
SOFTWARE ENGINEERING INSTITUTE



Presentation on theme: "SOFTWARE ENGINEERING INSTITUTE"— Presentation transcript:

1 SOFTWARE ENGINEERING INSTITUTE
Automated Detection of Vulnerabilities Based on Program Analysis and Model Checking
Wang L., Zhang Q., Zhao P.
SYSTEM SOFTWARE RESEARCH GROUP, SOFTWARE ENGINEERING INSTITUTE

2 Outline
- Why choose model checking
- How we do it
- Static analysis
- Prototype - CodeAuditor
- Demo example
- Experiment result
- Related work
- Conclusion & future work

3 Why choose model checking
- Dynamic: efficient, but depends on special input data.
- Static: general static methods.
  - Program analysis: efficient, but imprecise.
  - Formal verification: model checking (abstract-verify-refine paradigm), which emphasizes precision by exploring an abstract tree that stores the information of all reachable paths.

4 How we do it
Model checking
- Model checker: BLAST
- Cannot automatically build the vulnerability model
- State space explosion
Program analysis
- Constraint-based analysis: model the buffers in the source code
- Pointer alias analysis, to improve precision
- Slicing, to improve efficiency
- ......
Example (out-of-bounds write that the model must catch):
    char name[5];
    if(true) name[9] = 'c';

5 Static analysis
Constraint-based analysis
- Model string buffers as pairs of integers {max_length, used_length}
- Model statements and functions as attribute transfers and constraints, described in an XML configuration file
Code instrumentation
- Traverse the AST of GCC, parse the configuration file and execute the instrumentation
- Convert the instrumented AST back to source code

6 Static analysis (cont.)
Alias analysis
- Compute pointer aliases at every program location
- Update the attributes of aliased pointers

7 Prototype - CodeAuditor

8 More details
Several buffer operations and their constraints/assertions (→ denotes an attribute transfer):

C code                   | Constraints and assertions
char *p                  | 0 → p.max; 0 → p.used
char a[n]                | n → a.max; 0 → a.used
p = malloc(n)            | n → p.max; 0 → p.used
strcpy(dst, src)         | assert(dst.max >= src.used); src.used → dst.used
strcat(s, t)             | assert(s.max >= s.used + t.used); t.used + s.used → s.used
strncat(s, t, n)         | assert(s.max >= s.used + n); s.used + n → s.used
scanf("%ns", str)        | assert(str.max >= n); n → str.used
sprintf(dst, "%s", str)  | assert(dst.max >= str.used); str.used → dst.used
sprintf(dst, "%d", n)    | assert(dst.max >= 20); 20 → dst.used

Dangerous function call: strcpy(dst, src) is instrumented as
    assert(dst_length_max >= src_length_used);
    dst_length_used = src_length_used;

Interprocedural analysis: for char * foo (char *s), the return value and the parameter get their own attribute variables
    int foo_ret_length_max = 0;
    int foo_ret_length_used = 0;
    int foo_s_length_max = 0;
    int foo_s_length_used = 0;
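To make the transfer rules on this slide concrete, here is an added example (my own code, not CodeAuditor's and not from the slides) that applies the table's constraints to a straight-line list of statements and reports each failed assertion as an alarm. Two things are assumptions not stated in the table: a `literal` statement that records a string's known used length, and an `index` rule for `a[k] = c` that checks k against a.max (the slide-4 case).

```python
from dataclasses import dataclass

@dataclass
class Buf:
    max: int   # max_length: allocated size of the buffer
    used: int  # used_length: bytes currently in use

def analyze(stmts):
    """Apply the slide-8 transfer rules/assertions; return (env, alarms)."""
    env, alarms = {}, []
    def check(i, cond, text):           # a failed assertion becomes an alarm
        if not cond:
            alarms.append(f"stmt {i}: {text}")
    for i, s in enumerate(stmts):
        op = s[0]
        if op == "ptr":                   # char *p: 0 -> p.max; 0 -> p.used
            env[s[1]] = Buf(0, 0)
        elif op in ("array", "malloc"):   # char a[n] / p = malloc(n): n -> max; 0 -> used
            env[s[1]] = Buf(s[2], 0)
        elif op == "literal":             # assumed: buffer now holds a string of known length
            env[s[1]].used = s[2]
        elif op == "strcpy":              # assert(dst.max >= src.used); src.used -> dst.used
            d, src = env[s[1]], env[s[2]]
            check(i, d.max >= src.used, f"strcpy({s[1]}, {s[2]}): max {d.max} < used {src.used}")
            d.used = src.used
        elif op == "strcat":              # assert(s.max >= s.used + t.used); s.used += t.used
            d, t = env[s[1]], env[s[2]]
            check(i, d.max >= d.used + t.used, f"strcat({s[1]}, {s[2]}): max {d.max} < {d.used + t.used}")
            d.used += t.used
        elif op == "strncat":             # assert(s.max >= s.used + n); s.used += n
            d, n = env[s[1]], s[3]
            check(i, d.max >= d.used + n, f"strncat({s[1]}, {s[2]}, {n}): max {d.max} < {d.used + n}")
            d.used += n
        elif op == "scanf":               # scanf("%ns", str): assert(str.max >= n); n -> str.used
            d, n = env[s[1]], s[2]
            check(i, d.max >= n, f"scanf(%{n}s, {s[1]}): max {d.max} < {n}")
            d.used = n
        elif op == "index":               # assumed rule for a[k] = c: assert(k < a.max)
            d, k = env[s[1]], s[2]
            check(i, k < d.max, f"{s[1]}[{k}]: index past max {d.max}")
        else:
            raise ValueError(f"unknown statement {op}")
    return env, alarms

# Constructed program: the slide-4 overflow (char name[5]; name[9] = 'c'), a 10-byte string
# copied into an 8-byte malloc'd buffer (alarm), then a strcat that fits (no alarm).
DEMO = [("array", "name", 5), ("index", "name", 9),
        ("array", "src", 16), ("literal", "src", 10), ("malloc", "dst", 8),
        ("strcpy", "dst", "src"), ("array", "big", 32), ("strcat", "big", "src")]
```

Running `analyze(DEMO)` yields two alarms (statements 1 and 5); the attribute environment it returns is the same state the instrumented `*_length_max` / `*_length_used` variables would carry into the model checker.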

9 Demo example

10 Experiment results
Vulnerability detection
1 Minicom; 2 Corehttp; 3 Monkey

Software        | LOC before | LOC after | Alarms: Total / True / False / New bugs
minicom-1.80    | 6000       | 18080     | 3 2 1
corehttp-alpha  | 5008       | 13020     | 9 8 7
monkey0.11      | 443        | 1200      | 5
(alarm cells are given in the order extracted from the slide; some values are missing)

11 Program slicing
Program slicing, to reduce the state space
Slicing criterion: SC(L) = (L, V)
- L: location of buffer-related statements
- V: buffer-related variables

#              | No. of predicates | Trace length | Time (ms) | Perf. improve % | Result
Assert_1       | 4126              | 165          | time out  | ----            | No result
Assert_1_slice | 43                | 44           | 2530      |                 | safe
Assert_2       | 4140              | 305          |           |                 |
Assert_2_slice | 33                | 36           |           |                 |
Assert_3       | 507               | 47           | 3409      | 19.5 %          | unsafe
Assert_3_slice | 11                |              | 2743      |                 |
Assert_4       | 915               | 126          | 2315      | 15.7 %          |
Assert_4_slice | 15                | 6            | 1950      |                 |
Assert_5       | 715               | 76           | 12765     | 33.1 %          |
Assert_5_slice | 23                |              | 8550      |                 |
(empty cells were not recovered from the slide)

12 Related work
- Static: ATOM, Pin, Cascade, CCured
- Dynamic: Cred

13 Conclusion & future work
- The tool is precise and effective
Future work
- The efficiency remains to be improved
- Apply it to other new vulnerabilities
- Replace model checking with other techniques

14 Q&A
