Presentation is loading. Please wait.

Presentation is loading. Please wait.

Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley."— Presentation transcript:

1 Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley

2 Format String Bugs  I/O functions in C use format strings printf(“%s”, buf)print buf as string  But you can also do printf(buf);

3 Format String Bugs  Attacker may set the content in the buffer buf = printf(buf);  Set buf = “%s%s%s%s%s” to crash program  Set buf = “…%n…” to write to memory may yield exploits to gain root access

4 Format String Bugs Application Found byImpactyears ------------------------------------------------------------------------------- wu-ftpd 2.*security.isremote root> 6 Linux rpc.statdsecurity.isremote root> 4 IRIX telnetdLSDremote root> 8 Apache + PHP3security.isremote user> 2 NLS / localeCORE SDIlocal root? screenJouko Pynnonenlocal root> 5 BSD chpassTESOlocal root? OpenBSD fstatktwolocal root?

5 Traditional Techniques  Testing – how to ensure coverage?  Manual code review – bugs too subtle while (fgets(buf, sizeof buf, f)){ lreply(200, buf); } void lreply(int n, char* fmt,…){ vsnprintf(buf, sizeof buf, ftm, ap); }  Re-implement – not possible for legacy system

6 Using Type Qualifiers  Add qualifier annotations int printf(untainted char *fmt, …); tainted int getchar(); int main(int argc, tainted char *argv[]); tainted = may be controlled by the attacker untainted = must not be controlled by the attacker

7 The Basic Idea void f(tainted int); untainted int a; tainted int b; f(a); // OK f(b); // OK void g(untainted int) untainted int a; tainted int b; g(a); // OK g(b); // Error

8 Subtyping void f(tainted int); untainted int a; f(a); void g(untainted int) tainted int b; g(b); f accepts both tainted and untainted data. g only accepts untainted data. untainted < tainted

9 Type System Type system will prove judgments of the form Γ ├ e :  “In type environment Γ, expression e has type  ”

10 Type Rules  ├ e 1 :  1   2  ├ e 2 :  1  ├ e 1 e 2 :  2 “In type environment , if expression e 1 has type from  1 to  2 and e 2 has type  1, then application of e 2 to e 1 has type  2 ”

11 Partial Order A partial order is a relation  that satisfies the following three properties: 1. reflexivity: a  a 2. antisymmetry: If a  b and b  a then a = b 3. transitivity: If a  b, b  c, then a  c

12 Lattice A lattice is a partial order where any two elements x and y have a least upper bound, x  y, and a greatest lower bound, x  y. a b c d tainted untainted

13 Qualifier Subtyping Rule Q 1  Q 2 Q 1 int  Q 2 int untainted  tainted untainted int  tainted int int can replaced by any C primitive data type: char, double …. How about pointer?

14 Pointer Qualifier Subtyping Rule Q 1  Q 2 T 1  T 2 Q 1 ptr(T 1 )  Q 2 ptr(T 2 ) Wrong! tainted char *t; // T2 = tainted char untainted char *u; // T1 = untainted char t = u; // allowed by the wrong rule *t = ; // t is alias of u

15 Pointer Aliasing  We have multiple names for the same memory location But they have different types And we can write into memory at different types tainted untainted t u

16 Pointer Qualifier Subtyping Rule  The right rule Q 1  Q 2 T 1 = T 2 Q 1 ptr(T 1 )  Q 2 ptr(T 2 )

17 Type Qualifier Inference  Recall the format string vulnerabilities We have legacy C program that had no information about qualifiers We add qualifier annotation for the standard library functions Then we check whether there were any contradiction  This requires type qualifier inference

18 Qualifier Inference  A small number of annotations at key places in the program  Generate a fresh qualifier variable at every position for a type  Analyze and generate sub-typing constraints  Check if the constraints have a valid solution

19 Qualifier Inference Example tainted char *getenv (const char *name) int printf(untaintd const char *fmt, …) char *s, *t s = getenv(“LD_LIBRARY_PATH”); t = s; printf(t); getenv_ret_p = tainted printf_arg0_p = untainted getenv_ret  s getenv_ret_p  s_p s  t s_p  t_p t  printf_arg0 t  printf_arg0_p tainted = getenv_ret_p  s_p  t_p  printf_arg0_p = untainted tainted  untainted Error!

20 Type Rules So Far  Primitive types Q 1  Q 2 Q 1 int  Q 2 int  Pointer Q 1  Q 2 T 1 = T 2 Q 1 ptr(T 1 )  Q 2 ptr(T 2 )

21 Qualifier Inference Extension 1  Leaf Polymorphism char id (char x) { return x } … tainted char t; untainted char u; char a, b; a = id (t); b = id (u); x is tainted, id_ret is tainted b is tainted However id() is just a identity function. It preserves the qualifiers.

