SUDS: An Infrastructure for Creating Bug Detection Tools


SUDS: An Infrastructure for Creating Bug Detection Tools Eric Larson October 1, 2007 Seattle University

What is SUDS?
- SUDS is an infrastructure to facilitate the construction of software bug detection tools.
- SUDS is primarily used to create dynamic bug detection tools.
- It contains static analysis phases used to improve / focus dynamic bug detection.
- At the heart of SUDS is a C to (instrumented) C converter.

Overview of SUDS
Program (preprocessed C source code) -> Parse -> AST -> Simplify -> Simplified AST -> Analyze -> Analysis Results
Simplified AST + Analysis Results + Instrumentation Model -> Instrument -> Instrumented Source Code -> Link -> Instrumented Executable

Static Analysis
- Standard compiler analyses
  - Control flow graph / call graph
  - Data flow analysis (mostly intraprocedural)
  - Flow-sensitive pointer analysis (Hind et al.)
- Tainted propagation
  - Propagates the tainted attribute of variables (forward)
  - User can modify the infrastructure to change what "tainted" means
- Program slicing
  - Propagates interesting uses backwards
  - User can modify the slicing criterion (can be all statements that have a given property or characteristic)
  - Context-insensitive
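As an added example (not SUDS code), a toy version of the two analyses on this slide, forward tainted propagation and backward slicing with "every array reference" as the slicing criterion, run over a constructed six-statement straight-line program; the statement encoding, variable names and function names are assumptions of this example.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed toy of the two SUDS analyses on a straight-line three-address
   program (not SUDS code). Variables are single letters; each statement defines
   at most one variable from the variables it uses. Sample program (constructed):
   0: a = input()  1: b = 5  2: c = a + b  3: d = b * 2  4: e = c  5: buf[e] = 0 */
#define NSTMT 6
#define NVAR 26
struct stmt { char def; const char *use; bool reads_input; bool array_ref; };
static const struct stmt prog[NSTMT] = {
    {'a', "",   true,  false}, {'b', "",  false, false}, {'c', "ab", false, false},
    {'d', "b",  false, false}, {'e', "c", false, false}, {0,   "e",  false, true},
};

/* Forward tainted propagation: a definition is tainted if it reads input or uses
   a tainted variable. Straight-line code needs one forward pass, no fixpoint. */
void taint_forward(bool tainted[NVAR]) {
    memset(tainted, 0, NVAR * sizeof tainted[0]);
    for (int i = 0; i < NSTMT; i++) {
        if (!prog[i].def) continue;
        bool t = prog[i].reads_input;
        for (const char *u = prog[i].use; *u; u++) t = t || tainted[*u - 'a'];
        tainted[prog[i].def - 'a'] = t;
    }
}

/* Backward slicing with criterion "every array reference": walking backwards,
   keep a statement if it is an array reference or defines a variable the kept
   statements use; what the kept statement uses becomes needed in turn. */
void slice_backward(bool in_slice[NSTMT]) {
    bool needed[NVAR] = { false };
    for (int i = NSTMT - 1; i >= 0; i--) {
        in_slice[i] = prog[i].array_ref || (prog[i].def && needed[prog[i].def - 'a']);
        if (in_slice[i])
            for (const char *u = prog[i].use; *u; u++) needed[*u - 'a'] = true;
    }
}

/* Only integers that are both tainted and in the slice get instrumented at run
   time: here a, c and e; b is in the slice but untainted, d is neither. */
bool should_instrument(char var) {
    bool tainted[NVAR], in_slice[NSTMT];
    taint_forward(tainted);
    slice_backward(in_slice);
    for (int i = 0; i < NSTMT; i++)
        if (prog[i].def == var && in_slice[i]) return tainted[var - 'a'];
    return false;
}
```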

Instrumentation
- Direct SUDS where to add instrumentation.
  - Add instrumentation based on statement, expression, or event.
  - Support functions allow users to easily pass parameters into the instrumentation functions.
- Write the instrumentation routines.
  - Can use the provided state table: allows the instrumented program to keep track of additional state while the program is running.
  - Can take advantage of results from the static analysis phases.

Example of how SUDS is used
Goal: detect buffer overflows for array references that use data that came from input.
- Tainted analysis: all input data is tainted.
- Program slicing: all data that can lead to an array reference is in the slice.
- Instrumentation:
  - Track all arrays and their sizes.
  - Track pointers to arrays.
  - Track integers that are tainted and in the slice.
  - At array references, check for bugs.
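An added illustration (not SUDS's own code or converter output) of what the instrumented C for this example could look like: a state table records tracked arrays and their sizes, and a check runs at each array reference whose index is tainted and in the slice. The hook names suds_track_array and suds_check_ref, the explicit idx_tainted flag and the sample lookup function are assumptions of this example; whether idx is tainted and in the slice is taken as already decided by the static phases.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed illustration of the hooks a SUDS-style C-to-C converter inserts
   (not SUDS's own code): a state table records each tracked array's base and
   element count, and array references with tainted indices are checked. */
#define MAX_TRACKED 8
struct tracked_array { const void *base; size_t count; };
static struct tracked_array g_arrays[MAX_TRACKED];
static size_t g_num_arrays, g_bug_count;

/* Hook inserted at an array declaration: record (or refresh) its base and size. */
static void suds_track_array(const void *base, size_t count) {
    for (size_t i = 0; i < g_num_arrays; i++)
        if (g_arrays[i].base == base) { g_arrays[i].count = count; return; }
    if (g_num_arrays < MAX_TRACKED)
        g_arrays[g_num_arrays++] = (struct tracked_array){ base, count };
}

/* Hook inserted at an array reference: only indices that are tainted (and so in
   the slice) are checked. Returns 1 if in bounds, 0 if a bug is reported. */
static int suds_check_ref(const void *base, long index, int index_tainted) {
    if (!index_tainted) return 1;
    for (size_t i = 0; i < g_num_arrays; i++) {
        if (g_arrays[i].base != base) continue;
        if (index < 0 || (size_t)index >= g_arrays[i].count) {
            g_bug_count++;
            fprintf(stderr, "BUG: tainted index %ld outside [0, %zu)\n",
                    index, g_arrays[i].count);
            return 0;
        }
        return 1;
    }
    return 1;   /* base not tracked: nothing to compare against */
}

/* The lookup as the converter would emit it: original code plus the two hooks.
   `input` stands for data read from the user, so idx carries the tainted attribute. */
int lookup_instrumented(const char *input) {
    int table[4] = { 10, 20, 30, 40 };
    suds_track_array(table, 4);                     /* inserted: array and size */
    int idx = atoi(input);                          /* tainted: derived from input */
    int idx_tainted = 1;                            /* taint state from the tool */
    if (!suds_check_ref(table, idx, idx_tainted))   /* inserted: check at reference */
        return -1;
    return table[idx];
}

size_t suds_bugs_found(void) { return g_bug_count; }
```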

Results: Finding Bugs
Columns: Program | SUDS (Bugs) | SPLINT (Same Bugs, New Bugs) | VALGRIND (Same Bugs, New Bugs). Most cell values are absent from the transcript; only the values shown survived.

anagram   2
ft
ks        3
yacr2
betaftpd  1
gaim
ghttpd
openssh   didn't work
thttpd

Results: Performance
Ratio is the tool's time relative to the baseline; Perf. Improve % is the reduction from SUDS Unoptimized to SUDS Optimized.

Program  | Base line | Valgrind (Time, Ratio) | SUDS Unoptimized (Time, Ratio) | SUDS Optimized (Time, Ratio) | Perf. Improve %
anagram  | 0.06 | 1.88, 31.33  | 3.15, 52.50   | 1.32, 22.00     | 58.1%
ft       | 0.18 | 5.92, 32.89  | 5.32, 29.56   | 0.88, 4.89      | 83.5%
ks       | 0.05 | 4.16, 83.20  | 3.96, 79.20   | 0.45, 9.00      | 88.6%
yacr2    | 0.12 | 3.83, 31.92  | 22.63, 188.58 | 11.87, 98.92    | 47.5%
betaftpd | 0.07 | 6.43 (second value missing) | 0.53, 7.57 | 0.27, 3.86 | 49.1%
ghttpd   | 0.52 | 35.60, 68.46 | 1.08, 2.08    | 0.69, 1.33      | 36.1%
openssh  | 0.70 | didn't work  | 1.00, 1.43    | 0.91, 1.30      | 9.0%
thttpd   | 0.15 | 0.29, 1.93   | 2.57, 17.13   | 1.78, (missing) | 30.7%

Future Work
- Add phase(s) that attempt to detect bugs using static analysis.
  - Certain types of bugs can use data flow analysis but need to prune false alarms.
- Develop static analysis phases that improve the quality of dynamic bug detection, not just the performance.

Questions