Testing Static Analysis Tools using Exploitable Buffer Overflows from Open Source Code Zitser, Lippmann & Leek Presented by: José Troche.

Motivation
- Real attacks on server software: malicious code and denial of service
- Why static analysis tools? Dynamic approaches are expensive and incomplete, and safe languages push the checks to runtime
- Goal: an unbiased evaluation of the tools on real, exploitable bugs

Tools Evaluated

Tool       Analysis strategy                                               Commercial
ARCHER     Bottom-up inter-procedural, flow-sensitive, symbolic triggers
BOON       Inter-procedural, flow-insensitive, strings only
PolySpace  Inter-procedural, flow-sensitive, abstract interpretation       Y
SPLINT     Intra-procedural, lightweight analysis
UNO        Inter-procedural, flow-sensitive, model checking

Test Cases
- BIND (4 vulnerabilities): the most popular DNS server
- WU-FTPD (3): a popular FTP daemon
- Sendmail (7): the dominant mail transfer agent
Total: 14 exploitable buffer overflows

Initial Experience (145K lines of code)
- Splint issued parse errors
- ARCHER quit with a divide-by-zero error
- PolySpace ran for 4 days and then quit

New Testing Approach
- Create smaller-scale model programs instead of analyzing the full sources
- For each vulnerability, a BAD version (with the overflow) vs an OK version (with the fix)
- Retrospective analysis
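A concrete BAD/OK model pair in the style the slide describes, as an added example (not code from the paper, the slides or any of the evaluated programs). The input format is hypothetical: one length byte followed by that many payload bytes, copied into a fixed-size field. The two versions are identical except for the marked line, which is the line a tool's warning would be scored on.

```c
/* Added example, not from the Zitser/Lippmann/Leek paper or the slides.
 * Hypothetical record format: one length byte, then that many payload bytes. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FIELD_SIZE 16

struct record {
    char field[FIELD_SIZE];
    size_t len;
};

/* BAD version. The length byte comes straight from the input, so a record
 * claiming more than FIELD_SIZE bytes makes memcpy write past rec->field.
 * Returns the payload length consumed, or -1 on malformed input.
 * Never call this with an oversized record: it is the bug, not a check. */
int parse_record_bad(const uint8_t *in, size_t in_len, struct record *rec)
{
    if (in_len < 1)
        return -1;
    size_t len = in[0];
    if (in_len - 1 < len)               /* payload shorter than announced */
        return -1;
    memcpy(rec->field, in + 1, len);    /* BAD: len is not bounded by FIELD_SIZE */
    rec->len = len;
    return (int)len;
}

/* OK version: identical except for the added bound check. A tool that
 * warns on the memcpy in both versions is not discriminating. */
int parse_record_ok(const uint8_t *in, size_t in_len, struct record *rec)
{
    if (in_len < 1)
        return -1;
    size_t len = in[0];
    if (in_len - 1 < len)
        return -1;
    if (len > FIELD_SIZE)               /* OK: the fix */
        return -1;
    memcpy(rec->field, in + 1, len);
    rec->len = len;
    return (int)len;
}

/* Constructed input: a well-formed record carrying "hello". */
static const uint8_t GOOD_RECORD[] = { 5, 'h', 'e', 'l', 'l', 'o' };

/* Parse GOOD_RECORD with the BAD (use_bad != 0) or OK parser; returns the
 * payload length on success, -2 if the copied bytes are wrong. */
int run_good_record(int use_bad)
{
    struct record rec;
    memset(&rec, 0, sizeof rec);
    int n = use_bad ? parse_record_bad(GOOD_RECORD, sizeof GOOD_RECORD, &rec)
                    : parse_record_ok(GOOD_RECORD, sizeof GOOD_RECORD, &rec);
    if (n == 5 && rec.len == 5 && memcmp(rec.field, "hello", 5) == 0)
        return n;
    return -2;
}

/* A record whose length byte claims 200 payload bytes: the OK parser must
 * reject it (the BAD parser would overflow rec->field on the same input). */
int run_oversized_record_ok(void)
{
    uint8_t big[1 + 200];
    struct record rec;
    big[0] = 200;
    memset(big + 1, 'A', 200);
    return parse_record_ok(big, sizeof big, &rec);
}

/* Length byte says 5 but only 2 payload bytes follow: rejected as malformed. */
int run_truncated_record_ok(void)
{
    struct record rec;
    return parse_record_ok(GOOD_RECORD, 3, &rec);
}
```

The bound check in the OK version is the only textual difference, so running a tool over both files and comparing warnings on the memcpy line gives exactly the detection / false alarm / discrimination data the evaluation needs.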

Results

System     P(detection)   P(false alarm)   P(~f|d) = P(no false alarm | detection)
PolySpace
Splint
Boon
Archer
Uno        0              0                -
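How the three columns are computed from a tool's warnings over the BAD/OK pairs, as an added example that is not from the paper or the slides. Only warnings on each model's marked line count: a detection is a warning on that line in the BAD version, a false alarm is a warning on the same line in the OK version, and P(~f|d) is the fraction of detections whose OK counterpart was clean. The "-" in the table corresponds to a tool with no detections, where that conditional is undefined. The model names, line numbers and warning format below are constructed.

```c
/* Added example, not from the paper or slides: scoring a tool's output
 * over BAD/OK model pairs. Warning lines are assumed to look like
 * "file.c:37: warning: ..."; file names and line numbers are constructed. */
#include <stdio.h>
#include <string.h>

struct model {
    const char *bad_file;   /* hypothetical file names */
    const char *ok_file;
    int marked_line;        /* line of the overflowing write / its fix */
};

struct tally {
    int n, detected, false_alarms, detected_without_false;
};

/* Does the tool output contain a warning for exactly file:line? */
int warned_on(const char *output, const char *file, int line)
{
    const char *p = output;
    while (*p) {
        char fname[64];
        int ln;
        if (sscanf(p, "%63[^:]:%d:", fname, &ln) == 2 &&
            strcmp(fname, file) == 0 && ln == line)
            return 1;
        const char *nl = strchr(p, '\n');
        if (!nl)
            break;
        p = nl + 1;
    }
    return 0;
}

/* Count detections and false alarms on the marked lines only. */
struct tally score(const struct model *m, int n, const char *output)
{
    struct tally t = { n, 0, 0, 0 };
    for (int i = 0; i < n; i++) {
        int d = warned_on(output, m[i].bad_file, m[i].marked_line);
        int f = warned_on(output, m[i].ok_file, m[i].marked_line);
        t.detected += d;
        t.false_alarms += f;
        t.detected_without_false += (d && !f);
    }
    return t;
}

/* The table's columns; -1 stands for the "-" (undefined) entry. */
double p_detect(struct tally t) { return t.n ? (double)t.detected / t.n : -1; }
double p_false(struct tally t)  { return t.n ? (double)t.false_alarms / t.n : -1; }
double p_nofalse_given_detect(struct tally t)
{
    return t.detected ? (double)t.detected_without_false / t.detected : -1;
}

/* Constructed models and constructed tool output. */
static const struct model MODELS[] = {
    { "m1-bad.c", "m1-ok.c", 37 },
    { "m2-bad.c", "m2-ok.c", 52 },
    { "m3-bad.c", "m3-ok.c", 19 },
    { "m4-bad.c", "m4-ok.c", 88 },
};

static const char TOOL_OUTPUT[] =
    "m1-bad.c:37: warning: possible out-of-bounds write\n"
    "m1-ok.c:37: warning: possible out-of-bounds write\n"   /* same warning after the fix */
    "m2-bad.c:52: warning: possible out-of-bounds write\n"
    "m3-bad.c:20: warning: possible out-of-bounds write\n"  /* off the marked line: not counted */
    "m4-ok.c:88: warning: possible out-of-bounds write\n";  /* false alarm with no detection */

struct tally score_sample(void)
{
    return score(MODELS, 4, TOOL_OUTPUT);
}
```

On the constructed output this gives 2 detections, 2 false alarms and 1 discriminating detection out of 4 models, so P(detection) = 0.5, P(false alarm) = 0.5 and P(~f|d) = 0.5; a tool with no detections gets "-" in the last column regardless of its false alarms.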

Discussion
- Detection rate: 3 of the 5 tools detected fewer than 5% of the overflows
- High false alarm rates (roughly 1 in 12 and 1 in 46)
- Results count only warnings on the marked lines
- Insensitive to corrections: the tools discriminated BAD from OK versions less than 40% of the time
- None of the tools was able to analyze Sendmail

Conclusion
- Results are promising: errors were detected
- Improvement is needed because of false positives and poor discrimination between vulnerable and corrected code