Analysis/Bug-finding/Verification for Security
|
|
- Ashlie Mills
- 5 years ago
- Views:
Transcription
1 Analysis/Bug-finding/Verification for Security VIJAY GANESH University of Waterloo Winter 2013
2 Analysis/Test/Verify for Security Instrument code for testing Heap memory: Purify Perl tainting (information flow) Java race condition checking Black-box testing Fuzzing and penetration testing Black-box web application security analysis Static code analysis FindBugs, Fortify, Coverity, MS tools, Model Checking tools NuSMV to verify program properties Slide courtesy John Mitchell 2
3 Manual Testing Doesn t Scale Entry Exit Software Slides courtesy John Mitchel 3
4 Manual Testing Doesn t Scale Entry Exit Software Behaviors Slides courtesy John Mitchel 3
5 Manual Testing Doesn t Scale Entry Exit Software Behaviors Slides courtesy John Mitchel 3
6 Manual Testing Doesn t Scale Entry Exit Software Behaviors Slides courtesy John Mitchel 3
7 Manual Testing Doesn t Scale Entry Exit Software Behaviors Slides courtesy John Mitchel 3
8 Manual Testing Doesn t Scale Entry Exit Software Behaviors Slides courtesy John Mitchel 3
9 Manual Testing Doesn t Scale Entry Manual testing only examines small subset of behaviors Exit Software Behaviors Slides courtesy John Mitchel 3
10 Bug in Swfdec Adobe Flash Movie Player clipconv8x8_u8_s16_c(ptr...){... for (i = 0; i < 8; i++) { for (j = 0; j < 8; j++) { x = BLOCK8x8_S16 (src,sstr,i,j); if (x < 0) x = 0; ptr comes from caller ptr references unallocated memory if (x > 255) x = 255; (*((uint8_t *)((void *) ptr + stride*row) + column)) = x; Code From LibOIL Library version 0.3.x (GNOME Windowing System)
11 Bug in Swfdec Adobe Flash Movie Player jpeg_decoder(jpegdecoder* dec) { dec->width_blocks = (dec->width + 8*max_h_sample - 1)/(8*max_h_sample); dec->height_blocks = (dec->height + 8*max_v_sample - 1)/(8*max_v_sample); int rowstride, image_size;... rowstride = dec->width_blocks * 8*max_h_sample / dec->comps[i].h_subsample; imagesize = rowstride * (dec->height_blocks * 8*max_v_sample/dec->comps[i].v_subsample); malloc OK But imagesize 0 dec->c[i].image=malloc(imagesize);... //LibOIL API function call clipconv8x8_u8_s16_c(dec->c[i].image...);... Code from Swfdec Shockwave Flash Movie Player
12 Bug in Swfdec Adobe Flash Movie Player jpeg_decoder(jpegdecoder* dec) { from input movie dec->width_blocks = (dec->width + 8*max_h_sample - 1)/(8*max_h_sample); dec->height_blocks = (dec->height + 8*max_v_sample - 1)/(8*max_v_sample); int rowstride, image_size;... rowstride = dec->width_blocks * 8*max_h_sample / dec->comps[i].h_subsample; imagesize = rowstride * (dec->height_blocks * 8*max_v_sample/dec->comps[i].v_subsample); malloc OK But imagesize 0 dec->c[i].image=malloc(imagesize);... //LibOIL API function call clipconv8x8_u8_s16_c(dec->c[i].image...);... Code from Swfdec Shockwave Flash Movie Player
13 Essence of this Bug Overflow in imagesize computation jpegdecode(image) { imagesize = f(image->height)*g(image->width); ptr = malloc(imagesize); LibraryCall(ptr, );
14 Difficulty of finding this Bug Deep in the program Stack depth 50 Number of instructions in path: ~ 7 million Program source (excluding libraries) ~70 KLOC Complex input format Movie file, arbitrarily large and complex Few regions of input (height, width) Construct a test input to find bug automatically
15 Random Fuzzing Input Movie File Multiple Fuzzed Movie Files The Fuzzer randomly mutates various fields in the file It can work sometimes However, often produces mal-formed inputs rejected by parser
16 Problem with Random Fuzzing Fuzzed Input Movie File Parsing And Syntactic Check Semantic Core of the Program Program under test
17 Problem with Random Fuzzing Fuzzed Input Movie File Parsing And Syntactic Check Semantic Core of the Program Random Fuzzed inputs often Rejected by Parser Program under test
18 Problem with Random Fuzzing Fuzzed Input Movie File Parsing And Syntactic Check Semantic Core of the Program Random Fuzzed inputs often Rejected by Parser Program under test Rejected In Parsing
19 Information-flow based Fuzzer Program Source Valid Seed Input BuzzFuzz Bug-revealing Input
20 Information-flow based Execution Instrument source for information-flow analysis (tainttracking) Track input regions to sinks Dynamic data dependency analysis Map from values to set of input bytes
21 Information-flow based Execution jpeg_decoder(jpeg* dec) { dec->width_blocks = (dec->width + 8*max_h_sample - 1)/(8*max_h_sample); dec->height_blocks = (dec->height + 8*max_h_sample - 1)/(8*max_h_sample);... rowstride = dec->width_blocks * 8*max_h_sample / dec->comps[i].h_subsample; image_size = rowstride * (dec->height_blocks * 8*max_v_sample/dec->comps[i].v_subsample); dec->c[i].image=malloc(image_size);... //LibOIL API function call clipconv8x8_u8_s16_c(dec->c[i].image...);... //End of Movie Player Code Input Movie File Data Dependency from input bytes to computed values
22 Information-flow based Fuzzer Selecting Attack Points Library API as Sinks or Attack Points Program Source Valid Seed Input BuzzFuzz List of Program Attackpoints
23 Information-flow based Fuzzer Fuzzing with Extremal Values Extremal values for integers: 0,-1,int_max Valid Seed Input Fuzzer 0xffff Fuzzed Input 0xffff Height:1862,1863 Width: 1864,1865 Generated Taint Report
