Presentation is loading. Please wait.

Presentation is loading. Please wait.

Static Analysis With material from Dave Levin, Mike Hicks, Dawson Engler, Lujo Bauer, Michelle Mazurek http://philosophyofscienceportal.blogspot.com/2013/04/van-de-graaff-generator-redux.html.

Published byGordon Daniels Modified over 6 years ago

Similar presentations

Presentation on theme: "Static Analysis With material from Dave Levin, Mike Hicks, Dawson Engler, Lujo Bauer, Michelle Mazurek http://philosophyofscienceportal.blogspot.com/2013/04/van-de-graaff-generator-redux.html."— Presentation transcript:

1 Static Analysis With material from Dave Levin, Mike Hicks, Dawson Engler, Lujo Bauer, Michelle Mazurek

2 Static analysis

3 for Software Assurance
Current Practice for Software Assurance inputs outputs program Is it correct? oracle register char *q; char inp[MAXLINE]; char cmdbuf[MAXLINE]; extern ENVELOPE BlankEnvelope; extern void settime __P((ENVELOPE *)); extern void help __P((char *)); extern bool enoughdiskspace __P((long)); extern int runinchild __P((char *, ENVELOPE *)); . Testing: Check correctness on set of inputs Benefits: Concrete failure proves issue, aids fix Drawbacks: Expensive, difficult, coverage? No guarantees

4 Current Practice Code audit: Convince someone your code is correct
(continued) Code audit: Convince someone your code is correct Benefit: Humans can generalize Drawbacks: Expensive, hard, no guarantees register char *q; char cmdbuf[MAXLINE]; char inp[MAXLINE]; extern ENVELOPE BlankEnvelope; extern void help __P((char *)); extern void settime __P((ENVELOPE *)); extern int runinchild __P((char *, ENVELOPE *)); extern bool enoughdiskspace __P((long)); extern void checksmtpattack __P((volatile int *, int, char *, ENVELOPE *)); if (fileno(OutChannel) != fileno(stdout)) { /* arrange for debugging output to go to remote host */ (void) dup2(fileno(OutChannel), fileno(stdout)); } settime(e); if (peerhostname == NULL) peerhostname = RealHostName; peerhostname = "localhost"; CurHostName = peerhostname; CurSmtpClient = macvalue('_', e); CurSmtpClient = CurHostName; if (CurSmtpClient == NULL) setproctitle("server %s startup", CurSmtpClient); #if DAEMON if (LogLevel > 11) /* log connection information */ sm_syslog(LOG_INFO, NOQID, "SMTP connect from %.100s (%.100s)", CurSmtpClient, anynet_ntoa(&RealHostAddr)); #endif /* output the first line, inserting "ESMTP" as second word */ p = strchr(inp, '\n'); expand(SmtpGreeting, inp, sizeof inp, e); if (p != NULL) *p++ = '\0'; id = strchr(inp, ' '); id = &inp[strlen(inp)]; if (id == NULL) cmd = p == NULL ? "220 %.*s ESMTP%s" : "220-%.*s ESMTP%s"; message(cmd, id - inp, inp, id); /* output remaining lines */ while ((id = p) != NULL && (p = strchr(id, '\n')) != NULL) if (isascii(*id) && isspace(*id)) cmd < &cmdbuf[sizeof cmdbuf - 2]) *cmd++ = *p++; *cmd = '\0'; while (isascii(*p) && isspace(*p)) /* throw away leading whitespace */ p++; /* decode command */ for (c = CmdTab; c->cmdname != NULL; c++) if (!strcasecmp(c->cmdname, cmdbuf)) break; /* reset errors */ errno = 0; /* ** ** Process command. ** If we are running as a null server, return 550 ** to everything. */ if (nullserver) switch (c->cmdcode) case CMDHELO: case CMDQUIT: case CMDEHLO: case CMDNOOP: /* process normally */ default: if (++badcommands > MAXBADCOMMANDS) sleep(1); continue; usrerr("550 Access denied"); /* non-null server */ case CMDMAIL: case CMDEXPN: case CMDVRFY: if (*p == '\0') kp = p; /* skip to the value portion */ while ((isascii(*p) && isalnum(*p)) || *p == '-') if (*p == '=') vp = p; /* skip to the end of the value */ !(isascii(*p) && iscntrl(*p)) && while (*p != '\0' && *p != ' ' && *p != '=') if (*p != '\0') if (tTd(19, 1)) vp == NULL ? "<null>" : vp); printf("RCPT: got arg %s=\"%s\"\n", kp, rcpt_esmtp_args(a, kp, vp, e); if (Errors > 0) a = recipient(a, &e->e_sendqueue, 0, e); /* save in recipient list after ESMTP mods */ e->e_to = a->q_paddr; /* no errors during parsing, but might be a duplicate */ if (!bitset(QBADADDR, a->q_flags)) message("250 Recipient ok%s", " (will queue)" : ""); bitset(QQUEUEUP, a->q_flags) ? nrcpts++; else /* punt -- should keep message in ADDRESS.... */ ???

5 How can we do better?

6 Static analysis Analyze program’s code without running it
In a sense, ask a computer to do code review Benefit: (much) higher coverage Reason about many possible runs of the program Sometimes all of them, providing a guarantee Reason about incomplete programs (e.g., libraries) Drawbacks: Can only analyze limited properties May miss some errors, or have false alarms Can be time- and resource-consuming

7 The Halting Problem Always terminates? register char *q; char inp[MAXLINE]; char cmdbuf[MAXLINE]; extern void help __P((char *)); extern ENVELOPE BlankEnvelope; extern void settime __P((ENVELOPE *)); extern bool enoughdiskspace __P((long)); extern int runinchild __P((char *, ENVELOPE *)); . program P analyzer Can we write an analyzer that can prove, for any program P and inputs to it, P will terminate? Doing so is called the halting problem Unfortunately, this is undecidable: any analyzer will fail to produce an answer for at least some programs and/or inputs Some material inspired by work of Matt Might:

8 Check other properties instead?
Perhaps security-related properties are feasible E.g., that all accesses a[i] are in bounds But these properties can be converted into the halting problem by transforming the program A perfect array bounds checker could solve the halting problem, which is impossible! Other undecidable properties (Rice’s theorem) Does this SQL string come from a tainted source? Is this pointer used after its memory is freed? Do any variables experience data races?

9 So is static analysis impossible?
Perfect static analysis is not possible Useful static analysis is perfectly possible, despite Nontermination - analyzer never terminates, or False alarms - claimed errors are not really errors, or Missed errors - no error reports ≠ error free Nonterminating analyses are confusing, so tools tend to exhibit only false alarms and/or missed errors

10 Say exactly the set of true things
Completeness Soundness If analysis says that X is true, then X is true. If X is true, then analysis says X is true. True things Things I say are all True things Things I say Things I say True things Trivially Complete: Say nothing Trivially Sound: Say everything Sound and Complete: Say exactly the set of true things

11 Stepping back Soundness: No error found = no error exists
Alarms may be false errors Completeness: Any error found = real error Silence does not guarantee no errors Basically any useful analysis is neither sound nor complete (def. not both) … usually leans one way or the other

12 The Art of Static Analysis
Design goals: Precision: Carefully model program, minimize false positives/negatives Scalability: Successfully analyze large programs Understandability: Error reports should be actionable Observation: Code style is important Aim to be precise for “good” programs OK to forbid yucky code in the name of safety Code that is more understandable to the analysis is more understandable to humans

13 Adding some depth: Taint (flow) analysis

14 Tainted Flow Analysis Cause of many attacks is trusting unvalidated input Input from the user (network, file) is tainted Various data is used, assuming it is untainted Examples expecting untainted data source string of strcpy (≤ target buffer size) format string of printf (contains no format specifiers) form field used in constructed SQL query (contains no SQL commands)

15 Recall: Format String Attack
Adversary-controlled format string Attacker sets name = "%s%s%s “ to crash program Attacker sets name = "%n" to write to memory Yields code injection exploits These bugs still occur in the wild occasionally Too restrictive to forbid non-constant format strings char *name = fgets(.., network_fd); printf(name); // Oops

16 The problem, in types Specify our requirement as a type qualifier
tainted = possibly controlled by adversary untainted = must not be controlled by adversary int printf(untainted char *fmt, ..); tainted char *fgets(..); tainted char *name = fgets(..,network_fd); printf(name); // FAIL: tainted ≠ untainted

17 Analyzing taint flows Goal: For all possible inputs, prove tainted data will never be used where untainted data is expected untainted annotation: indicates a trusted sink tainted annotation: an untrusted source no annotation means: not sure (analysis must figure it out) Solution requires inferring flows in the program What sources can reach what sinks If any flows are illegal, i.e., whether a tainted source may flow to an untainted sink We will aim to develop a sound analysis

