October 30, 2003CCS 2003 - Vinod Ganapathy1 Buffer Overrun Detection using Linear Programming and Static Analysis Vinod Ganapathy, Somesh Jha

Slides:



Advertisements
Similar presentations
Static Analysis for Security
Advertisements

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Fachbereich Informatik SVS – Sicherheit in Verteilten Systemen Universität Hamburg Preventing Buffer Overflows (and more) An overview of scientific approaches.
A System to Generate Test Data and Symbolically Execute Programs Lori A. Clarke September 1976.
Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.
Pointer Analysis – Part I Mayur Naik Intel Research, Berkeley CS294 Lecture March 17, 2009.
Control Flow Analysis (Chapter 7) Mooly Sagiv (with Contributions by Hanne Riis Nielson)
1 Program Slicing Purvi Patel. 2 Contents Introduction What is program slicing? Principle of dependences Variants of program slicing Slicing classifications.
Parameterized Object Sensitivity for Points-to Analysis for Java Presented By: - Anand Bahety Dan Bucatanschi.
Static Analysis for Memory Safety Salvatore Guarnieri
1 Static Testing: defect prevention SIM objectives Able to list various type of structured group examinations (manual checking) Able to statically.
Program analysis Mooly Sagiv html://
ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.
4/30/2008Prof. Hilfinger CS 164 Lecture 391 Language Security Lecture 39 (from notes by G. Necula)
Program analysis Mooly Sagiv html://
Static Detection of Buffer Overrun In C Code Lucas Silacci CSE 231 Spring 2000 University of California San Diego.
Improving Network Applications Security: a New Heuristic to Generate Stress Testing Data Presented by Conrad Pack Del Grosso et al.
Overview of program analysis Mooly Sagiv html://
Pointer and Shape Analysis Seminar Mooly Sagiv Schriber 317 Office Hours Thursday
Program Analysis Mooly Sagiv Tel Aviv University Sunday Scrieber 8 Monday Schrieber.
From last class. The above is Click’s solution (PLDI 95)
Handouts Software Testing and Quality Assurance Theory and Practice Chapter 5 Data Flow Testing
Software Testing and QA Theory and Practice (Chapter 4: Control Flow Testing) © Naik & Tripathy 1 Software Testing and Quality Assurance Theory and Practice.
Statically Detecting Likely Buffer Overflow Vulnerabilities David Larochelle David Evans University of Virginia Department of Computer Science Supported.
Static Analysis for Security Amir Bazine Per Rehnberg.
© 2007 GrammaTech, Inc. All rights reserved GrammaTech, Inc. 317 N Aurora St. Ithaca, NY Tel: Verifying.
Linear programming Lecture (4) and lecture (5). Recall An optimization problem is a decision problem in which we are choosing among several decisions.
Alleviating False Alarm Problem of Static Buffer Overflow Analysis Youil Kim
The Center for Advanced Research In Software Engineering (ARISE) The University of Texas at Austin Reengineering of Large-Scale Polylingual Systems Mark.
Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software Authors: James Newsome, James Newsome, David Brumley, David.
5.3 Machine-Independent Compiler Features
February 2001OASIS --- Norfolk1 Dependence Graphs for Information Assurance Paul Anderson GrammaTech, Inc. Ithaca, NY
TAJ: Effective Taint Analysis of Web Applications
PRESTO Research Group, Ohio State University Interprocedural Dataflow Analysis in the Presence of Large Libraries Atanas (Nasko) Rountev Scott Kagan Ohio.
CSC-682 Cryptography & Computer Security Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Pompi Rotaru Based on an article.
