CSSV: Towards a Realistic Tool for Statically Detecting All Buffer Overflows in C

Transcription

1 CSSV: Towards a Realistic Tool for Statically Detecting All Buffer Overflows in C Nurit Dor, Michael Rodeh, Mooly Sagiv PLDI 2003 DAEDALUS project

2 Vulnerabilities of C programs /* from web2c [strpascalc] */ void foo(char *s) { } while ( *s!= ) *s = 0; s++; Null dereference Dereference to unallocated storage Out of bound pointer arithmetic Out of bound update

3 Is it common? General belief yes! FUZZ study Test reliability by random input Tens of applications on 9 different UNIX systems 18% 23% hang or crash CERT advisory Up to 50% of attacks are due to buffer overflow COMMON AND DANGEROUS

4 CSSV s Goals Efficient conservative static checking algorithm Verify the absence of buffer overflow --- not just finding bugs All C constructs Pointer arithmetic, casting, dynamic memory, Real programs Minimum false alarms

5 Complicated Example /* from web2c [fixwritesc] */ #define BUFSIZ 102 char buf[bufsiz]; char insert_long(char *cp) { char temp[bufsiz]; for (i = 0; &buf[i] < cp ; ++i) temp[i] = buf[i]; strcpy(&temp[i], (long) ); strcpy(&temp[i+6],cp); buf cp temp (long)

6 Complicated Example /* from web2c [fixwritesc] */ #define BUFSIZ 102 char buf[bufsiz]; buf cp char insert_long(char *cp) { char temp[bufsiz]; for (i = 0; &buf[i] < cp ; ++i) temp[i] = buf[i]; strcpy(&temp[i], (long) ); strcpy(&temp[i+6],cp); temp ( l o n g ) Cleanness is potentially violated: 7 + offset (cp) BUFSIZ

7 Complicated Example /* from web2c [fixwritesc] */ #define BUFSIZ 102 char buf[bufsiz]; char insert_long(char *cp) { char temp[bufsiz]; for (i = 0; &buf[i] < cp ; ++i) temp[i] = buf[i]; strcpy(&temp[i], (long) ); strcpy(&temp[i+6],cp); buf temp cp (long) Cleanness is potentially violated: offset(cp)+7 +len(cp) BUFSIZ 7 + offset (cp) < BUFSIZ

8 Verifying Absence of Buffer Overflow is non-trivial void safe_cat(char *dst, int size, char *src ) string(src) string(dst) { (size > len(src)+len(dst)) alloc(dst+len(dst)) > len(src)) if ( size > strlen(src) + strlen(dst) ) { {string(src) string(dst) alloc(dst+len(dst)) > len(src)} } } dst = dst + strlen(dst); {string(src) alloc(dst) > len(src)} strcpy(dst, src);

9 Can this be done for real programs? Complex linear relationships Pointer arithmetic Loops Procedures Use Polyhedra[CH78] Pointer analysis Widening Procedure contracts Very few false alarms!

10 C String Static Verifier Detects string violations Buffer overflow (update beyond bounds) Unsafe pointer arithmetic References beyond null termination Unsafe library calls Handles full C Multi-level pointers, pointer arithmetic, structures, casting, Applied to real programs Public domain software C code from Airbus

11 Operational Semantics Shadow memory base size p 1 =alloc(m) p 2 = p 1 + i i 0x80000 p 2 0x80580 p 1 0x x x p 3 0x x x x x x x m p 3 = *p 2 0x x undef

12 Ignore exact location Track base addresses Abstract locations CSSV s Abstraction i p 1 p 2 p 3 i 0x80000 p 2 0x80580 p 1 0x x x p 3 0x Shadow memory base 0x x x80590 size 0x x x m heap 1 0x x undef

13 Track sizes Abstract locations CSSV s Abstraction i p 1 p 2 p 3 i 0x80000 p 2 0x80580 p 1 0x x x p 3 0x Shadow memory base 0x x x80590 size 0x90000 m heap 1 0x x x x m undef

14 Track pointers from one base to another Abstract locations CSSV s Abstraction i p 1 p 2 p 3 i 0x80000 p 2 0x80580 p 1 0x x x p 3 0x Shadow memory base 0x x x80590 size 0x90000 m heap 1 0x x x x m undef

15 Pointer Validation How can we validate pointer arithmetic? p 2 = p 1 + i i =8 Track offsets from origin Track numeric values p 1 p 2 p m heap 1

16 Numeric values are unknown Track integer relationships p 2 = p 1 + i p 2 offset = p 1 offset + i i p 1 p 2 p 3 m heap 1

17 Pointer arithmetic Validation p 2 = p 1 + i *p 1 size p 1 offset + i Pointer dereference p 3 = *p 2 *p 2 size p 2 offset

18 The null-termination byte Many expressions involve the \0 byte strcpy(dst, src) Track the existence of null-termination Track the index of the first one

19 Abstract Transformers Defines the effect of statements on the abstract representation p 1 =alloc(m) p 2 = p 1 + i i p 1 p 2 p 3 m heap 1

20 Unknown value Abstract Transformers p 3 = *p 2 p 3 =0 p 3 = unknown *p 2 is_nullt *p2len == p2offset otherwise

21 Overly Conservative Representing infeasible concrete states Infeasible pointer aliases Infeasible integer variables

22 Procedure Calls Contracts char* strcpy(char* dst, char *src) requires ( string(src) alloc(dst) > len(src) ) mod ensures len(dst), is_nullt(dst) ( len(dst) = = pre@len(src) return = = pre@dst )

23 Advantages of Procedure Contracts Modular analysis Not all the code is available Enables more expensive analyses User control of the verification Detect errors at point of logical error Improve the precision of the analysis Check additional properties Beyond ANSI-C

24 Specification and Soundness All errors are detected Violation of procedure s precondition Call Violation of procedure's postcondition Return Violation of statement s precondition a[i]

25 Procedure Calls Contracts char* strcpy(char* dst, char *src) requires ( string(src) alloc(dst) > len(src) ) mod ensures len(dst), is_nullt(dst) ( len(dst) = = pre@len(src) return = = pre@dst )

26 safe_cat s contract void safe_cat(char* dst, int size, char* src) requires mod ensures ( string(src) string(dst) alloc(dst) == size ) dst ( len(dst) <= [len(src)] pre + [len(dst)] pre len(dst) >= [len(dst)] pre )

27 Specification insert_long() /* insert_longc */ #include "insert_longh" char buf[bufsiz]; char * insert_long (char *cp) { char temp[bufsiz]; int i; for (i=0; &buf[i] < cp; ++i){ temp[i] = buf[i]; } strcpy (&temp[i],"(long)"); strcpy (&temp[i + 6], cp); strcpy (buf, temp); return cp + 6; } char * insert_long(char *cp) requires( string(cp) buf cp < buf + BUFSIZ ) mod cpstrlen ensures ( len(cp) = = pre[len(cp) + 6] return_value = = cp + 6 ; )

28 Complicated Example /* from web2c [fixwritesc] */ #define BUFSIZ 102 char buf[bufsiz]; buf cp char insert_long(char *cp) { char temp[bufsiz]; for (i = 0; &buf[i] < cp ; ++i) temp[i] = buf[i]; strcpy(&temp[i], (long) ); strcpy(&temp[i+6],cp); temp ( l o n g ) Cleanness is potentially violated: 7 + offset (cp) BUFSIZ

29 Complicated Example /* from web2c [fixwritesc] */ #define BUFSIZ 102 char buf[bufsiz]; char insert_long(char *cp) { char temp[bufsiz]; for (i = 0; &buf[i] < cp ; ++i) temp[i] = buf[i]; strcpy(&temp[i], (long) ); strcpy(&temp[i+6],cp); buf temp cp (long) Cleanness is potentially violated: offset(cp)+7 +len(cp) BUFSIZ 7 + offset (cp) < BUFSIZ

30 CSSV Technical overview C files Procedure name Pointer Analysis Procedure s Pointer info C2IP Contracts Integer Proc Integer Analysis Potential Error Messages

31 Used Software ASToolKit [Microsoft] Core C [TAU - Greta Yorsh] GOLF [Microsoft - Manuvir Das] New Polka [Inria - Bertrand Jeannet]

32 CSSV Static Analysis 1 Inline contracts Expose behavior of called procedures 2 Pointer analysis (global) Find relationship between base addresses Project into procedures 3 Integer analysis Compute offset information

33 Preliminary results (web2c) FA errors space (Mb) time (sec) corec line line Proc insert_long fprintf_pascal_string space_terminate external_file_name join remove_newline null_terminate

34 Preliminary results (EADS/RTC_Si) Proc line corec line time (sec) space (Mb) errors FA FiltrerCarNonImp SkipLine StoreIntInBuffer

35 CSSV: Summary Semantics Safety checking Full C Enables abstractions Contract language String behavior Omit pointer aliasing Procedural points-to Scalable Improve precision Static analysis Tracks important string properties Utilizes integer analysis

36 Related Projects SAL Microsoft Brian Hacket static analysis

37 Conclusion Ambitious sound analyses Very few false alarms Scaling is an issue Use staged analyses Use modular analysis Use encapsulation