Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSSV: Towards a Realistic Tool for Statically Detecting All Buffer Overflows in C Nurit Dor (TAU), Michael Rodeh (IBM Research Haifa), Mooly Sagiv (TAU)

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "CSSV: Towards a Realistic Tool for Statically Detecting All Buffer Overflows in C Nurit Dor (TAU), Michael Rodeh (IBM Research Haifa), Mooly Sagiv (TAU)"— Presentation transcript:

1 CSSV: Towards a Realistic Tool for Statically Detecting All Buffer Overflows in C Nurit Dor (TAU), Michael Rodeh (IBM Research Haifa), Mooly Sagiv (TAU) Greta Yorsh (TAU)? Seminar in Program Analysis for Cyber-Security Ittay Eyal, March 2011

2 High-Level Structure 2

3 Example void RTC_Si_SkipLine(const INT32 NbLine, char ** const PtrEndText) { INT32 indice; for (indice=0; indice<NbLine; indice++) { **PtrEndText = ‘\n’; (*PtrEndText)++; } **PtrEndText = ‘\0’; return; } 3

4 Core C Control-flow statements: if, goto, break, or continue Expressions are side-effect free and cannot be nested All assignments are statements Declarations do not have initializations Address-of formal variables is not allowed 4

5 void RTC_Si_SkipLine(const INT32 NbLine, char ** const PtrEndText) { INT32 indice; for (indice=0; indice<NbLine; indice++) { **PtrEndText = ‘\n’; (*PtrEndText)++; } **PtrEndText = ‘\0’; return; } void SkipLine(int NbLine, char** PtrEndText) { int indice; char* PtrEndLoc; indice=0; begin_loop: if (indice>=NbLine) goto end_loop; PtrEndLoc = *PtrEndText; *PtrEndLoc = ‘\n’; *PtrEndText = PtrEndLoc + 1; indice = indice + 1; goto begin_loop; end_loop: PtrEndLoc = *PtrEndText *PtrEndLoc = ‘\0’; } 5

6 Contracts Describe input, side-effects and output: Requires Modifies Ensures 6

7 void SkipLine(int NbLine, char** PtrEndText) requires is_within_bounds(*PtrEndText) && *PtrEndText.alloc > NbLine && NbLine >= 0 modifies *PtrEndText *PtrEndText.is_nullt *PtrEndText.strlen ensures *PtrEndText.is_nullt && *PtrEndText.strlen == 0 && *PtrEndText == [*PtrEndText] pre + NbLine; void SkipLine(int NbLine, char** PtrEndText) { int indice; char* PtrEndLoc; indice=0; begin_loop: if (indice>=NbLine) goto end_loop; PtrEndLoc = *PtrEndText; *PtrEndLoc = ’\n’; *PtrEndText = PtrEndLoc + 1; indice = indice + 1; goto begin_loop; end_loop: PtrEndLoc = *PtrEndText *PtrEndLoc = ’\0’; } 7

8 void main() { char buf[SIZE]; char *r, *s; r = buf; SkipLine(1,&r); fgets(r,SIZE-1,stdin); s = r + strlen(r); SkipLine(1,&s); } 8

9 Requires: is_within_bounds(*PtrEndText) && *PtrEndText.alloc > NbLine && NbLine >= 0 Modifies: *PtrEndText, *PtrEndText.is_nullt, *PtrEndText.strlen Ensures: *PtrEndText.is_nullt && *PtrEndText.strlen == 0 && *PtrEndText == [*PtrEndText] pre + NbLine; void SkipLine(int NbLine, char** PtrEndText) { int indice; char* PtrEndLoc; indice=0; begin_loop: if (indice>=NbLine) goto end_loop; PtrEndLoc = *PtrEndText; *PtrEndLoc = ’\n’; *PtrEndText = PtrEndLoc + 1; indice = indice + 1; goto begin_loop; end_loop: PtrEndLoc = *PtrEndText *PtrEndLoc = ’\0’; } void main() { char buf[SIZE]; char *r, *s; r = buf; SkipLine(1,&r); fgets(r,SIZE-1,stdin); s = r + strlen(r); SkipLine(1,&s); } 9

10 10

11 11

12 void main() { char buf[SIZE]; char *r, *s; r = buf; SkipLine(1,&r); fgets(r,SIZE-1,stdin); s = r + strlen(r); SkipLine(1,&s); } void SkipLine(int NbLine, char** PtrEndText) 12

13 P  inline(P) Function Entry point: Assume pre-conditions. Store inputs ([x] pre ) in temporary variables for post-conditions check. Return: Set return_value P. Function exit: Assert post-conditions. Function call and its result assertion: Assert pre-conditions. Assume post-conditions (possibly w.r.t. inputs). 13

14 Pointer Analysis The target – determine which objects may be updated through a pointer. Whole program points-to state is calculated. Then per-procedure. 14

15 Pointer Analysis foo(char *p, char *q) { char local[100]; … p = local; *q = 0; … } main() { char s[10], t[20], r[30]; char *temp; foo(s,t); foo(s,r); … temp = s … } str temp local pq 15

16 Pointer Analysis foo(char *p, char *q) { char local[100]; … p = local; *q = 0; … } main() { char s[10], t[20], r[30]; char *temp; foo(s,t); foo(s,r); … temp = s … } PARAM #1 local pq Parametrization for foo PARAM #2 16

17 C to Integer Program 17

18 C2IP Inline(P) Pointer info Integer Program l.val: possible values. l.offset: w.r.t. base address. l.aSize: Allocation size. l.is_nullt: Null terminated? l.len: String length (with \0) 18

19 C to Integer Program Expression Check 19

20 C to Integer Program Constructs to Statements 20

21 C to Integer Program Notation V: the number of variables and allocation sites. S: the number of C expressions. Integer Program Complexity O(V) constraint variables Each pointer may point to O(V) locations Total complexity: O(S V) 21

22 Integer Analysis Calculates the inequalities that hold at each point. Conservative. Each assertion is verified against the inequalities. 22

23 Integer Analysis *PtrEndText.alloc > NbLine void main() { char buf[SIZE]; char *r, *s; r = buf; SkipLine(1,&r); fgets(r,SIZE-1,stdin); s = r + strlen(r); SkipLine(1,&s); } 23

24 Integer Analysis - Contracts To optimize the contracts, do the following: 1.Assume True preconditions Use ASPost [1] to calculate the linear inequalities at the exit point Deduce the postconditions. 1.Use AWPre to calculate backwards the most liberal preconditions. [6] P. Cousot and N. Halbwachs. Automatic discovery of linear constraints among variables of a program. In Symp. on Princ. of Prog. Lang., 1978. 24

25 Implementation C  CoreC: Based on the AST-Toolkit [32] Points-to analysis: Golf [8, 9] Integer analysis: Polyhedra library [6, 19] [6] P. Cousot and N. Halbwachs. Automatic discovery of linear constraints among variables of a program. In Symp. on Princ. of Prog. Lang., 1978. [8] M. Das. Unification-based pointer analysis with directional assignments. In SIGPLAN Conf. on Prog. Lang. Design and Impl., 2000. [9] M. Das, B. Liblit, M. F¨hndrich, and J. Rehof. Estimating the impact of scalable pointer analysis on optimization. In Static Analysis Symp., 2001. [19] B. Jeannet. New polka library. Available at “http://www.irisa.fr/prive/Bertrand.Jeannet/newpolka.html”. [32] Microsoft Research. AST-toolkit. 2002. 25

26 Empirical Results Source from two real-world projects: String manipulation library from EADS Airbus code. 11 procedures, 400 lines. Part of the WEB2c converter. 8 procedures, 460 lines. 26

27 Empirical Results 27

28 Empirical Results 28

29 Empirical Results 29

30 Conclusion Not easy to analyze C. Plenty of techniques and tools. High false positive ratio - without hand-crafted contracts. Experimental results section slim. High variance for little data. (They had to write all contracts…) What would happen to normal code? 30

Download ppt "CSSV: Towards a Realistic Tool for Statically Detecting All Buffer Overflows in C Nurit Dor (TAU), Michael Rodeh (IBM Research Haifa), Mooly Sagiv (TAU)"

Similar presentations

Advanced programming tools at Microsoft

Advanced programming tools at Microsoft
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
De necessariis pre condiciones consequentia sine machina P. Consobrinus, R. Consobrinus M. Aquilifer, F. Oratio.