24 Information-flow based Fuzzer Smarter way to Fuzz 0xffff Fuzzed Input 0xffff Program under test CRASH!!
25 Program Analyzers Code Spec
26 Program Analyzers Code Program Analyzer Spec
27 Program Analyzers Code Report Type Line 1 mem leak 324 Program Analyzer 2 buffer oflow 4,353,245 3 sql injection 23,212 4 stack oflow 86,923 Spec 5 dang ptr 8,491 10,502 info leak 10,921
28 Program Analyzers analyze large code bases Code Report Type Line 1 mem leak 324 Program Analyzer 2 buffer oflow 4,353,245 3 sql injection 23,212 4 stack oflow 86,923 Spec 5 dang ptr 8,491 10,502 info leak 10,921
29 Program Analyzers analyze large code bases Code Report Type Line 1 mem leak 324 Program Analyzer 2 buffer oflow 4,353,245 3 sql injection 23,212 4 stack oflow 86,923 Spec 5 dang ptr 8,491 10,502 info leak 10,921 potentially reports many warnings
30 Program Analyzers analyze large code bases Code Report Type Line 1 mem leak 324 Spec Program Analyzer 2 buffer oflow 4,353,245 3 sql injection 23,212 4 stack oflow 86,923 5 dang ptr 8,491 false alarm false alarm 10,502 info leak 10,921 potentially reports many warnings
31 Program Analyzers analyze large code bases Code Report Type Line 1 mem leak 324 Spec Program Analyzer 2 buffer oflow 4,353,245 3 sql injection 23,212 4 stack oflow 86,923 5 dang ptr 8,491 false alarm false alarm 10,502 info leak 10,921 potentially reports many warnings may emit false alarms
32 Static Analysis Goals Bug finding Identify code that the programmer wishes to modify or improve Correctness Verify the absence of certain classes of errors Note: some fundamental limitations Slides courtesy John Mitchell
33 Soundness and Completeness Property Soundness Definition If the program contains an error, the analysis will report a warning. Sound for reporting correctness Completeness If the analysis reports an error, the program will contain an error. Complete for reporting correctness Slides courtesy John Mitchell
34 Complete Incomplete Unsound Sound Slides courtesy John Mitchell
35 Complete Incomplete Sound Reports all errors Reports no false alarms Unsound Slides courtesy John Mitchell
36 Complete Incomplete Sound Reports all errors Reports no false alarms Undecidable Unsound Slides courtesy John Mitchell
37 Complete Incomplete Sound Reports all errors Reports no false alarms Undecidable Reports all errors May report false alarms Unsound Slides courtesy John Mitchell
38 Complete Incomplete Sound Reports all errors Reports no false alarms Undecidable Reports all errors May report false alarms Decidable Unsound Slides courtesy John Mitchell
39 Complete Incomplete Sound Reports all errors Reports no false alarms Undecidable Reports all errors May report false alarms Decidable Unsound May not report all errors Reports no false alarms Slides courtesy John Mitchell
40 Complete Incomplete Sound Reports all errors Reports no false alarms Undecidable Reports all errors May report false alarms Decidable Unsound May not report all errors Reports no false alarms Decidable Slides courtesy John Mitchell
41 Complete Incomplete Sound Reports all errors Reports no false alarms Undecidable Reports all errors May report false alarms Decidable Unsound May not report all errors Reports no false alarms Decidable May not report all errors May report false alarms Slides courtesy John Mitchell
42 Complete Incomplete Sound Reports all errors Reports no false alarms Undecidable Reports all errors May report false alarms Decidable Unsound May not report all errors Reports no false alarms Decidable May not report all errors May report false alarms Decidable Slides courtesy John Mitchell
43 Static Analysis 20 Slides courtesy Andy Chou
44 Static Analysis Source Code char *p; if(x == 0) p = foo(); else p = 0; if(x!= 0) s=*p; else...; return; 20 Slides courtesy Andy Chou
45 Static Analysis Source Code char *p; if(x == 0) p = foo(); else p = 0; if(x!= 0) s=*p; else...; return; true p = 0 true... char *p if (x == 0) if(x!= 0) false p = foo() false s=*p 20 return Slides courtesy Andy Chou
46 Static Analysis Source Code Symbolic CFG Analysis Defects detected char *p; if(x == 0) p = foo(); else p = 0; if(x!= 0) s=*p; else...; return; true p = 0 true... char *p if (x == 0) if(x!= 0) false p = foo() false s=*p Assigning: p=0 x!=0 taking true branch Dereferencing null pointer p return Slides courtesy Andy Chou 20
47 Example int double (int v) { return 2*v; void testme (int x, int y) { z = double (y); if (z == x) { if (x > y+10) { ERROR;
48 Example int double (int v) { return 2*v; N 2*y == x Y void testme (int x, int y) { z = double (y); if (z == x) { N x > y+10 Y if (x > y+10) { ERROR; ERROR
49 Concolic Testing Approach int double (int v) { return 2*v; concrete state Concrete Execution symbolic state Symbolic Execution path condition void testme (int x, int y) { z = double (y); if (z == x) { x = 22, y = 7 x = x 0, y = y 0 if (x > y+10) { ERROR;
50 Concolic Testing Approach int double (int v) { return 2*v; concrete state Concrete Execution symbolic state Symbolic Execution path condition void testme (int x, int y) { z = double (y); if (z == x) { if (x > y+10) { ERROR; x = 22, y = 7, z = 14 x = x 0, y = y 0, z = 2*y 0
51 Concolic Testing Approach int double (int v) { return 2*v; concrete state Concrete Execution symbolic state Symbolic Execution path condition void testme (int x, int y) { z = double (y); if (z == x) { 2*y 0!= x 0 if (x > y+10) { ERROR; x = 22, y = 7, z = 14 x = x 0, y = y 0, z = 2*y 0
52 Concolic Testing Approach int double (int v) { return 2*v; concrete state Concrete Execution symbolic state Symbolic Execution path condition void testme (int x, int y) { z = double (y); if (z == x) { if (x > y+10) { ERROR; Solve: 2*y 0 == x 0 Solution: x 0 = 2, y 0 = 1 x = 22, y = 7, z = 14 x = x 0, y = y 0, z = 2*y 0 2*y 0!= x 0
53 Concolic Testing Approach int double (int v) { return 2*v; concrete state Concrete Execution symbolic state Symbolic Execution path condition void testme (int x, int y) { z = double (y); if (z == x) { if (x > y+10) { ERROR; x = 2, y = 1, z = 2 x = x 0, y = y 0, z = 2*y 0 2*y 0 == x 0
54 Concolic Testing Approach int double (int v) { return 2*v; concrete state Concrete Execution symbolic state Symbolic Execution path condition void testme (int x, int y) { z = double (y); if (z == x) { if (x > y+10) { ERROR; 2*y 0 == x 0 x 0 > y x = 2, y = 1, z = 2 x = x 0, y = y 0, z = 2*y 0
55 Concolic Testing Approach int double (int v) { return 2*v; concrete state Concrete Execution symbolic state Symbolic Execution path condition void testme (int x, int y) { z = double (y); if (z == x) { if (x > y+10) { ERROR; Solve: (2*y 0 == x 0 ) AND (x 0 > y ) Solution: x 0 = 30, y 0 = 15 2*y 0 == x 0 x 0 y x = 2, y = 1, z = 2 x = x 0, y = y 0, z = 2*y 0
56 Concolic Testing Approach int double (int v) { return 2*v; concrete state Concrete Execution symbolic state Symbolic Execution path condition void testme (int x, int y) { z = double (y); if (z == x) { x = 30, y = 15 x = x 0, y = y 0 if (x > y+10) { ERROR;
57 Concolic Testing Approach int double (int v) { return 2*v; concrete state Concrete Execution symbolic state Symbolic Execution path condition void testme (int x, int y) { z = double (y); if (z == x) { if (x > y+10) { ERROR; Program Error x = 30, y = 15 x = x 0, y = y 0 2*y 0 == x 0 x 0 > y 0 +10
58 Explicit Path (not State) Model Traverse all execution paths one by one to F T detect errors assertion violations F T F T program crash uncaught exceptions T F T combine with valgrind to discover memory errors T F T
59 Reliability through Logical Reasoning Engineering, Usability, Novelty Program Specification Logic Formulas Program Reasoning Tool Solver SAT/UNSAT Program is Correct? or Generate Counterexamples (Test cases) 33
60 What is at the Core? The SAT/SMT Problem Logic Formula (q p r) (q p r)... Solver SAT UNSAT Rich logics (Modular arithmetic, Arrays, Strings,...) NP-complete, PSPACE-complete,... Practical, scalable, usable, automatic Enable novel software reliability approaches 34
61 Programs Reasoning & STP Why Bit-vectors and Arrays STP logic tailored for software reliability applications Support symbolic execution/program analysis Int Var Char Var Arithmetic operation (x+y, x-y, x*y, x/y,...) assignments x = expr; C/C++/Java/... if conditional if(cond) x = expr 1 else x = expr 2 inequality Memory read/write x = *ptr + i; Structure/Class Function Loops 32 bit variable 8 bit variable Bit-vectors and Arrays Arithmetic function (x+y,x-y,x*y,x/y,...) equality x = expr; if-then-else construct x = if(cond) expr 1 else expr 2 inequality predicate Array read/write ptr[]; x = Read(ptr,i); Serialized bit-vector expressions Symbolic execution Bounding 35
62 How to Automatically Crash Programs? Concolic Execution & STP Problem: Automatically generate crashing tests given only the code Program Automatic Tester Symbolic Execution Engine with Implicit Spec Formulas SAT/UNSAT STP Crashing Tests 36
63 How to Automate Testing? Concolic Execution & STP Structured input processing code: PDF Reader, Movie Player,... Buggy_C_Program(int* data_field, int len_field) { int * ptr = malloc(len_field*sizeof(int)); int i; //uninitialized while (i++ < process(len_field)) { //1. Integer overflow causing NULL deref //2. Buffer overflow *(ptr+i) = process_data(*(data_field+i)); Formula captures computation Tester attaches formula to capture spec 37
64 How to Automate Testing? Concolic Execution & STP Structured input processing code: PDF Reader, Movie Player,... Buggy_C_Program(int* data_field, int len_field) { int * ptr = malloc(len_field*sizeof(int)); int i; //uninitialized while (i++ < process(len_field)) { //1. Integer overflow causing NULL deref //2. Buffer overflow *(ptr+i) = process_data(*(data_field+i)); Equivalent Logic Formula derived using symbolic execution data_field, mem_ptr : ARRAY; len_field : BITVECTOR(32); //symbolic i, j, ptr : BITVECTOR(32);//symbolic.. mem_ptr[ptr+i] = process_data(data_field[i]); mem_ptr[ptr+i+1] = process_data(data_field[i+1]);.. Formula captures computation Tester attaches formula to capture spec 37
65 How to Automate Testing? Concolic Execution & STP Structured input processing code: PDF Reader, Movie Player,... Buggy_C_Program(int* data_field, int len_field) { int * ptr = malloc(len_field*sizeof(int)); int i; //uninitialized while (i++ < process(len_field)) { //1. Integer overflow causing NULL deref //2. Buffer overflow *(ptr+i) = process_data(*(data_field+i)); Equivalent Logic Formula derived using symbolic execution data_field, mem_ptr : ARRAY; len_field : BITVECTOR(32); //symbolic i, j, ptr : BITVECTOR(32);//symbolic.. mem_ptr[ptr+i] = process_data(data_field[i]); mem_ptr[ptr+i+1] = process_data(data_field[i+1]);.. Formula captures computation Tester attaches formula to capture spec 37
