Download presentation
Presentation is loading. Please wait.
1
1 Property 3: standard file descriptors vulnerability attack.c at.c Standard File Descriptors 0:stdin 1:stdout 2:stderr close(1); close(2); execl(“at”, …); open(LOCK, O_WRONLY); … fd=open(atfile,O_CREAT); … perror(user_str); tty tty tty tty ttyLOCK ttyLOCK atfile Program: at (at-3.1.8-33)
2
2 Model Checking Millions of Lines of C Code Hao Chen Drew Dean, David Wagner Ben Schwarz, Geoff Morrison, Jacob West, Jeremy Lin
3
3 Problem statement Demonstrate the impact of MOPS for improving software security MOPS: MOdel checking Programs for Security
4
4 Achievements Showed that MOPS is scalable –Checked 700 packages in RedHat Linux 9 (85% packages, 30 million LOC) Showed that MOPS is usable –Most checks were done by students who were neither tool nor package developers Showed that MOPS is useful –Founds dozens of bugs and counting
5
5 Outline Overview of MOPS What have we done? –Checked 700 packages on RedHat Linux 9 –Checked EROS kernel How did we do it? Conclusion Demo
6
6 MOPS (MOdel checking Programs for Security properties) A static analysis tool that checks source programs for temporal safety properties Main features –Pushdown model checking –Inter-procedural analysis –Control flow centric
7
7 MOPS: MOdel checking Programs for Security properties Parser Model Checker Program Security Property (FSA) CFG Program OK Error Traces MOPS
8
8 Property 1: race condition Victim absent=stat(tmpfile,&s); Adversary if(absent){ fp=fopen(tmpfile,“w”); Create tmpfile
9
9 FSA model for race condition Check(f)Use(f) Check(f): stat(f), lstat(f), access(f), readlink(f), statfs(f) Use(f): chmod(f), chroot(f), creat(f), execv(f), execve(f), execl(f), …
10
10 Race condition: bug 1 exists = lstat(to, &s) == 0; if (!exists || !S_ISLNK(s.st_mode) && s.st_nlink == 1)) { ret = rename(from, to); if (ret == 0) { if (exits) { chmod(to, s.st_mode & 0777); … Program: ar (binutils-2.13.90.0.18-9)
11
11 Race condition: bug 2 we_own_log = 1; … if (stat(_PATH_LOG, &s1) != 0) … if ((stat(_PATH_LOG, &s2) != 0 || …) we_own_log = 0; … if (we_own_log) { unlink(_PATH_LOG); } Program: minilogd (initscripts-7.14-1)
12
12 PackageProgramReported bugsReal bugs binutilsar21 coreutilschown32 coreutilschmod21 coreutilscp21 dos2unix 42 ftpcopy 83 gaim 23 joe 11 jpilot 21 initscriptsminilogd11 innfastrm11 isdn4k-utilsisdnlog41 lrzszlsz41 LPRngcheckpc81 make 11 mc 51 Total5022 Race condition bugs
13
13 Property 2: drop privilege before making unsafe system calls int main() { // ruid≠0, euid=0 do_something_with_privilege(); drop_privilege(); execl(“/bin/sh”, “sh”, NULL); } void drop_privilege() { struct passwd *passwd; if ((passwd = getpwuid(getuid())) == NULL) return; fprintf(log, “User %s”, passwd->pw_name); seteuid(getuid()); } euid=0 euid≠0 seteuid(0 ) seteuid(!0) execl() unsafe
14
14 A bug on dropping privilege // ruid≠0, euid=suid=0 seteuid(getuid()); setuid(getuid()); … execlp(askpass, askpass, msg, (char *) 0); Progarm: ssh (openssh-3.5p1-6)
15
15 Problem: unportable semantics of setuid(getuid()) R≠0,E=S=0 R=E≠0,S=0 R=E=S≠0 R≠0,E=S=0 R=E≠0,S=0 R=E=S≠0 OpenBSD Linux
16
16 Vulnerability in ssh R≠0, E=S=0 OpenSSH 3.5 on Linux R=E≠0, S=0 seteuid(getuid()) setuid(getuid()) R≠0, E=S=0 OpenSSH 3.5 on OpenBSD R=E≠0, S=0 R=E=S≠0 seteuid(getuid()) setuid(getuid()) R≠0, E=S=0 OpenSSH 2.5.2 on Linux R=E=S≠0 setuid(getuid()) safe unsafe! Lessons: Unportable API causes vulnerability Programmer’s confusion causes vulnerability
17
17 Experiment on RedHat Linux 9 Programs –Tried all 839 packages on RedHat Linux 9 (30M LOC) –Succeed on 85% packages –Failed on 15% packages Mainly due to parsing failures: C++, non- standard C Performance –Machine: 1.5GHz Pentium 4, 1G MB memory –Took about 40 hours to check one property on all packages
18
18 Experience with EROS kernel EROS –Extremely Reliable Operating System [SSF95] –60,000 lines of code in the kernel Checked 5 properties (design invariants) –Verified 4 properties –Discovered 1 bug Provided preliminary evidence that –EROS’s design by invariants approach is effective in reducing bugs
![18 Experience with EROS kernel EROS –Extremely Reliable Operating System [SSF95] –60,000 lines of code in the kernel Checked 5 properties (design invariants) –Verified 4 properties –Discovered 1 bug Provided preliminary evidence that –EROS’s design by invariants approach is effective in reducing bugs](http://images.slideplayer.com./16/4946139/slides/slide_18.jpg "18 Experience with EROS kernel EROS –Extremely Reliable Operating System [SSF95] –60,000 lines of code in the kernel Checked 5 properties (design invariants) –Verified 4 properties –Discovered 1 bug Provided preliminary evidence that –EROS’s design by invariants approach is effective in reducing bugs")
19
19 Commit() or Yield() Init sys_call() { … Commit(); … ptr = malloc(); … } malloc() { … while (!buffer_available) Yield(); } Committed Yielded Error Lesson: static checking is good at catching surprising interaction among components Commit() Yield() Syscall return
20
20 Research challenge How to scale MOPS to large programs? –Solution: compact CFGs –Impact: reduce CFG sizes often by more than 100 times How to consolidate similar error traces? –Goal: report one error trace for each bug –Intuition Divide all error traces into categories One category represents one unique bug Report the shortest path from each category
21
21 Engineering challenge: integrating MOPS into software build processes 1st attempt: manually edit Makefiles –Too complicated; does not survive autoconf 2nd attempt: setenv GCC_EXEC_PREFIX to run MOPS instead of gcc –Build processes generate & run code 3rd attempt: build CFG & machine code –Dangling CFGs; links to object files broken 4th attempt: Put CFGs into ELF files –Solves all identified problems!
22
22 Lessons: how to have impact Make the tool useful and usable –Can check large programs efficiently –Can be used easily by ordinary programmers Check lots of code –More code to check, more bugs to find Explore the full potential of your tool
Similar presentations