Inferring Specifications to Detect Errors in Code Mana Taghdiri Presented by: Robert Seater MIT Computer Science & AI Lab.
1 Compiler Construction (CS-636) Muhammad Bilal Bashir UIIT, Rawalpindi.
A Logic Meta-Programming Approach to support the Co-Evolution of Object-Oriented Design and Implementation Roel Wuyts , PROG.
1 Program Slicing Amir Saeidi PhD Student UTRECHT UNIVERSITY.
Adapting Side-Effects Analysis for Modular Program Model Checking M.S. Defense Oksana Tkachuk Major Professor: Matthew Dwyer Support US National Science.
By Davide Balzarotti Marco Cova Viktoria V. FelmetsgerGiovanni Vigna Presented by: Mostafa Saad.
Gogul Balakrishnan, Radu Gruian and Thomas Reps Computer Science Dept., Univ. of Wisconsin GrammaTech, Inc. April, 2005 CodeSurfer / x86 A Platform for.
A System to Generate Test Data and Symbolically Execute Programs Lori A. Clarke Presented by: Xia Cheng.
An Analysis of the Mozilla Jetpack Extension Framework Rezwana Karim, Mohan Dhawan, Vinod Ganapathy Computer Science, Rutgers University Chung-cheih Shan.
High Confidence Software and Systems HCMDSS Workshop Brad Martin June 2, 2005.
Protecting C Programs from Attacks via Invalid Pointer Dereferences Suan Hsi Yong, Susan Horwitz University of Wisconsin – Madison.
MIMOS Berhad. All Rights Reserved. Nurul Haszeli Ahmad PM Dr Syed Ahmad Aljunid Dr. Jamalul-Lail Ab Manan Preventing Exploitation on.
Code Motion for MPI Performance Optimization The most common optimization in MPI applications is to post MPI communication earlier so that the communication.
Pruning Dynamic Slices With Confidence Original by: Xiangyu Zhang Neelam Gupta Rajiv Gupta The University of Arizona Presented by: David Carrillo.
LINEAR PROGRAMMING 3.4 Learning goals represent constraints by equations or inequalities, and by systems of equations and/or inequalities, and interpret.
ReIm & ReImInfer: Checking and Inference of Reference Immutability and Method Purity Wei Huang 1, Ana Milanova 1, Werner Dietl 2, Michael D. Ernst 2 1.
MOPS: an Infrastructure for Examining Security Properties of Software Authors Hao Chen and David Wagner Appears in ACM Conference on Computer and Communications.
Chapter 4 Static Analysis. Summary (1) Building a model of the program:  Lexical analysis  Parsing  Abstract syntax  Semantic Analysis  Tracking.
VM: Chapter 7 Buffer Overflows. csci5233 computer security & integrity (VM: Ch. 7) 2 Outline Impact of buffer overflows What is a buffer overflow? Types.
Linear Programming McGraw-Hill/Irwin Copyright © 2012 by The McGraw-Hill Companies, Inc. All rights reserved.
Linear programming Lecture (4) and lecture (5). Recall An optimization problem is a decision problem in which we are choosing among several decisions.
1 Supporting a Volume Rendering Application on a Grid-Middleware For Streaming Data Liang Chen Gagan Agrawal Computer Science & Engineering Ohio State.
Data Flow Analysis Suman Jana
Lazy Preemption to Enable Path-Based Analysis of Interrupt-Driven Code
Handouts Software Testing and Quality Assurance Theory and Practice Chapter 4 Control Flow Testing
Points-to Analysis for Java Using Annotated Constraints
Topic 17: Memory Analysis
Symbolic Implementation of the Best Transformer
High Coverage Detection of Input-Related Security Faults
Program Slicing Baishakhi Ray University of Virginia
University Of Virginia
SUDS: An Infrastructure for Creating Bug Detection Tools
Pointer analysis.
CSC-682 Advanced Computer Security
Software Testing and QA Theory and Practice (Chapter 5: Data Flow Testing) © Naik & Tripathy 1 Software Testing and Quality Assurance Theory and Practice.
Presentation transcript:

October 30, 2003CCS Vinod Ganapathy1 Buffer Overrun Detection using Linear Programming and Static Analysis Vinod Ganapathy, Somesh Jha University of Wisconsin-Madison David Chandler, David Melski, David Vitek Grammatech Inc., Ithaca, New York

October 30, 2003CCS Vinod Ganapathy2 The Problem: Buffer Overflows Highly exploited class of vulnerabilities –Legacy programs in C are still vulnerable –“Safe” functions can be used unsafely Need: –Automatic techniques that will assure code is safe before it is deployed

October 30, 2003CCS Vinod Ganapathy3 The Solution Use static program analysis Produce a list of possibly vulnerable program locations Couple buffer overrun warnings with code understanding techniques Source Code Source Code Possible Buffer Overrun s Possible Buffer Overrun s Static Analysis Code Understanding

October 30, 2003CCS Vinod Ganapathy4 Our Contributions Program Analysis : –Incorporated buffer overrun detection in a program understanding tool Program slicing, Data predecessors,… –Use of procedure summaries to make buffer overrun analysis context- sensitive Constraint Resolution: –Use of linear programming to solve a range analysis problem

October 30, 2003CCS Vinod Ganapathy5 Roadmap of Talk Tool Architecture –Constraint Generation –Constraint Resolution –Producing Warnings Adding Context Sensitivity Results Future work and Conclusions

October 30, 2003CCS Vinod Ganapathy6 Tool Architecture C Source Code CFGs, PDGs, SDG Buffer Overrun Warnings Linear Constraints Ranges for Variables Linear Constraints CodeSurfer Constraint Generator Taint Analyzer Constraint Solver Detection Front-End

October 30, 2003CCS Vinod Ganapathy7 CodeSurfer C Source Code CFGs, PDGs, SDG Buffer Overrun Warnings Linear Constraints Ranges for Variables Linear Constraints CodeSurfer Constraint Generator Taint Analyzer Constraint Solver Detection Front-End

October 30, 2003CCS Vinod Ganapathy8 CodeSurfer Commercial tool from Grammatech Inc. Code understanding framework –Inter-procedural slicing, chopping… Internally constructs: –Control Flow Graph (CFG) –Program Dependence Graphs (PDG) –System Dependence Graph (SDG) Incorporates results of pointer analysis –Helps reduce the number of warnings

October 30, 2003CCS Vinod Ganapathy9 The Role of CodeSurfer Program Analysis Framework: –Use internal data structures to generate constraints Detection Front-end: –Link each warning to corresponding lines of source code through the System Dependence Graph –Interactive front-end

October 30, 2003CCS Vinod Ganapathy10 Constraint Generation C Source Code CFGs, PDGs, SDG Buffer Overrun Warnings Linear Constraints Ranges for Variables Linear Constraints CodeSurfer Constraint Generator Taint Analyzer Constraint Solver Detection Front-End

October 30, 2003CCS Vinod Ganapathy11 Constraint Generation Four kinds of program points result in constraints: –Declarations –Assignments –Function Calls –Function Return

October 30, 2003CCS Vinod Ganapathy12 Constraint Generation Four variables for each string buffer buf_len_max, buf_len_min buf_alloc_max, buf_alloc_min Operations on a buffer strcpy (tgt, src) tgt_len_max ≥ src_len_max tgt_len_min ≤ src_len_min

October 30, 2003CCS Vinod Ganapathy13 Constraint Generation if(…) strcpy( tgt, srcA ) strcpy( tgt, srcB ) tgt_len_max ≥ srcA_len_max tgt_len_min ≤ srcA_len_min tgt_len_max ≥ srcB_len_max tgt_len_min ≤ srcB_len_min

October 30, 2003CCS Vinod Ganapathy14 Constraint Generation Methods Order of statements: –Flow-Sensitive Analysis: Respects program order –Flow-Insensitive Analysis: Does not respect program order Function Calls: –Context-Sensitive modeling of functions: Respects the call-return semantics –Context-Insensitive modeling of functions: Ignores call-return semantics => imprecise

October 30, 2003CCS Vinod Ganapathy15 Constraint Generation Constraints generated by our tool: –Flow-insensitive –Context-sensitive for some library functions –Partly Context-sensitive for user defined function Procedure summaries

October 30, 2003CCS Vinod Ganapathy16 Taint Analysis C Source Code CFGs, PDGs, SDG Buffer Overrun Warnings Linear Constraints Ranges for Variables Linear Constraints CodeSurfer Constraint Generator Taint Analyzer Constraint Solver Detection Front-End

October 30, 2003CCS Vinod Ganapathy17 Taint Analysis Removes un-initialized constraint variables –Un-modeled library calls –Un-initialized program variables Required for solvers to function correctly

October 30, 2003CCS Vinod Ganapathy18 Constraint Solvers C Source Code CFGs, PDGs, SDG Buffer Overrun Warnings Linear Constraints Ranges for Variables Linear Constraints CodeSurfer Constraint Generator Taint Analyzer Constraint Solver Detection Front-End

October 30, 2003CCS Vinod Ganapathy19 Constraint Solvers Abstract problem: –Given a set of constraints on max and min variables –Get tightest possible fit satisfying all the constraints Our approach: –Model and solve as a linear program

October 30, 2003CCS Vinod Ganapathy20 Constraint Solvers We have developed two solvers: –Vanilla solver –Hierarchical solver Speed of Analysis Precision of results slow fast low high Vanilla Hierarchical

October 30, 2003CCS Vinod Ganapathy21 Linear Programming An objective function F Subject to: A set of constraints C Example: Maximize: x Subject to : X <= 3

October 30, 2003CCS Vinod Ganapathy22 Why Linear Programming? Can support arbitrary linear constraints Commercial linear program solvers are highly optimized and fast Use of linear programming duality for diagnostics –Can be used to produce a “witness” trace leading to the statement causing the buffer overrun

October 30, 2003CCS Vinod Ganapathy23 Vanilla Constraint Solver Goal: Obtain values for buffer bounds Modeling as a Linear Program Minimize : max variable Subject to : Set of Constraints And Maximize : min variable Subject to : Set of Constraints Least Upper Bound Greatest Lower Bound Tightest possible fit

October 30, 2003CCS Vinod Ganapathy24 Vanilla Constraint Solver However, it can be shown that: Min : Σ ( max vars) – Σ( min vars) Subject to : Set of Constraints yields the same solution for each variable Solve just one Linear Program and get values for all variables!

October 30, 2003CCS Vinod Ganapathy25 Vanilla Constraint Solver Why is this method imprecise? –Infeasible linear programs –Why do such linear programs arise? Deals with infeasibility using an approximation algorithm See paper for details

October 30, 2003CCS Vinod Ganapathy26 Detection Front-End C Source Code CFGs, PDGs, SDG Buffer Overrun Warnings Linear Constraints Ranges for Variables Linear Constraints CodeSurfer Constraint Generator Taint Analyzer Constraint Solver Detection Front-End

October 30, 2003CCS Vinod Ganapathy27 Detection Front-End 0 1 buf_alloc_min buf_len_max Scenario I: ‘’Possible’’ buffer overflow

October 30, 2003CCS Vinod Ganapathy28 Detection Front-End 0 1 buf_alloc_min buf_len_max Scenario II: Sure buffer overflow

October 30, 2003CCS Vinod Ganapathy29 Roadmap of Talk Tool Architecture –Constraint Generation –Constraint Resolution –Producing Warnings Adding Context Sensitivity Results Future work and Conclusions

October 30, 2003CCS Vinod Ganapathy30 Context-Insensitive Analysis foo () { bar () { int x; int y; x = foobar(5); y = foobar(30); } } int foobar (int z) { int i; i = z + 1; return i; }