66 How to Automate Testing? Concolic Execution & STP Structured input processing code: PDF Reader, Movie Player,... Buggy_C_Program(int* data_field, int len_field) { int * ptr = malloc(len_field*sizeof(int)); int i; //uninitialized while (i++ < process(len_field)) { //1. Integer overflow causing NULL deref //2. Buffer overflow *(ptr+i) = process_data(*(data_field+i)); Equivalent Logic Formula derived using symbolic execution data_field, mem_ptr : ARRAY; len_field : BITVECTOR(32); //symbolic i, j, ptr : BITVECTOR(32);//symbolic.. mem_ptr[ptr+i] = process_data(data_field[i]); mem_ptr[ptr+i+1] = process_data(data_field[i+1]);.. //INTEGER OVERFLOW QUERY 0 <= j <= process(len_field); ptr + i + j = 0? Formula captures computation Tester attaches formula to capture spec 37
Simple Overflow. #include <stdio.h> int main(void){ unsigned int num = 0xffffffff;
Simple Overflow 1 #include int main(void){ unsigned int num = 0xffffffff; printf("num is %d bits long\n", sizeof(num) * 8); printf("num = 0x%x\n", num); printf("num + 1 = 0x%x\n", num + 1); }
More informationfinding vulnerabilities
cs6 42 computer security finding vulnerabilities adam everspaugh ace@cs.wisc.edu hw1 Homework 1 will be posted after class today Due: Feb 22 Should be fun! TAs can help with setup Use Piazza as first step
More informationSecure Software Development: Theory and Practice
Secure Software Development: Theory and Practice Suman Jana MW 2:40-3:55pm 415 Schapiro [SCEP] *Some slides are borrowed from Dan Boneh and John Mitchell Software Security is a major problem! Why writing
More informationHAMPI A String Solver for Testing, Analysis and Vulnerability Detection. Vijay Ganesh MIT July 16, 2011
HAMPI A String Solver for Testing, Analysis and Vulnerability Detection Vijay Ganesh MIT July 16, 2011 Software Engineering & SMT Solvers An Indispensable Tactic Formal Methods Program Analysis Program
More informationSoftware Security: Vulnerability Analysis
Computer Security Course. Software Security: Vulnerability Analysis Program Verification Program Verification How to prove a program free of buffer overflows? Precondition Postcondition Loop invariants
More informationAutomatic Software Verification
Automatic Software Verification Instructor: Mooly Sagiv TA: Oded Padon Slides from Eran Yahav and the Noun Project, Wikipedia Course Requirements Summarize one lecture 10% one lecture notes 45% homework
More informationSMT Solvers and Applications
SMT Solvers and Applications University of Waterloo Winter 2013 Talk Outline Topics covered in Lecture on SAT Solvers Motivation for SAT/SMT solvers in software engineering Software engineering (SE) problems
More informationStatic Analysis and Bugfinding
Static Analysis and Bugfinding Alex Kantchelian 09/12/2011 Last week we talked about runtime checking methods: tools for detecting vulnerabilities being exploited in deployment. So far, these tools have
More informationCUTE: A Concolic Unit Testing Engine for C
CUTE: A Concolic Unit Testing Engine for C Koushik Sen Darko Marinov Gul Agha University of Illinois Urbana-Champaign Goal Automated Scalable Unit Testing of real-world C Programs Generate test inputs
More informationProgram Analysis for Security
CS 155 Spring 2016 Program Analysis for Security John Mitchell Acknowledgments: Lecture slides are from the Computer Security course thought by Dan Boneh at Stanford University. When slides are obtained
More informationThree Important Testing Questions
Testing Part 2 1 Three Important Testing Questions How shall we generate/select test cases? Did this test execution succeed or fail? How do we know when we ve tested enough? 65 1. How do we know when we
More informationAutomated Whitebox Fuzz Testing. by - Patrice Godefroid, - Michael Y. Levin and - David Molnar
Automated Whitebox Fuzz Testing by - Patrice Godefroid, - Michael Y. Levin and - David Molnar OUTLINE Introduction Methods Experiments Results Conclusion Introduction Fuzz testing is an effective Software
More informationApplications. Cloud. See voting example (DC Internet voting pilot) Select * from userinfo WHERE id = %%% (variable)
Software Security Requirements General Methodologies Hardware Firmware Software Protocols Procedure s Applications OS Cloud Attack Trees is one of the inside requirement 1. Attacks 2. Evaluation 3. Mitigation
More informationSeminar in Software Engineering Presented by Dima Pavlov, November 2010
Seminar in Software Engineering-236800 Presented by Dima Pavlov, November 2010 1. Introduction 2. Overview CBMC and SAT 3. CBMC Loop Unwinding 4. Running CBMC 5. Lets Compare 6. How does it work? 7. Conclusions
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 16: Building Secure Software Department of Computer Science and Engineering University at Buffalo 1 Review A large number of software vulnerabilities various
More informationStatic Program Analysis Part 1 the TIP language
Static Program Analysis Part 1 the TIP language http://cs.au.dk/~amoeller/spa/ Anders Møller & Michael I. Schwartzbach Computer Science, Aarhus University Questions about programs Does the program terminate
More informationSecurity Testing. Ulf Kargén Department of Computer and Information Science (IDA) Division for Database and Information Techniques (ADIT)
Security Testing TDDC90 Software Security Ulf Kargén Department of Computer and Information Science (IDA) Division for Database and Information Techniques (ADIT) Security testing vs regular testing Regular
More informationIntroduction to CBMC. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel December 5, 2011
Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 December 5, 2011 based on slides by Daniel Kroening Bug Catching with SAT-Solvers Main Idea: Given a program and a claim use
More informationFinding vulnerabilifes CS642: Computer Security
Finding vulnerabilifes CS642: Computer Security Professor Ristenpart h9p://www.cs.wisc.edu/~rist/ rist at cs dot wisc dot edu University of Wisconsin CS 642 Finding vulnerabilifes Manual analysis Simple
More informationHAMPI A Solver for String Theories
HAMPI A Solver for String Theories Vijay Ganesh MIT (With Adam Kiezun, Philip Guo, Pieter Hooimeijer and Mike Ernst) Dagstuhl, 2010 Motivation for String Theories String-manipulating programs ü String
More informationSoftware security, secure programming
Software security, secure programming Fuzzing and Dynamic Analysis Master on Cybersecurity Master MoSiG Academic Year 2017-2018 Outline Fuzzing (or how to cheaply produce useful program inputs) A concrete
More informationFinding vulnerabilifes CS642: Computer Security
Finding vulnerabilifes CS642: Computer Security Professor Ristenpart h9p://www.cs.wisc.edu/~rist/ rist at cs dot wisc dot edu University of Wisconsin CS 642 Finding vulnerabilifes Manual analysis Simple
More informationIntroduction to CBMC: Part 1
Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Arie Gurfinkel, Sagar Chaki October 2, 2007 Many slides are courtesy of Daniel Kroening Bug Catching with SAT Solvers Main
More informationStatic program checking and verification
Chair of Software Engineering Software Engineering Prof. Dr. Bertrand Meyer March 2007 June 2007 Slides: Based on KSE06 With kind permission of Peter Müller Static program checking and verification Correctness
More informationStatic Analysis methods and tools An industrial study. Pär Emanuelsson Ericsson AB and LiU Prof Ulf Nilsson LiU
Static Analysis methods and tools An industrial study Pär Emanuelsson Ericsson AB and LiU Prof Ulf Nilsson LiU Outline Why static analysis What is it Underlying technology Some tools (Coverity, KlocWork,
More informationA Gentle Introduction to Program Analysis
A Gentle Introduction to Program Analysis Işıl Dillig University of Texas, Austin January 21, 2014 Programming Languages Mentoring Workshop 1 / 24 What is Program Analysis? Very broad topic, but generally
More informationlogistics: ROP assignment
bug-finding 1 logistics: ROP assignment 2 2013 memory safety landscape 3 2013 memory safety landscape 4 different design points memory safety most extreme disallow out of bounds usually even making out-of-bounds
More informationDART: Directed Automated Random Testing
DART: Directed Automated Random Testing Patrice Godefroid Nils Klarlund Koushik Sen Bell Labs Bell Labs UIUC Presented by Wei Fang January 22, 2015 PLDI 2005 Page 1 June 2005 Motivation Software testing:
More informationSAT/SMT Solvers and Applications
SAT/SMT Solvers and Applications University of Waterloo Winter 2013 Today s Lecture Lessons learnt so far Implementation-related attacks (control-hazard, malware,...) Program analysis techniques can detect
More informationOn Reasoning about Finite Sets in Software Checking
On Reasoning about Finite Sets in Software Model Checking Pavel Shved Institute for System Programming, RAS SYRCoSE 2 June 2010 Static Program Verification Static Verification checking programs against
More informationROBUST AND SECURE APPLICATION CODE THROUGH ANALYSIS. Dr. Benjamin Livshits
ROBUST AND SECURE APPLICATION CODE THROUGH ANALYSIS Dr. Benjamin Livshits 2 Cost of Fixing a Defect 3 How Do We Find Bugs? 4 Static Analysis Static code analysis toos Coverity Tools from Microsoft like
More informationTaintscope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection
: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang Tao Wei Guofei Gu Wei Zou March 12, 2014 is: A Fuzzing tool Checksum-Aware Directed Why a new fuzzing
More informationDART: Directed Automated Random Testing. CUTE: Concolic Unit Testing Engine. Slide Source: Koushik Sen from Berkeley
DAR: Directed Automated Random esting CUE: Concolic Unit esting Engine Slide Source: Koushik Sen from Berkeley Verification and esting We would like to prove programs correct Verification and esting We
More informationDynamic Memory Allocation: Advanced Concepts
Dynamic Memory Allocation: Advanced Concepts Keeping Track of Free Blocks Method 1: Implicit list using length links all blocks 5 4 6 Method : Explicit list among the free blocks using pointers 5 4 6 Kai
More informationTI2725-C, C programming lab, course
Valgrind tutorial Valgrind is a tool which can find memory leaks in your programs, such as buffer overflows and bad memory management. This document will show per example how Valgrind responds to buggy
More informationAutomated Software Analysis Techniques For High Reliability: A Concolic Testing Approach. Moonzoo Kim
Automated Software Analysis Techniques For High Reliability: A Concolic Testing Approach Moonzoo Kim Contents Automated Software Analysis Techniques Background Concolic testing process Example of concolic
More informationAdvanced Programming Methods. Introduction in program analysis
Advanced Programming Methods Introduction in program analysis What is Program Analysis? Very broad topic, but generally speaking, automated analysis of program behavior Program analysis is about developing
More informationStatic Analysis: Overview, Syntactic Analysis and Abstract Interpretation TDDC90: Software Security
Static Analysis: Overview, Syntactic Analysis and Abstract Interpretation TDDC90: Software Security Ahmed Rezine IDA, Linköpings Universitet Hösttermin 2014 Outline Overview Syntactic Analysis Abstract
More informationBlack Hat Webcast Series. C/C++ AppSec in 2014
Black Hat Webcast Series C/C++ AppSec in 2014 Who Am I Chris Rohlf Leaf SR (Security Research) - Founder / Consultant BlackHat Speaker { 2009, 2011, 2012 } BlackHat Review Board Member http://leafsr.com
More informationTesting, Fuzzing, & Symbolic Execution
Testing, Fuzzing, & Symbolic Execution Software Testing The most common way of measuring & ensuring correctness Input 2 Software Testing The most common way of measuring & ensuring correctness Input Observed
More informationBounded Model Checking Of C Programs: CBMC Tool Overview
Workshop on Formal Verification and Analysis Tools, CFDVS, IIT-Bombay - Feb 21,2017 Bounded Model Checking Of C Programs: CBMC Tool Overview Prateek Saxena CBMC Developed and Maintained by Dr Daniel Kröning
More informationTesting & Symbolic Execution
Testing & Symbolic Execution Software Testing The most common way of measuring & ensuring correctness Input 2 Software Testing The most common way of measuring & ensuring correctness Input Observed Behavior
More informationApplication of Propositional Logic II - How to Test/Verify my C program? Moonzoo Kim
Application of Propositional Logic II - How to Test/Verify my C program? Moonzoo Kim 2 Solving Various Problems using SAT Solver Sudoku Puzzle Encoding 1 Encoding 2 Verify/Testing C Programs Encoding 3
More informationSoftware Vulnerability
Software Vulnerability Refers to a weakness in a system allowing an attacker to violate the integrity, confidentiality, access control, availability, consistency or audit mechanism of the system or the
More informationLecture 4 September Required reading materials for this class
EECS 261: Computer Security Fall 2007 Lecture 4 September 6 Lecturer: David Wagner Scribe: DK Moon 4.1 Required reading materials for this class Beyond Stack Smashing: Recent Advances in Exploiting Buffer
More informationSymbolic and Concolic Execution of Programs
Symbolic and Concolic Execution of Programs Information Security, CS 526 Omar Chowdhury 10/7/2015 Information Security, CS 526 1 Reading for this lecture Symbolic execution and program testing - James
More informationDynamic Allocation in C
Dynamic Allocation in C C Pointers and Arrays 1 The previous examples involved only targets that were declared as local variables. For serious development, we must also be able to create variables dynamically,
More informationStatic Analysis of C++ Projects with CodeSonar
Static Analysis of C++ Projects with CodeSonar John Plaice, Senior Scientist, GrammaTech jplaice@grammatech.com 25 July 2017, Meetup C++ de Montréal Abstract Static program analysis consists of the analysis
More informationThe Low-Level Bounded Model Checker LLBMC
The Low-Level Bounded Model Checker LLBMC A Precise Memory Model for LLBMC Carsten Sinz Stephan Falke Florian Merz October 7, 2010 VERIFICATION MEETS ALGORITHM ENGINEERING KIT University of the State of
More informationA Context-Sensitive Memory Model for Verification of C/C++ Programs
A Context-Sensitive Memory Model for Verification of C/C++ Programs Arie Gurfinkel and Jorge A. Navas University of Waterloo and SRI International SAS 17, August 30th, 2017 Gurfinkel and Navas (UWaterloo/SRI)
More informationUnleashing D* on Android Kernel Drivers. Aravind Machiry
Unleashing D* on Android Kernel Drivers Aravind Machiry (@machiry_msidc) $ whoami Fourth year P.h.D Student at University of California, Santa Barbara. Vulnerability Detection in System software. machiry.github.io
More informationCS2141 Software Development using C/C++ Debugging
CS2141 Software Development using C/C++ Debugging Debugging Tips Examine the most recent change Error likely in, or exposed by, code most recently added Developing code incrementally and testing along
More informationCS 241 Data Organization Binary Trees
CS 241 Data Organization Binary Trees Brooke Chenoweth University of New Mexico Fall 2017 Binary Tree: Kernighan and Ritchie 6.5 Read a file and count the occurrences of each word. now is the time for
More informationIn Java we have the keyword null, which is the value of an uninitialized reference type
+ More on Pointers + Null pointers In Java we have the keyword null, which is the value of an uninitialized reference type In C we sometimes use NULL, but its just a macro for the integer 0 Pointers are
More informationCSCI-243 Exam 1 Review February 22, 2015 Presented by the RIT Computer Science Community
CSCI-243 Exam 1 Review February 22, 2015 Presented by the RIT Computer Science Community http://csc.cs.rit.edu History and Evolution of Programming Languages 1. Explain the relationship between machine
More informationToday Program Analysis for finding bugs, especially security bugs problem specification motivation approaches remaining issues
Finding Bugs Last time Run-time reordering transformations Today Program Analysis for finding bugs, especially security bugs problem specification motivation approaches remaining issues CS553 Lecture Finding
More informationUndefined Behaviour in C
Undefined Behaviour in C Report Field of work: Scientific Computing Field: Computer Science Faculty for Mathematics, Computer Science and Natural Sciences University of Hamburg Presented by: Dennis Sobczak
More informationSymbolic Execution, Dynamic Analysis
Symbolic Execution, Dynamic Analysis http://d3s.mff.cuni.cz Pavel Parízek CHARLES UNIVERSITY IN PRAGUE faculty of mathematics and physics Symbolic execution Pavel Parízek Symbolic Execution, Dynamic Analysis
More informationCS61C Machine Structures. Lecture 4 C Pointers and Arrays. 1/25/2006 John Wawrzynek. www-inst.eecs.berkeley.edu/~cs61c/
CS61C Machine Structures Lecture 4 C Pointers and Arrays 1/25/2006 John Wawrzynek (www.cs.berkeley.edu/~johnw) www-inst.eecs.berkeley.edu/~cs61c/ CS 61C L04 C Pointers (1) Common C Error There is a difference
More informationWHY TEST SOFTWARE?...
