Statically Detecting Likely Buffer Overflow Vulnerabilities David Larochelle David Evans University of Virginia Department of Computer Science Supported.

Slides:



Advertisements
Similar presentations
Advanced programming tools at Microsoft
Advertisements

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 8.
Smashing the Stack for Fun and Profit
Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.
SPLINT STATIC CHECKING TOOL Sripriya Subramanian 10/29/2002.
1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.
K. Salah1 Buffer Overflow The crown jewel of attacks.
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley.
4/30/2008Prof. Hilfinger CS 164 Lecture 391 Language Security Lecture 39 (from notes by G. Necula)
Visualizing Type Qualifier Inference with Eclipse David Greenfieldboyce Jeffrey S. Foster University of Maryland.
Overview of program analysis Mooly Sagiv html://
May 9, 2001OSQ Retreat 1 Run-Time Type Checking for Pointers and Arrays in C Wes Weimer, George Necula Scott McPeak, S.P. Rahul, Raymond To.
Testing Static Analysis Tools using Exploitable Buffer Overflows from Open Source Code Zitser, Lippmann & Leek Presented by: José Troche.
Control hijacking attacks Attacker’s goal: – Take over target machine (e.g. web server) Execute arbitrary code on target by hijacking application control.
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.
Static Analysis for Security Amir Bazine Per Rehnberg.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.
Chapter 6 Buffer Overflow. Buffer Overflow occurs when the program overwrites data outside the bounds of allocated memory It was one of the first exploited.
Natalia Yastrebova What is Coverity? Each developer should answer to some very simple, yet difficult to answer questions: How do I find new.
BLENDED ATTACKS EXPLOITS, VULNERABILITIES AND BUFFER-OVERFLOW TECHNIQUES IN COMPUTER VIRUSES By: Eric Chien and Peter Szor Presented by: Jesus Morales.
CSC-682 Cryptography & Computer Security Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Pompi Rotaru Based on an article.
Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer.
Extended Static Checking for Java  ESC/Java finds common errors in Java programs: null dereferences, array index bounds errors, type cast errors, race.
Embedded Software Programming and Implementation Guidelines Software Engineering for Embedded System Ch.7 Robert Oshana and Mark Kraeling Presented by.
Advanced Computer Architecture Lab University of Michigan USENIX Security ’03 Slide 1 High Coverage Detection of Input-Related Security Faults Eric Larson.
David Evans These slides: Introduction to Static Analysis.
David Evans CS551/651: Dependable Computing University of Virginia Computer Science Static Analysis.
David Evans The Bugs and the Bees Research in Programming Languages and Security University of.
Buffer Overflow Attack-proofing by Transforming Code Binary Gopal Gupta Parag Doshi, R. Reghuramalingam The University of Texas at Dallas 11/15/2004.
Overflow Examples 01/13/2012. ACKNOWLEDGEMENTS These slides where compiled from the Malware and Software Vulnerabilities class taught by Dr Cliff Zou.
David Evans The Bugs and the Bees Research in Swarm Programming and Security University of Virginia.
David Evans The Bugs and the Bees Research in Programming Languages and Security University of.
Static Program Analysis of Embedded Software Ramakrishnan Venkitaraman Graduate Student, Computer Science Advisor: Dr. Gopal Gupta
Buffer Overflow Proofing of Code Binaries By Ramya Reguramalingam Graduate Student, Computer Science Advisor: Dr. Gopal Gupta.
1 CSCD 326 Data Structures I Software Design. 2 The Software Life Cycle 1. Specification 2. Design 3. Risk Analysis 4. Verification 5. Coding 6. Testing.
Buffer Overflow Attack Proofing of Code Binary Gopal Gupta, Parag Doshi, R. Reghuramalingam, Doug Harris The University of Texas at Dallas.
1 Splint: A Static Memory Leakage tool Presented By: Krishna Balasubramanian.
Statically Detecting Likely Buffer Overflow Vulnerabilities David Larochelle and David Evans USENIX'01 David Larochelle and David Evans IEEE Software Jan/Feb.
A Tool for Pro-active Defense Against the Buffer Overrun Attack D. Bruschi, E. Rosti, R. Banfi Presented By: Warshavsky Alex.
Protecting C Programs from Attacks via Invalid Pointer Dereferences Suan Hsi Yong, Susan Horwitz University of Wisconsin – Madison.
MIMOS Berhad. All Rights Reserved. Nurul Haszeli Ahmad PM Dr Syed Ahmad Aljunid Dr. Jamalul-Lail Ab Manan Preventing Exploitation on.
S ECURE P ROGRAMMING 6. B UFFER O VERFLOW (S TRINGS AND I NTEGERS ) P ART 2 Chih Hung Wang Reference: 1. B. Chess and J. West, Secure Programming with.
Buffer Overflow Attack- proofing of Code Binaries Ramya Reguramalingam Gopal Gupta Gopal Gupta Department of Computer Science University of Texas at Dallas.
David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 9: Designing Exceptionally.
Introduction to Software Analysis CS Why Take This Course? Learn methods to improve software quality – reliability, security, performance, etc.
/ PSWLAB Evidence-Based Analysis and Inferring Preconditions for Bug Detection By D. Brand, M. Buss, V. C. Sreedhar published in ICSM 2007.
Chapter 4 Static Analysis. Summary (1) Building a model of the program:  Lexical analysis  Parsing  Abstract syntax  Semantic Analysis  Tracking.
David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 10: Programming Exceptionally.
1988 Morris Worm … estimated 10% penetration 2001 Code Red … 300,00 computers breached 2003 Slammer/Sapphire … 75,00 infections in 10 min Zotob …
1988 Morris Worm … estimated 10% penetration 2001 Code Red … 300,00 computers breached 2003 Slammer/Sapphire … 75,00 infections in 10 min Zotob …
David Evans The Bugs and the Bees Research in Programming Languages and Security University of.
Chapter 10 Chapter 10 Implementing Subprograms. Implementing Subprograms  The subprogram call and return operations are together called subprogram linkage.
@Yuan Xue Worm Attack Yuan Xue Fall 2012.
University of Virginia Computer Science Extensible Lightweight Static Checking David Evans On the I/O.
Classic Buffer OVERFLOW ATTACKS CSCE 548 Student Presentation Mouiad Al Wahah.
Content Coverity Static Analysis Use cases of Coverity Examples
Sabrina Wilkes-Morris CSCE 548 Student Presentation
CSE 143 Error Handling [Section 2.8] 3/30/98 CSE 143.
High Coverage Detection of Input-Related Security Faults
Improving Security Using Extensible Lightweight Static Analysis
Program Assertions in Security
Chapter 15 Debugging.
CS703 - Advanced Operating Systems
Introduction to Static Analyzer
Annotation-Assisted Lightweight Static Checking
Presentation transcript:

Statically Detecting Likely Buffer Overflow Vulnerabilities David Larochelle David Evans University of Virginia Department of Computer Science Supported by USENIX Student Grant and NASA LRC

2 16 August 2001 David Larochelle 1988: Morris worm exploits buffer overflows in fingerd to infect 6,000 servers 2001: Code Red exploits buffer overflows in IIS to infect 250,000 servers –Single largest cause of vulnerabilities in CERT advisories –Buffer overflow threatens Internet- WSJ(1/30/01)

3 16 August 2001 David Larochelle Why aren’t we better off than we were 13 years ago? Ignorance C is difficult to use securely –Unsafe functions –Confusing APIs Even security aware programmers make mistakes. Security Knowledge has not been codified into the development process

4 16 August 2001 David Larochelle Automated Tools Run-time solutions –StackGuard[USENIX 7], gcc bounds-checking, libsafe[USENIX 2000] –Performance penalty –Turns buffer overflow into a DoS attack Compile-time solutions - static analysis –No run-time performance penalty –Checks properties of all possible executions

5 16 August 2001 David Larochelle Design Goals Tool that can be used by typical programmers as part of the development process –Fast, Easy to Use Tool that can be used to check legacy code –Handles typical C programs Encourage a proactive security methodology –Document key assumptions

6 16 August 2001 David Larochelle Our approach Document assumptions about buffer sizes –Semantic comments –Provide annotated standard library –Allow user's to annotate their code Find inconsistencies between code and assumptions Make compromises to get useful checking –Use simplifying assumptions to improve efficiency –Use heuristics to analyze common loop idioms –Accept some false positives and false negatives (unsound and incomplete analysis)

