Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Slides:

Advertisements

Similar presentations

Static Analysis for Security

Advertisements

Improving Integer Security for Systems with KINT Xi Wang, Haogang Chen, Zhihao Jia, Nickolai Zeldovich, Frans Kaashoek MIT CSAIL Tsinghua IIIS.

Intermediate Code Generation

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Mobile Code Security Aviel D. Rubin, Daniel E. Geer, Jr. MOBILE CODE SECURITY, IEEE Internet Computing, 1998 Minkyu Lee

Chapter 5: Elementary Data Types Properties of types and objects –Data objects, variables and constants –Data types –Declarations –Type checking –Assignment.

Type Checking Compiler Design Lecture (02/25/98) Computer Science Rensselaer Polytechnic.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

CIS 101: Computer Programming and Problem Solving Lecture 8 Usman Roshan Department of Computer Science NJIT.

Bellevue University CIS 205: Introduction to Programming Using C++ Lecture 3: Primitive Data Types.

Telescoping Languages: A Compiler Strategy for Implementation of High-Level Domain-Specific Programming Systems Ken Kennedy Rice University.

LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.

Checking System Rules Using System-Specific, Programmer- Written Compiler Extensions Dawson Engler, Benjamin Chelf, Andy Chow, Seth Hallem Computer Systems.

Context-sensitive Analysis, II Ad-hoc syntax-directed translation, Symbol Tables, andTypes.

A Type System for Expressive Security Policies David Walker Cornell University.

From Cooper & Torczon1 Implications Must recognize legal (and illegal) programs Must generate correct code Must manage storage of all variables (and code)

MULTIVIE W Checking System Rules Using System-Specific, Program-Written Compiler Extensions Paper: Dawson Engler, Benjamin Chelf, Andy Chou, and Seth Hallem.

Guide To UNIX Using Linux Third Edition

1.2 Language Processing Activities The fundamental language processing activities divided into two parts. 1. Program generation activities 2. Program execution.

Programming Logic and Design, Introductory, Fourth Edition1 Understanding Computer Components and Operations (continued) A program must be free of syntax.

Guide To UNIX Using Linux Third Edition

Introduction to Unix (CA263) Introduction to Shell Script Programming By Tariq Ibn Aziz.

1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.

1.3 Executing Programs. How is Computer Code Transformed into an Executable? Interpreters Compilers Hybrid systems.

Examining the Code [Reading assignment: Chapter 6, pp ]

Java Security. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security Manager.

© Janice Regan, CMPT 128, Jan CMPT 128 Introduction to Computing Science for Engineering Students Creating a program.

Control Flow Resolution in Dynamic Language Author: Štěpán Šindelář Supervisor: Filip Zavoral, Ph.D.

Computer Security and Penetration Testing

Inferring and checking system rules by static analysis William R Wright.

Proof Carrying Code Zhiwei Lin. Outline Proof-Carrying Code The Design and Implementation of a Certifying Compiler A Proof – Carrying Code Architecture.

Board Activity Find your seat on the seating chart Login – Remember your login is your first initial your last name and the last three numbers of your.

Jose Sanchez 1 o Tielei Wang†, TaoWei†, Zhiqiang Lin‡, Wei Zou†. o Purdue University & Peking University o Proceedings of NDSS'09: Network and Distributed.

Chapter 1 Introduction Chapter 1 Introduction 1 st Semester 2015 CSC 1101 Computer Programming-1.

Introduction to Problem Solving. Steps in Programming A Very Simplified Picture –Problem Definition & Analysis – High Level Strategy for a solution –Arriving.

Static Analysis James Walden Northern Kentucky University.

CHAPTER 1 INTRODUCTION 1 st Semester H King Saud University College Of Applied Studies and Community Services CSC 1101 Computer Programming-1.

