Presentation is loading. Please wait.

Presentation is loading. Please wait.

Model Checking an Entire Linux Distribution for Security Violations Work by Benjamin Schwarz, Hao Chen, David Wagner, Geoff Morrison, Jacob West, Jeremy.

Published byEthel Blair Modified over 9 years ago

Similar presentations

Presentation on theme: "Model Checking an Entire Linux Distribution for Security Violations Work by Benjamin Schwarz, Hao Chen, David Wagner, Geoff Morrison, Jacob West, Jeremy."— Presentation transcript:

1 Model Checking an Entire Linux Distribution for Security Violations Work by Benjamin Schwarz, Hao Chen, David Wagner, Geoff Morrison, Jacob West, Jeremy Lin and Wei Tu Jacob West, Security Research Group, Fortify Software ACSAC2005

2 1 Outline Introduction MOPS Background Analyzing Red Hat 9 ä Tool performance ä Human performance ä Security properties Vulnerability Examples ä TOCTTOU ä Standard File Descriptors ä Temporary Files ä strncpy() Results

3 2 Introduction Over 50% of security vulnerabilities caused by coding errors Automated detection possible ä Rapidly expanding field ä Academic and commercial ä Feasible at large scale

4 3 MOPS ( MO delchecking P rograms for S ecurity properties) Static analysis for security C programs Enforce temporal safety rules

5 4 Analyzing Red Hat 9: Overview Tool performance ä Analysis of large code base feasible ä Compaction improves performance ä Reasonable resource requirements Human performance ä Integration with existing build processes ä False positives ä Easy-to-review error traces ä Grouped error traces Security properties ä Temporal safety properties ä Employable by other tools ä Iteratively refined for low false positives

6 5 Analyzing Red Hat 9: Tool Performance Red Hat 9: 839 packages, 60 million TLOC 732 packages (87%) 107 failures caused by parse errors ä 73 packages contained C++ code ä 34 packages used unsupported C99 constructs Compaction improves performance ä Only consider relevant operations Reasonable resource requirements ä TOCTTOU takes about 10 hours on P4 1.5 GHZ / 1GB

7 6 Analyzing Red Hat 9: Human Performance Integration with existing build processes  Integrated with rpmbuild, make  Interposed on gcc ä Analyze multiple packages easily False positives ä Relatively low, permits human review Easy-to-review error traces ä Navigate code quickly to verify error traces Grouped error traces ä Understand multiple traces through representative samples

8 7 Analyzing Red Hat 9: Security Properties Temporal safety properties ä Security properties expressed as Finite State Automata (FSA) Pattern variables  e.g. foo(x); bar(x); where x is the same Iteratively refined to reduce false positives Employable by other tools Properties include ä TOCTTOU: Time-of-check, to time-of-use race conditions ä Standard File Descriptors: Vulnerable uses of stdin, stdout and stderr ä Temporary Files: Insecure creation of temporary files  strncpy(): Dangerous uses of strncpy()

9 8 Security Properties : TOCTTOU Time-of-check to time-of-use race conditions occur when a program checks the access permission of an object and, if the check succeeds, makes a privileged system call on the object. Example: if (access(pathname, R_OK) == 0) fd = open(pathname, O_RDONLY);

10 9 Security Properties : TOCTTOU Checks: access(), stat(), etc. Uses: creat(), open(), unlink(), etc.

11 10 Vulnerability Example: TOCTTOU – binutils :: ar exists = lstat (to, &s) == 0; /* Use rename only if TO is not a symbolic link and has only one hard link. */ if (! exists || (!S_ISLNK (s.st_mode) && s.st_nlink == 1)){ ret = rename (from, to); if (ret == 0) { if (exists) { chmod (to, s.st_mode & 0777); if (chown (to, s.st_uid, s.st_gid) >= 0) { chmod (to, s.st_mode & 07777); }...

12 11 Security Properties: Standard File Descriptors Since the kernel does require that stdin, stdout and stderr point to terminal devices, an attacker may cause a victim program open one of them to a sensitive file. Example /* victim.c */ fd = open("/etc/passwd", O_RDWR); if (!process_ok(argv[0])) perror(argv[0]); /* attack.c */ int main(void) { close(2); execl("victim", "foo: :0:1:Super-User-2:...", NULL); }

13 12 Security Properties: Standard File Descriptors States correspond to the status of the three standard file descriptors and transitions occur on a "safe" open ( /dev/null and /dev/tty ). open(…)

14 13 Vulnerability Example: Standard File Descriptors - gnuchess void BookBuilder(short depth,...){ FILE *wfp,*rfp; if (depth == -1 && score == -1) { if ((rfp = fopen(BOOKRUN,"r+b")) != NULL) { printf("Opened existing book!\n"); } else { printf("Created new book!\n"); wfp = fopen(BOOKRUN,"w+b"); fclose(wfp); if ((rfp = fopen(BOOKRUN,"r+b")) == NULL) { printf("Could not create %s file\n", BOOKRUN); return; }...