7 16 August 2001 David Larochelle Implementation Extended LCLint –Open source checking tool [FSE ‘94] [PLDI ‘96] –Uses annotations –Detects null dereferences, memory leaks, etc. Integrated to take advantage of existing checking and annotations (e.g., modifies) Added new annotations and checking for buffer sizes

8 16 August 2001 David Larochelle Annotations requires, ensures maxSet –highest index that can be safely written to maxRead –highest index that can be safely read char buffer[100]; –ensures maxSet(buffer) == 99

9 16 August 2001 David Larochelle SecurityFocus.com Example void func(char *str){ char buffer[256]; strncat(buffer, str, sizeof(buffer) - 1); return; } char *strncat (char *s1, char *s2, size_t n) maxSet(s1) >=maxRead(s1) + uninitialized array Source: Secure Programming working document, SecurityFocus.com

10 16 August 2001 David Larochelle strncat.c:4:21: Possible out-of-bounds store: strncat(buffer, str, sizeof((buffer)) - 1); Unable to resolve constraint: requires maxRead strncat.c:4:29) <= 0 needed to satisfy precondition: requires maxSet strncat.c:4:29) >= maxRead strncat.c:4:29) derived from strncat precondition: requires maxSet ( ) >= maxRead ( ) + Warning Reported char * strncat (char *s1, char *s2, size_t n) maxSet(s1) >= maxRead(s1) + char buffer[256]; strncat(buffer, str, sizeof(buffer) - 1);

11 16 August 2001 David Larochelle Overview of checking Intraprocedural –But use annotations on called procedures and global variables to check calls, entry, exit points Expressions generate constraints –C semantics, annotations Axiomatic semantics propagates constraints Simplifying rules (e.g. maxRead(str+i) ==> maxRead(str) - i) Produce warnings for unresolved constraints

12 16 August 2001 David Larochelle Loop Heuristics Recognize common loop idioms Use heuristics to guess number of iterations Analyze first and last iterations Example: for (init; *buf; buf++) –Assume maxRead(buf) iterations –Model first and last iterations

13 16 August 2001 David Larochelle Case studies wu-ftpd 2.5 and BIND 8.2.2p7 –Detected known buffer overflows –Unknown buffer overflows exploitable with write access to config files Performance –wu-ftpd: 7 seconds/ 20,000 lines of code –BIND: 33 seconds / 40,000 lines –Athlon 1200 MHz

14 16 August 2001 David Larochelle Results 95 writes 166 reads 132 writes 220 reads - Other Warnings LCLint warnings with no annotations added 455strncpy 2197strcpy 1227strcat LCLint warning with annotations Instances in wu-ftpd (grep)

15 16 August 2001 David Larochelle int acl_getlimit(char *class, char *msgpathbuf) { struct aclmember *entry = NULL; while (getaclentry("limit", &entry)) { … strcpy(msgpathbuf, entry->arg[3]); LCLint reports a possible buffer overflow for strcpy(msgpathbuf, entry->arg[3]); LCLint reports an error at a call site of acl_getlimit wu-ftpd vulnerablity maxSet(msgpathbuf) >= strncpy(msgpathbuf, entry->arg[3], 1023); msgpathbuf[1023] = ‘\0’; strncpy(msgpathbuf, entry->arg[3], 199); msgpathbuf[199] = ‘\0’; maxSet(msgpathbuf) >= int access_ok( int msgcode) { char class[1024], msgfile[200]; int limit; … limit = acl_getlimit(class, msgfile);

16 16 August 2001 David Larochelle Related Work Lexical analysis –grep, its4, RATS, FlawFinder Wagner, Foster, Brewer [NDSSS ‘00] –Integer range constraints –Flow insensitive analysis Dor, Rodeh and Sagiv [SAS ‘01] –Source-to-source transformation with asserts and additional variables.

17 16 August 2001 David Larochelle Impediments to wide spread adoption People are lazy Programmers are especially lazy Adding annotations is too much work (except for security weenies) Working on techniques for automating the annotation process

18 16 August 2001 David Larochelle Conclusion 2014:??? –Will buffer overflows still be common? –Codify security knowledge in tools real programmers can use Beta version now available: David Larochelle David Evans

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.