Securing Software Applications Using Dynamic Dataflow Analysis. OWASP June 16, The OWASP Foundation

Similar documents
Securing Legacy C Applications Using Dynamic Data Flow Analysis

Securing Legacy C Applications Using Dynamic Data Flow Analysis

Static Vulnerability Analysis

One-Slide Summary. Lecture Outline. Language Security

Today Program Analysis for finding bugs, especially security bugs problem specification motivation approaches remaining issues

CSE Computer Security

Module: Future of Secure Programming

Module: Future of Secure Programming

CSE Computer Security (Fall 2006)

Language Security. Lecture 40

5) Attacker causes damage Different to gaining control. For example, the attacker might quit after gaining control.

CMPSC 497: Static Analysis

Generating String Attack Inputs Using Constrained Symbolic Execution. presented by Kinga Dobolyi

Decoupling Dynamic Information Flow Tracking with a Dedicated Coprocessor

Inline Reference Monitoring Techniques

Wedge: Splitting Applications into Reduced-Privilege Compartments

Buffer overflow background

Secure Programming Lecture 15: Information Leakage

Secure Software Development: Theory and Practice

Buffer overflow prevention, and other attacks

Finding Vulnerabilities in Web Applications

Real-World Buffer Overflow Protection in User & Kernel Space

Program Security and Vulnerabilities Class 2

Memory Safety (cont d) Software Security

Overview AEG Conclusion CS 6V Automatic Exploit Generation (AEG) Matthew Stephen. Department of Computer Science University of Texas at Dallas

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

Security Analyses For The Lazy Superhero

Protect your apps and your customers against application layer attacks

Practical Techniques for Regeneration and Immunization of COTS Applications

Outline STRANGER. Background

Smart Grid Embedded Cyber Security: Ensuring Security While Promoting Interoperability

Malicious Code Analysis II

Java Security HotJava to Netscape and Beyond

Inject malicious code Call any library functions Modify the original code

Lecture 10. Pointless Tainting? Evaluating the Practicality of Pointer Tainting. Asia Slowinska, Herbert Bos. Advanced Operating Systems

Outline. Classic races: files in /tmp. Race conditions. TOCTTOU example. TOCTTOU gaps. Vulnerabilities in OS interaction

Static Analysis in Practice

Static Analysis in Practice

Fundamentals of Computer Security

Applications. Cloud. See voting example (DC Internet voting pilot) Select * from userinfo WHERE id = %%% (variable)

Fortify Software Security Content 2017 Update 4 December 15, 2017

IntFlow: Integer Error Handling With Information Flow Tracking

ShiftLeft. OWASP SAST Benchmark

CSE 565 Computer Security Fall 2018

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I Solutions

CS 161 Computer Security

Secure coding practices

EURECOM 6/2/2012 SYSTEM SECURITY Σ

How to Sandbox IIS Automatically without 0 False Positive and Negative

MEMORY SAFETY ATTACKS & DEFENSES

Information Flow Analysis and Type Systems for Secure C Language (VITC Project) Jun FURUSE. The University of Tokyo

Lecture 4 September Required reading materials for this class

Cyber Moving Targets. Yashar Dehkan Asl

OWASP 5/07/09. The OWASP Foundation OWASP Static Analysis (SA) Track Session 1: Intro to Static Analysis

Secure Programming I. Steven M. Bellovin September 28,

Hugbúnaðarverkefni 2 - Static Analysis

Advanced System Security: Vulnerabilities

Advanced Systems Security: Ordinary Operating Systems

Secure Development After Security Bugs

ISA564 SECURITY LAB. Code Injection Attacks

CMPSC 497 Buffer Overflow Vulnerabilities

Baggy bounds with LLVM

in memory: an evolution of attacks Mathias Payer Purdue University

Honours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui

Hacking by Numbers OWASP. The OWASP Foundation

ShiftLeft. Real-World Runtime Protection Benchmarking

Memory Safety for Embedded Devices with nescheck

Understanding Undefined Behavior

BUILDING APPLICATION SECURITY INTO PRODUCTION CONTAINER ENVIRONMENTS Informed by the National Institute of Standards and Technology

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

CS 161 Computer Security

Survey of Cyber Moving Targets. Presented By Sharani Sankaran

Oracle Developer Studio Code Analyzer

Other array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned

Confinement (Running Untrusted Programs)

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Plan for Today. Safe Programming Languages. What is a secure programming language?

ECS 153 Discussion Section. April 6, 2015

Modern Buffer Overflow Prevention Techniques: How they work and why they don t

Runtime Integrity Checking for Exploit Mitigation on Embedded Devices

CYSE 411/AIT681 Secure Software Engineering Topic #12. Secure Coding: Formatted Output

2/9/18. CYSE 411/AIT681 Secure Software Engineering. Readings. Secure Coding. This lecture: String management Pointer Subterfuge

Is Exploitation Over? Bypassing Memory Protections in Windows 7

SOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Software Security: Buffer Overflow Defenses

Low level security. Andrew Ruef

The Importance of Benchmarks for Tools that Find or Prevent Buffer Overflows

Rule based Forwarding (RBF): improving the Internet s flexibility and security. Lucian Popa, Ion Stoica, Sylvia Ratnasamy UC Berkeley Intel Labs

Computer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018

sottotitolo System Security Introduction Milano, XX mese 20XX A.A. 2016/17 Federico Reghenzani

Stack Overflow. Faculty Workshop on Cyber Security May 23, 2012

20: Exploits and Containment

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

CSE 227 Computer Security Spring 2010 S f o t ftware D f e enses I Ste St f e an f Sa v Sa a v g a e g

Labels and Information Flow

Static Analysis and Bugfinding

Secure Programming Techniques

SentinelOne Technical Brief

Transcription:

Securing Software Applications Using Dynamic Dataflow Analysis Steve Cook OWASP June 16, 2010 0 Southwest Research Institute scook@swri.org (210) 522-6322 Copyright The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org

Outline Introduction and Overview How DDFA Works Illustrative Example Scenarios Efficiency of DDFA Wrap Up OWASP 2

What is DDFA? DDFA is an extensible compiler-based system that automatically instruments input C programs to enforce a user-specified security policy Approach uses a complementary combination of static and dynamic data flow analysis along with the policy to produce secure programs with low runtime overhead OWASP 3

DDFA Development Team University U i it of Texas at Austin, Computer Science Fundamental research on Dynamic Dataflow Analysis Southwest Research Institute Applied research and tech transfer OWASP 4

Why is DDFA Needed? Widespread use of untrusted COTS / Open Source software Large legacy code bases Programs not designed with security in mind Difficult and costly to find software developers well-versed in application security OWASP 5

Research Goals Minimize the impact to software development Easy to use and deploy Provide separation of concerns Keep program runtime and size overhead as low as possible Support multi-level security Not just one binary state (e.g. bad, good) Provide extensibility for future threats OWASP 6

State of the Art Manual code inspection that support best practices Many automated approaches focus only on memory safety Less important as memory-safe languages such as Java become more popular Static Analysis Tools (e.g. Coverity) Statically detect bugs and vulnerabilities Admits both false positives and false negatives Only detects bugs, does not fix them Taint T i t Tracking approaches High runtime overhead (82% - 7.9 ) Not general enough for multi-level security OWASP 7

Architecture of DDFA System DDFA Compiler System Unsecured C Program Static Analysis Instrumentation Engine Secured C Program Security Policy Specification DDFA Runtime Library OWASP 8

Development with DDFA Security policy separate from source code Security DDFA Expert Security Policy Static dataflow analysis minimizes instrumentation Runtime library provides the dynamic data flow analysis capability DDFA Runtime Library Policy and ddynamic data flow analysis provide customized error mitigation Develops DDFA Compiler Enhanced Conventional DDFA Enhanced Conventional Compiler C Code Compiler Enhanced Executable Software Engineer C Code OWASP 9

Primary Benefits of DDFA Application dataflow is tracked at compile and run time Very low runtime overhead (many cases < 1%) Leverages semantic information from policy Configurable error mitigation at run time (e.g. fight through) Policy is separate from the source code Removes security concerns when developing new applications Including 3 rd party and open-source development Can secure existing legacy applications Requires one additional step in an automated t build process Defined once and used many times Policy can change and be re-applied as threats evolve OWASP 10

