Language-Based Security. Outline: CQUAL; CCured; Valgrind (Memcheck, Addrcheck, Helgrind); Applying on PttBBS.


1 Language-Based Security

2 Outline
- CQUAL
- CCured
- Valgrind
  - Memcheck, Addrcheck
  - Helgrind
- Applying on PttBBS

3 CQUAL
- By Jeffrey Foster, Manuel Fähndrich, Alexander Aiken and others
- Extending the type system of C with extra user-defined type qualifiers
- Sample usage
  - User-space/kernel-space trust errors
  - Deadlock detection
  - Format-string vulnerability detection
  - Y2K bug detection
  - const inference

4 CQUAL (cont.)
- Three components
  - Core, inference algorithm
  - Lattice
  - Prelude
- Assign qualifiers on variables
  - When they are used as function parameters
  - Via change_type
  - Unless using change_type, the variable carries the qualifier forever
- Propagate qualifiers
  - Assignment
  - Non-constness

5 CQUAL prelude & lattice

    int printf(const char $untainted * format, ...);
    $tainted char * getenv(const char *name);
    char $tainted $_1 * fgets(char $tainted $_1* s, int size, FILE *stream);
    char $_1_2 * strcpy(char $_1_2 * s1, const char $_1 * s2);

    partial order {
        $untainted [level = value, color = "pam-color-untainted", sign = neg]
        $tainted [level = value, color = "pam-color-tainted", sign = pos]
        $untainted < $tainted
    }

6 CQUAL read/write lattice

    partial order [flow-sensitive] {
        $readwrite_unchecked < $read_unchecked
        $readwrite_unchecked < $write_unchecked
        $read_unchecked < $open_unchecked
        $write_unchecked < $open_unchecked
        $closed < $readwrite_unchecked
        $readwrite < $read
        $readwrite < $write
        $read < $open
        $write < $open
        $open < $open_unchecked
        $read < $read_unchecked
        $write < $write_unchecked
        $readwrite < $readwrite_unchecked
    }

7 CCured
- By George Necula, Scott McPeak, Westley Weimer, Matthew Harren, Jeremy Condit and others
- Implemented on top of the CIL (C Intermediate Language) framework
- Source-to-source translator for C
- Adds runtime information for pointers
  - SAFE
  - SEQ, FSEQ
  - WILD

8 CCured (cont.)
- SAFE pointer
  - The same as standard pointer
  - No pointer arithmetic
- SEQ, FSEQ
  - Upper and base for boundary checking
  - Three/two words wide
- WILD pointer
  - Cast between incompatible pointers
- Wrapping libraries
  - ptrof, check_string, ensure_length, mkptr, mkptr_size, mkptr_string

9 CCured pointers

    x: int *WILD;  *x  =>
        assert(x.b ≠ null);
        assert(x.b ≤ x.p ≤ x.b + len(x.b) - 1);
        *(x.p)

    x: τ *WILD *WILD;  *x  =>
        assert(x.b ≠ null);
        assert(x.b ≤ x.p ≤ x.b + len(x.b) - 2);
        assert(tag(x.b, x.p + 1) == 1);
        *(x.p)
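Added example, not from the original slides or from CCured itself: the three-word SEQ representation from slide 8 modelled as a plain C struct, with the bounds check deferred to the dereference as in the checks on slide 9. The names seq_ptr, seq_from_array, seq_add, seq_read, read_at and read_forged are hypothetical, and a failed check returns -1 where the CCured runtime would stop the program.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* SEQ pointer as three words: the pointer plus base and upper bound. */
typedef struct { uintptr_t p, b, e; } seq_ptr;

/* Hypothetical constructor: fat pointer to the start of an n-element int array. */
static seq_ptr seq_from_array(int *a, size_t n) {
    seq_ptr s = { (uintptr_t)a, (uintptr_t)a, (uintptr_t)(a + n) };
    return s;
}

/* Arithmetic is not checked: only p moves, base and bound travel unchanged. */
static seq_ptr seq_add(seq_ptr s, ptrdiff_t k) {
    s.p += (uintptr_t)k * sizeof(int);   /* wraps correctly for negative k */
    return s;
}

/* The check runs at dereference: 0 and the element on success, -1 on failure. */
static int seq_read(seq_ptr s, int *out) {
    if (s.b == 0) return -1;                   /* null base: no area to check against */
    if (s.p < s.b || s.p > s.e) return -1;     /* outside [base, upper] */
    if (s.e - s.p < sizeof(int)) return -1;    /* fewer than sizeof(int) bytes left */
    *out = *(int *)s.p;
    return 0;
}

/* Read element k of a constructed 4-element array through a SEQ pointer. */
int read_at(ptrdiff_t k, int *out) {
    static int a[4] = { 10, 20, 30, 40 };
    return seq_read(seq_add(seq_from_array(a, 4), k), out);
}

/* A pointer built from a bare integer carries no base, so the read is refused. */
int read_forged(uintptr_t addr, int *out) {
    seq_ptr s = { addr, 0, 0 };
    return seq_read(s, out);
}

int main(void) {
    int v = 0;
    for (ptrdiff_t k = -1; k <= 4; k++)
        printf("a[%td]: %s\n", k, read_at(k, &v) == 0 ? "ok" : "bounds check failed");
    return 0;
}
```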

10 CCured pointers (cont.)

    struct hostent {
        char *h_name;        /* String */
        char **h_aliases;    /* Array of strings */
        short h_addrtype;
    };

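11 CCured wrapper

    #include <fcntl.h>     /* open, O_CREAT */
    #include <stdarg.h>    /* va_list for the variadic open wrapper */
    #include <string.h>    /* strchr */

    #pragma ccuredwrapper("strchr_wrapper", for("strchr"))
    __inline static char *strchr_wrapper(char *str, int chr)
    {
        __check_string(str);                         /* validate the fat pointer as a string */
        char *result = strchr(__ptrof(str), chr);    /* call the library on the thin pointer */
        return __mkptr(result, str);                 /* result takes its metadata from str */
    }

    #pragma ccuredwrapper("open_wrapper", for("open"));
    #pragma ccuredvararg("open_wrapper", sizeof(int))
    __inline static int open_wrapper(char *file, int oflag, ...)
    {
        __check_string(file);
        if (oflag & O_CREAT) {
            /* The mode argument is only present when O_CREAT is set. */
            int mode;
            va_list argptr;
            va_start(argptr, oflag);
            mode = va_arg(argptr, int);
            va_end(argptr);
            return open(__ptrof(file), oflag, mode);
        } else
            return open(__ptrof(file), oflag);
    }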

12 CCured wrapper (cont.)

    #include <stdlib.h>    /* qsort */

    /* State shared between the wrapper and the comparison trampoline. */
    static void *__qsort_base;
    static int (*__qsort_compare)(void *, void *);

    /* qsort calls back with thin pointers; rebuild fat pointers from the saved base. */
    static int __qsort_compare_wrapper(void * SAFE left, void * SAFE right)
    {
        void *wideleft = __mkptr(left, __qsort_base);
        void *wideright = __mkptr(right, __qsort_base);
        return __qsort_compare(wideleft, wideright);
    }

    #pragma ccuredwrapper("qsort_wrapper", for("qsort"));
    inline static void qsort_wrapper(void *base, size_t nmemb, size_t size,
                                     int (*compare)(void *left, void *right))
    {
        __cleartags(base, nmemb * size);
        __qsort_base = base;
        __qsort_compare = compare;
        qsort(__ptrof(base), nmemb, size, __qsort_compare_wrapper);
        __qsort_base = 0;
    }

13 Valgrind
- By Julian Seward and others
- A program supervision framework
- Initializes before all others and runs the client code on a simulated CPU
  - Translates x86 machine code into UCode
  - The UCode is manipulated by skins
  - Translates back to x86 instructions
- Skins
  - Memcheck, Addrcheck
  - Helgrind
  - Cachegrind and others

14 Valgrind: Memcheck
- Shadows each byte of memory used with nine bits
  - One A (addressability) bit
  - Eight V (validity) bits
- Checks the A bit for every memory access
- Checks the V bits if one of the following operations depends on them
  - Branching
  - System call
  - Memory addressing
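Added example, not from the original slides and not Valgrind code: a toy shadow memory with one A bit and eight V bits per byte, showing that copying undefined data is silent while branching on it is reported, and why V bits are kept per bit. All names are hypothetical, and the polarity (V bit 1 = defined) is this example's own convention.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MEM 16
static uint8_t mem[MEM];    /* constructed client memory */
static uint8_t abit[MEM];   /* one A bit per byte: 1 = addressable */
static uint8_t vbits[MEM];  /* eight V bits per byte: 1 = bit holds a defined value */
int errors;                 /* number of reports so far */
typedef struct { uint8_t val, v; } sval;   /* a value and its shadow V bits */

/* Replaced malloc/free: fresh memory is addressable but undefined. */
void sh_malloc(int at, int n) { memset(abit + at, 1, n); memset(vbits + at, 0, n); }
void sh_free(int at, int n)   { memset(abit + at, 0, n); }

/* The A bit is checked on every access. */
static int addr_ok(int a) {
    int ok = a >= 0 && a < MEM && abit[a];
    errors += !ok;
    return ok;
}

/* Loads and stores move V bits along with the data and never check them. */
void sh_store(int a, sval x) { if (addr_ok(a)) { mem[a] = x.val; vbits[a] = x.v; } }
sval sh_load(int a) {
    sval r = { 0, 0xFF };   /* after a bad address, treat the result as defined */
    if (addr_ok(a)) { r.val = mem[a]; r.v = vbits[a]; }
    return r;
}

/* AND with a constant: a result bit is defined if the input bit is, or the mask bit is 0. */
sval sh_and(sval x, uint8_t mask) {
    sval r = { (uint8_t)(x.val & mask), (uint8_t)(x.v | ~mask) };
    return r;
}

/* V bits are checked only when control flow depends on the value. */
int sh_branch(sval x) { if (x.v != 0xFF) errors++; return x.val != 0; }

int main(void) {
    sval half = { 0x05, 0x0F };            /* only the low nibble was ever written */
    sh_malloc(0, 4);
    sh_store(1, sh_load(0));               /* copying undefined data: silent */
    sh_branch(sh_load(1));                 /* branching on it: report 1 */
    sh_store(2, half);
    sh_branch(sh_and(sh_load(2), 0x0F));   /* defined bits only: silent */
    sh_branch(sh_and(sh_load(2), 0xF0));   /* undefined bits: report 2 */
    sh_load(4);                            /* never allocated: report 3 */
    sh_free(0, 4); sh_load(0);             /* use after free: report 4 */
    printf("reports: %d\n", errors);
    return 0;
}
```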

15 Valgrind: Memcheck (cont.)
- Replacing library functions
  - malloc/new/new[]
  - free/delete/delete[]
- Hook system calls
  - mmap, mremap, munmap, mprotect, brk
  - read, write

16 Valgrind: Other Skins
- Addrcheck: similar to Memcheck but holds the A bit only
- Helgrind: data-race detector using the Eraser algorithm (does not work with v3.1)
- Cachegrind: cache profiler
- Massif: heap profiler
- Lackey: simple profiler

17 Applying on PttBBS
- CQUAL
  - Successfully applied
  - Many false alerts because of the “general buffer”

    admin.c:1168 type of actual argument 1 doesn't match type of formal
    genbuf[]: $kernel $nonconst $noninit $tainted $untainted const
    prelude.cq:38     $tainted <= *fgets_ret@1168
    admin.c:1168            <= genbuf[]
    admin.c:1334            <= *fmt
    stuff.c:889             <= *vsnprintf_arg3
    prelude.cq:54           <= $untainted
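Added example, not from the original slides and not CQUAL code: the report above read as a chain of qualifier constraints, with a small search for a chain from $tainted to $untainted, which the lattice on slide 5 ($untainted < $tainted) cannot satisfy. It also shows why one shared genbuf triggers the alert: the variant with separate buffers (inbuf[] and fmtbuf[], both hypothetical names, as are all function names) has no such chain.

```c
#include <stdio.h>
#include <string.h>
#define MAXN 16
static const char *names[MAXN];   /* qualifier variables and constants */
static int le[MAXN][MAXN];        /* le[a][b] != 0 means constraint a <= b */
static int n_nodes;

static int node(const char *name) {
    for (int i = 0; i < n_nodes; i++)
        if (strcmp(names[i], name) == 0) return i;
    names[n_nodes] = name;
    return n_nodes++;
}
static void flows(const char *from, const char *to) { le[node(from)][node(to)] = 1; }

/* Depth-first search for a chain cur <= ... <= dst; returns its length, 0 if none. */
static int chain(int cur, int dst, int *seen, int *path, int depth) {
    path[depth] = cur;
    if (cur == dst) return depth + 1;
    seen[cur] = 1;
    for (int next = 0; next < n_nodes; next++)
        if (le[cur][next] && !seen[next]) {
            int len = chain(next, dst, seen, path, depth + 1);
            if (len) return len;
        }
    return 0;
}

/* Constraints from the slide-17 report. shared_buffer = 0 is a constructed
   variant where input and format string live in separate buffers. */
int tainted_chain_length(int shared_buffer) {
    int seen[MAXN] = {0}, path[MAXN];
    n_nodes = 0; memset(le, 0, sizeof le);
    flows("$tainted", "*fgets_ret");                       /* prelude.cq:38 */
    flows("*fgets_ret", shared_buffer ? "genbuf[]" : "inbuf[]");
    flows(shared_buffer ? "genbuf[]" : "fmtbuf[]", "*fmt");
    flows("*fmt", "*vsnprintf_arg3");
    flows("*vsnprintf_arg3", "$untainted");                /* prelude.cq:54 */
    int len = chain(node("$tainted"), node("$untainted"), seen, path, 0);
    for (int i = 0; i < len; i++)
        printf("%s%s", i ? " <= " : "", names[path[i]]);
    if (len) printf("   (violates $untainted < $tainted)\n");
    return len;
}

int main(void) {
    int shared = tainted_chain_length(1), separate = tainted_chain_length(0);
    printf("shared buffer: %d, separate buffers: %d\n", shared, separate);
    return 0;
}
```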

18 Applying on PttBBS (cont.)
- CCured
  - Script failed
- Valgrind
  - Has been used for a long time
  - Detects many memory-related problems
    - Memory leak
    - Buffer overflow
    - Use after free

