Today Program Analysis for finding bugs, especially security bugs problem specification motivation approaches remaining issues

Similar documents
CCured. One-Slide Summary. Lecture Outline. Type-Safe Retrofitting of C Programs

Bugs in software. Using Static Analysis to Find Bugs. David Hovemeyer

Static Analysis in Practice

5) Attacker causes damage Different to gaining control. For example, the attacker might quit after gaining control.

Language Security. Lecture 40

Static Analysis in Practice

Simple Overflow. #include <stdio.h> int main(void){ unsigned int num = 0xffffffff;

Static Vulnerability Analysis

Memory Safety for Embedded Devices with nescheck

Type Checking Systems Code

Static program checking and verification

CSE 403: Software Engineering, Fall courses.cs.washington.edu/courses/cse403/16au/ Static Analysis. Emina Torlak

One-Slide Summary. Lecture Outline. Language Security

Security Analyses For The Lazy Superhero

Securing Software Applications Using Dynamic Dataflow Analysis. OWASP June 16, The OWASP Foundation

Static Program Analysis Part 1 the TIP language

Today. Instance Method Dispatch. Instance Method Dispatch. Instance Method Dispatch 11/29/11. today. last time

Lightweight Verification of Array Indexing

Static Analysis and Bugfinding

Verification Using Static Analysis

Principles of Software Construction: Objects, Design, and Concurrency (Part 2: Designing (Sub )Systems)

Analysis Tool Project

Static Analysis: Overview, Syntactic Analysis and Abstract Interpretation TDDC90: Software Security

Towards automated detection of buffer overrun vulnerabilities: a first step. NDSS 2000 Feb 3, 2000

Static Analysis methods and tools An industrial study. Pär Emanuelsson Ericsson AB and LiU Prof Ulf Nilsson LiU

CSE Computer Security (Fall 2006)

Module: Future of Secure Programming

Module: Future of Secure Programming

Secure Programming. An introduction to Splint. Informatics and Mathematical Modelling Technical University of Denmark E

CSE Computer Security

Static Analysis of C++ Projects with CodeSonar

C Source Code Analysis for Memory Safety

Principles of Software Construction: Objects, Design and Concurrency. Static Analysis. toad Spring 2013

Advances in Programming Languages

Static Analysis in C/C++ code with Polyspace

CMPSC 497: Static Analysis

Hugbúnaðarverkefni 2 - Static Analysis

The Importance of Benchmarks for Tools that Find or Prevent Buffer Overflows

Finding Concurrency Bugs in Java

Automatic Generation of Program Specifications

Software Testing CS 408. Lecture 11: Review 2/20/18

Simulink 모델과 C/C++ 코드에대한매스웍스의정형검증툴소개 The MathWorks, Inc. 1

COMP 181. Agenda. Midterm topics. Today: type checking. Purpose of types. Type errors. Type checking

Buffer Overflow Defenses

Gaps in Static Analysis Tool Capabilities. Providing World-Class Services for World-Class Competitiveness

CS 6371: Advanced Programming Languages

Status Report. JSR-305: Annotations for Software Defect Detection. William Pugh Professor

Information Flow Analysis and Type Systems for Secure C Language (VITC Project) Jun FURUSE. The University of Tokyo

EURECOM 6/2/2012 SYSTEM SECURITY Σ

CS 161 Computer Security

Secure Programming Lecture 15: Information Leakage

The Checker Framework: pluggable static analysis for Java

CS61C Machine Structures. Lecture 3 Introduction to the C Programming Language. 1/23/2006 John Wawrzynek. www-inst.eecs.berkeley.

Lecture 9 Assertions and Error Handling CS240

Program Verification. Aarti Gupta

Principles of Software Construction: Objects, Design and Concurrency. Static Analysis. toad Jonathan Aldrich Charlie Garrod.

Automatic Software Verification

Announcements. Working on requirements this week Work on design, implementation. Types. Lecture 17 CS 169. Outline. Java Types

Statically Detecting Likely Buffer Overflow Vulnerabilities

Advances in Programming Languages

CS 161 Computer Security

18-642: Code Style for Compilers

Lecture 14 Pointer Analysis

CS2110 Fall 2011 Lecture 25. Under the Hood: The Java Virtual Machine, Part II

ESC/Java2 extended static checking for Java Erik Poll Radboud University Nijmegen

JSR-305: Annotations for Software Defect Detection

Software Security: Vulnerability Analysis

Code verification. CSE 331 University of Washington. Michael Ernst

Language Techniques for Provably Safe Mobile Code

Verifying the Safety of Security-Critical Applications

Simply-Typed Lambda Calculus

CCured in the Real World

18-642: Code Style for Compilers

Implementation of Customized FindBugs Detectors

Finding User/Kernel Pointer Bugs with Type Inference p.1

Visualizing Type Qualifier Inference with Eclipse

Testing, code coverage and static analysis. COSC345 Software Engineering

More Lambda Calculus and Intro to Type Systems

Counterexample Guided Abstraction Refinement in Blast

COS 320. Compiling Techniques

Using Static Code Analysis to Find Bugs Before They Become Failures

A Type System for Regular Expressions

CS6202: Advanced Topics in Programming Languages and Systems Lecture 0 : Overview

Oracle Developer Studio Code Analyzer

Introduction A Tiny Example Language Type Analysis Static Analysis 2009

Program Analysis Tools

Static Program Analysis

CS-XXX: Graduate Programming Languages. Lecture 9 Simply Typed Lambda Calculus. Dan Grossman 2012