Generality of the DDFA Approach Traditional Tainted Data Attacks Format t String Attacks SQL Injection Command Injection Cross-Site Scripting Other Security Problems File Disclosure Vulnerabilities Labeled b l d Security Enforcement Role-Based Access Control, Mandatory Access Control Accountable Information Flow OWASP 11

Outline Introduction and Overview How DDFA Works Illustrative Example Scenarios Efficiency of DDFA Wrap Up OWASP 12

Format String Vulnerability (FSV) int sock; char buf[100]; sock = socket(af_inet, SOCK_STREAM, 0); recv(sock, buf, 100, 0); String containing malicious formatting directives introduced into program from outside the system printf(buf); Formatted output family of functions can cause target computer to execute arbitrary commands e.g. g printf(), sprintf() OWASP 13

Property Definition for FSV Security policy begins by defining one or more property p Taint : { Tainted, { Untainted } } initially Untainted properties Each property represents a lattice Lattice with Two Nodes Lattices intrinsic to data flow analysis Lattice nodes represent possible flow values Flow values are meta-data attached to program objects Untainted Tainted OWASP 14

Annotations for Library/System Calls (Focus is on Three Areas) Introduction Associates property values (or metadata) to memory objects as they are introduced into a program Propagation Tracks the flow of memory objects and their property values throughout h t the program Violation Identifies if a violation i occurs at runtime based on the memory objects property values, which static analysis alone is not able to do OWASP 15

Policy - Annotating the Library Procedures (FSV) Original Source Code Introduction int sock; char buf[100]; sock = socket(af_inet, SOCK_STREAM, 0); recv(sock, buf, 100, 0); buf2 = strdup(buf); Propagation Annotated Procedures procedure recv(s, buf, len, flags) { on_entry { buf buffer } analyze Taint { buffer Tainted } } procedure strdup(s) { on_entry { s string } on_exit { return string_copy analyze Taint { string_copy string } } procedure printf(format, args) { on_entry { format format_string } Policy Violation error if ( Taint: format_string could-be Tainted ) { error_handler = fsv_error() printf(buf2); ( certify = fsv_check(format, args) } } OWASP 16

Static Data Flow Analysis (Works Backwards) In this case, data flow analysis proves that dynamic data flow analysis is not necessary. No instrumentation is needed. Introduction char buf[100] = safe string ; In this case, data flow analysis determines that dynamic data flow analysis is necessary. Source code must be instrumented. Introduction recv(sock,, buf, 100, 0); buf2 = strdup(buf); Propagation buf2 = strdup(buf); Propagation printf(buf2); 2 Policy Violation printf(buf2); Policy Violation OWASP 17

Instrumentation for Dynamic Data Flow Analysis Introduction Program is augmented with calls to DDFA library to perform dynamic data flow analysis. recv(sock, buf, 100, 0); ddfa_insert(ltaint, buf, strlen(buf), LTAINT_TAINTED); Propagation buf takes on flow value Tainted, since comes from outside system buf2 = strdup(buf); ddfa_copy_flowval(ltaint, buf2, buf, strlen(buf2)); Policy Violation Copies flow value from buf to buf2 if ( (ddfa_check_flowval(ltaint, buf2, LTAINT_TAINTED)) && (! fsv_check(buf2)) ) { fsv_error(); } else { printf(buf2); } For this flow path, buf2 will be Tainted, but policy allows Fight Through capability using fsv_check() so error handler called only as last resort OWASP 18

Outline Introduction and Overview How DDFA Works Illustrative Example Scenarios Efficiency of DDFA Wrap Up OWASP 19

Example 1 - Format String Vulnerability Introduction Propagation Violation int sock; char buf[100]; sock = socket(af_inet, ); recv(sock, buf, 100, 0); buf2 = strdup(buf); printf(buf2); root# _ Hacker introduces mal-formed printf() format string via web DDFA marks data entering from the web as Tainted DDFA tracks the flow of this Tainted data throughout the execution Tainted string arrives at printf() statement DDFA flags a runtime violation, preventing the vulnerability from being exploited by the hacker OWASP 20

