1 Static Analysis for Bug Finding Benjamin Livshits.


2 Compilers Can be Used for Bug Finding
A trend of compiler research
Started in 1991 with Intrinsa
– Bug finding tool called Prefix
– Looks for NULL dereferences
– Memory leaks (double-deletes, dangling pointers)
– Concurrency bugs (race conditions)
– etc.
Purchased by Microsoft
– Became Prefix/Prefast
– Used by MS internally on a regular basis

3 Why Compilers?
Observation:
– Many bugs can be found by analyzing the source code
– Compilers have access to the source
Security is an attractive application:
– The cost of a break-in is very high
– Sound static (compiler) analysis can find all bugs

4 Common Classes of Security Vulnerabilities
Server-type software (C, C++):
– Buffer overruns
– Format string violations
Application software (Java, C#, PHP):
– SQL injections
– Cross-site scripting attacks
– HTTP splitting attacks
– Directory traversal attacks
– Session hijacking attacks
– etc.

5 Buffer Overruns

6 How Buffer Overruns Work
There is no array bounds checking in C; hackers can exploit that.
Different flavors of overruns
– Simplest: overrun a static buffer
– Idea: don't want user data to be copied to static buffers!
1. Arrange for suitable code to be in the program address space
2. Get the program to jump to that code: overwrite a return address to point to the code
3. Put something interesting into the exploit code
– such as exec("sh"), etc.

7 Example: Buffer Overrun in gzip
gzip.c:593 (main calls treat_file):
    0589     if (to_stdout && !test && !list && (!decompress || SET_BINARY_MODE(fileno(stdout));
    0591     }
    0592     while (optind < argc) {
    0593         treat_file(argv[optind++]);
gzip.c:716 (treat_file calls get_istat):
    0704 local void treat_file(iname)
    0705     char *iname;
    0706 {
             if (get_istat(iname, &istat) != OK) return;
gzip.c:1009 (get_istat copies the name with strcpy into ifname):
    0997 local int get_istat(iname, sbuf)
    0998     char *iname;
    0999     struct stat *sbuf;
    1000 {
             strcpy(ifname, iname);
Need to have a model of strcpy

8 A Glimpse of What Analysis is Needed
Need it to represent flow of data in C:
    a = 2;
    *p = 3;
    …
Is the value of a still 2?
– Yes, if we can prove that p cannot point to a
Should we put a flow edge from 3 to a to represent potential flow?
– If we don't, the analysis may miss bugs
– If we do, the analysis may end up being too imprecise

9 Application Level Vulnerabilities (SQL Injection & Friends)

10 Real-Life Hacking Stories
blogger.com cracked (Aug)
Firefox marketing site hacked (Jul)
MS UK defaced in hacking attack (Jul)
Hacker hits Duke system (Jun)
MSN site hacked in South Korea (Jun)
MSN site hacking went undetected for days (Jun)
Phishers manipulate SunTrust site to steal data (Sep)
Tower Records settles charges over hack attacks (Apr)
Western Union Web site hacked (Sep)
75% of all security attacks today are at the application level*
97% of 300+ audited sites were vulnerable to Web application attacks*
$300K average financial loss from unauthorized access or info theft**
Average $100K/hour of downtime lost
* Source: Gartner Research
** Source: Computer Security Institute survey

11 Simple Web App
Web form allows user to look up account details
Underneath: a Java Web app serving requests

12 SQL Injection Example
Happy-go-lucky SQL statement:
    String query = "SELECT Username, UserID, Password FROM Users WHERE username = '" + user + "' AND password = '" + password + "'";
Leads to SQL injection
– One of the most common Web application vulnerabilities, caused by lack of input validation
But how?
– Typical way to construct a SQL query using concatenation
– Looks benign on the surface
– But let's play with it a bit more…

13 Injecting Malicious Data (1)
User submits the form:
    query = "SELECT Username, UserID, Password FROM Users WHERE Username = 'bob' AND Password = '********'"

14 Injecting Malicious Data (2)
User submits the form:
    query = "SELECT Username, UserID, Password FROM Users WHERE Username = 'bob'--' AND Password = ' '"

15 Injecting Malicious Data (3)
User submits the form:
    query = "SELECT Username, UserID, Password FROM Users WHERE Username = 'bob'; DROP Users--' AND Password = ''"
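The concatenated query from slide 12 beside a parameterized version, as an added example that is not from the slides, run against a constructed in-memory SQLite table (the Users rows are sample data). It reproduces the comment-out case from slide 14; the DROP case from slide 15 is not run because sqlite3's execute() accepts a single statement.

```python
import sqlite3

def open_users_db():
    """Constructed in-memory copy of the slide's Users table (sample data, not real)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (Username TEXT, UserID INTEGER, Password TEXT)")
    con.execute("INSERT INTO Users VALUES ('bob', 1, 's3cret')")
    return con

def lookup_concat(con, user, password):
    """The slide's pattern: the query is built by concatenation, so a quote and
    a '--' inside `user` end the string literal and comment out the password check."""
    query = ("SELECT Username, UserID, Password FROM Users WHERE Username = '"
             + user + "' AND Password = '" + password + "'")
    return con.execute(query).fetchall()

def lookup_param(con, user, password):
    """Hardened form: bound parameters are always data, never SQL, so the same
    input is looked up literally as the username bob'-- and matches nothing."""
    query = ("SELECT Username, UserID, Password FROM Users "
             "WHERE Username = ? AND Password = ?")
    return con.execute(query, (user, password)).fetchall()
```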

16 Summary of Attack Techniques
1. Inject (taint sources)
– Parameter manipulation
– Hidden field manipulation
– Header manipulation
– Cookie poisoning
– Second-level injection
2. Exploit (taint sinks)
– SQL injections
– Cross-site scripting
– HTTP request splitting
– HTTP request smuggling
– Path traversal
– Command injection
1. Header manipulation + 2. HTTP splitting = vulnerability
Input and output validation are at the core of the issue

17 Focusing on Input/Output Validation
[Chart: shares by vulnerability class: 30%, 19%, 18%]
SQL injection and cross-site scripting are most prevalent
Buffer overruns are losing their market share

18 Taint Propagation
String session.ParameterParser.getRawParameter(String name)   ParameterParser.java:586
    public String getRawParameter(String name) throws ParameterNotFoundException {
        String[] values = request.getParameterValues(name);
        if (values == null) {
            throw new ParameterNotFoundException(name + " not found");
        } else if (values[0].length() == 0) {
            throw new ParameterNotFoundException(name + " was empty");
        }
        return (values[0]);
    }
String session.ParameterParser.getRawParameter(String name, String def)   ParameterParser.java:570
    public String getRawParameter(String name, String def) {
        try {
            return getRawParameter(name);
        } catch (Exception e) {
            return def;
        }
    }
Element lessons.ChallengeScreen.doStage2(WebSession s)   ChallengeScreen.java:194
    String user = s.getParser().getRawParameter(USER, "");
    StringBuffer tmp = new StringBuffer();
    tmp.append("SELECT cc_type, cc_number from user_data WHERE userid = '");
    tmp.append(user);
    tmp.append("'");
    query = tmp.toString();
    Vector v = new Vector();
    try {
        ResultSet results = statement3.executeQuery(query);
        ...
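A small context-sensitive taint analysis over a toy intermediate representation, added here as an example (it is not code from the slides or from Prefix/WebGoat): it models both call chains the slides trace, the gzip path from slide 7 ending in strcpy and the WebGoat path from slide 18 ending in executeQuery, using the source/sink vocabulary of slide 16. The IR, the function names in the two sample programs and the sink names are assumptions chosen to mirror the slides.

```python
# Added example, not from the slides: a tiny context-sensitive taint analysis over a
# toy IR. A function is (params, statements); statement forms: ("source", dst),
# ("assign", dst, [srcs]) (dst tainted if any src is: concat, append, toString),
# ("call", dst, callee, args), ("sink", name, var) (report if tainted), ("return", var).

def _run(program, fname, arg_taint, path, findings):
    """Interpret fname under the given parameter taints; returns taint of its return value."""
    params, body = program[fname]
    path = path + [fname]
    tainted = {p for p, t in zip(params, arg_taint) if t}
    ret = False
    for kind, *rest in body:
        if kind == "source":
            tainted.add(rest[0])
        elif kind == "assign":
            dst, srcs = rest
            (tainted.add if any(s in tainted for s in srcs) else tainted.discard)(dst)
        elif kind == "call":   # callee is re-analyzed per call site (context-sensitive)
            dst, callee, args = rest
            t = _run(program, callee, [a in tainted for a in args], path, findings)
            if dst is not None:
                (tainted.add if t else tainted.discard)(dst)
        elif kind == "sink":
            if rest[1] in tainted:
                findings.append((rest[0], " -> ".join(path)))
        elif kind == "return":
            ret = rest[0] in tainted
    return ret

def find_vulns(program, entry):
    """Return [(sink, call path)] for every sink reached with tainted data."""
    findings = []
    _run(program, entry, [], [], findings)
    return findings

# gzip chain from slide 7: main -> treat_file -> get_istat -> strcpy(ifname, iname)
GZIP = {
    "main":       (["argv"],  [("source", "argv"), ("call", None, "treat_file", ["argv"])]),
    "treat_file": (["iname"], [("call", None, "get_istat", ["iname"])]),
    "get_istat":  (["iname"], [("sink", "strcpy", "iname")]),
}
# WebGoat chain from slide 18: getRawParameter(name) reads the request, the (name, def)
# overload forwards it, doStage2 appends it into the query passed to executeQuery
WEBGOAT = {
    "getRawParameter":    ([], [("source", "values"), ("return", "values")]),
    "getRawParameterDef": ([], [("call", "v", "getRawParameter", []), ("return", "v")]),
    "doStage2": ([], [("call", "user", "getRawParameterDef", []), ("assign", "tmp", ["user"]),
                      ("assign", "query", ["tmp"]), ("sink", "executeQuery", "query")]),
}
```

The reported call path is what a reviewer needs to confirm the finding; a query built only from constants reaches the same sink without being reported.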

19 Why Pointer Analysis?
    // get Web form parameter
    String param = request.getParameter(...);
    ...
    // execute query
    con.executeQuery(query);
Imagine manually auditing an application
– Two statements somewhere in the program
– Can these variables refer to the same object?
Question answered by pointer analysis...

20 Pointers in Java?
Java references are pointers in disguise
[Figure: stack and heap diagram]

21 What Does Pointer Analysis Do for Us?
Statically, the same object can be passed around in the program:
– Passed in as parameters
– Returned from functions
– Deposited to and retrieved from data structures
– All along it is referred to by different variables
Pointer analysis "summarizes" these operations:
– Doesn't matter what variables refer to it
– We can follow the object throughout the program
[Figure: variables a, b, c referring to the same object]

22 Recurring Issues
Static analysis is a powerful approach to finding bugs in programs at the source
1. Soundness: find all bugs of a kind
– Marking every line of the program as a problem achieves that
2. Precision: low rate of false positives
– Can have an extremely precise sound analysis, but it takes years to run
3. Scalability: want to analyze programs of 10,000-50,000 LOC
– Some analyses go up to 1M LOC