CSCE 548 Building Secure Software Software Analysis Basics

Transcription

1 CSCE 548 Building Secure Software Software Analysis Basics Professor Lisa Luo Spring 2018

2 Previous Class Ø Android Background Ø Two Android Security Problems: 1. Android App Repackaging o Very easy to repackage an app o Countermeasures 2. Android Permission System o Access control 2

3 Why should we learn software analysis? Learn methods to improve software quality reliability, security, performance, etc. Become a better software developer/tester Build specialized tools for software diagnosis and testing 3

4 The Ariane Rocket Disaster (1996)

5 Ariane Disaster Post Mortem Caused due to numeric overflow error Attempt to fit 64-bit format data in 16-bit space Cost $100M s for loss of mission Multi-year setback to the Ariane program Read more at

6 What is Program Analysis? Body of work to discover useful facts about programs Broadly classified into three kinds: Dynamic (execution-time) Static (compile-time) Hybrid (combines dynamic and static)

7 Dynamic Program Analysis Infer facts of program by monitoring its runs Examples: Array bound checking Purify Memory leak detection Valgrind Datarace detection Eraser Finding likely invariants Daikon

8 Static Program Analysis Infer facts of the program by inspecting its source (or binary) code Examples: Suspicious error patterns Lint, FindBugs, Coverity Memory leak detection Facebook Infer Checking API usage rules Microsoft SLAM Verifying invariants ESC/Java

9 Dynamic vs. Static Analysis Match each box with its corresponding feature. Cost Effectiveness Dynamic B. Proportional to program s execution time A. Incomplete (may miss errors) Static C. Proportional to program s size D. Unsound (may report spurious errors) A. Incomplete (may miss errors) B. Proportional to program s execution time C. Proportional to program s size D. Unsound (may report spurious errors)

10 Terminology Control-flow graph Basic block Execution path

11 Control-flow Graph (CFG) A control-flow graph is a representation of a program that makes certain analyses (including dataflow analyses) easier A CFG is a directed graph where Each node represents a statement Edges represent control flow 11

12 Control-flow Graph Example 12

13 Control-flow Graph with Basic Blocks May group statements into basic blocks 13

14 Terminology int foo (int a) { int r; if (a == 1234) { r = 1; else { r = 0; return r; A basic block An execution path int r; if (a == 1234) r = 1 r = 0 return r Control-flow graph 14

15 Example 1: Control-flow Graph Generation If-else statement While statement Switch-case statement 15

16 If-else statement 1 if (a == 1234) { 2 r = 1; else { 3 r = 0; 4 printf ( r=%d, r);

17 While statement 1 while ( x < 50 ) { 2 sum += x; 3 x++; 4 printf ( sum=%d, sum); 1 2;

18 Switch-case statement 1 switch (a) { case 0: 2 a += 2; case 1: 3 a += 20; default: 4 a += 10; 5 printf ( a=%d, a);

19 Practice: Draw a CFG while (x < 100) { if (a[x] % 2 == 0) { parity = 0; else { parity = 1; switch(parity) { case 0: println( even ); case 1: println( odd ); default: println( unexpected error ); x ++; p = true;

20 Example 2: Program Invariants int p(int x) { return x * x; An invariant at the end of the program is (z == c) for some constant c. What is c? void main() { int z; if (getc() == a ) z = p(6) + 6; else z = p(-7) 7; z =?

21 Example 2: Program Invariants int p(int x) { return x * x; An invariant at the end of the program is (z == c) for some constant c. What is c? void main() { int z; if (getc() == a ) z = p(6) + 6; else z = p(-7) 7; Disaster averted! if (z!= 42) disaster(); z = 42

22 Discovering Invariants By Dynamic Analysis int p(int x) { return x * x; (z == 42) might be an invariant (z == 30) is definitely not an invariant void main() { int z; if (getc() == a ) z = p(6) + 6; else z = p(-7) 7; if (z!= 42) disaster(); z = 42

23 Discovering Invariants By Static Analysis is definitely (z == 42) might be an invariant (z == 30) is definitely not an invariant int p(int x) { return x * x; void main() { int z; if (getc() == a ) z = p(6) + 6; else z = p(-7) 7; if (z!= 42) disaster(); z = 42

24 Static Analysis: Iterative Approximation Find variables that have a constant value (i.e., invariant) at a given program point void main() { z = 3; while (true) { if (x == 1) y = 7; else y = z + 4; assert (y == 7);

25 Iterative Approximation [x=?, y=?, z=?] z =3 [x=?, y=?, z=3] while (x > 0) true false [x=?, y=?, z=3] [x=?, y=?, z=3] [x=1, y=?, z=3] true if (x == 1) false [x=?, y=?, z=3] y =7 y = z + 4 [x=1, y=7, z=3] [x=?, y=7, z=3] assert (y == 7)

26 Iterative Approximation Fill in the value of variable b that the analysis infers at: [b=?] b = 1 1) the loop header 2) entry of loop body 3) exit of loop body Enter? if a definite value cannot be inferred. 1) 2) 3) [b=1] false [b=?] [b=?] [b=1] while ( x < 50 ) true [b=1][b=?] b = b + 1 [b=2] [b=?]

27 Who Needs Program Invariants? Three primary consumers: Compilers Software Quality Tools Integrated Development Environments (IDEs)

28 Compilers Bridge between high-level languages and architectures Use program analysis to generate efficient code int p(int x) { return x * x; void main(int arg) { int z; if (arg!= 0) z = p(6) + 6; else z = p(-7) - 7; print (z); z = 42 int p(int x) { return x * x; void main() { print (42); Runs faster More energy-efficient Smaller in size

29 Software Quality Tools Tools for testing, debugging, and verification Use program analysis for: Finding programming errors Proving program invariants Generating test cases Localizing causes of errors int p(int x) { return x * x; void main() { int z; if (getc() == a ) z = p(6) + 6; else z = p(-7) 7; if (z!= 42) disaster(); z = 42

30 Integrated Development Environments Examples: Eclipse and Microsoft Visual Studio Use program analysis to help programmers: Understand programs Refactor programs Restructuring a program without changing its behavior Useful in dealing with large, complex programs

31 Summary What is program analysis? Dynamic vs. static analysis: pros and cons Examples Example 1: CFG generation Example 2: Program invariants Iterative approximation method for static analysis Who needs program analysis?