
MOPS: an Infrastructure for Examining Security Properties of Software


1 MOPS: an Infrastructure for Examining Security Properties of Software
Authors: Hao Chen, David Wagner, University of California at Berkeley
Published: ACM Conference on Computer and Communications Security (CCS) 2002
Presenter: Xingbo Gao

2 Outline
Problem Definition and Motivation
Introduction of Temporal Safety Properties
Formal Models and Framework
Feasible Applications
Strengths, Weaknesses and Improvements

3 Problem Definition and Motivation
    // now in directory "/var/ftp"
    chroot("/var/ftp/pub");      // confines the root privilege to the new directory
    chdir("/var/ftp/pub");
    filename = read_from_network();
    fd = open(filename, O_RDONLY);
(Figure: directory tree with / containing /var and /etc; /var/ftp containing /var/ftp/pub; /etc/passwd under /etc.)
What if filename = "../../etc/passwd" ??

4 Contribution
A new idea for examining security properties of software: verify whether temporal safety properties are obeyed
Propose a formal model to automate this verification process

5 Temporal Safety Property
Dictates the order of a sequence of security-relevant operations
Can be used to describe many rules for security-sensitive programs
Violating such a property often renders the program vulnerable to attack
Detecting violations, or verifying that the property is satisfied, significantly helps to reduce software vulnerabilities
Manual checking cannot scale to large programs

6 Formal Model
: the set of security-relevant operations
: all sequences of security operations that violate the security property
: the set of all feasible paths
is a regular language: ( : FSA)
is a context-free language: ( : PDA)

7 Another Example Before making certain system calls that run untrusted programs, a privileged process must first drop all privileges

8 Brief Review of ruid, euid and suid
Each Unix process has three user ids:
ruid: real user id
euid: effective user id
suid: saved user id
(Figure: before the syscall, real-uid = tom, effective-uid = tom, saved-uid = root; after passwd calls seteuid(0), real-uid = tom, effective-uid = root, saved-uid = root.)

9 Temporal Safety Property Example
    #include <stdio.h>
    #include <unistd.h>
    #include <sys/types.h>
    #include <pwd.h>

    extern FILE *log;                 /* log file, opened elsewhere (assumed) */
    void do_something_with_privilege(void);
    void drop_privilege(void);

    int main(int argc, char *argv[])
    {
        // start with root privilege
        do_something_with_privilege();
        drop_privilege();
        execl("/bin/sh", "/bin/sh", NULL);   // risky syscall
        return 0;
    }

    void drop_privilege(void)
    {
        struct passwd *passwd;
        // if getpwuid() fails, this returns without ever dropping privilege
        if ((passwd = getpwuid(getuid())) == NULL)
            return;
        fprintf(log, "drop priv for %s", passwd->pw_name);
        seteuid(getuid());
    }

10 Formal Model Cont.
∑ = {execl(), seteuid(0), seteuid(!0)} (set of security operations)
T = {[seteuid(!0), execl()], [execl()]} (all feasible traces)
T ∩ L(M) = [execl()]
(Figure: an FSA describing the property "Dropping Privileges".)
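As an added illustration of slides 9 and 10 (not code from the MOPS paper or tool), the following models the "dropping privileges" FSA over ∑, enumerates the feasible traces T of the slide-9 program from a hand-built branch structure, and computes T ∩ L(M). The state names, the PROGRAM encoding and the path enumerator are my own simplifications; MOPS itself derives traces from the program's control-flow graph as a PDA.

```python
# Security-relevant operations (the alphabet from slide 10)
SIGMA = {"execl()", "seteuid(0)", "seteuid(!0)"}

# FSA M for "drop privileges before execl()". States are assumed names:
# "priv" (start: the process still holds root), "unpriv" (euid != 0),
# "error" (property violated). L(M) = traces that reach "error".
TRANSITIONS = {
    ("priv", "seteuid(!0)"): "unpriv",
    ("priv", "seteuid(0)"): "priv",
    ("priv", "execl()"): "error",       # execl() while still privileged
    ("unpriv", "seteuid(0)"): "priv",   # regaining root re-arms the check
    ("unpriv", "seteuid(!0)"): "unpriv",
    ("unpriv", "execl()"): "unpriv",
}

def run_fsa(trace):
    """Consume a trace of operations; return the final FSA state."""
    state = "priv"
    for op in trace:
        if op not in SIGMA:
            raise ValueError(f"{op!r} is not a security-relevant operation")
        if state == "error":
            break                       # the error state is absorbing
        state = TRANSITIONS[(state, op)]
    return state

# Slide-9 program abstracted to its security operations (constructed model).
# A string is straight-line code; a tuple holds the alternatives of a branch,
# each alternative being a list of operations. drop_privilege() returns early
# when getpwuid() fails, so one branch performs no seteuid() at all.
PROGRAM = [
    ([], ["seteuid(!0)"]),   # getpwuid() failed  /  seteuid(getuid()) ran
    "execl()",
]

def feasible_traces(program):
    """Enumerate every path through the branch structure (loop-free)."""
    traces = [()]
    for item in program:
        alternatives = item if isinstance(item, tuple) else ([item],)
        traces = [t + tuple(alt) for t in traces for alt in alternatives]
    return traces

def violating_traces(program):
    """T ∩ L(M): the feasible traces that drive the property FSA to error."""
    return [t for t in feasible_traces(program) if run_fsa(t) == "error"]

if __name__ == "__main__":
    for t in feasible_traces(PROGRAM):
        print(t, "->", run_fsa(t))
    print("violations:", violating_traces(PROGRAM))   # [('execl()',)]
```

The single violating trace is the path on which getpwuid() fails, matching the slide's T ∩ L(M) = [execl()].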

11 Modular Implementation

12 Applications
Checking proper dropping of privilege
  sendmail fails to drop root privilege in user IDs
  sendmail fails to drop privilege in group IDs
Verifying success of system calls
  OpenSSH: no uid-setting syscall may fail
Checking privilege flow in non-local control flow
  wu-ftpd 2.4 beta 11 has an offending path
  wu-ftpd 2.4 beta 12 fixed this vulnerability

13 Strengths and Weaknesses
Strengths
  proposed a novel formal approach to model checking security properties in large programs
  efficient algorithm and good scalability
  sound modeling
Weaknesses
  can raise some false alarms due to approximated modeling
  reduced precision because of very limited data flow analysis, e.g. if-then-else

14 Possible Improvements
Investigate how much data flow analysis can be incorporated into MOPS
Improve MOPS while experimenting with checking more security properties in more programs

15 Questions ?