2 At a glance 1 PREFACE... 3 2 AT A GLANCE... 5 3 TABLE OF CONTENTS... 9 4 INTRODUCTION... 17 5 WHY TEST SOFTWARE?... 19 5.1 WHY TEST SOFTWARE?... 19 5.2 LIMITATIONS OF TESTING... 20 5.3 ALTERNATIVE TO
More informationModule: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Program Vulnerabilities Professor Trent Jaeger 1 1 Programming Why do we write programs? Function What functions do we enable via our programs?
More informationDynamic Allocation in C
Dynamic Allocation in C 1 The previous examples involved only targets that were declared as local variables. For serious development, we must also be able to create variables dynamically, as the program
More informationLimitations of the stack
The heap hic 1 Limitations of the stack int *table_of(int num, int len) { int table[len+1]; for (int i=0; i
More informationIdentifying Memory Corruption Bugs with Compiler Instrumentations. 이병영 ( 조지아공과대학교
Identifying Memory Corruption Bugs with Compiler Instrumentations 이병영 ( 조지아공과대학교 ) blee@gatech.edu @POC2014 How to find bugs Source code auditing Fuzzing Source Code Auditing Focusing on specific vulnerability
More information18-642: Code Style for Compilers
18-642: Code Style for Compilers 9/25/2017 1 Anti-Patterns: Coding Style: Language Use Code compiles with warnings Warnings are turned off or over-ridden Insufficient warning level set Language safety
More informationLecture 14. No in-class files today. Homework 7 (due on Wednesday) and Project 3 (due in 10 days) posted. Questions?
Lecture 14 No in-class files today. Homework 7 (due on Wednesday) and Project 3 (due in 10 days) posted. Questions? Friday, February 11 CS 215 Fundamentals of Programming II - Lecture 14 1 Outline Static
More informationRequired reading: StackGuard: Simple Stack Smash Protection for GCC
Continuing with Software Security Writing & testing for Secure Code Required reading: StackGuard: Simple Stack Smash Protection for GCC Optional reading: Basic Integer Overflows Exploiting Format String
More informationFoundations of Software Engineering
Foundations of Software Engineering Dynamic Analysis Christian Kästner 1 15-313 Software Engineering Adminstrativa Midterm Participation Midsemester grades 2 15-313 Software Engineering How are we doing?
More informationTest Automation. 20 December 2017
Test Automation 20 December 2017 The problem of test automation Testing has repetitive components, so automation is justified The problem is cost-benefit evaluation of automation [Kaner] Time for: test
More informationAutomatic Test Generation. Galeotti/Gorla/Rau Saarland University
Automatic Test Generation Galeotti/Gorla/Rau Saarland University Testing : Find inputs that make the program fail Debugging : The process of finding the cause of a failure. Test Case Values/Test Input/Test
More informationModule: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Program Vulnerabilities Professor Trent Jaeger 1 Programming Why do we write programs? Function What functions do we enable via our programs?
More informationMemory Analysis tools
Memory Analysis tools PURIFY The Necessity TOOL Application behaviour: Crashes intermittently Uses too much memory Runs too slowly Isn t well tested Is about to ship You need something See what your code
More informationStatus Report. JSR-305: Annotations for Software Defect Detection. William Pugh Professor
JSR-305: Annotations for Software Defect Detection William Pugh Professor Status Report Univ. of Maryland pugh@cs.umd.edu http://www.cs.umd.edu/~pugh/ 1 This JSR is under active development Slides have
More informationTHE GOOD, BAD AND UGLY ABOUT POINTERS. Problem Solving with Computers-I
THE GOOD, BAD AND UGLY ABOUT POINTERS Problem Solving with Computers-I The good: Pointers pass data around efficiently Pointers and arrays 100 104 108 112 116 ar 20 30 50 80 90 ar is like a pointer to
More informationBug Finding with Under-approximating Static Analyses. Daniel Kroening, Matt Lewis, Georg Weissenbacher
Bug Finding with Under-approximating Static Analyses Daniel Kroening, Matt Lewis, Georg Weissenbacher Overview Over- vs. underapproximating static analysis Path-based symbolic simulation Path merging Acceleration
More informationVerification & Validation of Open Source
Verification & Validation of Open Source 2011 WORKSHOP ON SPACECRAFT FLIGHT SOFTWARE Gordon Uchenick Coverity, Inc Open Source is Ubiquitous Most commercial and proprietary software systems have some open
More informationApplications of Logic in Software Engineering. CS402, Spring 2016 Shin Yoo
Applications of Logic in Software Engineering CS402, Spring 2016 Shin Yoo Acknowledgements I borrow slides from: Moonzoo Kim Theo C. Ruys (http://spinroot.com/spin/doc/ SpinTutorial.pdf) CBMC & Daniel
More informationInformation page for written examinations at Linköping University
Information page for written examinations at Linköping University Examination date 2017-01-14 Room (1) Time 8-12 Course code Exam code Course name Exam name Department Number of questions in the examination
More informationOne-Slide Summary. Lecture Outline. Language Security
Language Security Or: bringing a knife to a gun fight #1 One-Slide Summary A language s design principles and features have a strong influence on the security of programs written in that language. C s
More informationC++ Undefined Behavior
C++ Undefined Behavior What is it, and why should I care? A presentation originally by Marshal Clow Original: https://www.youtube.com/watch?v=uhclkb1vkay Original Slides: https://github.com/boostcon/cppnow_presentations_2014/blob/master/files/undefined-behavior.pdf
More informationMEMORY MANAGEMENT TEST-CASE GENERATION OF C PROGRAMS USING BOUNDED MODEL CHECKING
FEDERAL UNIVERSITY OF AMAZONAS INSTITUTE OF COMPUTING GRADUATE PROGRAM IN COMPUTER SCIENCE MEMORY MANAGEMENT TEST-CASE GENERATION OF C PROGRAMS USING BOUNDED MODEL CHECKING Herbert Rocha, Raimundo Barreto,
More informationCSC 405 Introduction to Computer Security Fuzzing
CSC 405 Introduction to Computer Security Fuzzing Alexandros Kapravelos akaprav@ncsu.edu Let s find some bugs (again) We have a potentially vulnerable program The program has some inputs which can be controlled
More informationCSCE 548 Building Secure Software Software Analysis Basics
CSCE 548 Building Secure Software Software Analysis Basics Professor Lisa Luo Spring 2018 Previous Class Ø Android Background Ø Two Android Security Problems: 1. Android App Repackaging o Very easy to
More informationtypedef void (*type_fp)(void); int a(char *s) { type_fp hf = (type_fp)(&happy_function); char buf[16]; strncpy(buf, s, 18); (*hf)(); return 0; }
Dawn Song Fall 2012 CS 161 Computer Security Practice Questions 1. (6 points) Control Hijacking Indicate whether the statement is always valid. Indicate true or false, and give a one sentence explanation.
More informationOverview AEG Conclusion CS 6V Automatic Exploit Generation (AEG) Matthew Stephen. Department of Computer Science University of Texas at Dallas
CS 6V81.005 Automatic Exploit Generation (AEG) Matthew Stephen Department of Computer Science University of Texas at Dallas February 20 th, 2012 Outline 1 Overview Introduction Considerations 2 AEG Challenges
More informationCRAXweb: Web Testing and Attacks through QEMU in S2E. Shih-Kun Huang National Chiao Tung University Hsinchu, Taiwan
CRAXweb: Web Testing and Attacks through QEMU in S2E Shih-Kun Huang National Chiao Tung University Hsinchu, Taiwan skhuang@cs.nctu.edu.tw Motivation Symbolic Execution is effective to crash applications
More informationTypes and Type Inference
Types and Type Inference Mooly Sagiv Slides by Kathleen Fisher and John Mitchell Reading: Concepts in Programming Languages, Revised Chapter 6 - handout on the course homepage Outline General discussion
More informationStatic Program Checking
Bounded Verification Jalloy Automated Software Analysis Group, Institute of Theoretical Informatics Jun.-prof. Mana Taghdiri June 5, 2014 KIT University of the State of Baden-Wuerttemberg and National
More informationCSCE 548 Building Secure Software Integers & Integer-related Attacks & Format String Attacks. Professor Lisa Luo Spring 2018
CSCE 548 Building Secure Software Integers & Integer-related Attacks & Format String Attacks Professor Lisa Luo Spring 2018 Previous Class Buffer overflows can be devastating It occurs when the access
More informationMaking C Less Dangerous
Making C Less Dangerous Linux Security Summit August 27, 2018 Vancouver, Canada Kees ( Case ) Cook keescook@chromium.org @kees_cook https://outflux.net/slides/2018/lss/danger.pdf Agenda Background Kernel
More informationCS558 Programming Languages
CS558 Programming Languages Fall 2016 Lecture 3a Andrew Tolmach Portland State University 1994-2016 Formal Semantics Goal: rigorous and unambiguous definition in terms of a wellunderstood formalism (e.g.
More informationo Code, executable, and process o Main memory vs. virtual memory
Goals for Today s Lecture Memory Allocation Prof. David August COS 217 Behind the scenes of running a program o Code, executable, and process o Main memory vs. virtual memory Memory layout for UNIX processes,
More informationTypes and Type Inference
CS 242 2012 Types and Type Inference Notes modified from John Mitchell and Kathleen Fisher Reading: Concepts in Programming Languages, Revised Chapter 6 - handout on Web!! Outline General discussion of
More informationProgram Analysis. CSCE Lecture 16-03/03/2016
Program Analysis CSCE 747 - Lecture 16-03/03/2016 Axiom of Testing Program testing can be used to show the presence of bugs, but never their absence. - Dijkstra Gregory Gay CSCE 747 - Spring 2016 2 Holy
More informationStanford University Computer Science Department CS 295 midterm. May 14, (45 points) (30 points) total
Stanford University Computer Science Department CS 295 midterm May 14, 2008 This is an open-book exam. You have 75 minutes. Write all of your answers directly on the paper. Make your answers as concise
More informationDetecting Integer Overflow Vulnerabilities in Binaries. Tielei Wang Institute of Computer Science and Technology, Peking University
Detecting Integer Overflow Vulnerabilities in Binaries Tielei Wang Institute of Computer Science and Technology, Peking University About Me 4 th Ph.D. student in Peking Univ. Interested in binary program
More informationModule: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Program Vulnerabilities Professor Trent Jaeger 1 Programming Why do we write programs? Function What functions do we enable via our programs?
More informationSecure Programming I. Steven M. Bellovin September 28,
Secure Programming I Steven M. Bellovin September 28, 2014 1 If our software is buggy, what does that say about its security? Robert H. Morris Steven M. Bellovin September 28, 2014 2 The Heart of the Problem
More information18-642: Code Style for Compilers
18-642: Code Style for Compilers 9/6/2018 2017-2018 Philip Koopman Programming can be fun, so can cryptography; however they should not be combined. Kreitzberg and Shneiderman 2017-2018 Philip Koopman
More informationCS558 Programming Languages
CS558 Programming Languages Winter 2017 Lecture 4a Andrew Tolmach Portland State University 1994-2017 Semantics and Erroneous Programs Important part of language specification is distinguishing valid from
More information