Static Analysis for Security Amir Bazine Per Rehnberg.

Content
Background
Static analysis tools
Our research and tests
Test results
Conclusion

Background
Increase of reported vulnerabilities
Dynamic analysis is not enough
New static analysis tools have been developed
– Ease the auditing process


Static analysis tools
How they work
– Break the code into a stream of tokens
– Compare the tokens against a database of known risky constructs
What they detect
– TOCTTOU, overflows, bad randomization, format string attacks, file descriptor leakage…
Rank the findings by risk
Problems

Some analysis tools
ITS4
RATS
Flawfinder
Splint
– Enhanced lint
– Lightweight static analysis
– Annotations

Splint example
Splint annotations on a library function state what the caller must guarantee and what the function guarantees in return; for strcpy the destination must have room for everything that will be read from the source:

    char *strcpy (char *s1, char *s2)
        /*@requires maxSet(s1) >= maxRead(s2)@*/
        /*@ensures maxRead(s1) == maxRead(s2)@*/;

Survey
Our survey was about finding out how static analysis tools work and what they can do.

Buffer overflow example (vuln_lab2.c; line numbers are referenced by the tool output below)

    13 void add_alias(char *ip, char *hostname, char *alias) {
    14     char formatbuffer[256];
    15     FILE *file;
    16
    17     sprintf(formatbuffer, "%s\t%s\t%s\n", ip, hostname, alias);
    18
    19     file = fopen(HOSTFILE, "a");
    20     if (file == NULL) {
    21         perror("fopen");
    22         exit(EXIT_FAILURE);
    23     }
    24
    25     fprintf(file, formatbuffer);
    26     if (fclose(file) != 0) {
    27         perror("close");
    28         exit(EXIT_FAILURE);
    29     }
    30 }

Result

flawfinder
    Examining vuln_lab2.c
    vuln_lab2.c:17: [4] (buffer) sprintf: Does not check for buffer overflows. Use snprintf or vsnprintf.
    vuln_lab2.c:25: [4] (format) fprintf: If format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification.
    vuln_lab2.c:14: [2] (buffer) char: Statically-sized arrays can be overflowed. Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.

ITS4
    vuln_lab2.c:25:(Urgent) fprintf
        Non-constant format strings can often be attacked. Use a constant format string
    vuln_lab2.c:17:(Very Risky) sprintf
        This function is high risk for buffer overflows. Use snprintf if available, or precision specifiers, if available.

Splint
    vuln_lab2.c: (in function add_alias)
    vuln_lab2.c:17:3: Buffer overflow possible with sprintf. Recommend using snprintf instead: sprintf
        Use of function that may lead to buffer overflow. (Use -bufferoverflowhigh to inhibit warning)

RATS
    Analyzing vuln_lab2.c
    vuln_lab2.c:14: High: fixed size local buffer
        Extra care should be taken to ensure that character arrays that are allocated on the stack are used safely. They are prime targets for buffer overflow attacks.
    vuln_lab2.c:17: High: sprintf
        Check to be sure that the format string passed as argument 2 to this function call does not come from an untrusted source that could have added formatting characters that the code is not prepared to handle. Additionally, the format string could contain `%s' without precision that could result in a buffer overflow.
    vuln_lab2.c:25: High: fprintf
        Check to be sure that the non-constant format string passed as argument 2 to this function call does not come from an untrusted source that could have added formatting characters that the code is not prepared to handle.

Format string example (fs1.c; line numbers are referenced by the tool output below)

    5 int main(int argc, char **argv) {
    6     char buf[256];
    7     snprintf(buf, sizeof buf, argv[1]);
    8 }

Result

Splint
    Finished checking --- no warnings

ITS4
    fs1.c:7:(Urgent) snprintf
        Non-constant format strings can often be attacked. Use a constant format string.

RATS
    fs1.c:6: High: fixed size local buffer
        Extra care should be taken to ensure that character arrays that are allocated on the stack are used safely. They are prime targets for buffer overflow attacks.

flawfinder
    fs1.c:7: [4] (format) snprintf: If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate. Use a constant for the format specification.
    fs1.c:6: [2] (buffer) char: Statically-sized arrays can be overflowed. Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.

Integer overflow example (my_func.c; line numbers are referenced by the tool output below)

    1 int my_string_copy(char *dest, const char *src, int len)
    2 {
    3     if (len > MAX_LENGTH)
    4         return -1;
    5
    6     memcpy(dest, src, len);
    7
    8     return len;
    9 }

Result

ITS4
    no warnings

RATS
    no warnings

Flawfinder
    my_func.c:6: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination. Make sure destination can always hold the source data.

Splint
    my_func.c:6:21: Function memcpy expects arg 3 to be size_t gets int: len
        To allow arbitrary integral types to match long unsigned
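To make the "How they work" slide concrete, here is a small token-level checker in the style of ITS4, RATS and Flawfinder, written for this transcript (it is not code from the presentation or from any of those tools). The rule database, message texts and the three constructed inputs (the presentation's snippets, condensed) are assumptions; a real tool ships a much larger database.

```python
import re
# Constructed rule database in the style of ITS4, RATS and Flawfinder: name -> (risk 1..5, advice).
RULES = {
    "sprintf": (4, "Does not check for buffer overflows. Use snprintf."),
    "memcpy": (2, "Make sure the destination can always hold the source data."),
}
# Functions whose format string must be a literal, with that argument's position.
FORMAT_ARG = {"printf": 0, "fprintf": 1, "sprintf": 1, "snprintf": 2, "syslog": 1}
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")        # identifier followed by '('
BUF_RE = re.compile(r"\bchar\s+\w+\s*\[\s*\d+\s*\]")   # fixed-size char array on the stack

def call_args(line, open_idx):  # split the call whose '(' is at open_idx on top-level commas
    depth, start, args, i = 0, open_idx + 1, [], open_idx
    while i < len(line):
        c = line[i]
        if c == '"':                     # skip a string literal (escaped quotes not handled)
            i = line.index('"', i + 1)
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                args.append(line[start:i].strip())
                return args
        elif c == "," and depth == 1:
            args.append(line[start:i].strip())
            start = i + 1
        i += 1
    return args

def scan(filename, src):
    """Lexical scan only: (file, line, level, name, message) per hit, highest risk first."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        if BUF_RE.search(line):
            findings.append((filename, lineno, 2, "char", "Statically-sized array can be overflowed."))
        for m in CALL_RE.finditer(line):
            name = m.group(1)
            if name in RULES:
                findings.append((filename, lineno, RULES[name][0], name, RULES[name][1]))
            pos = FORMAT_ARG.get(name)
            if pos is not None:
                args = call_args(line, m.end() - 1)
                if pos < len(args) and not args[pos].startswith('"'):
                    findings.append((filename, lineno, 4, name, "Non-constant format string."))
    return sorted(findings, key=lambda f: (-f[2], f[1]))
# Constructed inputs: the presentation's three snippets, condensed to the relevant lines.
VULN_LAB2 = 'void add_alias(char *ip, char *hostname, char *alias) {\n  char formatbuffer[256];\n  FILE *file;\n  sprintf(formatbuffer, "%s\\t%s\\t%s\\n", ip, hostname, alias);\n  file = fopen(HOSTFILE, "a");\n  fprintf(file, formatbuffer);\n}\n'
FS1 = 'int main(int argc, char **argv) {\n  char buf[256];\n  snprintf(buf, sizeof buf, argv[1]);\n}\n'
MY_FUNC = 'int my_string_copy(char *dest, const char *src, int len) {\n  if (len > MAX_LENGTH) return -1;\n  memcpy(dest, src, len);\n  return len;\n}\n'
```

Calling scan("vuln_lab2.c", VULN_LAB2) reproduces the sprintf, fprintf and char findings above, and scan("my_func.c", MY_FUNC) yields only the generic memcpy advice: nothing at token level shows that a negative len passes the check, which is exactly the "no deeper analysis" limitation the presentation goes on to list.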

Limitations of the tools
Predefined vulnerability database
Can't handle preprocessor statements
Generate many false positives
Don't do any deeper analysis

Conclusions
These tools give you a starting point for performing manual security audits
You still have to do a deeper manual audit yourself
They are simple, and one can achieve the same result with common source navigation tools

Our recommendations
Check the warnings that your compiler gives you!
Use static/dynamic tools to check your source code for flaws
Do manual security audits!

Questions?