Presentation is loading. Please wait.

Presentation is loading. Please wait.

Research in Language-Based Methods

Published byStewart Cooper Modified over 6 years ago

Similar presentations

Presentation on theme: "Research in Language-Based Methods"— Presentation transcript:

1 Research in Language-Based Methods
Software Security: Research in Language-Based Methods David Wagner U.C. Berkeley

2 Software security today
Even after large, extensive testing efforts, commercial software is shipped riddled with errors (“bugs”). — PITAC Report to the President, February 24, 1999 Trustworthy Computing is computing that is available, reliable, and secure as electricity, water services and telephony....No Trustworthy Computing platform exists today. — Bill Gates, January 15, 2002 (highest priority for Microsoft) [T]he national annual costs of an inadequate infrastructure for software testing is estimated to range from $22.2 to $59.5 billion. — NIST Planning Report 02-3, May 2002 In short: Software vulnerabilities are rampant.

3 Problem Statement Many security holes are due to buggy implementations
The technical challenge: How do we reason about the security properties of software? Can we detect instances of common vulnerabilities? Can we prove our software is free of these holes? Can we build code that is “secure by construction”? This talk: Reasoning about temporal safety properties of legacy software

4 MOPS: Modelchecking Security Properties
Pushdown model checking of C source code Security properties expressed as finite state automata Code is modelled as a pushdown automaton strncpy(d,s,n) other d[n-1] = ’\0’; Example: A simple FSA to detect misuse of strncpy( ). Error state indicates possible failure to null-terminate d. (Real property is much more complex: many ways to terminate; pre-termination vs. post-termination; delayed termination.)

5 TOCTTOU (time-of-check to time-of-use)
Canonical example of a TOCTTOU vulnerability: if (access(pathname, R_OK) == 0) fd = open(pathname, O_RDONLY); Notice: not an atomic operation! Bug: Permissions may change between access() & open() Attacker can arrange for this to happen in an attack check(x) use(x) check = { access, lstat, stat, readlink, statfs } use = { chmod, open, remove, unlink, mount, link, mkdir, rmdir … }

6 Insecure temporary file creation/use
Temporary file creation requires special care: 1) unguessable filename; 2) safe permissions; 3) file ops should use fd, not filename (TOCTTOU) mkstemp(x) fileop(x) { tmpnam(), tempnam(), mktemp(), tmpfile() } fileop(x) = { open(x), chmod(x), remove(x), unlink(x) … }

7 MOPS in the large Experiment: Analyze an entire Linux distribution
Redhat 9, all C packages (732 pkgs, ~ 50 MLOC) Security analysis at an unprecedented scale Team of 4 manually examined 900+ warnings 1 grad student; 3 undergrads new to MOPS Exhaustive analysis of TOCTTOU, tmpfile, others; statistical sampling of strncpy Laborious: multiple person-months of effort Found 108 new security holes in Linux apps Security Property Warnings Real bugs Bug ratio TOCTTOU 790 41 5% temporary files 108 34 35% strncpy 1378 11+ ~ 5-10% Total 2333 108+

8 Bug #1: “zip” Pathname from cmd line d_exists = (lstat(d, &t) == 0);
if (d_exists) { /* respect existing soft and hard links! */ if (t.st_nlink > 1 || (t.st_mode & S_IFMT) == S_IFLNK) copy = 1; else if (unlink(d)) return ZE_CREAT; } ... eventually writes new zipfile to d ...

9 Bug #2: “ar” exists = lstat (to, &s) == 0; if (! exists ||
(!S_ISLNK (s.st_mode) && s.st_nlink == 1)){ ret = rename (from, to); if (ret == 0) { if (exists) { chmod (to, s.st_mode & 0777); if (chown (to, s.st_uid, s.st_gid) >= 0) chmod (to, s.st_mode & 07777); }

10 Bug #3 static void open_files() { int fd; create_file_names();
if (input_file == 0) { input_file = fopen(input_file_name, "r"); if (input_file == 0) open_error(input_file_name); fd = mkstemp(action_file_name); if (fd < 0 || (action_file = fdopen(fd, "w")) == NULL) { if (fd >= 0) close(fd); open_error(action_file_name); } void open_error(char *f) { perror(f); unlink(action_file_name); exit(1);

11 Lessons & surprises from the MOPS effort
Program analysis at scale is highly non-trivial Good UI, explanation of errors is critical Build integration so important — and so hard — that we re-implemented it no less than four times But worth it: Large-scale experiments incredibly valuable Tech. transfer: techniques being adopted in commercial security code scanning tools There is an enormous opportunity for better tools — but also enormous research challenges

12 TRUST Agenda Technical directions: Static code verification
Dynamic analysis Multi-lingual security Software design Major themes: Program analysis System composition Participants: John Mitchell (area leader) Alex Aiken Ken Birman Dan Boneh Hector Garcia-Molina George Necula Mike Reiter Fred Schneider Gün Sirer Dawn Song Doug Tygar David Wagner Jeannette Wing

Download ppt "Research in Language-Based Methods"

Similar presentations

Static Analysis for Security

Static Analysis for Security
Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.

Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.
Logical Attestation: An Authorization Architecture for Trustworthy Computing Emin Gün Sirer Willem de Bruijn †, Patrick Reynolds *, Alan Shieh ‡, Kevin.

Logical Attestation: An Authorization Architecture for Trustworthy Computing Emin Gün Sirer Willem de Bruijn †, Patrick Reynolds *, Alan Shieh ‡, Kevin.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Designed-in Security Some Major Challenges Security Group Department of Computer Science University of California, Santa Barbara Trustworthy.

Designed-in Security Some Major Challenges Security Group Department of Computer Science University of California, Santa Barbara Trustworthy.
An Empirical Study of the Reliability in UNIX Utilities Barton Miller Lars Fredriksen Brysn So Presented by Liping Cai.

An Empirical Study of the Reliability in UNIX Utilities Barton Miller Lars Fredriksen Brysn So Presented by Liping Cai.
B. Sharma, S.D. Dhodapkar, S. Ramesh 1 Assertion Checking Environment (ACE) for Formal Verification of C Programs Babita Sharma, S.D.Dhodapkar RCnD, BARC,

B. Sharma, S.D. Dhodapkar, S. Ramesh 1 Assertion Checking Environment (ACE) for Formal Verification of C Programs Babita Sharma, S.D.Dhodapkar RCnD, BARC,
1 Basic Definitions: Testing What is software testing? Running a program In order to find faults a.k.a. defects a.k.a. errors a.k.a. flaws a.k.a. faults.

1 Basic Definitions: Testing What is software testing? Running a program In order to find faults a.k.a. defects a.k.a. errors a.k.a. flaws a.k.a. faults.
The Future of Correct Software George Necula. 2 Software Correctness is Important ► Where there is software, there are bugs ► It is estimated that software.

The Future of Correct Software George Necula. 2 Software Correctness is Important ► Where there is software, there are bugs ► It is estimated that software.
Metrics Project and Process Metrics. Why do we measure? Assessing project status Allows us to track risks Before they go critical Adjust workflow See.

Metrics Project and Process Metrics. Why do we measure? Assessing project status Allows us to track risks Before they go critical Adjust workflow See.
1 Property 3: standard file descriptors vulnerability attack.c at.c Standard File Descriptors 0:stdin 1:stdout 2:stderr close(1); close(2); execl(“at”,

1 Property 3: standard file descriptors vulnerability attack.c at.c Standard File Descriptors 0:stdin 1:stdout 2:stderr close(1); close(2); execl(“at”,
#1 Program analysis for security: Making it scale David Wagner U.C. Berkeley Work by Hao Chen, Karl Chen, Rob Johnson, Ben Schwarz, and Jeremy Lin, Geoff.

#1 Program analysis for security: Making it scale David Wagner U.C. Berkeley Work by Hao Chen, Karl Chen, Rob Johnson, Ben Schwarz, and Jeremy Lin, Geoff.
TOCTTOU Vulnerabilities in UNIX-Style File Systems BY: Mayank Ladoia.

TOCTTOU Vulnerabilities in UNIX-Style File Systems BY: Mayank Ladoia.
#1 The Future of Software Security David Wagner U.C. Berkeley.

#1 The Future of Software Security David Wagner U.C. Berkeley.
MOPS MOdelchecking Security Properties David Wagner U.C. Berkeley.

MOPS MOdelchecking Security Properties David Wagner U.C. Berkeley.
Software Security David Wagner University of California at Berkeley.

Software Security David Wagner University of California at Berkeley.
A Type System for Expressive Security Policies David Walker Cornell University.

A Type System for Expressive Security Policies David Walker Cornell University.
August 2006Scott Stoller, Stony Brook University1 Research in Formal Methods, Concurrent & Distributed Systems, and Programming Languages at Scott D. Stoller.

August 2006Scott Stoller, Stony Brook University1 Research in Formal Methods, Concurrent & Distributed Systems, and Programming Languages at Scott D. Stoller.
High Confidence Medical Device Software and Systems: A programming languages and tools perspective Mark P Jones Department of Computer Science & Electrical.

High Confidence Medical Device Software and Systems: A programming languages and tools perspective Mark P Jones Department of Computer Science & Electrical.
#1 Pushdown model checking for security David Wagner U.C. Berkeley Work by Hao Chen, Ben Schwarz, and Drew Dean, Jeremy Lin, Geoff Morrison, David Schultz,

#1 Pushdown model checking for security David Wagner U.C. Berkeley Work by Hao Chen, Ben Schwarz, and Drew Dean, Jeremy Lin, Geoff Morrison, David Schultz,

Similar presentations

Ads by Google