Example 1 - Format String Vulnerability What you can t see Static ti analysis dramatically prunes the amount of dynamic data flow tracking Pruning is enabled by the annotation-based compilation system This pruning requires precise pointer analysis OWASP 21

Pointer Analysis Pointer analysis: Tells the compiler which regions in memory pointers point to Pointer P i t analysis is fundamental to all static ti analyses, not just DDFA A difficult problem: Severe tradeoff between precision and scalability DDFA requires a fairly precise degree of precision (flow-sensitivity) OWASP 22

Alternative Scenario for Example 1 Security expert wants to fight through attacks rather than simply detect attacks Takes existing security policy Modifies policy to include call to new C code to sanitize Tainted data if (procedure printf(fmt, args) { on_entry { fmt --> format_string } error if (Taint: format_string could-be Tainted) Error! printf(sanitize(fmt), Tainted format args); string! } OWASP 23

Example 2 File Disclosure Vulnerability Introduction Hacker sends malformed finger packet to retrieve contents of a password file DDFA marks Trust of finger packet as Remote Propagation int sock; char buf[100]; sock = socket(af_inet, ); recv(sock, ( k buf, 100, 0); buf2 = strdup(buf); DDFA tracks the flow of this finger packet throughout the code Violation fd=fopen(buf2); /etc/passwd Data tagged as File originating from a Remote source arrives at a socket write() DDFA prevents vulnerability from being exploited OWASP 24

Example 2 File Disclosure Example What is interesting in this example Must track both Trustedness of data and Origin of data Two properties instead of one are defined in policy DDFA is able to enforce multiple l properties simultaneously OWASP 25

Example 3 Role Based Access Control Introduction Propagation Violation ac_level = authenticate(); launch(); safety_check(); Beetle Bailey logs on to Missile system to perform safety checks DDFA registers him to the system as grunt level DDFA tracks the flow of all Beetle s activities throughout the missile system application Beetle accidentally attempts to invoke launch() DDFA flags a runtime violation, preventing missile from being launched OWASP 26

Example 3 Role Based Access Control What s interesting in this example? New functionality added to the system after development Separation of concerns Software is difficult to build and maintain Software developer should focus on core functionality Security expert focuses on security (site-specific security) Compiler ensures that security code is correctly and thoroughly applied Separation of concerns simplifies each task OWASP 27

Outline Introduction and Overview How DDFA Works Illustrative Example Scenarios Efficiency of DDFA Wrap Up OWASP 28

Efficiency for Server Applications (FSV) Program Original DDFA Overhead pfinger 3.07s 3.19s 3.78% muh 11.23ms 11.23ms < 0.01% wu-ftp 2.745MB/s 2.742MB/s 0.10% bind 3.58ms 3.57ms < 0.01% apache 6.048MB/s 6.062MB/s < 0.01% 01% Average Increase 0.65% Compare with 80% - 35 overhead for previous state of the art in software-based approaches OWASP 29

Efficiency for Compute Bound Applications (FSV) Program Overhead gzip 51.35% vpr 0.44% mcf < 0.01% crafty 0.25% Average Increase 12.93% Synthetic vulnerabilities were inserted into programs Original programs contained no FS vulnerabilities; true overhead is 0% OWASP 30

Static Code Overhead (FSV) Program Original DDFA Overhead pfinger 49,655 49,655 0% muh 59,880 60,488 1.01% wu-ftp 205,487 207,997 1.22% bind 215,669 219,765 1.90% apache 552,114 554,514514 0.43% Average Increase 0.91% (Size in bytes) Table excludes other programs where static analysis proves that no instrumentation is needed OWASP 31

Outline Introduction and Overview How DDFA Works Illustrative Example Scenarios Efficiency of DDFA Wrap Up OWASP 32

Other Potential Uses of DDFA Fault Tolerance Computing Privacy Testing OWASP 33

Future Plans Retarget for popular open-source compiler infrastructure, t LLVM (Low-Level L Virtual Machine) Supports C, C++, Java on the way Support other languages, and possibly bytecode or binary as input OWASP 34

Questions OWASP 35

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback