Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSSV: Towards a Realistic Tool for Statically Detecting All Buffer Overflows in C Nurit Dor, Michael Rodeh, Mooly Sagiv PLDI’2003 DAEDALUS project.

Published byDwayne Hart Modified over 9 years ago

Similar presentations

Presentation on theme: "CSSV: Towards a Realistic Tool for Statically Detecting All Buffer Overflows in C Nurit Dor, Michael Rodeh, Mooly Sagiv PLDI’2003 DAEDALUS project."— Presentation transcript:

1 CSSV: Towards a Realistic Tool for Statically Detecting All Buffer Overflows in C Nurit Dor, Michael Rodeh, Mooly Sagiv PLDI’2003 DAEDALUS project

2 /* from web2c [strpascal.c] */ void foo(char *s) { while ( *s != ‘ ‘ ) s++; *s = 0; } Vulnerabilities of C programs Null dereference Dereference to unallocated storage Out of bound pointer arithmeticOut of bound update

3 Is it common? General belief – yes! FUZZ study –Test reliability by random input –Tens of applications on 9 different UNIX systems –18% – 23% hang or crash CERT advisory –Up to 50% of attacks are due to buffer overflow COMMON AND DANGEROUS

4 CSSV’s Goals Efficient conservative static checking algorithm –Verify the absence of buffer overflow --- not just finding bugs –All C constructs Pointer arithmetic, casting, dynamic memory, … –Real programs –Minimum false alarms

5 Complicated Example /* from web2c [fixwrites.c] */ #define BUFSIZ 1024 charbuf[BUFSIZ]; char insert_long(char *cp) { char temp[BUFSIZ]; … for (i = 0; &buf[i] < cp ; ++i) temp[i] = buf[i]; strcpy(&temp[i],”(long)”); strcpy(&temp[i+6],cp); … cp buf (long) temp

6 Complicated Example /* from web2c [fixwrites.c] */ #define BUFSIZ 1024 charbuf[BUFSIZ]; char insert_long(char *cp) { char temp[BUFSIZ]; … for (i = 0; &buf[i] < cp ; ++i) temp[i] = buf[i]; strcpy(&temp[i],”(long)”); strcpy(&temp[i+6],cp); … cp buf ( l o n g ) temp Cleanness is potentially violated: 7 + offset (cp)  BUFSIZ

7 Complicated Example /* from web2c [fixwrites.c] */ #define BUFSIZ 1024 charbuf[BUFSIZ]; char insert_long(char *cp) { char temp[BUFSIZ]; … for (i = 0; &buf[i] < cp ; ++i) temp[i] = buf[i]; strcpy(&temp[i],”(long)”); strcpy(&temp[i+6],cp); … cp buf (long) temp Cleanness is potentially violated: offset(cp)+7 +len(cp)  BUFSIZ 7 + offset (cp) < BUFSIZ

8 Verifying Absence of Buffer Overflow is non-trivial void safe_cat(char *dst, int size, char *src ) { if ( size > strlen(src) + strlen(dst) ) { dst = dst + strlen(dst); strcpy(dst, src); } {string(src)  alloc(dst) > len(src)} {string(src)  string(dst)  alloc(dst+len(dst)) > len(src)} string(src)  string(dst)  (size > len(src)+len(dst))  alloc(dst+len(dst)) > len(src))

9 Can this be done for real programs? Complex linear relationships Pointer arithmetic Loops Procedures Use Polyhedra[CH78] Points-to-analysis Widening Procedure contracts Very few false alarms!

10 C String Static Verifier Detects string violations –Buffer overflow (update beyond bounds) –Unsafe pointer arithmetic –References beyond null termination –Unsafe library calls Handles full C –Multi-level pointers, pointer arithmetic, structures, casting, … Applied to real programs –Public domain software –C code from Airbus

11 Operational Semantics p 1 =alloc(m) p 2 = p 1 + i p 3 = *p 2 p 1 0x480590 0x5050510 i 0x480000 p 2 0x480580 0x5050518 0x5050510.... 999 8 0x5050518 20 p 3 0x490000 20 4.... m 4 4 undef 0x480590.... 0x5050510 0x480000 0x480580 0x5050510 Shadow memory base size 0x490000 4

12 Domain Construction Given an abstract domains D 1, D 2, …, D k Construct a “composite domain” c(D 1, D 2, …, D k ) Examples: –Cartesian Abstraction More later

13 CSSV ’ s Abstraction Ignore exact location Track base addresses i p1p1 p2p2 p3p3 heap 1 p 1 0x480590 0x5050510 i 0x480000 p 2 0x480580 0x5050518 0x5050510.... 999 8 0x5050518 20 p 3 0x490000 20 4.... m 4 4 undef 0x480590.... 0x5050510 0x480000 0x480580 0x5050510 Shadow memory base size 0x490000 4 Abstract locations

14 CSSV ’ s Abstraction Track sizes i p1p1 p2p2 p3p3 heap 1 p 1 0x480590 0x5050510 i 0x480000 p 2 0x480580 0x5050518 0x5050510.... 999 8 0x5050518 20 p 3 0x490000 20 4.... m 4 4 undef 0x480590.... 0x5050510 0x480000 0x480580 0x5050510 Shadow memory base size 0x490000 4 Abstract locations 4 4 4 4 m

15 CSSV ’ s Abstraction Track pointers from one base to another (may) i p1p1 p2p2 p3p3 heap 1 p 1 0x480590 0x5050510 i 0x480000 p 2 0x480580 0x5050518 0x5050510.... 999 8 0x5050518 20 p 3 0x490000 20 4.... m 4 4 undef 0x480590.... 0x5050510 0x480000 0x480580 0x5050510 Shadow memory base size 0x490000 4 Abstract locations 4 4 4 4 m

16 Pointer Validation How can we validate pointer arithmetic? Track offsets from origin Track numeric values p 2 = p 1 + i i p1p1 p2p2 p3p3 heap 1 4 4 4 4 m 0 8 =8

17 Numeric values are unknown Track integer relationships p 2 = p 1 + i i p1p1 p2p2 p3p3 heap 1 4 4 4 4 m p 1.offset p 1.offset + i p 2.offset = p 1.offset + i

18 Validation Pointer arithmetic p 2 = p 1 + i *p 1.size  p 1.offset + i Pointer dereference p 3 = *p 2 *p 2.size  p 2.offset

19 The null-termination byte Many expressions involve the ‘ \0 ’ byte strcpy(dst, src) Track the existence of null-termination Track the index of the first one

20 Abstract Transformers Defines the effect of statements on the abstract representation p 1 =alloc(m) p 2 = p 1 + i i p2p2 p3p3 p1p1 4 4 4 4 heap 1 p 1.offset = 0 m p 1.offset + i

21 Abstract Transformers Unknown value p 3 = *p 2 p 3 =0 *p 2.is_nullt  *p2.len == p2.offset p 3 = unknownotherwise

22 Overly Conservative Representing infeasible concrete states Infeasible pointer aliases Infeasible integer variables

23 char* strcpy(char* dst, char *src) requires mod ensures Procedure Calls – Contracts ( string(src)  alloc(dst) > len(src) ) len(dst), is_nullt(dst) ( len(dst) = = pre@len(src)  return = = pre@dst )

24 Advantages of Procedure Contracts Modular analysis –[Not all the code is available] –Enables more expensive analyses User control of the verification –Detect errors at point of logical error –Improve the precision of the analysis –Check additional properties Beyond ANSI-C

25 Specification and Soundness All errors are detected Violation of procedure ’ s precondition –Call Violation of procedure's postcondition –Return Violation of statement ’ s precondition –… a[i] …

26 char* strcpy(char* dst, char *src) requires mod ensures Procedure Calls – Contracts ( string(src)  alloc(dst) > len(src) ) len(dst), is_nullt(dst) ( len(dst) = = pre@len(src)  return = = pre@dst )

27 safe_cat’s contract void safe_cat(char* dst, int size, char* src) requires mod ensures ( string(src)  string(dst) alloc(dst) == size ) ( len(dst) <= pre@len(src) e + pre@len(dst)  len(dst) >= pre@len(dst|) ) dst

28 Specification – insert_long() /* insert_long.c */ #include "insert_long.h" char buf[BUFSIZ]; char * insert_long (char *cp) { char temp[BUFSIZ]; int i; for (i=0; &buf[i] < cp; ++i){ temp[i] = buf[i]; } strcpy (&temp[i],"(long)"); strcpy (&temp[i + 6], cp); strcpy (buf, temp); return cp + 6; } char * insert_long(char *cp) requires( string(cp)  buf  cp < buf + BUFSIZ ) mod cp.len ensures ( len(cp) = = pre@len(cp) + 6  return_value = = cp + 6 ; )

29 Complicated Example /* from web2c [fixwrites.c] */ #define BUFSIZ 1024 charbuf[BUFSIZ]; char insert_long(char *cp) { char temp[BUFSIZ]; … for (i = 0; &buf[i] < cp ; ++i) temp[i] = buf[i]; strcpy(&temp[i],”(long)”); strcpy(&temp[i+6],cp); … cp buf ( l o n g ) temp Cleanness is potentially violated: 7 + offset (cp)  BUFSIZ

30 Complicated Example /* from web2c [fixwrites.c] */ #define BUFSIZ 1024 charbuf[BUFSIZ]; char insert_long(char *cp) { char temp[BUFSIZ]; … for (i = 0; &buf[i] < cp ; ++i) temp[i] = buf[i]; strcpy(&temp[i],”(long)”); strcpy(&temp[i+6],cp); … cp buf (long) temp Cleanness is potentially violated: offset(cp)+7 +len(cp)  BUFSIZ 7 + offset (cp) < BUFSIZ

31 CSSV – Technical overview C files Procedure ’ s Pointer info Pointer Analysis C2IP Integer Proc Integer Analysis Potential Error Messages Procedure name C files Contracts

32 Used Software ASToolKit [Microsoft] –LLVM, Soot Core C [TAU - Greta Yorsh] –CIL [Berkeley, LLVM] GOLF [Microsoft - Manuvir Das] New Polka [Inria - Bertrand Jeannet] –Apron

33 CSSV Static Analysis 1.Inline contracts Expose behavior of called procedures 2.Pointer analysis (global) Find relationship between base addresses Project into procedures 3.Integer analysis Compute offset information

34 Preliminary results (web2C) FAerrorsspace (Mb) time (sec) coreC line line Proc 02132.06414insert_long 020.30.12510fprintf_pascal_string 000.20.1239space_terminate 021.70.22814external_file_name 125.20.65315join 004.60.610525remove_newline 020.20.1239null_terminate

35 Preliminary results (EADS/RTC_Si) FAerrorsspace (Mb) time (sec) coreC line line Proc 000.51.63419FiltrerCarNonImp 001.90.84212SkipLine 00217.913437StoreIntInBuffer

36 CSSV: Summary Semantics –Safety checking –Full C –Enables abstractions Contract language –String behavior –Omit pointer aliasing Procedural points-to –Scalable –Improve precision Static analysis –Tracks important string properties –Utilizes integer analysis

37 Related Projects SAL Microsoft Splint: David Evans Sage: Microsoft Brian Hacket static analysis, ICSE’2006 Vinod Ganapathy: CCS’2013

38 Conclusion  Ambitious sound analyses  Very few false alarms  Scaling is an issue –Use staged analyses –Use modular analysis –Use encapsulation

Download ppt "CSSV: Towards a Realistic Tool for Statically Detecting All Buffer Overflows in C Nurit Dor, Michael Rodeh, Mooly Sagiv PLDI’2003 DAEDALUS project."

