Presentation is loading. Please wait.

Presentation is loading. Please wait.

#1 Program analysis for security: Making it scale David Wagner U.C. Berkeley Work by Hao Chen, Karl Chen, Rob Johnson, Ben Schwarz, and Jeremy Lin, Geoff.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "#1 Program analysis for security: Making it scale David Wagner U.C. Berkeley Work by Hao Chen, Karl Chen, Rob Johnson, Ben Schwarz, and Jeremy Lin, Geoff."— Presentation transcript:

1 #1 Program analysis for security: Making it scale David Wagner U.C. Berkeley Work by Hao Chen, Karl Chen, Rob Johnson, Ben Schwarz, and Jeremy Lin, Geoff Morrison, David Schultz, Jacob West

2 #2 Wrapping up the MOPS project End-of-project experimental evaluation Lessons Verification of security properties via type inference Modular analysis Preliminary results: user/kernel, format strings Outline

3 #3 Pushdown model checking of C source code Security properties expressed as finite state automata Refresher on MOPS strncpy(d,s,n) other d[n-1] = ’\0’; Example: A simple FSA to detect misuse of strncpy( ). Error state indicates possible failure to null-terminate d. (Real property is much more complex: many ways to terminate; pre-termination vs. post-termination; delayed termination.)

4 #4 Canonical example of a TOCTTOU vulnerability: if (access(pathname, R_OK) == 0) fd = open(pathname, O_RDONLY); Notice: not an atomic operation! Bug: Permissions may change between access() & open() Attacker can arrange for this to happen in an attack TOCTTOU (time-of-check to time-of-use) check(x) use(x) check = { access, lstat, stat, readlink, statfs } use = { chmod, open, remove, unlink, mount, link, mkdir, rmdir … }

5 #5 Temporary file creation requires special care: 1) unguessable filename; 2) safe permissions; 3) file ops should use fd, not filename (TOCTTOU) Insecure temporary file creation/use mkstemp(x) fileop(x) fileop(x) = { open(x), chmod(x), remove(x), unlink(x) … } { tmpnam(), tempnam(), mktemp(), tmpfile() }

6 #6 Experiment: Analyze an entire Linux distribution Redhat 9, all C packages (732 pkgs, ~ 50 MLOC) Security analysis at an unprecedented scale Team of 4 manually examined 900+ warnings 1 grad student; 3 undergrads new to MOPS Exhaustive analysis of TOCTTOU, tmpfile, others; statistical sampling of strncpy Laborious: multiple person-months of effort Found 79 new security holes in Linux apps MOPS in the large Security PropertyWarningsReal bugsBug ratio TOCTTOU790415% temporary files1083435% strncpy668(unknown)~ 5-10% Total159779+

7 #7 Unexpectedly, most real bugs were local False alarm rate high. Doing better requires deeper modeling of OS/filesystem semantics. Path sensitivity only good for  2x improvement Many non-bugs were still very interesting (represented fragile assumptions about environment) Engineering for analysis at scale is highly non-trivial Good UI, explanation of errors is critical Build integration so important — and so hard — that we re-implemented it no less than four times But worth it: Large-scale experiments incredibly valuable Tech. transfer: techniques being adopted in commercial security code scanning tools Lessons & surprises from the MOPS effort

8 #8 Bug #1: “zip” d_exists = (lstat(d, &t) == 0); if (d_exists) { /* respect existing soft and hard links! */ if (t.st_nlink > 1 || (t.st_mode & S_IFMT) == S_IFLNK) copy = 1; else if (unlink(d)) return ZE_CREAT; }... eventually writes new zipfile to d... Pathname from cmd line

9 #9 Bug #2: “ar” exists = lstat (to, &s) == 0; if (! exists || (!S_ISLNK (s.st_mode) && s.st_nlink == 1)){ ret = rename (from, to); if (ret == 0) { if (exists) { chmod (to, s.st_mode & 0777); if (chown (to, s.st_uid, s.st_gid) >= 0) chmod (to, s.st_mode & 07777); }

10 #10 Bug #3 static void open_files() { int fd; create_file_names(); if (input_file == 0) { input_file = fopen(input_file_name, "r"); if (input_file == 0) open_error(input_file_name); fd = mkstemp(action_file_name); if (fd < 0 || (action_file = fdopen(fd, "w")) == NULL) { if (fd >= 0) close(fd); open_error(action_file_name); } void open_error(char *f) { perror(f); unlink(action_file_name); exit(1); }

11 #11 State of the art Research direction: verify absence of data-driven attacks, using type inference Current research Best-effort bugfinding Soundness manual audits, grep Verify absence of classes of bugs full program verification

12 #12 State of the art Research direction: verify absence of data-driven attacks, using type inference Best-effort bugfinding Soundness manual audits, grep Verify absence of classes of bugs full program verification Current focus Current research

13 #13 Q: Why is writing secure code hard? A: Secure programs must handle untrusted data securely, and must get it right every single time. Focus area: input validation Untrusted data should be sanitized before it is used at any trusting consumer Defends against data-driven attacks Strategy: Help programmers get it right “every time” with tool support Input validation

14 #14 Previous work has studied best-effort bugfinding Useful, but misses many bugs Challenge: verifying absence of (certain kinds of) bugs Verification has many benefits For developers: (1) prevents shipping insecure code; (2) integration into build & QA process fixes bugs early (like regression testing) For users: provides a security metric Also, in our experience, verification finds more bugs Why focus on verification?

15 #15 Experiment: Can CQual verify absence of u/k bugs? Sound whole-kernel analysis Refresher: user/kernel security holes Found 10 exploitable holes in Linux 2.4.23 core Sparse: missed all 10 bugs; 7000 annotations; many FPs MECA: missed 6/8 bugs; 75 annotations; very few FPs Lesson: Soundness matters! Cost: 90 min. CPU time, 10GB RAM on 800MHz Itanium Conclusion: Memory usage is a key challenge for scalability Linux kernelWarningsBugsAnnotationsSize 2.4.23-default5310287300K LoC

16 #16 Reduce space complexity of CQual’s CFL reachability analysis, by generating summaries for each module: for (f in source-files) read f; minimize CFL graph by rewrite rules; store graph read all graphs, & link together; perform CFL reachability New: Modular type inference uvwuwuvw () rewrites toor uvwuwuvw ) rewrites toor uvwuwuvw (( rewrites toor ( )) uvwuvw [ v ineligible for deletionor ))( If v has local scope, rewrite & delete v (unless ineligible — see below)

17 #17 Experiment: Can CQual verify absence of fmt str bugs? Sound whole-program analysis Early indications: 1) polymorphic type inf + partial field sensitivity help enormously; 2) FPs are very rare. Preliminary experiments: Format string holes Program Bugs/Warnings/Manual Annotation? MonomorphicPoly+field sens. LOC.c /.i muh1/12/yes(  6)1/1/none3k / 103k cfengine1/ 5/yes1/3/none24k / 126k bftpd1/ 2/yes(  1)1/1/none2k / 34k mars_nwe0/0/yes(  2) 0/0/none21k / 73k sshd0/0/yes(  12) 0/0/none26k / 221k apache0/0/yes (  2)0/0/none33k / 136k (4 others)0/0/none83k / 163k

18 #18 Goal: Build a Linux kernel verifiably free of u/k bugs Whole-kernel analysis (5 MLoC), using modular CFL reachability for space efficiency Re-write hard-to-verify code using cleaner idioms Hypothesis: tools can improve software security by gently steering developers toward safer coding styles Work in progress Goal: Verify that Debian is free of format string bugs Whole-program analysis (3000 packages, 50+ MLoC), using modular analysis and parallelization Become part of Debian release/QA process?

19 #19 Bugfinding is good. Verification is even better. Think big. Experiment bigger. Concluding thoughts Questions?

Download ppt "#1 Program analysis for security: Making it scale David Wagner U.C. Berkeley Work by Hao Chen, Karl Chen, Rob Johnson, Ben Schwarz, and Jeremy Lin, Geoff."

Similar presentations

Static Analysis for Security

Static Analysis for Security
PScout: Analyzing the Android Permission Specification

PScout: Analyzing the Android Permission Specification
Automatic Memory Management Noam Rinetzky Schreiber 123A 2015/seminar/seminar1415a.html.

Automatic Memory Management Noam Rinetzky Schreiber 123A /seminar/seminar1415a.html.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Type-Based Flow Analysis: From Polymorphic Subtyping to CFL-Reachability Jakob Rehof and Manuel Fähndrich Microsoft Research.

Type-Based Flow Analysis: From Polymorphic Subtyping to CFL-Reachability Jakob Rehof and Manuel Fähndrich Microsoft Research.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley.

Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley.
Checking and Inferring Local Non-Aliasing Alex AikenJeffrey S. Foster UC BerkeleyUMD College Park John KodumalTachio Terauchi UC Berkeley.

Checking and Inferring Local Non-Aliasing Alex AikenJeffrey S. Foster UC BerkeleyUMD College Park John KodumalTachio Terauchi UC Berkeley.
The Future of Correct Software George Necula. 2 Software Correctness is Important ► Where there is software, there are bugs ► It is estimated that software.

The Future of Correct Software George Necula. 2 Software Correctness is Important ► Where there is software, there are bugs ► It is estimated that software.
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
1 Property 3: standard file descriptors vulnerability attack.c at.c Standard File Descriptors 0:stdin 1:stdout 2:stderr close(1); close(2); execl(“at”,

1 Property 3: standard file descriptors vulnerability attack.c at.c Standard File Descriptors 0:stdin 1:stdout 2:stderr close(1); close(2); execl(“at”,
#1 The Future of Software Security David Wagner U.C. Berkeley.

#1 The Future of Software Security David Wagner U.C. Berkeley.
Visualizing Type Qualifier Inference with Eclipse David Greenfieldboyce Jeffrey S. Foster University of Maryland.

Visualizing Type Qualifier Inference with Eclipse David Greenfieldboyce Jeffrey S. Foster University of Maryland.
MOPS MOdelchecking Security Properties David Wagner U.C. Berkeley.

MOPS MOdelchecking Security Properties David Wagner U.C. Berkeley.
Verifying the Safety of User Pointer Dereferences Suhabe Bugrara Stanford University Joint work with Alex Aiken.

Verifying the Safety of User Pointer Dereferences Suhabe Bugrara Stanford University Joint work with Alex Aiken.
Software Security David Wagner University of California at Berkeley.

Software Security David Wagner University of California at Berkeley.
Building Secure Software Chapter 9 Race Conditions.

Building Secure Software Chapter 9 Race Conditions.
Applied Software Project Management Andrew Stellman & Jennifer Greene Applied Software Project Management Applied Software.

Applied Software Project Management Andrew Stellman & Jennifer Greene Applied Software Project Management Applied Software.
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

Similar presentations

Ads by Google