Static Program Analysis of Embedded Software Ramakrishnan Venkitaraman Graduate Student, Computer Science Advisor: Dr. Gopal Gupta

Page 1 5/2/2007  Kestrel Technology LLC A Tutorial on Abstract Interpretation as the Theoretical Foundation of CodeHawk  Arnaud Venet Kestrel Technology.

1 Checking System Rules Using System-Specific, Programmer-Written Compiler Extensions Dawson Engler Benjamin Chelf Andy Chou Seth Hallem Stanford University.

Buffer Overflow Proofing of Code Binaries By Ramya Reguramalingam Graduate Student, Computer Science Advisor: Dr. Gopal Gupta.

CHAPTER 1 INTRODUCTION 2 nd Semester H King Saud University College Of Applied Studies and Community Services CSC 1101 Computer Programming-1.

An Undergraduate Course on Software Bug Detection Tools and Techniques Eric Larson Seattle University March 3, 2006.

A System to Generate Test Data and Symbolically Execute Programs Lori A. Clarke Presented by: Xia Cheng.

How Are Computers Programmed? CPS120: Introduction to Computer Science Lecture 5.

Efficient software-based fault isolation Robert Wahbe, Steven Lucco, Thomas Anderson & Susan Graham Presented by: Stelian Coros.

Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.

Efficient Software-Based Fault Isolation Authors: Robert Wahbe Steven Lucco Thomas E. Anderson Susan L. Graham Presenter: Gregory Netland.

/ PSWLAB Evidence-Based Analysis and Inferring Preconditions for Bug Detection By D. Brand, M. Buss, V. C. Sreedhar published in ICSM 2007.

Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications Davide Balzarotti, Marco Cova, Vika Felmetsger, Nenad Jovanovic,

Chapter 10 Chapter 10 Implementing Subprograms. Implementing Subprograms  The subprogram call and return operations are together called subprogram linkage.

INTRODUCTION TO COMPUTER PROGRAMMING(IT-303) Basics.

Software Design and Development Languages and Environments Computing Science.

Sung-Dong Kim, Dept. of Computer Engineering, Hansung University Java - Introduction.

Chapter 1 Introduction 2nd Semester H

Secure Coding Rules for C++ Copyright © 2016 Curt Hill

Introduction to Operating Systems

Types for Programs and Proofs

Key Ideas from day 1 slides

Secure Coding Rules for C++ Copyright © Curt Hill

High Coverage Detection of Input-Related Security Faults

SUDS: An Infrastructure for Creating Bug Detection Tools

All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, Thanassis.

King Saud University College Of Applied Studies and Community Services CSC 1101 Computer Programming-1 Done By: Asmal Alosaimi Edited By: Fatimah Alakeel.

Test Case Test case Describes an input Description and an expected output Description. Test case ID Section 1: Before execution Section 2: After execution.

King Saud University College Of Applied Studies and Community Services CSC 1101 Computer Programming-1 Done By: Asmal Alosaimi Edited By: Fatimah Alakeel.

IntScope: Automatically Detecting Integer overflow vulnerability in X86 Binary Using Symbolic Execution Tielei Wang, TaoWei, ZhingiangLin, weiZou Purdue.

In Today’s Class.. General Kernel Responsibilities Kernel Organization

Presentation transcript:

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007

Outline Motivation Example: Range Checker Solution Details  Belief Inference  Analysis Issues  Enforcing Obscure Rules Evaluation Discussion

Motivation (1) Problem  Find security holes (security rules violation) in source code of system software Security rules  Sanitize untrusted input before using it  Do not release sensitive data to unauthorized users Observation  Many rules are poorly understood and erratically obeyed Approach  Use static analysis to check if security rules are obeyed

Motivation (2) Program analysis: Intuition  Tool Security rules  Domain specific  System specific  High-level Metacompilation  Make it easy for programmer to add rules

Example: Range Checker (1) Security rule  Integers supplied by untrustworthy sources should be range-checked before used for dangerous operations

Range Check (2) Checker needs to identify  Untrustworthy sources that generate data  Checks must be done to sanitize the data  Trusting sinks that must be protected Untrustworthy sources  System calls (sys_*)  Routines copy data from user space (copy_from_user, copyin)  Data from network

Range Check (3) Sanitizing data  Signed integers: lower and upper bound  Unsigned integers: upper bound check  Tricky: integer overflow

Range Check (4) Trusting sinks  Array index  Loop bound  Copying/allocation routines Potentially 3 x 3 x 3 = 27 types of security holes!

Implementation (1)

Implementation (2) State machine representation  Metal: high-level, state-machine language  Compilation extension linked to xgcc  States can be global or bound to expressions How it works?  “After xgcc translates each input function into its internal representation, the checker is applied down every possible execution path in that function”

Implementation (3)

Advantages Propagate the knowledge of one programmer to many  Security rules are subtle Find difficult-to-observe errors Catch error without running code  Many errors are found in the drivers Lightweight

About the checker Ad hoc knowledge (security rules) Effective (range checker finds 100+ errors in Linux) False negative False positive

Belief Inference Traditional checkers:  Hardwired knowledge MC:  Use code behavior to infer checking properties Inference  Untrustworthy sources  Trusting sinks  Network Data

Driving Untrustworthy Sources Challenges  There are many untrustworthy sources  Difficult to analyze Use inference  Untrustworthy input is often used in stylized ways

Deriving Trusting Sinks Normal checking sequence  (1) OS reads data from unsafe source  (2) Check the data  (3) Pass it to a trusting sink What if (3) is missing?  Something may be wrong…

Network Data Challenge  Network data is not trustworthy  sk_buff holds network data  Incoming or outgoing? Candidates  If the fields were read more often than written, the structure is incoming  If the checker sees the allocation of the structure, it’s outgoing

Analysis – Transitive Tainting Allow tainted variables to transitively taint other variables

Analysis – Inter-procedural Analysis (1) The user only provides the “base” unsafe sources and trusting sinks Automatically compute all procedures that transitively produces or consumes data Two-pass process  First pass: Emit a call graph, compute the transitive set of functions, store calculated sources and sinks in text files  Second pass: at call sites, taint variable / report errors Special case: function pointers

Analysis – Inter-procedural Analysis (2)

Analysis – False Positives Checker design  First write simple checkers  Eliminating false positives Common false positives  “Fancy” bound checks  Taint granularity  Subroutine checks bounds

Analysis – False Negatives First of all, false negatives are expected… Potential improvements  Comparison with correct value  Other information flow channel (tainted value stored in data structure)  Info lost during inter-procedure analysis  Only local inference

Enforcing Obscure Rules (1) The length-field copy attack  Signed integer must be lower and upper bound checked

Enforcing Obscure Rules (2) Integer overflow  Fixed size arithmetic

Evaluation (1) – Errors Overview Severe erros as common as minor ones

Evaluation (2) – Errors Overview Most bugs are local Low false positive rate

Evaluation (3) – Results Validation Linux (2.4.5 – )  Post errors to Linux Kernel  Count unique errors  Many resulted in kernel patch  False result – kernel developers will explain why  Minor bugs – may introduce possibility of new bugs OpenBSD (2.9)  Submitted to a local BSD hacker  All errors resulted in kernel patches Total kernel patches 50+

Discussion (1) Core techniques  Static analysis – State Machine model, although implementation details are not given (see details)details  Make ad hoc knowledge powerful  Belief inference (save effort to specify everything)  Extract information from source code presentation

Discussion (2) How to do better?  Static analysis (other models/tools?)  Finding errors (combine with dynamic analysis?) Other applications  Finding bugs (past work)  …

Thank you

Reference Using Programmer-Written Compiler Extensions to Catch Security Holes Ken Ashcraft and Dawson Engler In Proceeding of IEEE Security and Privacy 2002.