Vulnerability Analysis (III): Sta8c Analysis

Size: px

Start display at page:

Download "Vulnerability Analysis (III): Sta8c Analysis"

Naomi Nelson
5 years ago
Views:

1 Computer Security Course. Vulnerability Analysis (III): Sta8c Analysis Slide credit: Vijay D Silva

2 1 Efficiency of Symbolic Execu8on 2 A Sta8c Analysis Analogy 3 Syntac8c Analysis 4 Seman8cs- Based Analysis

3 1 Efficiency of Symbolic Execu8on 2 A Sta8c Analysis Analogy 3 Syntac8c Analysis 4 Seman8cs- Based Analysis

4 Quiz: Branches and Paths F 1F F 2F T 1T T 2T Suppose we want to know if there is a feasible path to the loca8on ERR in this program. Suppose we generate one path predicate for each path through this program. How many path predicates are generated? nf F n T nt ERR

5 Quiz: Branches and Paths F 1F F 2F T 1T T 2T Suppose we want to know if there is a feasible path to the loca8on ERR in this program. Suppose we generate one path predicate for each path through this program. How many path predicates are generated? nf F n T nt 2 n ERR

6 Quiz: Branches and Paths F 1F F 2F T 1T T 2T Suppose we want to know if there is a feasible path to the loca8on ERR in this program. Suppose we generate one path predicate for each path through this program. How many path predicates are generated? nf F n ERR T nt 2 n Number of predicates can be exponen&al in the number of branches.

7 Quiz: Loops and Paths This is the structure of a program with a simple loop. Suppose the error loca8on is in block 3. How many path predicates are generated?

8 Quiz: Loops and Paths This is the structure of a program with a simple loop. Suppose the error loca8on is in block 3. How many path predicates are generated?

9 Quiz: Loops and Paths This is the structure of a program with a simple loop. Suppose the error loca8on is in block 3. How many path predicates are generated? A loop can generate an infinite number of path predicates Number of path predicates is finite only if the program terminates

10 Independence of Variables How many paths to the asser8on?

11 Independence of Variables How many paths to the asser8on? 4

12 Independence of Variables How many paths to the asser8on? 4 The second branch does not affect the asser8on. How many paths without the second branch?

13 Independence of Variables How many paths to the asser8on? 4 The second branch does not affect the asser8on. How many paths without the second branch? 2

14 Independence of Variables How many paths to the asser8on? 4 The second branch does not affect the asser8on. How many paths without the second branch? 2 Including all statements on a path leads to larger constraints than necessary Data dependencies can be used to prune paths and simplify constraints

15 Structure of Formulas The path predicate for this asser8on viola8on involves bit- vector mul8plica8on Reasoning about mul8plica8on of variables is computa8onally expensive (think of mul8plier circuits) ERR

16 Structure of Formulas ERR The path predicate for this asser8on viola8on involves bit- vector mul8plica8on Reasoning about mul8plica8on of variables is computa8onally expensive (think of mul8plier circuits) Only need to show an upper bound on y Imprecise reasoning can be more efficient and enough

17 Challenges for Symbolic Execu8on Control Path explosion due to branches and loops Redundant explora&on of same path prefixes Search strategy determines if vulnerabili8es are found Data Algorithmic complexity of arithme8c and string reasoning Constraint explosion because of irrelevant variables and opera8ons Memory modeling is labor intensive but necessary How can we address these issues?

18 1 Efficiency of Symbolic Execu8on 2 Sta8c Analysis by Analogy 3 Syntac8c Analysis 4 Seman8cs- Based Analysis

19 Single Program Execu8on Moscone Center SODA Hall

20 Bo\lenecks for Dynamic Analysis Weather Traffic Roads Terrain... Informa8on Overload Route Explosion

21 Bo\lenecks for Dynamic Analysis Weather Traffic Roads Terrain... Informa8on Overload Data Route Explosion Control

22 Sta8c Analysis Loss of informa8on allows for more efficient computa8on of some answers Sta8c analysis algorithms operate directly on abstract representa8ons For example, we can analyze all possible road- routes without even siang in a car

23 Sta8c Analysis Loss of informa8on allows for more efficient computa8on of some answers Sta8c analysis algorithms operate directly on abstract representa8ons For example, we can analyze all possible road- routes without even siang in a car

24 Sta8c Analysis Loss of informa8on allows for more efficient computa8on of some answers Sta8c analysis algorithms operate directly on abstract representa8ons For example, we can analyze all possible road- routes without even siang in a car

25 Sta8c Analysis Loss of informa8on allows for more efficient computa8on of some answers Sta8c analysis algorithms operate directly on abstract representa8ons For example, we can analyze all possible road- routes without even siang in a car

26 Sta8c Analysis Some ques8ons can be answered efficiently. Can we drive, on land, from Melboure to Hobart? Not enough informa8on to answer ques8ons about traffic, terrain, the weather, routes from Melbourne to Sydney etc.

27 1 Efficiency of Symbolic Execu8on 2 A Sta8c Analysis Analogy 3 Syntac8c Analysis 4 Seman8cs- Based Analysis

28 Sta8c Analysis A sta&c analysis is one that does not execute the program. A syntac&c analysis uses the code text but does not interpret statements A seman&c analysis interprets statements and updates facts based on statements in the code

29 Syntac8c Example: Op8onal Arguments The system call open() has op8onal arguments Typical mistake: Result: file has random permissions To detect this problem: Look for oflag == O_CREAT without mode argument

30 Syntac8c Example: Calling Conven8ons Goal: confine a process to a jail in the filesystem Use chroot() to change the filesystem root for a process Problem: chroot() does not itself change the current working directory Result: fopen may refer to a file outside the jail Detec8on: look for pa\erns matching the specifica8on

31 Syntac8c Example: Name Confusion source: Squashing Bugs with Sta&c Analysis, William Pugh, 2006 flags is a parameter, this.flags is a field Problem: check does not prevent null dereference Result: Poten8al Null Pointer Dereference Detec8on: find similar names on code paths where security- relevant condi8ons are checked

32 Quiz Can you iden8fy the problems in the following code? (all taken from well tested, produc8on sojware) source: Squashing Bugs with Sta&c Analysis, William Pugh, 2006

$Syntac8c Analysis Specify Error Pa\erns Parse Program Error paierns:$ $Detec&on: match pa\ern against program representa8on Pruning: Used to$

33 Syntac8c Analysis Specify Error Pa\erns Parse Program Error paierns: Heuris8cally observed common error pa\erns in prac8ce Detect Pa\erns Prune False Alarms Parsing: generates data structure used for error detec8on Detec&on: match pa\ern against program representa8on Pruning: Used to eliminate common false alarms

34 Error Pa\ern Types Error Type Examples Typos API Usage Copy- Paste Iden8fier confusion = vs ==, &x vs. x, missing/extra semi- colons chroot, mul8ple locking, etc. variable names/increments not updated global and local variables, fields and parameters

35 Pa\ern Representa8on and Detec8on Representa3on String Parse Tree Control Flow Graphs Types of Algorithms Subsequence mining, edit distance, matching Pa\ern matching, Automata algorithms, sub- graph isomorphism

36 1 Efficiency of Symbolic Execu8on 2 A Sta8c Analysis Analogy 3 Syntac8c Analysis 4 Seman8cs- Based Analysis

37 Example Program Entry How can we automa8cally check if the error loca8on is reachable in this program? Exit Err An analysis must reason about control flow branches a loop data increment, decrement comparisons with 0

38 Abstrac8ng Data Entry Only track relevant proper8es of x x<=0 x!=0 x>=0 x<0 x==0 x>0 Exit Err

39 Abstrac8ng Data Entry Only track relevant proper8es of x x can have any value x<=0 x!=0 x>=0 x<0 x==0 x>0 Exit Err

40 Abstrac8ng Data Entry Only track relevant proper8es of x x can have any value x<=0 x!=0 x>=0 Exit Err x<0 x==0 x>0 false no value is feasible

41 Sign Analysis Entry Analysis: update data about x based on control flow x<=0 x!=0 x>=0 x<0 x==0 x>0 false Exit Err

42 Sign Analysis Entry Analysis: update data about x based on control flow x<=0 x!=0 x>=0 x<0 x==0 x>0 false Exit Err Assuming arbitrary ini8aliza8on, anything can be about x