Secure Software Development: Theory and Practice

SOFTWARE QUALITY OBJECTIVES FOR SOURCE CODE

Memory Safety (cont d) Software Security

Lecture 4 September Required reading materials for this class

WHITE PAPER. 10 Reasons to Use Static Analysis for Embedded Software Development

CS2141 Software Development using C/C++ Debugging

Secure Virtual Architecture: Using LLVM to Provide Memory Safety to the Entire Software Stack

Types and Type Inference

Principles of Program Analysis. Lecture 1 Harry Xu Spring 2013

Pointer Analysis in the Presence of Dynamic Class Loading. Hind Presented by Brian Russell

Static Program Analysis

Program Analysis. CSCE Lecture 16-03/03/2016

Transcription:

Finding Bugs Last time Run-time reordering transformations Today Program Analysis for finding bugs, especially security bugs problem specification motivation approaches remaining issues CS553 Lecture Finding Bugs 2 Problem What is a bug? a path in the code that causes a run-time exception a path through the code that causes incorrect results Issues exponential many paths cannot statically determine the path a program will take Program testing can be used to find the presence of bugs, but never to show their absence. [Dijkstra 1972] Undecidability soundness and completeness together is undecidable confusion in literature: which is which? every reported error is genuine (no false positives) if the program has any errors then the checker will report some error (no false negatives) CS553 Lecture Finding Bugs 3 1

Motivation for the Automatic Detection of Bugs Time spent in program maintenance most software engineers spend the majority of their time doing maintenance most time spent doing maintenance is time spent debugging Costs due to bugs that allow security exploits (approximations published at CNET News.com, Jan 31 2003) Slammer (950 million) Code Red (2.6 billion productivity loss) LoveLetter (8.8 billion) Klez virus (9.0 billion) CS553 Lecture Finding Bugs 4 Approaches to Finding Bugs Approaches strengthening the type system static analysis to detect bug patterns automated theorem proving dynamic analysis catch errors before they occur find the cause for failures after the fact Evaluating the different approaches how many false positives? how many false negatives? extent of user intervention or ease of use efficiency of approach CS553 Lecture Finding Bugs 5 2

Example Bugs null dereference if (p==null) { p->open() } array bounds error int a[20]; a[20] =...; untrusted access format string vulnerability fgets(buffer, size, file); printf(buffer); CS553 Lecture Finding Bugs 6 Type Qualifiers [Shankar, et al 01] Idea Add tainted and untainted types to library function signatures fgets(tainted char *buffer, int size, FILE *f); printf(untainted char *format,...); Use type constraint solver to find errors Errors are type mismatches Issues What is the type of strdup()? What happens when the value of strings change? CS553 Lecture Finding Bugs 7 3

Static Analysis FindBugs project at University of Maryland for finding bugs in Java they observe that bugs found in student programs are also found in production code implementation steps: 1. think of the simplest technique that would find occurrences of the bug 2. implement it 3. apply it to real software. Hopefully find some real bugs. Will probably produce some false warnings. 4. add heuristics to reduce percentage of false warnings Their experience: new detectors can usually be implemented quickly (somewhere between a few minutes and a few days). Often, detectors find more bugs than you would expect Kinds of analysis in implementing detectors: Examination of method names, signatures, class hierarchy Linear scan of bytecode instructions using a state machine Method control flow graphs, dataflow anlysis No interprocedural flow analysis or sophisticated heap analysis CS553 Lecture Finding Bugs 8 How FindBugs Handles the Example Bugs Null pointer dereferences found 37 in rt.jar 1.5-b59, 55 in eclipse-3.0 Array bounds checking not an issue in Java Untrusted Code Can static fields (or the objects they refer to) be modified by untrusted code? Public, non-final static fields Public static fields pointing to an array Warnings: 254 in rt.jar 1.5-b59, 967 in eclipse-3.0 CS553 Lecture Finding Bugs 9 4

Automated Theorem Proving SAL at Microsoft Standard Annotation Language for interface pre and post conditions focus is on buffer overruns and pointer usage SALinfer is a tool that determines specifications automatically CS553 Lecture Finding Bugs 10 SAL Example CS553 Lecture Finding Bugs 11 5

Dynamic Analysis Ccured: Taming C Pointers by George Necula, Scott McPeak, and Wes Weimer, May 22, 2002 adds run-time checks to C programs for cathcing memory safety errors requires user annotations the only thing that happens statically is figuring out what special type a pointer should be, want fastest possible type that still can catch any possible dynamic errors around 15-50 times faster than purify Halt: Memory Safety Violation C Program CCured Translator Instrumented C Program Compile & Execute Success CS553 Lecture Finding Bugs 12 How CCured Handles the Example Bugs New Pointer Types SAFE pointer: on use does a null pointer check SEQ pointer: on use does a null pointer check and an array bounds check DYN pointer: on use does a null pointer check, a bounds check, and a type check (checks type casts) Null Pointer Dereference use SAFE pointer Array Bounds use SEQ pointer Untrusted Access doesn t handle this, really just handling memory issues CS553 Lecture Finding Bugs 13 6

Remaining Issues Evaluation of new techniques is tedious must have a human determine if problem reported is an actual bug getting developers to fix the bug is another battle how can we determine if one bug detection system is better than another? might analyze different languages experiments performed on different benchmarks (version of the software make a different benchmark) approach: people are starting to put together bug benchmarks Static Analysis whole program versus partial program analysis quality of alias analysis affects quality number of false positives CS553 Lecture Finding Bugs 14 Concepts Approaches to bug detection augmenting the type system static analysis automated theorem proving dynamic analysis Comparing bug detection techniques is tricky what is considered a real bug? how can we compare false positives with false negatives? how can we determine them at all CS553 Lecture Finding Bugs 15 7

Next Time Lecture This is it! review of what we covered this quarter how does it all fit together? any requests? CS553 Lecture Finding Bugs 16 8

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback