Simple Overflow. #include <stdio.h> int main(void){ unsigned int num = 0xffffffff;

Transcription

1 Simple Overflow 1 #include <stdio.h> int main(void){ unsigned int num = 0xffffffff; printf("num is %d bits long\n", sizeof(num) * 8); printf("num = 0x%x\n", num); printf("num + 1 = 0x%x\n", num + 1); } return 0; nova:signed {4}./ex2 num is 32 bits long num = 0xffffffff num + 1 = 0x0

2 Integer Overflows Exploits range of value integers can store Ex: signed two-byte int stores between and Cause unexpected wrap-around scenarios Attacker passes int greater than max (positive) -> value wraps around to the min (negative!) Can cause unexpected program behavior, possible buffer overflow exploits Completely crazy from a more abstract point of view

3 Signed/unsigned Confusion

4 There s more: Memory Safety Issues 4 buffer overflow use after free read/dereference of uninitialized memory double-free null pointer dereference

5 Memory Safety 5 Computer languages such as C and C++ that support arbitrary pointer arithmetic, casting, and deallocation are typically not memory safe. There is a variety of approaches to find errors in programs in C/C++. C/C++ is too close to hardware and provides little out of the box in terms of safe(r) programming

6 Alternatives? Better Languages 6 Most high-level programming languages avoid the problem by disallowing pointer arithmetic and casting entirely, and by using garbage collection for memory management. Generally, elevates the level of vulnerabilities Buffer overruns are not an issue, but other things like XSS are

7 Attack Defense Zigzag 7 Stack-based buffer overruns StackGuard Heap-based buffer overruns ALSR and NX Heap sprays and ROC Specific defenses

8 Shellshock 8 Shellshock is the mediafriendly name for a security bug found in Bash, a command shell That may allow a remote attacker to send you text that you hand over to a Bash script as harmless looking data, only to find that it gets processed as if it were code, or program commands. The bug is what's known as a Remote Code Execution This sort of trickery is often known as command injection, because it involves sneaking in operating system commands, hoping that they get run by mistake. vulnerability

9 9 Shellshock

10 Remote Execution? 10 Wait, remote command execution on bash? How can someone remotely execute commands on a local shell? The issue starts with mod_cgi and how web servers interact with CGI programs (written in Perl, PHP, Shell or any other language). The web server passes (environment) user variables to them so they can do their work. In simple terms, this vulnerability allows an attacker to pass a command as a variable that gets executed by bash.

11 Patch is the Message 11 It means that if you are using mod_cgi on your webserver and you have a CGI written in shell script, you are in deep trouble. Drop everything now and patch your servers. If you have CGI s written on any other language, but you are using system(), (backticks) or executing any commands from the CGI, you are in deep trouble. Drop everything now and patch your servers. If you don t know what you have, Drop everything now and patch your servers.

12 Patch and Test 12 #sudo apt-get install bash - or - [root@yourserver ~]# env x='() { :;}; echo vulnerable' bash -c 'echo hello' #sudo yum update bash bash: warning: x: ignoring function definition attempt bash: error importing function definition for `x' hello

13 Trying This on bicycle.cs 13 But someone needs to come in and actively patch the machine once the bug is found This is too late the vulnerability may already have been exploited

14 CSE484/CSE584 ROBUST APPLICATION CODE THROUGH ANALYSIS Dr. Benjamin Livshits

15 15 Cost of Fixing a Defect

16 16 How Do We Find Bugs?

17 Runtime Monitoring 17 Instrument code for testing Heap memory: Purify Valgrind: Perl tainting (information flow) Java race condition checking Pros: Easy to reproduce the bug Relatively easy to implement Cons: Slows down the program significantly 10x-40x slowdowns Test only: cannot be used in production Not all paths executed

18 Black-box Testing 18 Fuzzing and penetration testing Black-box web application security analysis Typically, tries to provide cleverly crafted unexpected inputs Also knows as inputs of death Example: Peach fuzzer antifuzzer, Dfuz, SPIKE, GPF, etc. Pros: Easy to reproduce the bug Don t need to understand the code Can be done by someone else Cons: Have no visibility into program logic Has low coverage Possibly lots of missing vulnerabilities

19 19 Static Analysis Static code analysis toos Coverity Tools from Microsoft like Prefix and Prefast FindBugs (for Java) Fortify (for security) Pros: Near-perfect code coverage, exercise all paths Can be run, incrementally as part of development process Cons: Can be imprecise Can scale poorly Can produce results that are tough to interpret

20 20 From Coverity

21 21 From CPyChecker

22 22 From FxCop

23 23 From PVS-Studio

24 24 From Visual Lint

25 25 XSS Detect

26 26 Visual Studio

27 Outline General discussion of static analysis tools Goals and limitations Approach based on abstract states More about one specific approach Property checkers from Engler et al., Coverity Sample security-related results Slides from: S. Bugrahe, A. Chou, I&T Dillig, D. Engler, J. Franklin, A. Aiken, Mitchll

28 Static Analysis Coverage Advantage Entry Manual testing only examines small subset of behaviors Exit Software Behaviors

29 Program Analyzers analyze large code bases Code Report Type Line 1 mem leak 324 Spec Program Analyzer 2 buffer oflow 4,353,245 3 sql injection 23,212 4 stack oflow 86,923 5 dang ptr 8,491 false alarm false alarm 10,502 info leak 10,921 potentially reports many warnings may emit false alarms

30 Static Analysis Goals Bug finding: identify code that the programmer wishes to modify or improve Correctness: Verify the absence of certain classes of errors

31 Soundness and Completeness Property Soundness Definition If the program contains an error, the analysis will report a warning. Sound for reporting correctness Completeness If the analysis reports a warning, the program will contain an error. Complete for reporting correctness

32 Unsound Sound Decidable? Complete Incomplete Reports all errors Reports no false alarms Undecidable Reports all errors May report false alarms Decidable May not report all errors Reports no false alarms Decidable May not report all errors May report false alarms Decidable

33 Over- and Underapproximations Modules Reported Error Sound Over-approximation of Behaviors... Software False Alarm Behaviors approximation is too coarse yields too many false alarms

34 Does This Program Ever Crash? entry X 0 Is Y = 0? yes no X X + 1 X X - 1 Is Y = 0? yes Is X < 0? yes no no exit crash

35 Does This Program Ever Crash? entry X 0 Is Y = 0? yes no X X + 1 X X - 1 Is Y = 0? infeasible path! overly imprecise program will never crash yes Is X < 0? yes no crash no exit

36 Try Analyzing Without Approximation entry X = 0 X 0 Is Y = 0? X = 01 2 X = 12 3 X = 12 3 X = 12 3 yes no X X + 1 X X - 1 Is Y = 0? yes no Is X < 0? yes no crash exit X = 12 3 non-termination! therefore, need to approximate

37 Dataflow Analysis Framework dataflow elements X = 0 d in X X + 1 f d out = f(d in) X = 1 d out transfer function dataflow equation

38 Applying the Dataflow Approach X = 0 d in1 X = 1 X X + 1 d out1 f1 d out1 = f 1 (d in1 ) X = 1 d in2 d out1 = d in2 Is Y = 0? f2 d out2 = f 2 (d in2 ) X = 1 d out2

39 Meet/Join Operator d out1 = f 1 (d in1 ) d in 1 f 1 f 2 d in 2 d out2 = f 2 (d in2 ) d out1 d join d in3 d out3 f 3 d out 2 d join = d out1 d out2 d join = d in3 d out3 = f 3 (d in3 ) What is the space of dataflow elements,? What is the least upper bound operator,? least upper bound operator Example: union of possible values

40 Try Analyzing with Signs Approximation entry X = 0 X 0 Is Y = 0? X = 0 yes no X = 0 lost precision X = pos X = T X = T X X + 1 X X - 1 Is Y = 0? yes no X = neg X = T Is X < 0? exit X = T yes no X = T terminates... but reports false alarm therefore, need more precision crash

41 Lattices X = T X neg X = T X pos true X = pos X = 0 X = neg X = X = Y = 0 Y 0 false refined signs signs lattice lattice Boolean formula lattice

42 Try Analyzing with Path-sensitive signs entry true X = 0 X 0 Is Y = 0? Y=0 X = 0 yes no X = 0 Y 0 X X + 1 X X - 1 Y=0 X = pos X = neg Y 0 no precision loss Y=0 X = pos Is Y = 0? Y 0 X = neg yes no X = neg Y 0 Y=0 X = pos refinement Is X < 0? exit yes no crash terminates... no false alarm soundly proved never crashes X = pos Y=0