Presentation is loading. Please wait.

Presentation is loading. Please wait.

Program Analysis for Security Suhabe Bugrara Stanford University.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Program Analysis for Security Suhabe Bugrara Stanford University."— Presentation transcript:

1 Program Analysis for Security Suhabe Bugrara Stanford University

2 Web Application Code 1. javax.sql.Connection con =...; 2. javax.servlet.http.HttpServletRequest request =...; 3. String username = request.getParameter(“username”); 4. String query = “SELECT * FROM Users “ + “ WHERE name = ‘” + username + ”’”; 5. con.execute(query);

3 Program Analyzers Code ReportTypeLine 1mem leak324 2buffer oflow4,353,245 3sql injection23,212 4stack oflow86,923 5dang ptr8,491 ……… 10,502info leak10,921 Program Analyzer Spec potentially reports many warnings may emit false alarms need to be able to analyze large code bases false alarm

4 Soundness, Completeness DimensionDefinition SoundnessIf the program contains an error, the analysis will report a warning. CompletenessIf the analysis reports an error, the program will contain an error.

5 CompleteIncomplete Sound Unsound Reports all errors Reports no false alarms Reports all errors May report false alarms UndecidableDecidable May not report all errors May report false alarms Decidable May not report all errors Reports no false alarms

6 Entry 1 23 4 Software Exit Behaviors Entry 1 2 4 Exit 124124134 124134 123124134 124123134 123123134 124124134... 124134 Manual testing only examines small subset of behaviors 6

7 Software... Behaviors Sound Over-approximation of Behaviors False Alarm Reported Error approximation is too coarse… …yields too many false alarms Traditional Static Analysis Modules

8 entry X  0 Is Y = 0 ? X  X + 1X  X - 1 Is Y = 0 ? Is X < 0 ?exit crash yes no yes no yesno Does this program ever crash?

9 entry X  0 Is Y = 0 ? X  X + 1 X  X - 1 Is Y = 0 ? Is X < 0 ? exit crash yes no yes no yesno infeasible path! … program will never crash Does this program ever crash?

10 entry X  0 Is Y = 0 ? X  X + 1X  X - 1 Is Y = 0 ? Is X < 0 ?exit crash yes no yes no yesno X = 0 X = 1 X = 2 X = 3 non-termination! … therefore, need to approximate Try analyzing without approximating…

11 X  X + 1 f d in d out d out = f(d in ) X = 0 X = 1 dataflow elements transfer function dataflow equation

12 X  X + 1 f1 d in1 d out1 = f 1 (d in1 ) Is Y = 0 ? f2 d out2 d out1 d in2 d out1 = d in2 d out2 = f 2 (d in2 ) X = 0 X = 1

13 d out1 = f 1 (d in1 ) d join = d out1 ⊔ d out2 d out2 = f 2 (d in2 ) f1f1 f2f2 f3f3 d out1 d in1 d in2 d out2 d join d in3 d out3 d join = d in3 d out3 = f 3 (d in3 ) least upper bound operator What is the space of dataflow elements,  ? What is the least upper bound operator, ⊔ ?

14 -2 0 1 2 … … { a, b, c } { a, b } { a, c } { b, c } { b }{ c }{ a } { } zero posneg   012-2……   … … X = 2 X = 1 X = 0 X = -1 X = -2 X = T X = posX = 0X = neg X =  x y means x  y x ⊔ y = max(x, y)  = ℤ ? partially ordered set

15 entry X  0 Is Y = 0 ? X  X + 1X  X - 1 Is Y = 0 ? Is X < 0 ?exit crash yes no yes no yesno X = 0 X = posX = T X = negX = 0X = T Try analyzing with “signs” approximation… terminates... … but reports false alarm … therefore, need more precision lost precision X = T

16 X = posX = 0X = neg X =  X  negX  pos true Y = 0 Y  0 false X = T X = posX = 0X = neg X =  signs lattice Boolean formula lattice refined signs lattice

17 entry X  0 Is Y = 0 ? X  X + 1X  X - 1 Is Y = 0 ? Is X < 0 ?exit crash yes no yes no yesno X = 0trueX = 0trueX = posY=0X = neg Y0Y0 X = posY=0 X = neg Y0Y0 X = posY=0 X = posY=0X = neg Y0Y0 X = 0true Try analyzing with “path-sensitive signs” approximation… terminates... … no false alarm … soundly proved never crashes no precision loss refinement

18 Tainted Object Propagation String username = req.getParameter(“username”); StringBuffer buf = new StringBuffer(); buf.append(“SELECT * FROM Users “); buf.append(“WHERE name = ‘”); buf.append(username); buf.append(“’”); String query = buf.toString(); con.execute(query); taint source derivations taint sink

19 Tainted Object Propagation TermDescriptorExample Source ObjectMethodHttpServletRequest.getParameter(String) Parameterreturn Access path  Sink ObjectMethodConnection.execute(String) Parameterfirst argument Access path  DerivationMethodStringBuffer.append(String) From Parameterfirst argument From Access Path  To Parameterthis To Access Path 

20 Security Violation o1o1 o2o2... okok taint source taint sink derived(o 1, o 2 )

21 Complication of Aliasing String username = req.getParameter(“username”); StringBuffer buf1 = new StringBuffer(); StringBuffer buf2 = buf1; buf1.append(username); String query = buf2.toString(); con.execute(query); analyzer must know about aliasing relationship between buf1 and buf2 to find vulnerability  o. points-to( buf1,o)  points-to( buf2,o) No security violation found!

22 Statements StatementCodeDescription object creationo i : T v = new T(); Creates a new heap object o i of type T, and makes variable v point to o i copy v = w; Makes v point to whatever heap object w currently points to field store v.f = w; Let v point to heap object o 1. Let w point to heap object o 2. Makes the field f in o 1 now point to o 2. field load v = w.f; Let w point to heap object o 1. Makes v point to whatever the field f in o 1 points to.

23 Pointer Analysis PredicateDescription points-to ( v,o)variable v can point to heap object o heap-points-to (o 1, f,o 2 )field f of heap object o 1 can point to heap object o 2 PredicateRule points-to ( v, o 1 )“o 1 : T v = new T();” points-to ( v, o 1 )“ v = w;” points-to ( w, o 1 ) heap-points-to (o 1, f,o 2 ) “v.f = w; ” points-to ( v, o 1 ) points-to ( w, o 2 ) points-to ( v, o 2 ) “v = w.f; ” points-to ( w, o 2 ) heap-points-to (o 1, f,o 2 )

24 Statementsql-injection (o src, o sink ) 1: user = req.getParam(“user”); ret (i 1, v 1 ) call (i 1,” HttpServletRequest.getParameter(String) ”) points-to (v 1, o src ) 2: buf.append(user); actual (i 2, v 2, 0) actual (i 2, v 3, 1) call (i 2, “ StringBuffer.append(String) ”) points-to (v 2, o temp ) points-to (v 3, o src ) 3: query = buf.toString(); actual (i 3, v 4, 0) ret (i 3, v 5 ) call (i 3, “ StringBuffer.toString(String) ”) points-to (v 4, o temp ) points-to (v 5, o sink ) 4: con.execute(query); actual (i 4, v 6, 1) call (i 4, “ Connection.execute(String) ”) points-to (v 6, o sink )

25 Context Sensitivity String passedUrl = request.getParameter(“...”); DataSource ds1 = new DataSource(passedUrl); String localUrl = “http://localhost/”; DataSource ds2 = new DataSource(localUrl); String s1 = ds1.getUrl(); String s2 = ds2.getUrl(); StringBuffer buf1 = new StringBuffer(); buf1.append(s2); String query = buf1.toString(); Connection con =...; con.execute(query); class DataSource { private String url; public DataSource(String url) { this.url = url; } String getUrl() { return this.url; } false alarm!

26 CompleteIncomplete Sound Unsound Reports all errors Reports no false alarms Reports all errors May report false alarms UndecidableDecidable May not report all errors May report false alarms Decidable May not report all errors Reports no false alarms

27 int bad_abs (int x) { if (x < 0) return –x; if (x == 12345678) return –x; return x; } Constraint (x >= INT_MIN) && (x <= INT_MAX) && (x < 0) && (ret = -x) Solution x = -1

28 int bad_abs (int x) { if (x < 0) return –x; if (x == 12345678) return –x; return x; } Constraint (x >= INT_MIN) && (x = 0) && (x = 12345678) && (ret = -x) Solution x = 12345678

29 int bad_abs (int x) { if (x < 0) return –x; if (x == 12345678) return –x; return x; } Constraint (x >= INT_MIN) && (x = 0) && (x != 12345678) && (ret = x) Solution x = 4

30 int bad_abs (int x) { if (x < 0) return –x; if (x == 12345678) return –x; return x; } KLEE automatically generated test cases for each path… x = -1 x = 12345678 x = 4

31 1: int symbolic_bad_abs (int x) { 2:add_constraints(x >= INT_MIN, x <= INT_MAX); 3: ret = new symbol; 4: 5:if (fork() == child) { 6:add_constraints(x < 0, ret = -x); 7:return ret; 8: //(x >= INT_MIN) && (x <= INT_MAX) && (x < 0) && (ret = -x) 9:} else 10:add_constraints(x >= 0); 11: 12:if (fork() == child) { 13:add_constraints(x = 12345678, ret = -x); 14:return ret; 15: //(x >= INT_MIN) && (x = 0) && (x = 12345678) 16: //&& (ret = -x) 17:} else 18:add_constraints(x != 12345678); 19: 20:add_constraints(ret = x); 21:return ret; 22: //(x >= INT_MIN) && (x = 0) && (x != 12345678) 23: && (ret = x) 24:}

32 1: int main (void) { 2:unsigned i, t, a[4] = { 1, 3, 5, 2}; 3:make_symbolic(&i); 4: 5:if (i >= 4) 6:exit(0); 7: 8:char *p = (char *) a + i * 4; 9:*p = *p – 1; 10: 11:t = a[*p]; 12: 13:t = t / a[i]; 14: 15:if (t == 2) 16: assert (i == 1); 17:else 18: assert (i == 3); 19: } (i >= 4) a[*p] a[i] (t == 2) (i == 1) (i == 3)

33 Questions

Download ppt "Program Analysis for Security Suhabe Bugrara Stanford University."

Similar presentations

Runtime Prevention & Recovery Protect existing applications Advantages: Prevents vulnerabilities from doing harm Safe mode for Web application execution.

Runtime Prevention & Recovery Protect existing applications Advantages: Prevents vulnerabilities from doing harm Safe mode for Web application execution.
Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Abstraction of Source Code (from Bandera lectures and talks)

Abstraction of Source Code (from Bandera lectures and talks)
Finding bugs: Analysis Techniques & Tools Symbolic Execution & Constraint Solving CS161 Computer Security Cho, Chia Yuan.

Finding bugs: Analysis Techniques & Tools Symbolic Execution & Constraint Solving CS161 Computer Security Cho, Chia Yuan.
R4 Dynamically loading processes. Overview R4 is closely related to R3, much of what you have written for R3 applies to R4 In R3, we executed procedures.

R4 Dynamically loading processes. Overview R4 is closely related to R3, much of what you have written for R3 applies to R4 In R3, we executed procedures.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Finding bugs: Analysis Techniques & Tools Comparison of Program Analysis Techniques CS161 Computer Security Cho, Chia Yuan.

Finding bugs: Analysis Techniques & Tools Comparison of Program Analysis Techniques CS161 Computer Security Cho, Chia Yuan.
Analysis of programs with pointers. Simple example What are the dependences in this program? Problem: just looking at variable names will not give you.

Analysis of programs with pointers. Simple example What are the dependences in this program? Problem: just looking at variable names will not give you.
Data-Flow Analysis Framework Domain – What kind of solution is the analysis looking for? Ex. Variables have not yet been defined – Algorithm assigns a.

Data-Flow Analysis Framework Domain – What kind of solution is the analysis looking for? Ex. Variables have not yet been defined – Algorithm assigns a.
SPLINT STATIC CHECKING TOOL Sripriya Subramanian 10/29/2002.

SPLINT STATIC CHECKING TOOL Sripriya Subramanian 10/29/2002.
Composition CMSC 202. Code Reuse Effective software development relies on reusing existing code. Code reuse must be more than just copying code and changing.

Composition CMSC 202. Code Reuse Effective software development relies on reusing existing code. Code reuse must be more than just copying code and changing.
Program Analysis for Security

Program Analysis for Security
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
Exception Handling Introduction Exception handling is a mechanism to handle exceptions. Exceptions are error like situations. It is difficult to decide.

Exception Handling Introduction Exception handling is a mechanism to handle exceptions. Exceptions are error like situations. It is difficult to decide.
Specification Inference for Explicit Information Flow Problems Benjamin Livshits, Aditya V. Nori, Sriram K. Rajamani Microsoft Research Anindya Banerjee.

Specification Inference for Explicit Information Flow Problems Benjamin Livshits, Aditya V. Nori, Sriram K. Rajamani Microsoft Research Anindya Banerjee.
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley.

Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley.
Chapter 9 Subprogram Control Consider program as a tree- –Each parent calls (transfers control to) child –Parent resumes when child completes –Copy rule.

Chapter 9 Subprogram Control Consider program as a tree- –Each parent calls (transfers control to) child –Parent resumes when child completes –Copy rule.
Program Analysis for Web Application Security Presented by Justin Samuel For UW CSE 504, Spring ‘10 Instructor: Ben Livshits.

Program Analysis for Web Application Security Presented by Justin Samuel For UW CSE 504, Spring ‘10 Instructor: Ben Livshits.
Program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc06.html.

Program analysis Mooly Sagiv html://

Similar presentations

Ads by Google