1 Refining Buffer Overflow Detection via Demand-Driven Path-Sensitive Analysis Wei Le and Mary Lou Soffa University of Virginia sotesty.cs.virginia.edu.

2 Motivation
Buffer overflow: 20 years since the Morris Worm, still the most common exploit
Challenge: eliminate exploitable buffer overflows
– Detect where a buffer overflow can occur
– Determine the cause and remove it

3 Problems of Static Approaches
Detection precision: false positives
Error reports do not provide much information for diagnosis
– only an overflow point in the program is reported
Not fully automatic: manual annotation is required

4 Our Goals and Approaches
Goal: automatically identify the paths on which a buffer overflow can occur and report the path segment that causes the overflow
Challenge: huge number of paths
Approach:
– interprocedural path-sensitive analysis, for precision and to help diagnosis
– demand-driven analysis, for scalability

5 Five Types of Paths
Infeasible: no input can exercise the path
Safe: no input can overflow the buffer
Vulnerable: users can write any content to the buffer
Overflow-user-independent: the buffer content is statically determinable
Don't-know: the buffer status cannot be judged statically

6 An Example (wu-ftpd realpath.c)
Control-flow nodes of the fragment as drawn on the slide, with two NUL-terminated buffers, wbuf and resolved, and LEN = 6:
– rootd = 1 or rootd = 0
– strlen(wbuf)+rootd+1+strlen(resolved) > LEN ? (y: exit; n: continue)
– rootd == 0 ? (y: strcat(resolved, "/"))
– strcat(resolved, wbuf)
Paths through the fragment carry the labels Safe, Overflow and Infeasible.

7 Demand-Driven Analysis
Same control flow as the previous slide, now preceded by the declaration char resolved[LEN].
Query raised at strcat(resolved, wbuf): Q0 (s < l, f), where
– s: strlen(resolved) + strlen(wbuf)
– l: sizeof(resolved)
– f: wbuf (the flagged, user-controlled source string)
Queries propagated backward through the graph (subscripts name the nodes passed): Q1 (s+1 < l, f), Q05 (LEN-1-rootd < l, f), Q15 (LEN-rootd < l, f), Q052 (LEN-1 < l, f), Q053 (LEN-1 < l, f), Q153 (LEN < l, f)
Outcomes marked on the slide: Solved, Infeasible.

8 The Demand-Driven Model
PVS (potentially vulnerable statement): strcpy(a, b)
Query: sizeof(a) > strlen(b), flag
Information for updating queries: char a[9]
Propagation rules: interprocedural, loop, join point, infeasible
Resolving the query: false, flag = user input

9 Approach
Inputs: Program, Overflow Properties, PVS, Node Information, Infeasible Paths (produced by Feasibility Detection)
Stages: Raise Query, Propagate Query, Update Query, Resolve Query; once resolved (Yes), Propagate Results and Label Paths, otherwise (No) the query continues to propagate
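The following program is an added example written for this page; it is not Marple's code and not the authors' implementation. It encodes the realpath.c fragment from slides 6 and 7 as a small control-flow graph, raises the slide-8 query at a strcat PVS, propagates it backward along every path to the entry (each node contributing a transfer function or a branch condition), and labels each path with one of the five path types from slide 5. LEN = 6 is taken from the slide; the node names n1 to n6, the symbols r and w for the entry lengths, the edge layout, and the use of bounded enumeration in place of a real constraint solver are assumptions made for this example.

```python
"""Toy demand-driven, path-sensitive buffer-overflow query propagation.

Added example (not Marple's code): encodes the wu-ftpd realpath.c fragment
from the slides as a small CFG, raises a query at a potentially vulnerable
statement (PVS), propagates it backward to entry along every path, and
labels each path with one of the five path types.  LEN, the node layout
and the bounded-enumeration resolver are assumptions made for this example.
"""
from itertools import product

LEN = 6                      # sizeof(resolved); value taken from the slide
USER_INPUT = {"wbuf"}        # strings the user controls (flag f in the query)
# Symbolic lengths at entry: r = strlen(resolved), w = strlen(wbuf).
DOMAIN = {"r": range(LEN + 1), "w": range(LEN + 1)}

# Constructed CFG.  NODES: id -> (kind, payload); PRED: id -> [(pred, outcome)]
# where outcome is the branch result taken on that edge (None if unconditional).
NODES = {
    "entry": ("entry", None),
    "n1": ("assign", ("rootd", 1)),
    "n2": ("assign", ("rootd", 0)),
    "n3": ("branch", lambda e: e["w"] + e["rootd"] + 1 + e["r"] > LEN),
    "n4": ("branch", lambda e: e["rootd"] == 0),
    "n5": ("strcat", ("resolved", "/")),     # appends one constant byte
    "n6": ("strcat", ("resolved", "wbuf")),  # appends user-controlled data
}
PRED = {
    "n1": [("entry", None)], "n2": [("entry", None)],
    "n3": [("n1", None), ("n2", None)],
    "n4": [("n3", False)],                   # n3 == True leaves via exit
    "n5": [("n4", True)],
    "n6": [("n4", False), ("n5", None)],
}

def srclen(e, src):
    """Length of the string appended by strcat: symbolic for user input."""
    return e["w"] if src == "wbuf" else len(src)

# Backward transfer functions: each returns a new predicate over the entry
# environment, so a query is "solved" simply by evaluating it at entry.
def bind(f, var, val):            # pass backward through var = val
    return lambda e: f({**e, var: val})

def grow(f, src):                 # pass backward through strcat(resolved, src)
    return lambda e: f({**e, "r": e["r"] + srclen(e, src)})

def outcome(cond, taken):         # record which way a branch went
    return lambda e: cond(e) == taken

def raise_query(pvs):
    """Query at strcat(dst, src): strlen(dst) + strlen(src) < sizeof(dst)."""
    _, (dst, src) = NODES[pvs]
    assert dst == "resolved"      # only one buffer is modelled here
    return (lambda e: e["r"] + srclen(e, src) < LEN), src

def resolve(holds, conds, src, domain):
    """Decide the query at entry by bounded enumeration of the symbolic
    lengths (an assumption standing in for a real constraint solver)."""
    try:
        envs = [dict(zip(domain, vals)) for vals in product(*domain.values())]
        feasible = [e for e in envs if all(c(e) for c in conds)]
        if not feasible:
            return "Infeasible"
        if all(holds(e) for e in feasible):
            return "Safe"
    except KeyError:              # a symbol with no known range: cannot judge
        return "Don't-know"
    return "Vulnerable" if src in USER_INPUT else "Overflow-user-independent"

def classify(pvs, domain=DOMAIN):
    """Propagate the query raised at pvs backward along every path and
    return {path: label}; paths are tuples from entry to the PVS."""
    holds, src = raise_query(pvs)
    results = {}

    def walk(node, holds, conds, path):
        if NODES[node][0] == "entry":
            results[tuple(reversed(path))] = resolve(holds, conds, src, domain)
            return
        for pred, taken in PRED[node]:
            kind, payload = NODES[pred]
            h, cs = holds, list(conds)
            if kind == "assign":
                h, cs = bind(h, *payload), [bind(c, *payload) for c in cs]
            elif kind == "branch":
                cs.append(outcome(payload, taken))
            elif kind == "strcat":
                h, cs = grow(h, payload[1]), [grow(c, payload[1]) for c in cs]
            walk(pred, h, cs, path + [pred])

    walk(pvs, holds, [], [pvs])
    return results

if __name__ == "__main__":
    for pvs in ("n6", "n5"):
        for path, label in classify(pvs).items():
            print(f"{' -> '.join(path):40s} {label}")
```

Running it reproduces the three labels on slide 6 for the strcat(resolved, wbuf) PVS: the rootd = 1 path is Safe, the rootd = 0 path through strcat(resolved, "/") is Vulnerable (the check admits strlen(resolved) + strlen(wbuf) = LEN - 1, which the extra "/" pushes past the buffer), and the two paths whose rootd == 0 test contradicts the earlier assignment are Infeasible. Raising the query at strcat(resolved, "/") instead yields Overflow-user-independent, since that source is a constant, and removing r from the domain makes the resolver answer Don't-know, which is how the toy models a length it cannot bound.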

10 Experiments
Purpose
− existence of the 5 types of paths
− benefit of demand-driven analysis
Implementation: Microsoft Phoenix APIs [phoenix]
Benchmarks
− 9 programs, size K LOC
− the BugBench [06lu] and Buffer Overflow Benchmark [03Zitser]

11 Experimental Results
Path types per benchmark (only the values shown survived extraction; one wu-ftp entry is truncated to ",624"):

Benchmark    Vul    CNST      UnK    Safe
polymorph
ncompress
man-1.5h
gzip
bc-1.06      0      >50,000   0      >30,000
squid
wu-ftp
sendmail
BIND         0      0         2      0

12 Experimental Results
All defined types of paths exist
Problematic paths manifest certain complexity
Memory usage: 9-65 MB
Time cost: s

13 User Scenario
Diagram: a path from Entry to the PVS.

14 User Scenario
Diagram: the path from Entry to the PVS, with the path labels Vulnerable and Overflow User Independent.

15 User Scenario
Diagram: the path from Entry to the PVS, with the path labels Vulnerable and Overflow User Independent.

16 User Scenario
Diagram: the path from Entry to the PVS with the Root Cause marked, and the path labels Vulnerable and Overflow User Independent.
Average path size per benchmark (columns #P and #B; the numbers did not survive extraction):

Benchmark    #P    #B
polymorph
ncompress
man-1.5h
gzip
squid
wu-ftp
sendmail
BIND

17 Related Work
Static detection for buffer overflow: ARCHER [03xie], BOON [00wagner], ESPx [06hackett], Prefast [ms], Prefix [00bush], Splint [96evans]
Path-sensitive analysis for defects: ARCHER [03xie], ESPx [06hackett], ESP [02das], IPSSA [03livshits], MOPS [02check], Prefix [00bush]
Demand-driven approach
− a general framework [96Duesterwald]
− applications: dataflow computation [96Duesterwald], infeasible path detection [97bodik], memory leak [06Orlovich], postmortem analysis [04Manevich]

18 Conclusions
A categorization of five types of paths for buffer overflow
An interprocedural demand-driven path-sensitive diagnosis tool for identifying the type of each path through a potential overflow
Experimental results demonstrating that these path types exist in real programs

19 Thank you and Questions?