Towards automated detection of buffer overrun vulnerabilities: a first step. NDSS 2000 Feb 3, 2000

Similar documents
Language Security. Lecture 40

One-Slide Summary. Lecture Outline. Language Security

Foundations of Network and Computer Security

Static Vulnerability Analysis

Security Analyses For The Lazy Superhero

Foundations of Network and Computer Security

Static Analysis in Practice

Static Analysis in Practice

Software Security: Vulnerability Analysis

Finding User/Kernel Pointer Bugs with Type Inference p.1

Today Program Analysis for finding bugs, especially security bugs problem specification motivation approaches remaining issues

Memory Safety (cont d) Software Security

Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08

Lecture 4 September Required reading materials for this class

Differential program verification

5) Attacker causes damage Different to gaining control. For example, the attacker might quit after gaining control.

CSE 565 Computer Security Fall 2018

Statically Detecting Likely Buffer Overflow Vulnerabilities

Information Flow Analysis and Type Systems for Secure C Language (VITC Project) Jun FURUSE. The University of Tokyo

Lecture 9 Dynamic Compilation

CCured. One-Slide Summary. Lecture Outline. Type-Safe Retrofitting of C Programs

System Security Class Notes 09/23/2013

Secure Software Development: Theory and Practice

CSE 565 Computer Security Fall 2018

CNIT 127: Exploit Development. Ch 18: Source Code Auditing. Updated

Splint Pre-History. Security Flaws. (A Somewhat Self-Indulgent) Splint Retrospective. (Almost) Everyone Hates Specifications.

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall 2011.

Buffer overflow background

Static Program Analysis Part 1 the TIP language

Hacking in C. Pointers. Radboud University, Nijmegen, The Netherlands. Spring 2019

CS 161 Computer Security

Secure Programming. An introduction to Splint. Informatics and Mathematical Modelling Technical University of Denmark E

Lecture 8 Data Structures

Stephen McLaughlin. From Uncertainty to Belief: Inferring the Specification Within

Eraser: Dynamic Data Race Detection

Lecture 05 Integer overflow. Stephen Checkoway University of Illinois at Chicago

Real-World Buffer Overflow Protection in User & Kernel Space

Lecture 9 Assertions and Error Handling CS240

A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities

A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities

Using Static Code Analysis to Find Bugs Before They Become Failures

Black Hat Webcast Series. C/C++ AppSec in 2014

Lecture 27. Pros and Cons of Pointers. Basics Design Options Pointer Analysis Algorithms Pointer Analysis Using BDDs Probabilistic Pointer Analysis

Lecture 14 Pointer Analysis

Lecture 20 Pointer Analysis

System Administration and Network Security

MEMORY SAFETY ATTACKS & DEFENSES

Heap Arrays and Linked Lists. Steven R. Bagley

3/7/2018. Sometimes, Knowing Which Thing is Enough. ECE 220: Computer Systems & Programming. Often Want to Group Data Together Conceptually

Analysis of Pointers and Structures

Bringing Android to Secure SDRs

Advanced Systems Security: Symbolic Execution

Securing Software Applications Using Dynamic Dataflow Analysis. OWASP June 16, The OWASP Foundation

Static verification of program running time

Goal. Overflow Checking in Firefox. Sixgill. Sixgill (cont) Verifier Design Questions. Sixgill: Properties 4/8/2010

Thwarting unknown bugs: hardening features in the mainline Linux kernel

Decoupling Dynamic Information Flow Tracking with a Dedicated Coprocessor

Type Checking and Type Equality

Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of bounds-checking HUGE PROBLEM

CSCE 548 Building Secure Software Integers & Integer-related Attacks & Format String Attacks. Professor Lisa Luo Spring 2018

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

Simple Overflow. #include <stdio.h> int main(void){ unsigned int num = 0xffffffff;

Buffer Overflows Defending against arbitrary code insertion and execution

Static Analysis: Overview, Syntactic Analysis and Abstract Interpretation TDDC90: Software Security

Pointers and Memory 1

Automatic Software Verification

Buffer-Overflow Attacks on the Stack

Software Security: Misc and Principles

Tracking Pointers with Path and Context Sensitivity for Bug Detection in C Programs. {livshits,

CSE 374 Programming Concepts & Tools

Heap Arrays. Steven R. Bagley

ENCM 339 Fall 2017 Tutorial for Week 8

CSSV: Towards a Realistic Tool for Statically Detecting All Buffer Overflows in C

CSE 303: Concepts and Tools for Software Development

Undefined Behaviour in C

Buffer Overrun Detection using Linear Programming and Static Analysis

1.1 For Fun and Profit. 1.2 Common Techniques. My Preferred Techniques

Improving Program Testing and Understanding via Symbolic Execution

CSC 252: Computer Organization Spring 2018: Lecture 9

The Importance of Benchmarks for Tools that Find or Prevent Buffer Overflows

Programming with MPI

Announcements. Working on requirements this week Work on design, implementation. Types. Lecture 17 CS 169. Outline. Java Types

C Bounds Non-Checking. Code Red. Reasons Not to Use C. Good Reasons to Use C. So, why would anyone use C today? Lecture 10: *&!

Outline. Classic races: files in /tmp. Race conditions. TOCTTOU example. TOCTTOU gaps. Vulnerabilities in OS interaction

Software Security: Buffer Overflow Attacks (continued)

Heartbleed Bug. Anthony Postiglione. Department of Electrical & Computer Engineering Missouri University of Science and Technology

Module: Future of Secure Programming

Roadmap: Security in the software lifecycle. Memory corruption vulnerabilities

Vector and Free Store (Vectors and Arrays)

RCU. ò Walk through two system calls in some detail. ò Open and read. ò Too much code to cover all FS system calls. ò 3 Cases for a dentry:

CS527 Software Security

Memory Safety for Embedded Devices with nescheck

Data/Thread Level Speculation (TLS) in the Stanford Hydra Chip Multiprocessor (CMP)

VFS, Continued. Don Porter CSE 506

Computer Systems CEN591(502) Fall 2011

12/11/ The TOY Machine II. Data Representation. What We've Learned About TOY. What We Do Today. Adding and Subtracting Binary Numbers

Moving to Visual Studio 2005

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

CS 161 Computer Security

CMPSC 497 Other Memory Vulnerabilities

Transcription:

Towards automated detection of buffer overrun vulnerabilities: a first step David Wagner Eric A. Brewer Jeffrey S. Foster Alexander Aiken NDSS 2000 Feb 3, 2000 1

Introduction The state of computer security today is depressing ::: and most holes arise from simple programming errors in legacy C code Buffer overruns are one of the worst offenders A common coding error with uncommonly-devastating effects Goal: eliminate buffer overruns from security-critical source code. 2

A puzzle: spot the bug Here s sendmail-8.9.3 source; can you spot the coding error? 3

Organization Introduction Background and motivation Techniques for automated detection of buffer overruns Evaluation of our prototype Summing up 4

Review An example code fragment vulnerable to buffer overruns: void foo(void) char buf[80]; strcpy(buf, gethostbyaddr(...)->hp_hname); } Exploits are possible by writing past the end of buf. Typically allows attacker to execute arbitrary code Hacker tools are very good; even an off-by-one error can be exploited 5

Why are buffer overruns important? 35 Total vulnerabilities Buffer overrun vulnerabilities 100 Percentage of vulneabilities that are buffer overruns 30 80 25 20 60 15 40 10 20 5 0 1988 1990 1992 1994 1996 1998 2000 Absolute number of vulnerabilities reported 0 1988 1990 1992 1994 1996 1998 2000 Relative frequency of buffer overruns Overruns account for 40% 50% of recent holes! Compare: this is 2 what can be blamed on poor crypto 6 Upwards trend due to development of hacker tools

Organization Introduction Background and motivation Techniques for automated detection of buffer overruns Evaluation of our prototype Summing up 7

Overview Our approach: A lint-like tool for analyzing C source code Finds potential buffer overruns But might issue false alarms, and might miss some bugs no guarantees! Key technique: whole-program static analysis Borrow ideas from program analysis and theory literature (Avoid unnecessary innovation.) 8

Why static analysis? How do you look for potential vulnerabilities? Runtime testing? (i.e., dynamic checking) + Some tools already exist [fuzz,purify, ::: ] But hard to generate test cases, and hard to know when you re done Compile time warnings? (i.e., static checking) + Opportunity to find and eliminate holes proactively But implementation is a challenge ) Static analysis is potentially very attractive, but how to do it? 9

Our tool Approach: Simplify! e.g.: flow-insensitive analysis ) Trade off precision for ease of prototyping and scalability. Architecture: Constraint-based analysis Two phases: constraint generation, constraint solving 10

Notation Each dynamic quantity of interest gets a set-variable. If s is a string variable, let len(s) (resp., alloc(s)) denote the set of possible lengths (resp., number of bytes allocated) for s during a run of the program. We find a conservative approximation for len(s) and alloc(s). Then, checking the safety condition len(s)» alloc(s) is easy. 11

Constraints Let [m; n] denote the range fm; m + 1;::: ;ng. Constraints take the form, e.g., X Y, where X; Y are range-variables. For example, strcpy(dst,src); ) len(src) len(dst) 12

buf[128]; char (fgets(buf, 128, stdin)) while (!strchr(buf, ' n')) if error[128]; char }... "Line too long: %s n", buf); sprintf(error, die(error); Constraint generation Constraint generation is best described by example So here is a code snippet to illustrate the analysis: } 13

(!strchr(buf, ' n')) if error[128]; char }... "Line too long: %s n", buf); sprintf(error, + 16 len(error) len(buf) The example, with annotations Original source code The constraints we generate char buf[128]; [128; 128] alloc(buf) while (fgets(buf, 128, stdin)) [1; 128] len(buf) [128; 128] alloc(error) die(error); } Notice how we focus on primitive string operations? We largely ignore pointer ops; we treat strings as abstract datatypes (We don t always catch ' 0' missing terminators or unsafe pointer dereferences, but in principle we could, with more effort) 14

The constraint solver Uses graph-based algorithms Fast, precise, and scalable ) Runs in linear time in practice And that s all I ll say. See the paper for more. 15

Organization Introduction Background and motivation Techniques for automated detection of buffer overruns Evaluation of our prototype Summing up 16

Results We implemented the analysis We used the tool to find new vulnerabilities in real programs Linux nettools: 7k lines, previously hand-audited Found several new holes, exploitable from remote hosts Latest sendmail: 32k lines, previously hand-audited Found several new buffer overruns, most likely not exploitable Re-discovered old serious holes in e.g. sendmail-8.7.5, popd, ::: (Could have prevented some widespread attacks, if tool had been available) Just a prototype, many rough edges, but it s already useful 17

Lots of false alarms: Limitations Example: 44 warnings for sendmail, only 4 real coding errors Mostly because we traded precision for simplicity; see next slide. But this still compares quite favorably to the alternatives grep Comparison: shows 700 calls to unsafe string ops, so we reduce the manual auditing effort 15 by grep over A few false negatives: But false negatives appear to be relatively rare. Of ( the 10) bugs in sendmail 8.7.5 that have been fixed, the tool missed only one 18

Possibilities for future improvements Classifying the cause of false alarms in sendmail: Improved analysis False alarms eliminated flow-sensitive 47.5% flow- and context-sensitive, with pointer analysis 95% and inter-variable invariant inference (flow-sens. = models control flow; context-sens. = doesn t merge function call sites) Might do 20 better, using only known techniques? ) Know how to build a much better second system. 19

Solution to the puzzle Shows an overrun. Red spots = lines of code you must understand to find it. Bug has been there for > 3 years, and has survived several hand audits. 20

Summary A successful research prototype Already finding new vulnerabilities in real programs But lots of room for improvement A promising new methodology: static analysis for code auditing Key advantages: proactive security for legacy code; possibility of compensating for language deficiencies 21

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback