
1 Property 3: standard file descriptors vulnerability

Standard file descriptors: 0 = stdin, 1 = stdout, 2 = stderr. A setuid program inherits whatever descriptor table its untrusted parent hands it, and open() always returns the lowest free descriptor.

attack.c (the adversary's process):
    close(1);
    close(2);
    execl("at", ...);

at.c (the setuid victim):
    open(LOCK, O_WRONLY);
    ...
    fd = open(atfile, O_CREAT);
    ...
    perror(user_str);

Descriptor table as the trace proceeds:
    initially:                 0: tty   1: tty    2: tty
    after close(1), close(2):  0: tty   1: -      2: -
    after open(LOCK):          0: tty   1: LOCK   2: -
    after open(atfile):        0: tty   1: LOCK   2: atfile

perror() writes to descriptor 2, which is now atfile, so an attacker-chosen string (user_str) is written into a file the privileged program created.

Program: at
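The descriptor-reuse sequence above, replayed in a single process beside the standard fix (make sure 0, 1 and 2 are open before doing anything else). This is an added example, not code from the slides or from at(1); it assumes a POSIX open() that returns the lowest free descriptor, a writable /tmp, and uses perror() output as the stand-in for the attacker-chosen user_str.

```c
/* fd_sanitize.c: reproduces the at(1) descriptor-reuse scenario in-process
 * and shows the fix. Added example; not code from the slides or from at(1).
 * Assumptions: POSIX open() returns the lowest free descriptor; /tmp is
 * writable; the temp-file name below is constructed for the demo. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* A closed descriptor makes fcntl(F_GETFD) fail with EBADF. */
static int fd_is_open(int fd) {
    return fcntl(fd, F_GETFD) != -1;
}

/* The fix a setuid program should apply before touching any file: make
 * sure 0, 1 and 2 are open (backed by /dev/null if need be) so that later
 * open() calls land at descriptor 3 or above. Returns 0 on success. */
int sanitize_std_fds(void) {
    for (int fd = 0; fd <= 2; fd++) {
        if (fd_is_open(fd))
            continue;
        int got = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (got < 0)
            return -1;
        if (got != fd) {            /* lower slots are filled in order, so this is unexpected */
            close(got);
            return -1;
        }
    }
    return 0;
}

/* Replays the attack: stderr is closed (as attack.c does before exec),
 * the "victim" creates a file, then calls perror() with attacker-chosen
 * text. Returns 1 if that text ended up inside the victim's file,
 * 0 if it did not, -1 on setup failure. */
int simulate_at_attack(int hardened) {
    if (sanitize_std_fds() != 0)            /* start from a normal 0/1/2 layout */
        return -1;
    int saved_stderr = dup(2);
    if (saved_stderr < 0)
        return -1;

    close(2);                               /* attack.c: close(2); execl("at", ...) */
    if (hardened && sanitize_std_fds() != 0) {
        dup2(saved_stderr, 2);
        close(saved_stderr);
        return -1;
    }

    char path[] = "/tmp/mops-atfile-XXXXXX";  /* constructed stand-in for atfile */
    int fd = mkstemp(path);                 /* at.c: fd = open(atfile, O_CREAT) */
    int leaked = -1;
    if (fd >= 0) {
        errno = EACCES;
        perror("attacker-controlled user_str");   /* at.c: perror(user_str) */

        char buf[256] = {0};
        lseek(fd, 0, SEEK_SET);
        ssize_t n = read(fd, buf, sizeof buf - 1);
        leaked = (n > 0 && strstr(buf, "attacker-controlled") != NULL) ? 1 : 0;
        close(fd);
        unlink(path);
    }
    dup2(saved_stderr, 2);                  /* restore the real stderr */
    close(saved_stderr);
    return leaked;
}

int main(void) {
    printf("unhardened: perror text landed in atfile? %d\n", simulate_at_attack(0));
    printf("hardened:   perror text landed in atfile? %d\n", simulate_at_attack(1));
    return 0;
}
```

Without the fix the temporary file receives descriptor 2 and perror()'s output lands in it; with sanitize_std_fds() run first, the file gets descriptor 3 and the error text goes to /dev/null. The same check belongs at the top of any setuid or setgid entry point, before the first open().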

2 Model Checking Millions of Lines of C Code
Hao Chen, Drew Dean, David Wagner
Ben Schwarz, Geoff Morrison, Jacob West, Jeremy Lin

3 Problem statement
Demonstrate the impact of MOPS for improving software security
MOPS: MOdel checking Programs for Security

4 Achievements
Showed that MOPS is scalable
–Checked 700 packages in RedHat Linux 9 (85% of packages, 30 million LOC)
Showed that MOPS is usable
–Most checks were done by students who were neither tool nor package developers
Showed that MOPS is useful
–Found dozens of bugs, and counting

5 Outline
Overview of MOPS
What have we done?
–Checked 700 packages on RedHat Linux 9
–Checked the EROS kernel
How did we do it?
Conclusion
Demo

6 MOPS (MOdel checking Programs for Security properties)
A static analysis tool that checks source programs for temporal safety properties
Main features
–Pushdown model checking
–Inter-procedural analysis
–Control flow centric

7 MOPS: MOdel checking Programs for Security properties
Architecture:
    Program  -->  Parser  -->  CFG  --+
                                      +-->  Model Checker  -->  Program OK / Error traces
    Security Property (FSA)  ---------+
The parser turns the program into a control-flow graph (CFG); the model checker checks the CFG against the security property, given as a finite state automaton (FSA), and reports either that the program is OK or a set of error traces.

8 Property 1: race condition
Victim:
    absent = stat(tmpfile, &s);
    if (absent) {
        fp = fopen(tmpfile, "w");
Adversary (between the stat and the fopen):
    Create tmpfile

9 FSA model for race condition
Transitions: start --Check(f)--> checked(f) --Use(f)--> error
Check(f): stat(f), lstat(f), access(f), readlink(f), statfs(f)
Use(f): chmod(f), chroot(f), creat(f), execv(f), execve(f), execl(f), ...
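The Check(f)-then-Use(f) sequence the FSA rejects, replayed deterministically beside the fix, as an added example (not code from the slides or from any of the packages they name). The adversary's step is a callback invoked in the race window so the outcome is reproducible; file names under /tmp are constructed for the demo.

```c
/* toctou.c: the Check(f) -> Use(f) pattern from slides 8-9 beside the fix.
 * Added example; not the slides' code. The "adversary" is a callback run
 * between the check and the use so the race window is deterministic.
 * Paths under /tmp are constructed here. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

typedef void (*adversary_fn)(const char *tmpfile, const char *victim);

/* The pattern MOPS flags: stat() on a path, then fopen() on the same path. */
int unsafe_create(const char *tmpfile, const char *victim, adversary_fn adv) {
    struct stat s;
    int absent = stat(tmpfile, &s) != 0;     /* Check(f) */
    if (!absent)
        return -1;
    if (adv)
        adv(tmpfile, victim);                /* the race window */
    FILE *fp = fopen(tmpfile, "w");          /* Use(f): follows symlinks, truncates */
    if (!fp)
        return -1;
    fputs("scratch data\n", fp);
    fclose(fp);
    return 0;
}

/* Hardened: no check on the name at all. Ask the kernel to create the file
 * atomically, refuse to follow a symlink, then validate and use the
 * descriptor rather than the path. */
int safe_create(const char *tmpfile, const char *victim, adversary_fn adv) {
    if (adv)
        adv(tmpfile, victim);                /* same adversary, acting first */
    int fd = open(tmpfile, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;                           /* EEXIST or ELOOP: somebody planted it */
    struct stat s;
    if (fstat(fd, &s) != 0 || !S_ISREG(s.st_mode) || s.st_nlink != 1) {
        close(fd);
        return -1;
    }
    if (write(fd, "scratch data\n", 13) < 0) { close(fd); return -1; }
    close(fd);
    return 0;
}

/* Adversary: plant a symlink at the predictable temp name pointing at the victim. */
static void plant_symlink(const char *tmpfile, const char *victim) {
    symlink(victim, tmpfile);
}

/* Runs one scenario against a freshly created victim file.
 * Returns 1 if the victim was clobbered, 0 if intact, -1 on setup failure. */
int run_scenario(int hardened) {
    char victim[] = "/tmp/mops-victim-XXXXXX";
    int vfd = mkstemp(victim);
    if (vfd < 0)
        return -1;
    if (write(vfd, "IMPORTANT\n", 10) < 0) { close(vfd); return -1; }
    close(vfd);

    char tmpfile[64];
    snprintf(tmpfile, sizeof tmpfile, "%s.tmp", victim);   /* predictable name */
    unlink(tmpfile);

    if (hardened)
        safe_create(tmpfile, victim, plant_symlink);
    else
        unsafe_create(tmpfile, victim, plant_symlink);

    char buf[32] = {0};
    int clobbered = -1;
    FILE *fp = fopen(victim, "r");
    if (fp) {
        if (fgets(buf, sizeof buf, fp) == NULL) buf[0] = '\0';
        fclose(fp);
        clobbered = strcmp(buf, "IMPORTANT\n") != 0;
    }
    unlink(tmpfile);
    unlink(victim);
    return clobbered;
}

int main(void) {
    printf("stat+fopen:      victim clobbered? %d\n", run_scenario(0));
    printf("O_EXCL+fstat:    victim clobbered? %d\n", run_scenario(1));
    return 0;
}
```

In the unhardened run the stat() sees no file, the adversary plants a symlink, and fopen("w") follows it and truncates the victim. In the hardened run O_CREAT|O_EXCL fails because the symlink now occupies the name, and nothing is written. The general rule behind the FSA: never make a security decision on a path name and then act on that name; act on a descriptor you obtained atomically.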

10 Race condition: bug 1
    exists = lstat(to, &s) == 0;
    if (!exists || (!S_ISLNK(s.st_mode) && s.st_nlink == 1)) {
        ret = rename(from, to);
        if (ret == 0) {
            if (exists) {
                chmod(to, s.st_mode & 0777);
                ...
lstat(to) is the Check and chmod(to) the Use; the file named by `to` can be replaced between them.
Program: ar (binutils)

11 Race condition: bug 2
    we_own_log = 1;
    ...
    if (stat(_PATH_LOG, &s1) != 0)
        ...
    if ((stat(_PATH_LOG, &s2) != 0 || ...))
        we_own_log = 0;
    ...
    if (we_own_log) {
        unlink(_PATH_LOG);
    }
Program: minilogd (initscripts)

12 Race condition bugs

    Package        Program     Reported bugs   Real bugs
    binutils       ar          2               1
    coreutils      chown       3               2
    coreutils      chmod       2               1
    coreutils      cp          2               1
    dos2unix                   4               2
    ftpcopy                    8               3
    gaim                       2               3
    joe                        1               1
    jpilot                     2               1
    initscripts    minilogd    1               1
    inn            fastrm      1               1
    isdn4k-utils   isdnlog     4               1
    lrzsz          lsz         4               1
    LPRng          checkpc     8               1
    make                       1               1
    mc                         5               1
    Total                      50              22

(A blank Program column means the program has the same name as the package.)

13 Property 2: drop privilege before making unsafe system calls

    int main() {
        // ruid≠0, euid=0
        do_something_with_privilege();
        drop_privilege();
        execl("/bin/sh", "sh", NULL);
    }

    void drop_privilege() {
        struct passwd *passwd;
        if ((passwd = getpwuid(getuid())) == NULL)
            return;
        fprintf(log, "User %s", passwd->pw_name);
        seteuid(getuid());
    }

FSA: two states, euid=0 and euid≠0. seteuid(0) moves to euid=0, seteuid(!0) moves to euid≠0, and execl() in state euid=0 is unsafe.
The path the property rejects: if getpwuid() fails, drop_privilege() returns before seteuid(), and execl() starts the shell with euid=0.

14 A bug on dropping privilege
    // ruid≠0, euid=suid=0
    seteuid(getuid());
    setuid(getuid());
    ...
    execlp(askpass, askpass, msg, (char *) 0);
Program: ssh (openssh-3.5p1-6)

15 Problem: unportable semantics of setuid(getuid())
The uid states involved (R = real uid, E = effective uid, S = saved uid):
    R≠0, E=S=0
    R=E≠0, S=0
    R=E=S≠0
OpenBSD and Linux move between these states differently on setuid(getuid()): from R=E≠0, S=0, OpenBSD reaches R=E=S≠0 while Linux stays at R=E≠0, S=0 (next slide).

16 Vulnerability in ssh

OpenSSH 3.5 on Linux (unsafe!):
    R≠0, E=S=0  --seteuid(getuid())-->  R=E≠0, S=0  --setuid(getuid())-->  R=E≠0, S=0
    (the saved uid stays 0, so euid 0 can be regained)

OpenSSH 3.5 on OpenBSD (safe):
    R≠0, E=S=0  --seteuid(getuid())-->  R=E≠0, S=0  --setuid(getuid())-->  R=E=S≠0

OpenSSH on Linux, setuid(getuid()) alone (safe):
    R≠0, E=S=0  --setuid(getuid())-->  R=E=S≠0

Lessons:
–Unportable API causes vulnerability
–Programmer's confusion causes vulnerability
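The uid transitions drawn on slides 15 and 16, as a small model that replays the OpenSSH 3.5 sequence from slide 14 under both rule sets, followed by the way a program should drop privilege so that the outcome does not depend on the platform. This is an added example, not code from the slides or from OpenSSH. The model encodes only the transitions the slides show (Linux: setuid() rewrites all three IDs when euid is 0 and only euid otherwise; OpenBSD: setuid(u) with u equal to the real uid rewrites all three); it is not a complete model of either kernel. The starting uid 1000 is constructed input. drop_privileges_to() uses setresuid()/getresuid(), which exist on Linux and the BSDs.

```c
/* setuid_model.c: (1) a model of the uid transitions on slides 15-16,
 * replaying OpenSSH 3.5's seteuid(getuid()); setuid(getuid()); and
 * (2) a drop-privilege routine that verifies the drop instead of trusting
 * setuid() semantics. Added example; not the slides' or OpenSSH's code.
 * The model covers only the transitions the slides draw, not either kernel
 * in full. uid 1000 is a constructed starting point. */
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>

enum os { OS_LINUX, OS_OPENBSD };

struct uids { unsigned r, e, s; };   /* real, effective, saved */

/* seteuid(u): permitted when euid==0 or u matches the real or saved uid;
 * only the effective uid changes. */
static int model_seteuid(struct uids *p, unsigned u) {
    if (p->e == 0 || u == p->r || u == p->s) { p->e = u; return 0; }
    return -1;
}

/* setuid(u): with euid==0 all three IDs become u (both OSes). Otherwise
 * Linux changes only euid; OpenBSD, per the slide, rewrites all three when
 * u is the real uid. */
static int model_setuid(enum os os, struct uids *p, unsigned u) {
    if (p->e == 0) { p->r = p->e = p->s = u; return 0; }
    if (os == OS_OPENBSD && u == p->r) { p->r = p->e = p->s = u; return 0; }
    if (u == p->r || u == p->s) { p->e = u; return 0; }
    return -1;
}

/* Starts as a setuid-root binary run by uid 1000 (R≠0, E=S=0), optionally
 * does seteuid(getuid()) first as OpenSSH 3.5 did, then setuid(getuid()).
 * Returns 1 if euid 0 is still reachable afterwards, 0 if the drop held. */
int root_reachable_after(enum os os, int seteuid_first) {
    struct uids u = { .r = 1000, .e = 0, .s = 0 };
    if (seteuid_first)
        model_seteuid(&u, u.r);      /* seteuid(getuid()) */
    model_setuid(os, &u, u.r);       /* setuid(getuid())  */
    return (u.e == 0 || u.s == 0) ? 1 : 0;
}

/* The portable way: set all three IDs in one call, read them back, and
 * prove that root cannot be regained. Returns 0 only if the process now
 * runs entirely as `target` and seteuid(0) is refused. */
int drop_privileges_to(uid_t target) {
    if (setresuid(target, target, target) != 0)
        return -1;
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0 || r != target || e != target || s != target)
        return -1;
    if (target != 0 && seteuid(0) == 0)   /* the check the ssh code lacked */
        return -1;
    return 0;
}

int main(void) {
    printf("OpenSSH 3.5 on Linux:   root reachable? %d\n", root_reachable_after(OS_LINUX, 1));
    printf("OpenSSH 3.5 on OpenBSD: root reachable? %d\n", root_reachable_after(OS_OPENBSD, 1));
    printf("setuid(getuid()) alone: root reachable? %d\n", root_reachable_after(OS_LINUX, 0));
    printf("drop_privileges_to(getuid()) -> %d\n", drop_privileges_to(getuid()));
    return 0;
}
```

The model reproduces the three rows of slide 16: the seteuid-then-setuid sequence leaves the saved uid at 0 under the Linux rule and clears it under the OpenBSD rule, while setuid(getuid()) from euid 0 is safe on both. drop_privileges_to() sidesteps the question entirely by setting all three IDs explicitly and then testing that the privilege is really gone, which is what a reviewer should look for in any setuid program.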

17 Experiment on RedHat Linux 9
Programs
–Tried all 839 packages on RedHat Linux 9 (30M LOC)
–Succeeded on 85% of packages
–Failed on 15% of packages, mainly due to parsing failures: C++, non-standard C
Performance
–Machine: 1.5GHz Pentium 4, 1 GB memory
–Took about 40 hours to check one property on all packages

18 Experience with EROS kernel
EROS
–Extremely Reliable Operating System [SSF95]
–60,000 lines of code in the kernel
Checked 5 properties (design invariants)
–Verified 4 properties
–Discovered 1 bug
Provided preliminary evidence that
–EROS's design-by-invariants approach is effective in reducing bugs

19 Commit() or Yield()

    sys_call() {
        ...
        Commit();
        ...
        ptr = malloc();
        ...
    }

    malloc() {
        ...
        while (!buffer_available)
            Yield();
    }

FSA: states Init, Committed, Yielded, Error. Commit() takes Init to Committed, Yield() takes Init to Yielded, a syscall return goes back to Init, and a Yield() after Commit() within one system call goes to Error. Here the Yield() is hidden inside malloc(), two calls away from the Commit().

Lesson: static checking is good at catching surprising interactions among components

20 Research challenge
How to scale MOPS to large programs?
–Solution: compact CFGs
–Impact: reduces CFG sizes, often by more than 100 times
How to consolidate similar error traces?
–Goal: report one error trace for each bug
–Intuition: divide all error traces into categories; one category represents one unique bug; report the shortest path from each category

21 Engineering challenge: integrating MOPS into software build processes
1st attempt: manually edit Makefiles
–Too complicated; does not survive autoconf
2nd attempt: setenv GCC_EXEC_PREFIX to run MOPS instead of gcc
–Build processes generate and run code
3rd attempt: build CFG and machine code
–Dangling CFGs; links to object files broken
4th attempt: put CFGs into ELF files
–Solves all identified problems!

22 Lessons: how to have impact
Make the tool useful and usable
–Can check large programs efficiently
–Can be used easily by ordinary programmers
Check lots of code
–More code to check, more bugs to find
Explore the full potential of your tool