15 14 Security Properties: Temporary Files Because many of the functions in the C standard library that create temporary files are insecure an adversary that is able to predict the filename can gain control of the file by precreating it. Example fd = mkstemp(action_file_name);... unlink(action_file_name);

16 15 Security Properties: Temporary Files tmpnam(), tempnam(), mktemp() and tmpfile() are always unsafe mkstemp() is safe if the generated filename is not used

17 16 Vulnerability Example: Temporary Files - yacc static void open_files() {... fd = mkstemp(action_file_name); if (fd < 0 || (action_file = fdopen(fd, "w")) == NULL){... open_error(action_file_name); } void open_error(char *filename) { warnx("f - cannot open \"%s\"", filename); done(2); } void done(int k) {... if (action_file_name[0]) unlink(action_file_name);

18 17 Security Properties: strncpy() First strncpy() encourages off-by-one errors if the programmer is not careful to compute the value of n precisely. Secondly, because the function does not automatically null- terminate a string in all cases it is a common mistake for a program to create unterminated strings during its execution. Example buf[sizeof(buf)-1] = '\0'; strncpy(buf,..., sizeof(buf));

19 18 Security Properties: strncpy()

20 19 Vulnerability Example: strncpy() - xloadimage newopt->info.dump.type = argv[++a];... dumpImage(dispimage, dump->info.dump.type, dump->info.dump.file, verbose); void dumpImage(Image *image, char *type, char *filename, int verbose) { int a; char typename[32]; char *optptr; optptr = index(type, ','); if (optptr) { strncpy(typename, type, optptr - type); typename[optptr - type] = '\0';... }

21 20 Results 1358 strncpy() warnings; 53 audited; 11 real bugs* 200 human hours found 108 real bugs in 50 million lines of code Order of magnitude larger in scale than previous academic work Static analysis will be feasible and integral part of building systems PropertyReported Warnings% FPReal Bugs TOCTTOU79095%41 Standard File Descriptors5661%22 Insecure Temporary Files10869%34 Total95490%97 strncpy()53/135879%11/258* Projected Total231285%355

22 Questions? Want to talk more about software security? jwest@fortifysoftware.com

Download ppt "Model Checking an Entire Linux Distribution for Security Violations Work by Benjamin Schwarz, Hao Chen, David Wagner, Geoff Morrison, Jacob West, Jeremy."

Similar presentations

Static Analysis for Security

Static Analysis for Security
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang 1, Tao Wei 1, Guofei Gu 2, Wei Zou 1 1 Peking.

TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang 1, Tao Wei 1, Guofei Gu 2, Wei Zou 1 1 Peking.
An Empirical Study of the Reliability in UNIX Utilities Barton Miller Lars Fredriksen Brysn So Presented by Liping Cai.

An Empirical Study of the Reliability in UNIX Utilities Barton Miller Lars Fredriksen Brysn So Presented by Liping Cai.
Introducing BLAST Software Verification John Gallagher CS4117.

Introducing BLAST Software Verification John Gallagher CS4117.
David Brumley, Pongsin Poosankam, Dawn Song and Jiang Zheng Presented by Nimrod Partush.

David Brumley, Pongsin Poosankam, Dawn Song and Jiang Zheng Presented by Nimrod Partush.
Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu

Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
CSE 451: Operating Systems Section 1. Why are you here? 9/30/102.

CSE 451: Operating Systems Section 1. Why are you here? 9/30/102.
Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro, Tim Harris Microsoft Research Cambridge University of Cambridge.

Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro, Tim Harris Microsoft Research Cambridge University of Cambridge.
1 Property 3: standard file descriptors vulnerability attack.c at.c Standard File Descriptors 0:stdin 1:stdout 2:stderr close(1); close(2); execl(“at”,

1 Property 3: standard file descriptors vulnerability attack.c at.c Standard File Descriptors 0:stdin 1:stdout 2:stderr close(1); close(2); execl(“at”,
#1 Program analysis for security: Making it scale David Wagner U.C. Berkeley Work by Hao Chen, Karl Chen, Rob Johnson, Ben Schwarz, and Jeremy Lin, Geoff.

#1 Program analysis for security: Making it scale David Wagner U.C. Berkeley Work by Hao Chen, Karl Chen, Rob Johnson, Ben Schwarz, and Jeremy Lin, Geoff.
CS 311 – Lecture 09 Outline Introduction to Systems programming – System calls – Categories of system calls Error Management System calls File Handling.

CS 311 – Lecture 09 Outline Introduction to Systems programming – System calls – Categories of system calls Error Management System calls File Handling.
TOCTTOU Vulnerabilities in UNIX-Style File Systems BY: Mayank Ladoia.

TOCTTOU Vulnerabilities in UNIX-Style File Systems BY: Mayank Ladoia.
#1 The Future of Software Security David Wagner U.C. Berkeley.

#1 The Future of Software Security David Wagner U.C. Berkeley.
MOPS MOdelchecking Security Properties David Wagner U.C. Berkeley.

MOPS MOdelchecking Security Properties David Wagner U.C. Berkeley.
DART Directed Automated Random Testing Patrice Godefroid, Nils Klarlund, and Koushik Sen Syed Nabeel.

DART Directed Automated Random Testing Patrice Godefroid, Nils Klarlund, and Koushik Sen Syed Nabeel.
ESP: Program Verification Of Millions of Lines of Code Manuvir Das Researcher PPRC Reliability Team Microsoft Research.

ESP: Program Verification Of Millions of Lines of Code Manuvir Das Researcher PPRC Reliability Team Microsoft Research.
Software Security David Wagner University of California at Berkeley.

Software Security David Wagner University of California at Berkeley.
Building Secure Software Chapter 9 Race Conditions.

Building Secure Software Chapter 9 Race Conditions.

Similar presentations

Ads by Google