43 Sign Analysis Entry Analysis: update data about x based on control flow x==0 x<=0 x!=0 x>=0 x<0 x==0 x>0 false Exit Err The assignment updates the fact about x

44 Sign Analysis Entry Analysis: update data about x based on control flow x==0 x==0 x<=0 x!=0 x>=0 x<0 x==0 x>0 false Exit Err The condi8on does not affect x so the fact flows through

45 Sign Analysis Entry Analysis: update data about x based on control flow x==0 x==0 x<=0 x!=0 x>=0 x<0 x<0 x==0 x>0 false Exit Err Loss of precision! We cannot write x==- 1 so we approximate it by x<0

46 Sign Analysis Entry Analysis: update data about x based on control flow x==0 x==0 x<=0 x!=0 x>=0 x<0 x>0 x<0 x==0 x>0 false Exit Err

47 Sign Analysis Entry Analysis: update data about x based on control flow x==0 x==0 x<=0 x!=0 x>=0? x<0 x>0 x<0 x==0 x>0 false Exit Err At the join point x is either strictly posi8ve or strictly nega8ve

48 Sign Analysis Entry Analysis: update data about x based on control flow x==0 x==0 x<=0 x!=0 x>=0? x<0 x>0 x<0 x==0 x>0 false Exit Err At the join point x is either strictly posi8ve or strictly nega8ve

49 Sign Analysis Entry Analysis: update data about x based on control flow x==0 x==0 x<=0 x!=0 x>=0 x!=0 x<0 x>0 x<0 x==0 x>0 false Exit Err At the join point x is either strictly posi8ve or strictly nega8ve

50 Sign Analysis Entry Analysis: update data about x based on control flow x==0 x==0 x<=0 x!=0 x>=0 x!=0 x<0 x!=0 x>0 Exit Err x<0 x==0 x>0 false

51 Sign Analysis Entry Analysis: update data about x based on control flow x==0 x==0 x<=0 x!=0 x>=0 x!=0 x<0 x!=0 x>0 x!=0 Exit Err x<0 x==0 x>0 false

52 Sign Analysis Entry Analysis: update data about x based on control flow x==0 x==0 x<=0 x!=0 x>=0 x!=0 x<0 x!=0 x>0 x!=0 Exit x<0 x==0 x>0 false The condi8onal restricts x Err x<0

53 Sign Analysis Entry Analysis: update data about x based on control flow x==0 x==0 x<=0 x!=0 x>=0 x!=0 x<0 x!=0 x>0 x!=0 Exit Err x<0 x<0 x==0 x>0 false The analysis concludes that it may be possible to reach Err with x<0

54 Sign Analysis vs. Symbolic Execu8on Entry Compare the sign analysis to symbolic execu8on x!=0 x==0 x==0 x!=0 x<0 x>0 Exit x!=0 Data was not precisely represented Some variables were ignored Control flow paths were joined It is not clear if there is an error It is not clear which path leads to the error Err x<0

55 Sign Analysis vs. Symbolic Execu8on Entry Compare the sign analysis to symbolic execu8on x!=0 x==0 x==0 x!=0 x<0 x>0 Exit x!=0 Err x<0 Data was not precisely represented Some variables were ignored Control flow paths were joined It is not clear if there is an error It is not clear which path leads to the error Problem: no informa8on about y

56 Zero Propaga8on Entry Suppose we only track if y is zero or not y!=0 false Exit Err

57 Zero Propaga8on Entry Suppose we only track if y is zero or not y!=0 false Exit Err

58 Quiz: Zero Propaga8on Entry Suppose we only track if y is zero or not Can you fill in the blanks for the first steps of the analysis???? y!=0? Exit? Err false

59 Zero Propaga8on Entry Suppose we only track if y is zero or not Can you fill in the blanks for the first steps of the analysis? y!=0 y!=0 y!=0 Exit Err false

60 Zero Propaga8on Entry Suppose we only track if y is zero or not Can you fill in the blanks for the first steps of the analysis? y!=0 y!=0 y!=0 Exit false A loop head is also a join- point Err

61 Zero Propaga8on Entry Suppose we only track if y is zero or not Can you fill in the blanks for the first steps of the analysis? y!=0 y!=0 y!=0 Exit false A loop head is also a join- point Err

62 Zero Propaga8on Entry Suppose we only track if y is zero or not Can you fill in the blanks for the first steps of the analysis? y!=0 y!=0 y!=0 Exit Err false Since the loop head was updated, what follows may change.

63 Zero Propaga8on Entry Suppose we only track if y is zero or not Can you fill in the blanks for the first steps of the analysis? y!=0 y!=0 y!=0 Exit Err false Since the loop head was updated, what follows may change. In this case, the update does not change the result of the analysis.

64 Zero Propaga8on Entry Suppose we only track if y is zero or not Can you fill in the blanks for the first steps of the analysis? y!=0 y!=0 y!=0 Exit Err false When propaga8on does not change the results, a fixed point is reached.

65 Sign Analysis vs. Zero Propaga8on Entry Sign analysis and zero propaga8on both report that the error may be reached. Each analysis ignores one variable. y!=0 Can we do be\er by tracking both variables at the same 8me? y!=0 Exit Err

66 A Product Analysis x==0 Entry x>=0 x<=0 x!=0 x>=0 x<0 x==0 x>0 x>=0 y!=0 x>=0 false x>=0 false y!=0 Exit Err x<0

67 A Product Analysis x==0 Entry x>=0 x<=0 x!=0 x>=0 x<0 x==0 x>0 x>=0 y!=0 x>=0 false x>=0 false y!=0 Exit Err x<0 Product analysis does not yield more informa8on (in this case) than running both separately

68 A Product Analysis x==0 Entry x>=0 x<=0 x!=0 x>=0 x<0 x==0 x>0 x>=0 y!=0 x>=0 false Exit Err x<0 x>=0 false y!=0 Problem: Correla8on between x and y is lost at this joint point. Analysis is path insensi&ve.

69 Disjunc8ve Refinement Entry Disjunc8ve refinement allows disjunc8ons of facts x>=0 x>=0 y!=0 join x>=0 y!=0 x<0 = x>=0 x<0 y!=0 or instead of Exit Err x<0

70 Analysis with Disjunc8ve Refinement Entry x==0 x==0 y!=0 x==0 x<0 y!=0 x>0 Exit Ini8al steps are the same Err

71 Analysis with Disjunc8ve Refinement Entry x==0 x==0 y!=0 x==0 x<0 y!=0 x>0 or x<0 x>0 y!=0 Join is now disjunc8on Exit Err

72 Analysis with Disjunc8ve Refinement Entry x==0 x==0 y!=0 x==0 x<0 y!=0 x>0 or x<0 x>0 y!=0 x>0 x<0 y!=0 Exit Err More precise informa8on propagated ajer join

73 Analysis with Disjunc8ve Refinement Entry x>=0 x==0 x>=0 y!=0 x>=0 y!=0 x>0 or x>0 y!=0 x>0 y!=0 Exit Err false Result of final analysis. Asser8on is not violated.

74 1 Analysis Frameworks 2 Types of Analyses 3 Precision 4 Summary of Program Analysis

75 1 Analysis Frameworks a b c d Laaces Transformers Systems of Equa8ons Solving Equa8ons

76 1 Analysis Frameworks a b c d Laaces Transformers Systems of Equa8ons Solving Equa8ons

77 States, Transi8ons, Execu8ons

78 States, Transi8ons, Execu8ons States values of local and global variables, program counter, stack, heap pc i a[0] a[1] a[2] a[3] a[4] d 1 0 undef undef undef undef

79 States, Transi8ons, Execu8ons States values of local and global variables, program counter, stack, heap Control Data pc i a[0] a[1] a[2] a[3] a[4] d 1 0 undef undef undef undef

80 States, Transi8ons, Execu8ons States Transi8ons values of local and global variables, program counter, stack, heap state changes pc d b i a[0] 1 0 a[i]=0 0 0 a[1] undef 0 a[2] undef undef a[3] undef undef a[4] undef undef

81 States, Transi8ons, Execu8ons States Transi8ons values of local and global variables, program counter, stack, heap state changes pc d b Control i a[0] a[1] 1 0 undef a[i]= Data a[2] undef undef a[3] undef undef a[4] undef undef

82 States, Transi8ons, Execu8ons States Transi8ons Execu8ons values of local and global variables, program counter, stack, heap state changes Sequence of state changes pc a b c d b i a[0] undef undef i=0 undef a[i]=0 0 ++i 0 a[i]=0 0 0 a[1] undef undef undef undef 0 a[2] undef undef undef undef undef a[3] undef undef undef undef undef a[4] undef undef undef undef undef

83 Control and Data in Programs Variables Statements Control flow have values, define state modify values, define transi8ons on data modify program counter, define control transi8ons States Variables Execu8ons Execu8ons Transi8ons Statements Control Flow

Variables Laace Execu8ons Sta8c Analyzer

84 Architecture of a Sta8c Analyzer The behavior of a program can be approximated by separately approxima8ng variable values, statements and control flow. Variables Laace Execu8ons Sta8c Analyzer Statements Control Flow Transformers System of Equa8ons

85 Laaces in Sta8c Analysis x<=0 x!=0 x>=0 top x<0 x==0 x>0 false Even false Odd bot Signs posi8ve/nega8ve/zero cannot represent non- zero values no rela8onships between variables Parity even or odd cannot represent values no rela8onships between variables Constants a single value cannot represent more values: x==3 x==4 no rela8onships between variables

86 The Interval Laace [INT_MIN, 0] [INT_MIN, - 1] [INT_MIN, INT_MAX] [- 1,1] [- 2,- 1] [- 1,0] [0,1] [1,2] [- 1,- 1] [0,0] [1,1] [] [0,INT_MAX] [1,INT_MAX] a An interval is a pair [a,b] with a <= b min(a,c) a c a There is a par&al order between intervals a max(a,c) c b c b b d max(b,d) d The join is the smallest enclosing interval min(b,d) b d The meet is the largest shared interval

87 Loss of Informa8on in the Interval Laace [INT_MIN, 0] [INT_MIN, INT_MAX] [0,INT_MAX] Intervals are useful for tracking the range of variables. They lose informa8on about concrete values. [INT_MIN, - 1] [- 1,1] [1,INT_MAX] Arbitrary sets {1,5}, {1,3,5} {1,2,4,5} are represented by [1,5] [- 2,- 1] [- 1,0] [0,1] [1,2] [- 1,- 1] [0,0] [1,1] [] Union Rela8ons [1,3] join [6,7] = [1,7] includes values 4 and 5 x=y can only be wri\en as x:[int_min,int_max], y:[int_min,int_max]

Propaga8on In sta8c analysis laace elements abstract states order is used to check if results

88 Laace in a Sta8c Analyzer Laace A laace is a set with a par&al order for comparing elements a least upper bound called join a greatest lower bound called meet Transformers Sta8c Analyzer Propaga8on In sta8c analysis laace elements abstract states order is used to check if results change meet and join are used at branch and join points Most analyses use only meet or only join

89 1 Analysis Frameworks a b c d Laaces Transformers Systems of Equa8ons Solving Equa8ons

90 Sign Analysis Transformers x>=0 x = x + 1; x>0 A transformer (or transfer func&on) describes how a statement modifies laace elements d in f d out x = 0; x = x+1; if (x > 4) x<=0 x!=0 x>=0 x<=0 x!=0 x>=0 x<=0 x!=0 x>=0 x<0 x==0 x>0 x<0 x==0 x>0 x<0 x==0 x>0 false false false

91 Interval Analysis Transformers Statement Transformer Loss of Precision x = x+3 a b a+3 b+3 No loss of precision x=2*x a 2a b mul8ples of 2 in [2a,2b] 2b [3,4] is transformed to [6,8] and includes 7, which is not a mul8ple of 2 if (x<=4) a b INT_MIN 4 a min(b,4)* No loss of precision if (x==y) a x c max(a,c) x y y b d min(b,d)* Cannot express that x and y must have the same value, not just bounds * [a,b] means False when a>b.

Approach starts with GEN and KILL sets

Approach starts with GEN and KILL sets b -Advanced-DFA Review of Data Flow Analysis State Propaga+on Computer Science 5-6 Fall Prof. L. J. Osterweil Material adapted from slides originally prepared by Prof. L. A. Clarke A technique for determining