Presentation is loading. Please wait.

Presentation is loading. Please wait.

MOPS MOdelchecking Security Properties David Wagner U.C. Berkeley.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "MOPS MOdelchecking Security Properties David Wagner U.C. Berkeley."— Presentation transcript:

1 MOPS MOdelchecking Security Properties David Wagner U.C. Berkeley

2 The Problem Security holes are often in the software Software bugs are a leading cause of security vulnerabilities Security programming is pitfall-laden It’s too easy to unintentionally violate implicit usage rules of OS API’s

3 Improving Software Quality If secure programming is hard, let’s build tools that make it easier to get security right An approach: enforce defensive coding Enumerate rules of prudent security coding Use tools to automatically verify that software follows these rules Project goal: explore a novel approach to this

4 A High-Level View Compile-time analysis of C source code For developers:  Integrating MOPS into build process catches bugs as soon as they’re introduced  Think of MOPS like a type system; would you program without one? For auditers:  MOPS can analyze legacy code to help with code reviews of existing packages A perfect match for open source

5 Uh-Oh… But: full software verification is totally impractical. Isn’t this idea hopeless??

6 No Problem! But: full software verification is totally impractical. Isn’t this idea hopeless?? Answer: Wrong! We can do a lot.

7 Lightweight Verification How to make verification practical: Check application-independent properties  Reduce specification costs through reuse Support only a subclass of properties  Temporal safety properties: i.e., “ordering” Exploit advances in modelchecking  Analyze control flow; ignore data flow Be conservative: warn when unsure

8 Prudent Coding Rules system() or exec() seteuid(0) seteuid(0) Example of a rule: Avoid calling exec() or system() with root privilege Key insight: Many rules are finite- state machines Good for “ordering properties” Intuitive for programmers

9 More Example Rules After chroot(f), immediately call chdir(f) Always follow strncpy(d,s,n) by d[n-1] = '\0' chroot(f) other chdir(f) other strncpy(d,s,n) other d[n-1]='\0' other

10 More Example Rules (2) A stat(f) followed by open(f) is awfully suspicious (race conditions) In a setuid program, open() followed by perror() is very dangerous stat(f)open(f) other open()perror() other

11 How to check whether code satisfies a property Let Σ = set of security-relevant events, B = set of “bad” traces that violate the property, T = set of feasible traces (T, B  Σ*) If T  B = Ø, then the property is respected Under the Hood T B

12 How to check whether code satisfies a property Let Σ = set of security-relevant events, B = set of “bad” traces that violate the property, T = set of feasible traces (T, B  Σ*) If T  B = Ø, then the property is respected Framework: software model checking B: finite-state automaton (regular language) T: pushdown automaton (context-free lang.) Under the Hood T B

13 Other Technical Advances Better modelchecking for security Compaction: for scalability Backtracking: for explaining bugs Automatic model extraction: how to cheaply build a faithful formal model of (parts of) the OS Paper in submission Guidance for programmers on privilege management Tutorial paper on pitfalls in setu*id(), and on how to use it safely A safer API for privilege management Paper accepted at Usenix Security 2002

14 Some Results OpenSSH Ssh 2.5.2: properly drops root before exec() (new) Ssh, sshd 2.5.2: no set*uid() call will fail (new) Sendmail 8.10.1: has capabilities bug on Linux (old) 8.12.0: fails to drop group privileges properly (old) Wu-ftpd 2.4  11: has tractorbeaming attack (old) 2.4  12: no tractorbeaming attacks -- follows defensive programming rules for setuid, longjmp, signals (new) Login, crontab, … Have fd-inheritance security holes when run setuid (new?)

15 More Results Buggy manual pages setuid(2) in RH Linux 7.2: omits capabilities setgid(2) in RH Linux 7.2: incorrectly claims gid 0 is special setreuid(2) in FreeBSD 4.4: incorrectly claims ruid/euid can always be swapped Buggy operating systems Linux kernel 2.4.18: fsuid invariant violated; security risk (our proposed fix accepted by Linus) Moral: Formal models are powerful

16 Status of MOPS Fully functional first cut Parses anything gcc will; allows specification of user-defined properties Some limitations (work-in-progress):  Doesn’t come with a database of rules of defensive programming … yet  UI, build integration isn’t “pretty” … yet Publicly released -- come and get it! http://www.cs.berkeley.edu/~daw/mops/

17 MOPS: building more secure software MOPS Project Summary Our main contributions: Novel techniques for improving software assurance of open source software through model-checking & lightweight formal methods Verification of certain security properties of important open source software; several security bugs found & fixed Release of our tool, MOPS, to open source community Buggy, insecure code Higher-security code MOPS

18 Conclusion MOPS: making security programming safer http://www.cs.berkeley.edu/~daw/mops/

Download ppt "MOPS MOdelchecking Security Properties David Wagner U.C. Berkeley."