Similar presentations

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.
Modular and Verified Automatic Program Repair Francesco Logozzo, Thomas Ball RiSE - Microsoft Research Redmond.

Modular and Verified Automatic Program Repair Francesco Logozzo, Thomas Ball RiSE - Microsoft Research Redmond.
Automated Verification with HIP and SLEEK Asankhaya Sharma.

Automated Verification with HIP and SLEEK Asankhaya Sharma.
Interprocedural Shape Analysis for Recursive Programs Noam Rinetzky Mooly Sagiv.

Interprocedural Shape Analysis for Recursive Programs Noam Rinetzky Mooly Sagiv.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
1 Lecture 05 – Pointer Analyses & CSSV Eran Yahav.

1 Lecture 05 – Pointer Analyses & CSSV Eran Yahav.
CSSV: Towards a Realistic Tool for Statically Detecting All Buffer Overflows in C Nurit Dor (TAU), Michael Rodeh (IBM Research Haifa), Mooly Sagiv (TAU)

CSSV: Towards a Realistic Tool for Statically Detecting All Buffer Overflows in C Nurit Dor (TAU), Michael Rodeh (IBM Research Haifa), Mooly Sagiv (TAU)
Next Section: Pointer Analysis Outline: –What is pointer analysis –Intraprocedural pointer analysis –Interprocedural pointer analysis (Wilson & Lam) –Unification.

Next Section: Pointer Analysis Outline: –What is pointer analysis –Intraprocedural pointer analysis –Interprocedural pointer analysis (Wilson & Lam) –Unification.
Program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc06.html.

Program analysis Mooly Sagiv html://
Purity Analysis : Abstract Interpretation Formulation Ravichandhran Madhavan, G. Ramalingam, Kapil Vaswani Microsoft Research, India.

Purity Analysis : Abstract Interpretation Formulation Ravichandhran Madhavan, G. Ramalingam, Kapil Vaswani Microsoft Research, India.
4/30/2008Prof. Hilfinger CS 164 Lecture 391 Language Security Lecture 39 (from notes by G. Necula)

4/30/2008Prof. Hilfinger CS 164 Lecture 391 Language Security Lecture 39 (from notes by G. Necula)
An Overview on Static Program Analysis Mooly Sagiv Tel Aviv University 640-6706 Textbook: Principles of.

An Overview on Static Program Analysis Mooly Sagiv Tel Aviv University Textbook: Principles of.
Program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc08.html.

Program analysis Mooly Sagiv html://
Assume/Guarantee Reasoning using Abstract Interpretation Nurit Dor Tom Reps Greta Yorsh Mooly Sagiv.

Assume/Guarantee Reasoning using Abstract Interpretation Nurit Dor Tom Reps Greta Yorsh Mooly Sagiv.
Overview of program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc05.html.

Overview of program analysis Mooly Sagiv html://
Detecting Memory Errors using Compile Time Techniques Nurit Dor Mooly Sagiv Tel-Aviv University.

Detecting Memory Errors using Compile Time Techniques Nurit Dor Mooly Sagiv Tel-Aviv University.
Overview of program analysis Mooly Sagiv html://www.math.tau.ac.il/~msagiv/courses/wcc03.html.

Overview of program analysis Mooly Sagiv html://
Symbolic Path Simulation in Path-Sensitive Dataflow Analysis Hari Hampapuram Jason Yue Yang Manuvir Das Center for Software Excellence (CSE) Microsoft.

Symbolic Path Simulation in Path-Sensitive Dataflow Analysis Hari Hampapuram Jason Yue Yang Manuvir Das Center for Software Excellence (CSE) Microsoft.
Statically Detecting Likely Buffer Overflow Vulnerabilities David Larochelle David Evans University of Virginia Department of Computer Science Supported.

Statically Detecting Likely Buffer Overflow Vulnerabilities David Larochelle David Evans University of Virginia Department of Computer Science Supported.

Similar presentations

Ads by Google