
Wei Le and Mary Lou Soffa University of Virginia


1 Refining Buffer Overflow Detection via Demand-Driven Path-Sensitive Analysis
Wei Le and Mary Lou Soffa, University of Virginia

2 Motivation
Buffer overflow: 20 years since the Morris Worm, still the most common exploit
Challenge: eliminate exploitable buffer overflows
Detect where a buffer overflow can occur
Determine the cause and remove it

3 Problems of Static Approaches
Detection precision: false positives
Error reports do not provide much information for diagnosis: they only report an overflow point in the program
Not fully automatic: manual annotation

4 Our Goals and Approaches
Goal: automatically identify paths on which a buffer overflow can occur and report the path segment that causes the overflow
Challenge: huge number of paths
Approach: interprocedural path-sensitive analysis for precision and to help diagnosis; demand-driven analysis for scalability

5 Five Types of Paths
Infeasible: no input can exercise the path
Safe: no input can overflow the buffer
Vulnerable: users can write any content to the buffer
Overflow-user-independent: the buffer content is statically determinable
Don’t-know: the buffer status cannot be judged statically

6 An Example (wu-ftpd realpath.c)
[Figure: control-flow graph of the realpath.c fragment, as read from the slide. Node 1: branch (y/n); node 2: rootd = 1; node 3: rootd = 0; node 4: resolved and wbuf shown with \0 terminators; node 5: check strlen(wbuf)+rootd+1+strlen(resolved) > LEN (y: exit, n: continue), with LEN = 6; node 6: rootd == 0 (y: node 7, n: node 8); node 7: strcat(resolved, "/"); node 8: strcat(resolved, wbuf). Paths through the graph are labelled Safe, Infeasible and Overflow.]

7 Demand-Driven Analysis
[Figure: the same graph annotated with the queries propagated backward from the PVS strcat(resolved, wbuf), with the declaration char resolved[LEN] at the top. Notation: s = strlen(resolved)+strlen(wbuf), l = sizeof(resolved), f = wbuf (the flagged source).
Q0 (s<l, f): raised at node 8, strcat(resolved, wbuf)
Q1 (s+1<l, f): after node 7, strcat(resolved, "/")
Q05 (LEN-1-rootd<l, f) and Q15 (LEN-rootd<l, f): after the check strlen(wbuf)+rootd+1+strlen(resolved) > LEN at node 5 (y: exit)
Q052 (LEN-1<l, f), Q053 (LEN-1<l, f) and Q153 (LEN<l, f): after the assignments rootd = 1 (node 2) and rootd = 0 (node 3); one combination is marked Infeasible
The queries are marked Solved at the declaration.]

8 The Demand-Driven Model
PVS (potentially vulnerable statement): strcpy(a,b)
Query: sizeof(a) > strlen(b), flag
Information for updating queries: char a[9]
Propagation rules: interprocedural, loop, join point, infeasible
Resolving the query: false, flag = user input

9 Approach
[Figure: analysis flowchart. Inputs: program, feasibility detection, PVS, infeasible nodes, paths, node information, overflow properties. Steps: raise query, propagate query, update query, resolve query; if resolved (yes): propagate results and label paths, otherwise (no): keep propagating.]

10 Experiments
Purpose: existence of the 5 types of paths; benefit of demand-driven analysis
Implementation: Microsoft Phoenix APIs [phoenix]
Benchmarks: 9 programs, size K LOC, from BugBench [06lu] and the Buffer Overflow Benchmark [03Zitser]

11 Experimental Results
Benchmark: path types (Vul, CNST, UnK, Safe); empty cells were not captured, so the column of each number cannot be recovered from the transcript
polymorph-0.4.0: 966
ncompress-4.2.4: 288
man-1.5h1: 16, 24
gzip-1.2.4: 1
bc-1.06: >50,000, >30,000
squid-2.3: 4, 2
wu-ftp: 4320, 18,624
sendmail: 48, 648
BIND: (no values captured)

12 Experimental Results
All defined types of paths exist
Problematic paths manifest certain complexity
Memory usage: 9-65 MB
Time cost: s

13-15 User Scenario
[Figure, built up over three slides: a path from the program entry to the PVS, with its segments labelled Overflow-User-Independent and Vulnerable.]

16 User Scenario
Benchmark: average path size (#P, #B)
polymorph-0.4.0: 2.5, 25.9
ncompress-4.2.4: 2.0, 27.8
man-1.5h1: 1.8, 14.3
gzip-1.2.4: 3.0, 5
squid-2.3: 1.0, 6.8
wu-ftp: 3.8, 33.6
sendmail: 35.5
BIND: 23.5
[Figure: the user-scenario path from entry to the PVS, with the root cause marked on the Overflow-User-Independent / Vulnerable segment.]

17 Related Work
Static detection for buffer overflow: ARCHER [03xie], BOON [00wagner], ESPx [06hackett], Prefast [ms], Prefix [00bush], Splint [96evans]
Path-sensitive analysis for defects: ARCHER [03xie], ESPx [06hackett], ESP [02das], IPSSA [03livshits], MOPS [02check], Prefix [00bush]
Demand-driven approach: a general framework [96Duesterwald]; applications to dataflow computation [96Duesterwald], infeasible-path detection [97bodik], memory leaks [06Orlovich], postmortem analysis [04Manevich]

18 Conclusions
A categorization of five types of paths for buffer overflow
An interprocedural, demand-driven, path-sensitive diagnosis tool for identifying the type of paths through a potential overflow
Experimental results that demonstrate that these path types exist in real programs

19 Thank you and Questions?