22 Polymorphism  Add in a qualifier variable to id() function  char id (  char x)  Instantiate the  to the correct qualifier for each function call a = id (t) tainted char id (tainted char x) b = id (u) untainted char id (untainted char x)

23 Polymorphism - Subtyping  Use naming trick to specify subtyping relation for polymorphism $_1_2 char* strcat($_1_2 char*, $_1 const char*) {1}  {1, 2} $_1  $_1_2

24 Qualifier Inference Extension 2  Explicit Type Casts Type cast should preserve the qualifier void *y; char *x = (char*) y; // if y is tainted, x should be tainted Preserve by collapsing qualifiers char **s, **t; void *v = (void *) s;s_p = s_p_p = v_p t = (char **)v; v_p = t_p = t_p_p If either *s or **s is tainted, then *v is tainted and *t and **t is tainted

25 Cast Type Qualifier  Allow qualifier cast void *y; char *x = (untainted char*) y;

26 Qualifier Inference Extension 3  Variable Argument Functions Annotate the varargs specifier … int printf(untainted char*, untainted …); Use naming trick to specify the subtyping relation int sprintf($_1_2 char*, untainted char *, $_2 …);

27 Qualifier Inference Extension 4  Const f(const char *x); char *unclean, *clean; unclean = getenv(“PATH”); // returns tainted f(unclean); f(clean); unclean is tainted clean is tainted Pointer Rule Q 1  Q 2 T 1 = T 2 Q 1 ptr(T 1 )  Q 2 ptr(T 2 )

28 Pointer Rule for Const  Const make sure the input data is not modified  If the pointer has a const qualifier, the pointer rule becomes Q 1  Q 2 T 1 < T 2 Q 1 ptr(T 1 )  Q 2 ptr(T 2 )

29 Evaluation

30 Conclusion  Qualifier is a generic static analysis technique User-Space/Kernel-Space Trust Errors Deadlock Detection  Has low false positive and negative rates

31 Demo of Cqual

Download ppt "Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley."

Similar presentations

Static Analysis for Security

Static Analysis for Security
Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
A C++ Crash Course Part II UW Association for Computing Machinery Questions & Feedback.

A C++ Crash Course Part II UW Association for Computing Machinery Questions & Feedback.
Functions, Varargs, and Stack Smashing Using the Stack for Good And Evil Before You Sit Down Please Get The Handout at the Entrance This file is called.

Functions, Varargs, and Stack Smashing Using the Stack for Good And Evil Before You Sit Down Please Get The Handout at the Entrance This file is called.
Fachbereich Informatik SVS – Sicherheit in Verteilten Systemen Universität Hamburg Preventing Buffer Overflows (and more) An overview of scientific approaches.

Fachbereich Informatik SVS – Sicherheit in Verteilten Systemen Universität Hamburg Preventing Buffer Overflows (and more) An overview of scientific approaches.
C Characters & Strings Character Review Character Handling Library Initialization String Conversion Functions String Handling Library Standard Input/Output.

C Characters & Strings Character Review Character Handling Library Initialization String Conversion Functions String Handling Library Standard Input/Output.
1 Mooly Sagiv and Greta Yorsh School of Computer Science Tel-Aviv University Modern Compiler Design.

1 Mooly Sagiv and Greta Yorsh School of Computer Science Tel-Aviv University Modern Compiler Design.
1 Chapter 10 Strings and Pointers. 2 Introduction  String Constant  Example: printf(“Hello”); “Hello” : a string constant oA string constant is a series.

1 Chapter 10 Strings and Pointers. 2 Introduction  String Constant  Example: printf(“Hello”); “Hello” : a string constant oA string constant is a series.
Lecture 20 Arrays and Strings

Lecture 20 Arrays and Strings
SPLINT STATIC CHECKING TOOL Sripriya Subramanian 10/29/2002.

SPLINT STATIC CHECKING TOOL Sripriya Subramanian 10/29/2002.
Type Qualifiers CS 6340 1. 2 Software Quality Today Even after large, extensive testing efforts, commercial software is shipped riddled with errors (bugs).

Type Qualifiers CS Software Quality Today Even after large, extensive testing efforts, commercial software is shipped riddled with errors ("bugs").
Kernighan/Ritchie: Kelley/Pohl:

Kernighan/Ritchie: Kelley/Pohl:
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
Compiler Construction

Compiler Construction
Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.

Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.
Type Qualifiers: Lightweight Specifications to Improve Software Quality Jeffrey S. Foster.

Type Qualifiers: Lightweight Specifications to Improve Software Quality Jeffrey S. Foster.
#1 The Future of Software Security David Wagner U.C. Berkeley.

#1 The Future of Software Security David Wagner U.C. Berkeley.
Visualizing Type Qualifier Inference with Eclipse David Greenfieldboyce Jeffrey S. Foster University of Maryland.

Visualizing Type Qualifier Inference with Eclipse David Greenfieldboyce Jeffrey S. Foster University of Maryland.
1 Achieving Trusted Systems by Providing Security and Reliability (Research Project #22) Project Members: Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun.

1 Achieving Trusted Systems by Providing Security and Reliability (Research Project #22) Project Members: Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun.
Format String Protection David Brumley Sam Wu June 12 th, 2002.

Format String Protection David Brumley Sam Wu June 12 th, 2002.

Similar presentations

Ads by Google