabilities
- Replace model checking with other techniques

Q&A