18 At each program step, test whether inputs ≤ policy
Legal Flow Illegal Flow void f(tainted int); untainted int a = ..; f(a); void g(untainted int); tainted int b = ..; g(b); f accepts tainted or untainted data g accepts only untainted data untainted ≤ tainted tainted ≤ untainted Define allowed flow as a lattice: < untainted tainted At each program step, test whether inputs ≤ policy

19 Analysis Approach If no qualifier is present, we must infer it Steps:
Create a name for each missing qualifier (e.g., α, β) For each program statement, generate constraints Statement x = y generates constraint qy ≤ qx Solve the constraints to produce solutions for α, β, etc. A solution is a substitution of qualifiers (like tainted or untainted) for names (like α and β) such that all of the constraints are legal flows If there is no solution, we (may) have an illegal flow

20 No possible solution for
Example Analysis int printf(untainted char *fmt, ..); tainted char *fgets(..); 1 printf(x); α char *name = fgets(.., network_fd); 2 β char *x = name; 3 Illegal flow! 1 tainted ≤ α 2 α ≤ β No possible solution for α and β 3 β ≤ untainted First constraint requires α = tainted To satisfy the second constraint implies β = tainted But then the third constraint is illegal: tainted ≤ untainted

21 Taint Analysis: Adding Sensitivity

22 No constraint solution. Bug?
But what about? int printf(untainted char *fmt, ..); tainted char *fgets(..); char *name = fgets(.., network_fd); char *x; x = name; x = "hello!"; printf(x); α β tainted ≤ α α ≤ β No constraint solution. Bug? untainted ≤ β False Alarm! β ≤ untainted

23 Flow Sensitivity Our analysis is flow insensitive
Each variable has one qualifier Conflates the taintedness of all values it ever contains Flow-sensitive analysis accounts for variables whose contents change Allow each assigned use of a variable to have a different qualifier E.g., α1 is x’s qualifier at line 1, but α2 is the qualifier at line 2, where α1 and α2 can differ Could implement this by transforming the program to assign to a variable at most once

24 Reworked Example → No Alarm int printf(untainted char *fmt, ..);
tainted char *fgets(..); char *name = fgets(.., network_fd); char *x1, *x2; x1 = name; x2 = "%s'; printf(x2); α γ β tainted ≤ α α ≤ β No Alarm Good solution exists: γ = untainted α = β = tainted untainted ≤ γ γ ≤ untainted

25 Handling conditionals
int printf(untainted char *fmt, ..); tainted char *fgets(..); char *name = fgets(.., network_fd); char *x; if (..) x = name; else x = "hello!"; printf(x); α β tainted ≤ α α ≤ β Constraints still unsolvable Illegal flow untainted ≤ β β ≤ untainted

26 Multiple Conditionals
int printf(untainted char *fmt, ..); tainted char *fgets(…); void f(int x) { char *y; if (x) y = "hello!"; else y = fgets(.., network_fd); if (x) printf(y); } α untainted ≤ α No solution for α. Bug? tainted ≤ α False Alarm! α ≤ untainted (and flow sensitivity won’t help)

27 Path Sensitivity db4e9c736e9bcefb6fd3a677006efea8
Consider path feasibility. E.g., f(x) can execute path when x ≠ 0, or when x == 0. But, path infeasible A path sensitive analysis checks feasibility, e.g., by qualifying each constraint with a path condition void f(int x) { char *y; 1if (x) 2y = “hello!”; else 3y = fgets(…); 4if (x) 5printf(y); 6} db4e9c736e9bcefb6fd3a677006efea8 x ≠ 0 ⟹ untainted ≤ α (segment 1-2) x = 0 ⟹ tainted ≤ α (segment 1-3) x ≠ 0 ⟹ α ≤ untainted (segment 4-5)

28 Static analysis in practice
Thoroughly check limited but useful properties Eliminate some categories of errors Developers can concentrate on deeper reasoning Encourage better development practices Programming models that avoid mistakes Teach programmers to manifest their assumptions Using annotations that improve tool precision Seeing increased commercial adoption

29 Static analysis in practice
Fortify clang analyzer & KLEE FindBugs Caveat: appearance in the above list is not an implicit endorsement, and these are only a sample of available offerings

Download ppt "Static Analysis With material from Dave Levin, Mike Hicks, Dawson Engler, Lujo Bauer, Michelle Mazurek http://philosophyofscienceportal.blogspot.com/2013/04/van-de-graaff-generator-redux.html."

