Advanced Computer Architecture Lab University of Michigan USENIX Security ’03 Slide 1 High Coverage Detection of Input-Related Security Faults Eric Larson.


Slide 1: High Coverage Detection of Input-Related Security Faults. Eric Larson and Todd Austin, August 7, 2003. Advanced Computer Architecture Lab, University of Michigan. USENIX Security ’03.

Slide 2: Introduction
Failing to properly bound input data can be exploited by malicious users
– bugs found in Windows
– especially important for network data
Common security exploits
– array references
– string library functions
Exploitable bugs are often difficult to find
– precise input is often necessary to expose the bug
– bug may not produce an error in the output

Slide 3: Static vs. Dynamic Bug Finding Approaches
Compile-time (static) bug detection
+ no dependence on input
+ can prove that a particular operation is safe in some cases
– often computationally infeasible, so scope is limited
Run-time (dynamic) bug detection
+ can analyze all variables (including those on the heap)
+ execution is on a real path, so fewer false alarms
– depends on program input

Slide 4: Overview of Our Approach
Dynamic approach to detecting input-related security faults
Program instrumentation tracks input-derived data
– possible range of integer variables
– maximum size and termination of strings
Dangerous operations are checked over the entire range of possible values
Found 16 bugs in 8 programs, including 2 known high security faults in OpenSSH
Relaxes the constraint that the user provides an input that exposes the bug

Slide 5: Testing Process
Source Code + Instrumentation specification → Compile (GCC w/MUSE) → Instrumented Executable → Run test suite → Error reports → Debug and fix errors

Slide 6: Detecting Array Buffer Overflows
Interval constraint variables are introduced when external inputs are read
– holds the lower and upper bounds of each input value
– initial values encompass the entire range of values
– control points narrow the bounds
– arithmetic operations adjust the bounds
Potentially dangerous operations are checked:
– array indexing
– controlling a loop (to prevent DoS attacks)
– arithmetic operations (overflow)

Slide 7: Array Buffer Overflow Example
Code segment, with the interval constraint on x after each statement (the "Value of x" column of the slide is not present in the transcript):

    unsigned int x;
    int array[5];
    scanf("%d", &x);               x ≤ MAX_UINT
    if (x > 4) fatal("bounds");    x ≤ 4
    x++;                           1 ≤ x ≤ 5
    a = array[x];                  ERROR! When x = 5, the array reference is out of bounds!

Slide 8: Detecting Dangerous String Operations
Strings are shadowed by:
– max_str_size: largest possible size of the string
– known_null: set if the string is known to contain a null character
Checking string operations:
– source string will fit into the destination
– source strings are guaranteed to be null terminated
Integers that store string lengths are shadowed by:
– base address of the corresponding string
– difference between its value and the actual string length
Operations involving a string length can narrow the maximum string size

Slide 9: String Fault Detection Example
Code segment:

    char *bad_strcopy(char *src) {
        char *dest;
        char temp[16];
        if (strlen(src) > 16) return NULL;
        strncpy(temp, src, 16);
        dest = (char *)malloc(16);
        strcpy(dest, temp);
        return dest;
    }

Shadowed string state (max_str_size, known_null), as far as it survives in the transcript: src starts with max_str_size MAX_INT and known_null TRUE; after the strncpy, temp has known_null FALSE; dest, after malloc, has known_null FALSE.
ERROR! temp may not be null terminated during strcpy

Slide 10: String Fault Detection Example
Code segment:

    char *bad_strcopy(char *src) {
        char *dest;
        if (strlen(src) > 16) return NULL;
        dest = (char *)malloc(16);
        strcpy(dest, src);
        return dest;
    }

Shadowed string state (max_str_size, known_null), as far as it survives in the transcript: src starts with max_str_size MAX_INT and known_null TRUE; dest, after malloc, has known_null FALSE.
ERROR! src may not fit into dest during strcpy

Slide 11: Implementation
Our technique was implemented in MUSE
– general-purpose instrumentation tool
– implemented in gcc at the abstract syntax tree (AST) level
– simplification phase removes C nuances
– instrumented code is not optimized (future work)
Shadowed state is stored in hash tables
– separate tables for arrays and integers
– hash tables are indexed by address
– pointers are shadowed by base address
Debug tracing mode can help find the source of an error

Slide 12: Results

    Program            Description                      Defects Found   Add'l False Alarms
    anagram            anagram generator                2               0
    ks                 graph partitioning               4               0
    yacr2              channel router                   2               1
    betaftpd           file transfer protocol daemon    1               1
    gaim (v0.59.8)     instant messaging client         1               1
    ghttpd             web server                       3               2
    openssh (v3.0.2)   secure shell client / server     3               1
    thttpd (v2.20c)    web server                       0               1
    TOTAL                                               16              7

Slide 13: Performance Results
Table columns: Program, Original (seconds), Instrumented (seconds), Increase, Useless Instr. Rows: anagram, ks, yacr2, betaftpd, ghttpd, openssh, thttpd. The numeric cells (run times, percentage increase and percentage of useless instrumentation) are not present in the transcript.

Slide 14: Future Work
Improve performance by eliminating unnecessary instrumentation calls
– interprocedural dataflow analysis will determine which variables never hold input data
– inline instrumentation to avoid call overhead and hash table lookups
Add symbolic analysis support to find more defects and reduce false alarms
Address these common scenarios:
– pointer walking (manual string handling)
– multiple string concatenation into a single buffer

Slide 15: Conclusion
Our dynamic approach shadows variables derived from input with additional state
– integers: upper and lower bounds
– strings: maximum string size and known null flag
Found 16 bugs in 8 programs
– 2 known high security faults in OpenSSH
Run-time performance overhead is high
– instrumentation has not been optimized

Slide 16: Questions and Answers

Slide 17: Manipulating Interval Constraints
Ticked variables (a', x', y') hold input data; y does not hold input data. Each rule gives the resulting input interval constraint (lb = lower bound, ub = upper bound):
– a' = x' + y:  a'.lb = max(MIN_VAL(a'), x'.lb + y); a'.ub = min(MAX_VAL(a'), x'.ub + y)
– a' = x' + y':  a'.lb = max(MIN_VAL(a'), x'.lb + y'.lb); a'.ub = min(MAX_VAL(a'), x'.ub + y'.ub)
– if (x' < y') (condition is true):  x'.lb = x'.lb; x'.ub = min(x'.ub, y'.ub - 1); y'.lb = max(y'.lb, x'.lb + 1); y'.ub = y'.ub
– while (x' < y):  TRUE: x'.lb = x'.lb, x'.ub = min(x'.ub, y - 1); FALSE: x'.lb = max(x'.lb, y), x'.ub = x'.ub
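As an added example (not code from the paper or from MUSE), here is a small Python model of the slide-17 interval rules replayed on the slide-7 code segment; the names Interval, assume_lt_const and check_index are this example's own. Because the index is checked over the whole interval, the out-of-bounds access is reported even when no test input ever makes x equal to 5.

```python
# Added example, not from the paper or MUSE: a model of the slide-17 interval
# rules, replayed on the slide-7 code segment.
from dataclasses import dataclass

UINT_MIN, UINT_MAX = 0, 2**32 - 1   # MIN_VAL / MAX_VAL for unsigned int

@dataclass
class Interval:
    """Shadow [lb, ub] of a ticked (input-derived) integer."""
    lb: int
    ub: int

    def add_const(self, y, lo=UINT_MIN, hi=UINT_MAX):
        """a' = x' + y, y not input-derived; clipped to the type's range."""
        return Interval(max(lo, self.lb + y), min(hi, self.ub + y))

    def add(self, other, lo=UINT_MIN, hi=UINT_MAX):
        """a' = x' + y' with both operands shadowed."""
        return Interval(max(lo, self.lb + other.lb), min(hi, self.ub + other.ub))

    def assume_lt_const(self, y):
        """x' < y known true (the fall-through of 'if (x > y-1) fatal()')."""
        return Interval(self.lb, min(self.ub, y - 1))

    def assume_ge_const(self, y):
        """x' < y known false (the exit side of 'while (x < y)')."""
        return Interval(max(self.lb, y), self.ub)

def check_index(idx, array_len):
    """Array indexing is checked over the whole interval, not one value."""
    if idx.lb < 0 or idx.ub >= array_len:
        return f"ERROR: index may be {idx.ub} but array has {array_len} elements"
    return "ok"

def slide7_example():
    """scanf -> if (x > 4) fatal() -> x++ -> a = array[x], with array[5]."""
    x = Interval(UINT_MIN, UINT_MAX)   # scanf("%d", &x): whole unsigned range
    x = x.assume_lt_const(5)           # survived 'if (x > 4) fatal("bounds")': 0..4
    x = x.add_const(1)                 # x++: 1..5
    return x, check_index(x, 5)        # 5 is out of bounds: flagged for any input

if __name__ == "__main__":
    print(slide7_example())
```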

Slide 18: Array Creation Rules
Each rule gives the shadowed actual_size, max_str_size and known_null of s:
– s = argv[i]:  actual_size = strlen(s)+1; max_str_size = INT_MAX; known_null = TRUE
– char s[n]:  actual_size = n; max_str_size = n; known_null = FALSE
– s = malloc(n):  actual_size = n; max_str_size = n; known_null = FALSE
– s = malloc(n'') (n'' is a string length):  actual_size = n''; max_str_size = (n''.string).max_str_size + n''.size_diff; known_null = FALSE
NOTE: pointers to the middle of the array will have shadowed state containing the base address

Slide 19: String Functions
strcpy(d,s)
– Assert: s.known_null == TRUE
– Assert: s.max_str_size <= SIZE(d)
– d.max_str_size = s.max_str_size; d.known_null = TRUE;
strncpy(d,s,n)
– Assert: s.known_null == TRUE
– Assert: n <= SIZE(d)
– d.max_str_size = MIN(s.max_str_size, n); d.known_null = (s.max_str_size <= n);
where SIZE(d) = MAX(d.actual_size, d.max_str_size)
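As an added example (not code from the paper or from MUSE), a Python model of the string shadow state from slides 8, 18 and 19, run over the two bad_strcopy() routines of slides 9 and 10; Shadow, input_string, alloc and strlen_le are this example's own names, and the strlen guard is modelled as narrowing max_str_size to n+1 (n characters plus the terminator).

```python
# Added example, not from the paper or MUSE: string shadow state and the
# strcpy/strncpy checks of slide 19, applied to the slide-9 and slide-10 code.
from dataclasses import dataclass
INT_MAX = 2**31 - 1

@dataclass
class Shadow:
    actual_size: int      # bytes allocated for the buffer (0 = unknown here)
    max_str_size: int     # largest possible string size, terminator included
    known_null: bool      # string is known to contain a '\0'

    def size(self):
        """SIZE(d) = MAX(d.actual_size, d.max_str_size), as on slide 19."""
        return max(self.actual_size, self.max_str_size)

def input_string():     # s = argv[i]: terminated, size unknown (slide 18)
    return Shadow(actual_size=0, max_str_size=INT_MAX, known_null=True)

def alloc(n):           # char s[n] or s = malloc(n): n bytes, not yet terminated
    return Shadow(actual_size=n, max_str_size=n, known_null=False)

def strlen_le(s, n):    # fall-through of 'if (strlen(s) > n) return NULL;'
    s.max_str_size = min(s.max_str_size, n + 1)   # n characters plus '\0'
    return s

def strcpy(d, s):       # slide-19 checks, run before the real copy would
    if not s.known_null:
        return "ERROR: source may not be null terminated during strcpy"
    if s.max_str_size > d.size():
        return "ERROR: source may not fit into destination during strcpy"
    d.max_str_size, d.known_null = s.max_str_size, True
    return "ok"

def strncpy(d, s, n):
    if not s.known_null:
        return "ERROR: source may not be null terminated during strncpy"
    if n > d.size():
        return "ERROR: n exceeds destination size during strncpy"
    d.max_str_size = min(s.max_str_size, n)
    d.known_null = s.max_str_size <= n   # 16 chars into 16 bytes leaves no '\0'
    return "ok"

def slide9_bad_strcopy():
    src, temp, dest = strlen_le(input_string(), 16), alloc(16), alloc(16)
    first = strncpy(temp, src, 16)        # ok, but temp.known_null becomes False
    return [first, strcpy(dest, temp)]    # ERROR: temp may not be null terminated

def slide10_bad_strcopy():
    src, dest = strlen_le(input_string(), 16), alloc(16)
    return strcpy(dest, src)              # 17 > SIZE(dest) = 16: ERROR, may not fit
```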