October 30, 2003CCS Vinod Ganapathy31 Context-Insensitive Analysis foo () { bar () { int x; int y; x = foobar(5); y = foobar(30); } } int foobar (int z) { int i; i = z + 1; return i; }

October 30, 2003CCS Vinod Ganapathy32 Context-Insensitive Analysis foo () { bar () { int x; int y; x = foobar(5); y = foobar(30); } } int foobar (int z) { int i; i = z + 1; return i; }

October 30, 2003CCS Vinod Ganapathy33 Context-Insensitive Analysis foo () { bar () { int x; int y; x = foobar(5); y = foobar(30); } } int foobar (int z) { int i; i = z + 1; return i; } False Path Result: x = y = [6..31]

October 30, 2003CCS Vinod Ganapathy34 Adding Context Sensitivity Make user functions context-sensitive –e.g. wrappers around library calls Inefficient method: Constraint inlining Can separate calling contexts  Large number of constraint variables  Cannot support recursion

October 30, 2003CCS Vinod Ganapathy35 Adding Context Sensitivity Efficient method: Procedure summaries Basic Idea: –Summarize the called procedure –Insert the summary at the call-site in the caller –Remove false paths

October 30, 2003CCS Vinod Ganapathy36 Adding Context Sensitivity foo () { bar () { int x; int y; x = foobar(5); y = foobar(30); } } int foobar (int z) { int i; i = z + 1; return i; }

October 30, 2003CCS Vinod Ganapathy37 Adding Context Sensitivity foo () { bar () { int x; int y; x = foobar(5); y = foobar(30); } } int foobar (int z) { int i; i = z + 1; return i; } Summary: i = z + 1 x = y =

October 30, 2003CCS Vinod Ganapathy38 Adding Context Sensitivity foo () { bar () { int x; int y; x = foobar(5); y = foobar(30); } } int foobar (int z) { int i; i = z + 1; return i; } Jump Functions

October 30, 2003CCS Vinod Ganapathy39 Adding Context Sensitivity foo () { bar () { int x; int y; x = foobar(5); y = foobar(30); } } int foobar (int z) { int i; i = z + 1; return i; } No false paths x = [6..6] y = [31..31] i = [6..31]

October 30, 2003CCS Vinod Ganapathy40 Adding Context Sensitivity Computing procedure summaries: –In most cases, reduces to a shortest path problem –Other cases, Fourier-Motzkin variable elimination

October 30, 2003CCS Vinod Ganapathy41 Roadmap of Talk Tool Architecture –Constraint Generation –Constraint Resolution –Producing Warnings Adding Context Sensitivity Results Future work and Conclusions

October 30, 2003CCS Vinod Ganapathy42 Results: Overruns Identified ApplicationLOCWarningsVulnerabilityDetected? WU-FTPD CA Yes WU-FTPD None14 New Sendmail Identified by Wagner et al. Yes Sendmail CA Yes, but…

October 30, 2003CCS Vinod Ganapathy43 Results: Context Sensitivity WU-FTPD-2.6.2: 7310 ranges identified Constraint Inlining: –5.8x number of constraints –8.7x number of constraint variables –406 ranges refined in at least one calling context Function Summaries: –72 ranges refined

October 30, 2003CCS Vinod Ganapathy44 Roadmap of Talk Tool Architecture –Constraint Generation –Constraint Resolution –Producing Warnings Adding Context Sensitivity Results Future work and Conclusions

October 30, 2003CCS Vinod Ganapathy45 Conclusions Built a tool to detect buffer overruns Incorporated in a program understanding framework Current work: –Adding Flow Sensitivity –Reducing the number of false warnings while still maintaining scalability

October 30, 2003CCS Vinod Ganapathy46 Buffer Overrun Detection using Linear Programming and Static Analysis Vinod Ganapathy, Somesh Jha University of Wisconsin-Madison David Chandler, David Melski, David Vitek Grammatech Inc., Ithaca, New York

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.