Similar presentations

Static Analysis for Security

Static Analysis for Security
Chapter 5 Errors Bjarne Stroustrup www.stroustrup.com/Programming.

Chapter 5 Errors Bjarne Stroustrup
Detecting Bugs Using Assertions Ben Scribner. Defining the Problem  Bugs exist  Unexpected errors happen Hardware failures Loss of data Data may exist.

Detecting Bugs Using Assertions Ben Scribner. Defining the Problem  Bugs exist  Unexpected errors happen Hardware failures Loss of data Data may exist.
Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.

Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.
SPLINT STATIC CHECKING TOOL Sripriya Subramanian 10/29/2002.

SPLINT STATIC CHECKING TOOL Sripriya Subramanian 10/29/2002.
Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley.

Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley.
4/25/08Prof. Hilfinger CS164 Lecture 371 Global Optimization Lecture 37 (From notes by R. Bodik & G. Necula)

4/25/08Prof. Hilfinger CS164 Lecture 371 Global Optimization Lecture 37 (From notes by R. Bodik & G. Necula)
Visualizing Type Qualifier Inference with Eclipse David Greenfieldboyce Jeffrey S. Foster University of Maryland.

Visualizing Type Qualifier Inference with Eclipse David Greenfieldboyce Jeffrey S. Foster University of Maryland.
Overview of program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc05.html.

Overview of program analysis Mooly Sagiv html://
CQual: A Tool for Adding Type Qualifiers to C Jeff Foster et al UC Berkeley OSQ Retreat, May 21-23 2002.

CQual: A Tool for Adding Type Qualifiers to C Jeff Foster et al UC Berkeley OSQ Retreat, May
Overview of program analysis Mooly Sagiv html://www.math.tau.ac.il/~msagiv/courses/wcc03.html.

Overview of program analysis Mooly Sagiv html://
Designing For Testability. Incorporate design features that facilitate testing Include features to: –Support test automation at all levels (unit, integration,

Designing For Testability. Incorporate design features that facilitate testing Include features to: –Support test automation at all levels (unit, integration,
Cs3102: Theory of Computation Class 18: Proving Undecidability Spring 2010 University of Virginia David Evans.

Cs3102: Theory of Computation Class 18: Proving Undecidability Spring 2010 University of Virginia David Evans.
Chapter 6 Buffer Overflow. Buffer Overflow occurs when the program overwrites data outside the bounds of allocated memory It was one of the first exploited.

Chapter 6 Buffer Overflow. Buffer Overflow occurs when the program overwrites data outside the bounds of allocated memory It was one of the first exploited.
CSC-682 Cryptography & Computer Security Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Pompi Rotaru Based on an article.

CSC-682 Cryptography & Computer Security Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Pompi Rotaru Based on an article.
An Undergraduate Course on Software Bug Detection Tools and Techniques Eric Larson Seattle University March 3, 2006.

An Undergraduate Course on Software Bug Detection Tools and Techniques Eric Larson Seattle University March 3, 2006.
CSE 311 Foundations of Computing I Lecture 28 Computability: Other Undecidable Problems Autumn 2011 CSE 3111.

CSE 311 Foundations of Computing I Lecture 28 Computability: Other Undecidable Problems Autumn 2011 CSE 3111.
/ PSWLAB Evidence-Based Analysis and Inferring Preconditions for Bug Detection By D. Brand, M. Buss, V. C. Sreedhar published in ICSM 2007.

/ PSWLAB Evidence-Based Analysis and Inferring Preconditions for Bug Detection By D. Brand, M. Buss, V. C. Sreedhar published in ICSM 2007.
MOPS: an Infrastructure for Examining Security Properties of Software Authors Hao Chen and David Wagner Appears in ACM Conference on Computer and Communications.

MOPS: an Infrastructure for Examining Security Properties of Software Authors Hao Chen and David Wagner Appears in ACM Conference on Computer and Communications.
4 - Conditional Control Structures CHAPTER 4. Introduction A Program is usually not limited to a linear sequence of instructions. In real life, a programme.

4 - Conditional Control Structures CHAPTER 4. Introduction A Program is usually not limited to a linear sequence of instructions. In real life, a programme.

Similar presentations

Ads by Google