Model Checking an Entire Linux Distribution for Security Violations Work by Benjamin Schwarz, Hao Chen, David Wagner, Geoff Morrison, Jacob West, Jeremy.

Slides:



Advertisements
Similar presentations
Static Analysis for Security
Advertisements

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang 1, Tao Wei 1, Guofei Gu 2, Wei Zou 1 1 Peking.
An Empirical Study of the Reliability in UNIX Utilities Barton Miller Lars Fredriksen Brysn So Presented by Liping Cai.
Introducing BLAST Software Verification John Gallagher CS4117.
David Brumley, Pongsin Poosankam, Dawn Song and Jiang Zheng Presented by Nimrod Partush.
Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
CSE 451: Operating Systems Section 1. Why are you here? 9/30/102.
Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro, Tim Harris Microsoft Research Cambridge University of Cambridge.
1 Property 3: standard file descriptors vulnerability attack.c at.c Standard File Descriptors 0:stdin 1:stdout 2:stderr close(1); close(2); execl(“at”,
#1 Program analysis for security: Making it scale David Wagner U.C. Berkeley Work by Hao Chen, Karl Chen, Rob Johnson, Ben Schwarz, and Jeremy Lin, Geoff.
CS 311 – Lecture 09 Outline Introduction to Systems programming – System calls – Categories of system calls Error Management System calls File Handling.
TOCTTOU Vulnerabilities in UNIX-Style File Systems BY: Mayank Ladoia.
#1 The Future of Software Security David Wagner U.C. Berkeley.
MOPS MOdelchecking Security Properties David Wagner U.C. Berkeley.
DART Directed Automated Random Testing Patrice Godefroid, Nils Klarlund, and Koushik Sen Syed Nabeel.
ESP: Program Verification Of Millions of Lines of Code Manuvir Das Researcher PPRC Reliability Team Microsoft Research.
Software Security David Wagner University of California at Berkeley.
Building Secure Software Chapter 9 Race Conditions.
Overview of program analysis Mooly Sagiv html://
#1 Pushdown model checking for security David Wagner U.C. Berkeley Work by Hao Chen, Ben Schwarz, and Drew Dean, Jeremy Lin, Geoff Morrison, David Schultz,
1 Model Checking One Million Lines of C Code Hao Chen Drew Dean (SRI International) David Wagner with David Schultz, Geoff Morrison, Ben Schwarz Jacob.
Overview of program analysis Mooly Sagiv html://
Statically Detecting Likely Buffer Overflow Vulnerabilities David Larochelle David Evans University of Virginia Department of Computer Science Supported.
Static Analysis for Security Amir Bazine Per Rehnberg.
Unit Testing & Defensive Programming. F-22 Raptor Fighter.
Distributed Computing Systems Project 1 – Dumpster Diving Due: Tuesday, March 25 th.
Presented by Heorot.net.  Understand abilities and limitations of code reviews  Identify potentially “bad” code  Identify and use code review tools.
DART: Directed Automated Random Testing Koushik Sen University of Illinois Urbana-Champaign Joint work with Patrice Godefroid and Nils Klarlund.
1 Setuid Demystified Hao Chen David Wagner UC Berkeley Drew Dean SRI International.
Chapter 6 Buffer Overflow. Buffer Overflow occurs when the program overwrites data outside the bounds of allocated memory It was one of the first exploited.
Jan 26, 2004 OS Security CSE 525 Course Presentation Dhanashri Kelkar Department of Computer Science and Engineering OGI School of Science and Engineering.
CSC-682 Cryptography & Computer Security Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Pompi Rotaru Based on an article.
The Daikon system for dynamic detection of likely invariants MIT Computer Science and Artificial Intelligence Lab. 16 January 2007 Presented by Chervet.
Shell (Part 2). Example r What if we want to support something like this: m ps –le | sort r One process should execute ps –le and another should execute.
Use of Coverity & Valgrind in Geant4 Gabriele Cosmo.
Jose Sanchez 1 o Tielei Wang†, TaoWei†, Zhiqiang Lin‡, Wei Zou†. o Purdue University & Peking University o Proceedings of NDSS'09: Network and Distributed.
Carnegie Mellon University 10/23/2015 Survivability Analysis via Model Checking Oleg Sheyner Jeannette Wing Carnegie Mellon University.
1 Multiprocessors May Reduce System Dependability Under File-based Race Condition Attacks Jinpeng Wei, Calton Pu Georgia Institute of Technology Atlanta,
Static Program Analysis of Embedded Software Ramakrishnan Venkitaraman Graduate Student, Computer Science Advisor: Dr. Gopal Gupta.
RaceGuard: Kernel Protection From Temporary File Race Vulnerabilities Crispin Cowan, Steve Beattie, Chris Wright, and Greg Kroah-Hartman In USENIX Security.
Static Program Analysis of Embedded Software Ramakrishnan Venkitaraman Graduate Student, Computer Science Advisor: Dr. Gopal Gupta
Java Basics Hussein Suleman March 2007 UCT Department of Computer Science Computer Science 1015F.
1 Splint: A Static Memory Leakage tool Presented By: Krishna Balasubramanian.
An Undergraduate Course on Software Bug Detection Tools and Techniques Eric Larson Seattle University March 3, 2006.
A Tool for Pro-active Defense Against the Buffer Overrun Attack D. Bruschi, E. Rosti, R. Banfi Presented By: Warshavsky Alex.
Unix Security Assessing vulnerabilities. Classifying vulnerability types Several models have been proposed to classify vulnerabilities in UNIX-type Oses.
CSCI 330 UNIX and Network Programming Unit VII: I/O Management I.
1 Setuid Demystified Hao Chen David Wagner UC Berkeley Drew Dean SRI International Proceedings of the 11th USENIX Security Symposium San Francisco, California,
Laface 2007 File system 2.1 Operating System Design Filesystem system calls buffer allocation algorithms getblk brelse bread breada bwrite iget iput bmap.
Buffer overflow and stack smashing attacks Principles of application software security.
SAFEWARE System Safety and Computers Chap18:Verification of Safety Author : Nancy G. Leveson University of Washington 1995 by Addison-Wesley Publishing.
Introduction to Software Analysis CS Why Take This Course? Learn methods to improve software quality – reliability, security, performance, etc.
Race conditions and synchronization issues Exploiting UNIX.
1 Model Checking One Million Lines of C Code Hao Chen, UC Berkeley Drew Dean, SRI International David Wagner, UC Berkeley.
MOPS: an Infrastructure for Examining Security Properties of Software Authors Hao Chen and David Wagner Appears in ACM Conference on Computer and Communications.
CS 404Ahmed Ezzat 1 CS 404 Introduction to Compiler Design Lecture 1 Ahmed Ezzat.
Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade Crispin Cowan SANS 2000.
Content Coverity Static Analysis Use cases of Coverity Examples
Types for Programs and Proofs
Distributed Computing Systems
Research in Language-Based Methods
Ik-Soon Kim December 18, 2010 Embedded Software Platform Team
Secure Software Development: Theory and Practice
High Coverage Detection of Input-Related Security Faults
Introduction to Static Analyzer
MOPS: an Infrastructure for Examining Security Properties of Software
SOFTWARE ENGINEERING INSTITUTE
SHELLSHOCK ATTACK.
Presentation transcript:

Model Checking an Entire Linux Distribution for Security Violations Work by Benjamin Schwarz, Hao Chen, David Wagner, Geoff Morrison, Jacob West, Jeremy Lin and Wei Tu Jacob West, Security Research Group, Fortify Software ACSAC2005

1 Outline Introduction MOPS Background Analyzing Red Hat 9 ä Tool performance ä Human performance ä Security properties Vulnerability Examples ä TOCTTOU ä Standard File Descriptors ä Temporary Files ä strncpy() Results

2 Introduction Over 50% of security vulnerabilities caused by coding errors Automated detection possible ä Rapidly expanding field ä Academic and commercial ä Feasible at large scale

3 MOPS ( MO delchecking P rograms for S ecurity properties) Static analysis for security C programs Enforce temporal safety rules

4 Analyzing Red Hat 9: Overview Tool performance ä Analysis of large code base feasible ä Compaction improves performance ä Reasonable resource requirements Human performance ä Integration with existing build processes ä False positives ä Easy-to-review error traces ä Grouped error traces Security properties ä Temporal safety properties ä Employable by other tools ä Iteratively refined for low false positives

5 Analyzing Red Hat 9: Tool Performance Red Hat 9: 839 packages, 60 million TLOC 732 packages (87%) 107 failures caused by parse errors ä 73 packages contained C++ code ä 34 packages used unsupported C99 constructs Compaction improves performance ä Only consider relevant operations Reasonable resource requirements ä TOCTTOU takes about 10 hours on P4 1.5 GHZ / 1GB

6 Analyzing Red Hat 9: Human Performance Integration with existing build processes  Integrated with rpmbuild, make  Interposed on gcc ä Analyze multiple packages easily False positives ä Relatively low, permits human review Easy-to-review error traces ä Navigate code quickly to verify error traces Grouped error traces ä Understand multiple traces through representative samples

7 Analyzing Red Hat 9: Security Properties Temporal safety properties ä Security properties expressed as Finite State Automata (FSA) Pattern variables  e.g. foo(x); bar(x); where x is the same Iteratively refined to reduce false positives Employable by other tools Properties include ä TOCTTOU: Time-of-check, to time-of-use race conditions ä Standard File Descriptors: Vulnerable uses of stdin, stdout and stderr ä Temporary Files: Insecure creation of temporary files  strncpy(): Dangerous uses of strncpy()

8 Security Properties : TOCTTOU Time-of-check to time-of-use race conditions occur when a program checks the access permission of an object and, if the check succeeds, makes a privileged system call on the object. Example: if (access(pathname, R_OK) == 0) fd = open(pathname, O_RDONLY);

9 Security Properties : TOCTTOU Checks: access(), stat(), etc. Uses: creat(), open(), unlink(), etc.

10 Vulnerability Example: TOCTTOU – binutils :: ar exists = lstat (to, &s) == 0; /* Use rename only if TO is not a symbolic link and has only one hard link. */ if (! exists || (!S_ISLNK (s.st_mode) && s.st_nlink == 1)){ ret = rename (from, to); if (ret == 0) { if (exists) { chmod (to, s.st_mode & 0777); if (chown (to, s.st_uid, s.st_gid) >= 0) { chmod (to, s.st_mode & 07777); }...

11 Security Properties: Standard File Descriptors Since the kernel does require that stdin, stdout and stderr point to terminal devices, an attacker may cause a victim program open one of them to a sensitive file. Example /* victim.c */ fd = open("/etc/passwd", O_RDWR); if (!process_ok(argv[0])) perror(argv[0]); /* attack.c */ int main(void) { close(2); execl("victim", "foo: :0:1:Super-User-2:...", NULL); }

12 Security Properties: Standard File Descriptors States correspond to the status of the three standard file descriptors and transitions occur on a "safe" open ( /dev/null and /dev/tty ). open(…)

13 Vulnerability Example: Standard File Descriptors - gnuchess void BookBuilder(short depth,...){ FILE *wfp,*rfp; if (depth == -1 && score == -1) { if ((rfp = fopen(BOOKRUN,"r+b")) != NULL) { printf("Opened existing book!\n"); } else { printf("Created new book!\n"); wfp = fopen(BOOKRUN,"w+b"); fclose(wfp); if ((rfp = fopen(BOOKRUN,"r+b")) == NULL) { printf("Could not create %s file\n", BOOKRUN); return; }...

14 Security Properties: Temporary Files Because many of the functions in the C standard library that create temporary files are insecure an adversary that is able to predict the filename can gain control of the file by precreating it. Example fd = mkstemp(action_file_name);... unlink(action_file_name);

15 Security Properties: Temporary Files tmpnam(), tempnam(), mktemp() and tmpfile() are always unsafe mkstemp() is safe if the generated filename is not used

16 Vulnerability Example: Temporary Files - yacc static void open_files() {... fd = mkstemp(action_file_name); if (fd < 0 || (action_file = fdopen(fd, "w")) == NULL){... open_error(action_file_name); } void open_error(char *filename) { warnx("f - cannot open \"%s\"", filename); done(2); } void done(int k) {... if (action_file_name[0]) unlink(action_file_name);

17 Security Properties: strncpy() First strncpy() encourages off-by-one errors if the programmer is not careful to compute the value of n precisely. Secondly, because the function does not automatically null- terminate a string in all cases it is a common mistake for a program to create unterminated strings during its execution. Example buf[sizeof(buf)-1] = '\0'; strncpy(buf,..., sizeof(buf));

18 Security Properties: strncpy()

19 Vulnerability Example: strncpy() - xloadimage newopt->info.dump.type = argv[++a];... dumpImage(dispimage, dump->info.dump.type, dump->info.dump.file, verbose); void dumpImage(Image *image, char *type, char *filename, int verbose) { int a; char typename[32]; char *optptr; optptr = index(type, ','); if (optptr) { strncpy(typename, type, optptr - type); typename[optptr - type] = '\0';... }

20 Results 1358 strncpy() warnings; 53 audited; 11 real bugs* 200 human hours found 108 real bugs in 50 million lines of code Order of magnitude larger in scale than previous academic work Static analysis will be feasible and integral part of building systems PropertyReported Warnings% FPReal Bugs TOCTTOU79095%41 Standard File Descriptors5661%22 Insecure Temporary Files10869%34 Total95490%97 strncpy()53/135879%11/258* Projected Total231285%355

Questions? Want to talk more about software security?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.