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

1 Verification by Model Checking. 2 Part 1 : Motivation.
Static Analysis for Security

Static Analysis for Security
Current methods for negotiating firewalls for the Condor ® system Bruce Beckles (University of Cambridge Computing Service) Se-Chang Son (University of.

Current methods for negotiating firewalls for the Condor ® system Bruce Beckles (University of Cambridge Computing Service) Se-Chang Son (University of.
Mining Specifications Glenn Ammons, Dept. Computer Science University of Wisconsin Rastislav Bodik, Computer Science Division University of California,

Mining Specifications Glenn Ammons, Dept. Computer Science University of Wisconsin Rastislav Bodik, Computer Science Division University of California,
Automatic Memory Management Noam Rinetzky Schreiber 123A 2015/seminar/seminar1415a.html.

Automatic Memory Management Noam Rinetzky Schreiber 123A /seminar/seminar1415a.html.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Chrome Extentions Vulnerabilities. Introduction Google Chrome Browser Chrome OS Platform Chrome Web Store Applications Open Source Platform.

Chrome Extentions Vulnerabilities. Introduction Google Chrome Browser Chrome OS Platform Chrome Web Store Applications Open Source Platform.
Software Engineering Session 14 INFM 603. Software Software represents an aspect of reality –Input and output represent the state of the world –Software.

Software Engineering Session 14 INFM 603. Software Software represents an aspect of reality –Input and output represent the state of the world –Software.
David Brumley, Pongsin Poosankam, Dawn Song and Jiang Zheng Presented by Nimrod Partush.

David Brumley, Pongsin Poosankam, Dawn Song and Jiang Zheng Presented by Nimrod Partush.
Security and Open Source: the 2-Edged Sword Crispin Cowan, Ph.D WireX Communications, Inc wirex.com.

Security and Open Source: the 2-Edged Sword Crispin Cowan, Ph.D WireX Communications, Inc wirex.com.
1 Defining System Security Policies. 2 Module - Defining System Security Policies ♦ Overview An important aspect of Network management is to protect your.

1 Defining System Security Policies. 2 Module - Defining System Security Policies ♦ Overview An important aspect of Network management is to protect your.
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
Some Improvements for More Precise Model Checking Zhi Zhang State Key Laboratory for Novel Software Technology Nanjing University, China.

Some Improvements for More Precise Model Checking Zhi Zhang State Key Laboratory for Novel Software Technology Nanjing University, China.
AndroidCompiler. Layout Motivation Literature Review AndroidCompiler Future Works.

AndroidCompiler. Layout Motivation Literature Review AndroidCompiler Future Works.
Towards a Lightweight Model of BGP Safety Matvey Arye Princeton University Joint work with: Rob Harrison, Richard Wang, Jennifer Rexford (Princeton) Pamela.

Towards a Lightweight Model of BGP Safety Matvey Arye Princeton University Joint work with: Rob Harrison, Richard Wang, Jennifer Rexford (Princeton) Pamela.
Security A system is secure if its resources are used and accessed as intended under all circumstances. It is not generally possible to achieve total security.

Security A system is secure if its resources are used and accessed as intended under all circumstances. It is not generally possible to achieve total security.
1 Property 3: standard file descriptors vulnerability attack.c at.c Standard File Descriptors 0:stdin 1:stdout 2:stderr close(1); close(2); execl(“at”,

1 Property 3: standard file descriptors vulnerability attack.c at.c Standard File Descriptors 0:stdin 1:stdout 2:stderr close(1); close(2); execl(“at”,
Paper Prototyping.

Paper Prototyping.
Mimicry Attacks on Host- Based Intrusion Detection David Wagner Paolo Soto University of California at Berkeley.

Mimicry Attacks on Host- Based Intrusion Detection David Wagner Paolo Soto University of California at Berkeley.

Similar presentations

Ads by Google