De necessariis pre condiciones consequentia sine machina P. Consobrinus, R. Consobrinus M. Aquilifer, F. Oratio.
Intermediate Code Generation

Intermediate Code Generation
Register Allocation Mooly Sagiv Schrierber 317 03-640-7606 Wed 10:00-12:00 html://www.math.tau.ac.il/~msagiv/courses/wcc.html.

Register Allocation Mooly Sagiv Schrierber Wed 10:00-12:00 html://
Programming Languages and Paradigms The C Programming Language.

Programming Languages and Paradigms The C Programming Language.
What is a pointer? First of all, it is a variable, just like other variables you studied So it has type, storage etc. Difference: it can only store the.

What is a pointer? First of all, it is a variable, just like other variables you studied So it has type, storage etc. Difference: it can only store the.
SPLINT STATIC CHECKING TOOL Sripriya Subramanian 10/29/2002.

SPLINT STATIC CHECKING TOOL Sripriya Subramanian 10/29/2002.
1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.

1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.
Chapter 7 User-Defined Methods. Chapter Objectives  Understand how methods are used in Java programming  Learn about standard (predefined) methods and.

Chapter 7 User-Defined Methods. Chapter Objectives  Understand how methods are used in Java programming  Learn about standard (predefined) methods and.
1 Lecture 05 – Pointer Analyses & CSSV Eran Yahav.

1 Lecture 05 – Pointer Analyses & CSSV Eran Yahav.
6/10/2015C++ for Java Programmers1 Pointers and References Timothy Budd.

6/10/2015C++ for Java Programmers1 Pointers and References Timothy Budd.
Chapter 10.

Chapter 10.
1 Chapter 7: Runtime Environments. int * larger (int a, int b) { if (a > b) return &a; //wrong else return &b; //wrong } int * larger (int *a, int *b)

1 Chapter 7: Runtime Environments. int * larger (int a, int b) { if (a > b) return &a; //wrong else return &b; //wrong } int * larger (int *a, int *b)
Program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc06.html.

Program analysis Mooly Sagiv html://
Assume/Guarantee Reasoning using Abstract Interpretation Nurit Dor Tom Reps Greta Yorsh Mooly Sagiv.

Assume/Guarantee Reasoning using Abstract Interpretation Nurit Dor Tom Reps Greta Yorsh Mooly Sagiv.
 2006 Pearson Education, Inc. All rights reserved. 1 7 7 Arrays.

 2006 Pearson Education, Inc. All rights reserved Arrays.
1 Chapter 6 Looping Dale/Weems/Headington. 2 l Physical order vs. logical order l A loop is a repetition control structure based on a condition. l it.

1 Chapter 6 Looping Dale/Weems/Headington. 2 l Physical order vs. logical order l A loop is a repetition control structure based on a condition. l it.
Dr. Muhammed Al-Mulhem 1ICS535-101 ICS 535 Design and Implementation of Programming Languages Part 1 Fundamentals (Chapter 4) Axiomatic Semantics ICS 535.

Dr. Muhammed Al-Mulhem 1ICS ICS 535 Design and Implementation of Programming Languages Part 1 Fundamentals (Chapter 4) Axiomatic Semantics ICS 535.
1 Pointers, Dynamic Data, and Reference Types Review on Pointers Reference Variables Dynamic Memory Allocation –The new operator –The delete operator –Dynamic.

1 Pointers, Dynamic Data, and Reference Types Review on Pointers Reference Variables Dynamic Memory Allocation –The new operator –The delete operator –Dynamic.

Similar presentations

Ads by Google