
High Coverage Detection of Input-Related Security Faults




1 High Coverage Detection of Input-Related Security Faults
Eric Larson and Todd Austin, University of Michigan
August 7, 2003

2 Introduction
Failing to properly bound input data can be exploited by malicious users
  - bugs found in Windows
  - especially important for network data
Common security exploits
  - array references
  - string library functions
Exploitable bugs are often difficult to find
  - a precise input is often necessary to expose the bug
  - the bug may not produce an error in the output

3 Static vs. Dynamic Bug Finding Approaches
Compile-time (static) bug detection
  + no dependence on input
  + can prove that a particular operation is safe in some cases
  - often computationally infeasible, so the scope of the analysis is limited
Run-time (dynamic) bug detection
  + can analyze all variables (including those on the heap)
  + execution is on a real path, so there are fewer false alarms
  - depends on program input: a bug is only found if some test input exercises it

4 Overview of Our Approach
Dynamic approach to detecting input-related security faults
Program instrumentation tracks input-derived data
  - possible range of integer variables
  - maximum size and termination of strings
Dangerous operations are checked over the entire range of possible values, not just the value seen on this run
Found 16 bugs in 8 programs, including 2 known high-severity security faults in OpenSSH
Relaxes the constraint that the user must provide an input that exposes the bug

5 Testing Process
Figure (flow diagram): Source Code + Instrumentation specification -> Compile (GCC w/ MUSE) -> Instrumented Executable -> Run test suite -> Error reports -> Debug and fix errors (and repeat)

6 Detecting Array Buffer Overflows
Interval constraint variables are introduced when external inputs are read
  - hold the lower and upper bounds of each input value
  - initial values encompass the entire range of the type
  - control points (comparisons) narrow the bounds
  - arithmetic operations adjust the bounds
Potentially dangerous operations are checked against the whole interval:
  - array indexing
  - controlling a loop (to prevent DoS attacks)
  - arithmetic operations (overflow)

7 Array Buffer Overflow Example

    unsigned int x;
    int array[5];
    scanf("%d", &x);
    if (x > 4) fatal("bounds");
    x++;
    a = array[x];

Code segment              Value of x   Interval constraint on x
scanf("%d", &x)           2            0 <= x <= MAX_UINT
if (x > 4) fatal(...)     2            0 <= x <= 4
x++                       3            1 <= x <= 5
a = array[x]              3            ERROR! When x = 5, the array reference is out of bounds

The test input (2) never triggers the overflow: this run indexes array[3] and produces correct output. The fault is reported anyway, because the interval shows that an input of 4 would reach array[5].
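The same analysis written out as an added example, not the MUSE instrumentation from the paper: a shadow record carries the concrete value together with its interval; the guard narrows the upper bound, the increment shifts both bounds, and the index check inspects the upper bound rather than the concrete value. Names such as shadow_uint, shadow_narrow_le and array_example are assumptions made for this illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Shadow state for one input-derived unsigned integer. The names are
 * hypothetical; MUSE's real shadow records are not shown on the slides. */
typedef struct {
    unsigned value;  /* the concrete value on this particular run */
    unsigned lo, hi; /* interval constraint: every x with lo <= x <= hi is
                        reachable by some input, given the checks so far */
} shadow_uint;

/* External input read into an unsigned int: the bounds span the whole type. */
static shadow_uint shadow_input(unsigned concrete) {
    shadow_uint s = { concrete, 0, UINT_MAX };
    return s;
}

/* Control point: after "if (x > k) fatal();" falls through, x <= k on this path. */
static void shadow_narrow_le(shadow_uint *s, unsigned k) {
    if (s->hi > k) s->hi = k;
}

/* Arithmetic: x++ moves both bounds. A wrap of the upper bound is itself a
 * reportable fault (an integer overflow reachable from input). */
static bool shadow_inc(shadow_uint *s) {
    bool may_wrap = (s->hi == UINT_MAX);
    s->value++; s->lo++; s->hi++;
    return may_wrap;
}

/* Dangerous operation: array index. The whole interval is checked, so the
 * fault is reported even when this run's concrete index is in bounds. */
static bool shadow_index_oob(const shadow_uint *s, size_t len) {
    return s->hi >= len;
}

/* The slide-7 program, instrumented by hand. `limit` is the constant in the
 * guard: 4 reproduces the buggy "if (x > 4)", 3 is the corrected "if (x > 3)"
 * (equivalently "x >= 4"). Returns -1 on the fatal() path, 1 when the shadow
 * check reports a possible out-of-bounds index, 0 when the access is safe
 * for every input that reaches it. */
int array_example(unsigned input, unsigned limit) {
    int array[5] = { 10, 20, 30, 40, 50 };
    shadow_uint x = shadow_input(input);          /* 0 <= x <= UINT_MAX */
    if (x.value > limit) return -1;               /* fatal("bounds") */
    shadow_narrow_le(&x, limit);                  /* 0 <= x <= limit */
    if (shadow_inc(&x)) return 1;                 /* 1 <= x <= limit + 1 */
    if (shadow_index_oob(&x, sizeof array / sizeof array[0])) {
        printf("ERROR: array[x] with x in [%u, %u], but array has 5 elements\n",
               x.lo, x.hi);
        return 1;
    }
    (void)array[x.value];                         /* concrete access, proven safe */
    return 0;
}

int main(void) {
    /* Input 2 is a benign test vector: it passes the guard, indexes array[3]
     * and the program's output is correct. The shadow check still finds the
     * bug, because input 4 would reach array[5]. */
    int r = array_example(2, 4);
    printf("buggy guard, input 2: %s\n", r == 1 ? "fault reported" : "no fault");
    r = array_example(2, 3);
    printf("fixed guard, input 2: %s\n", r == 0 ? "no fault" : "fault reported");
    return 0;
}
```

The point of checking s->hi rather than s->value is the whole thesis of the slides: the test suite only has to reach the dangerous operation, not hit the exact input that overflows.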

8 Detecting Dangerous String Operations
Strings are shadowed by:
  - max_str_size: largest possible size of the string
  - known_null: set if the string is known to contain a null character
Checking string operations:
  - the source string will fit into the destination
  - source strings are guaranteed to be null terminated
Integers that store string lengths are shadowed by:
  - the base address of the corresponding string
  - the difference between its value and the actual string length
Operations involving a string length can narrow the maximum string size

9 String Fault Detection Example

    char *bad_strcopy(char *src) {
        char *dest;
        char temp[16];
        if (strlen(src) > 16) return NULL;
        strncpy(temp, src, 16);
        dest = (char *)malloc(16);
        strcpy(dest, temp);
        return dest;
    }

Shadow state when strcpy(dest, temp) is reached:
String   max_str_size                              known_null
src      17 (MAX_INT before the strlen check)      TRUE
temp     16                                        FALSE
dest     16                                        FALSE

ERROR! temp may not be null terminated during strcpy: strncpy only writes a terminator if src is shorter than 16, and the guard still admits a 16-character src.

10 String Fault Detection Example

    char *bad_strcopy(char *src) {
        char *dest;
        if (strlen(src) > 16) return NULL;
        dest = (char *)malloc(16);
        strcpy(dest, src);
        return dest;
    }

Shadow state when strcpy(dest, src) is reached:
String   max_str_size                              known_null
src      17 (MAX_INT before the strlen check)      TRUE
dest     16                                        FALSE

ERROR! src may not fit into dest during strcpy: the guard allows 16 characters plus the terminator, 17 bytes, but dest holds 16.
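The string shadowing of slides 8 to 10 as one added example, not the paper's MUSE code: each buffer carries max_str_size and known_null, strlen narrows the source's size, strncpy propagates the terminator only when it is guaranteed to be copied, and the strcpy check compares the shadows rather than the concrete strings. Both slide-9 and slide-10 functions are reproduced, the unsafe strcpy is skipped once a fault is flagged, and a corrected guard is included for contrast. Names such as str_shadow, shadow_learn_strlen_le and strcopy_direct, and the use of SIZE_MAX where the slides say MAX_INT, are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Shadow state for one string buffer (hypothetical names; the real tool keeps
 * these in hash tables indexed by the buffer's base address). */
typedef struct {
    size_t max_str_size; /* largest possible size of the string, NUL included */
    bool   known_null;   /* true if the buffer certainly contains a NUL */
} str_shadow;

enum { OK = 0, ERR_SRC_UNTERMINATED = 1, ERR_DEST_TOO_SMALL = 2, GUARD_REJECTED = -1 };

/* A local array or malloc'd block: size known, contents not. */
static str_shadow shadow_buffer(size_t size) {
    str_shadow s = { size, false };
    return s;
}

/* A string arriving from input: unbounded until the program constrains it. */
static str_shadow shadow_input_string(void) {
    str_shadow s = { SIZE_MAX, false };
    return s;
}

/* The program computed strlen(s) and took the path where the result <= n:
 * s is terminated and holds at most n characters plus the NUL. */
static void shadow_learn_strlen_le(str_shadow *s, size_t n) {
    s->known_null = true;
    if (s->max_str_size > n + 1) s->max_str_size = n + 1;
}

/* strncpy(dest, src, n) writes a NUL only if src's terminator lies within the
 * first n bytes. With src possibly 17 bytes and n == 16 that is not guaranteed. */
static void shadow_strncpy(str_shadow *dest, const str_shadow *src, size_t n) {
    dest->known_null = src->known_null && src->max_str_size <= n;
}

/* strcpy(dest, src) is dangerous unless src is certainly terminated and its
 * largest possible size fits in dest. Checked over the whole range, not just
 * this run's concrete strings. */
static int shadow_strcpy_check(const str_shadow *dest, const str_shadow *src) {
    if (!src->known_null) return ERR_SRC_UNTERMINATED;
    if (src->max_str_size > dest->max_str_size) return ERR_DEST_TOO_SMALL;
    return OK;
}

/* Slide 9: copy through a 16-byte temp with strncpy, then strcpy to the heap. */
int bad_strcopy_via_temp(const char *src) {
    str_shadow s_src = shadow_input_string();
    if (strlen(src) > 16) return GUARD_REJECTED;
    shadow_learn_strlen_le(&s_src, 16);                 /* src: 17, TRUE */
    char temp[16];
    str_shadow s_temp = shadow_buffer(sizeof temp);     /* temp: 16, FALSE */
    strncpy(temp, src, sizeof temp);
    shadow_strncpy(&s_temp, &s_src, sizeof temp);       /* 17 > 16: still FALSE */
    char *dest = malloc(16);
    if (!dest) abort();
    str_shadow s_dest = shadow_buffer(16);              /* dest: 16, FALSE */
    int err = shadow_strcpy_check(&s_dest, &s_temp);    /* temp may lack a NUL */
    if (err == OK) strcpy(dest, temp);
    free(dest);
    return err;
}

/* Slide 10: direct strcpy into a 16-byte heap block. `limit` is the constant
 * in the guard: 16 reproduces the slide's bug, 15 ("strlen(src) >= 16") is
 * the corrected guard, which bounds src to 16 bytes including the NUL. */
int strcopy_direct(const char *src, size_t limit) {
    str_shadow s_src = shadow_input_string();
    if (strlen(src) > limit) return GUARD_REJECTED;
    shadow_learn_strlen_le(&s_src, limit);              /* src: limit + 1, TRUE */
    char *dest = malloc(16);
    if (!dest) abort();
    str_shadow s_dest = shadow_buffer(16);              /* dest: 16, FALSE */
    int err = shadow_strcpy_check(&s_dest, &s_src);     /* limit + 1 <= 16 ? */
    if (err == OK) strcpy(dest, src);
    free(dest);
    return err;
}
```

A five-character test string exercises both functions without ever overflowing anything, yet both faults are reported, because the shadows describe every string the guard admits rather than the one that was passed.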

11 Implementation
Our technique was implemented in MUSE
  - general-purpose instrumentation tool implemented in gcc at the abstract syntax tree (AST) level
  - a simplification phase removes C nuances before instrumentation
  - instrumented code is not optimized (future work)
Shadowed state is stored in hash tables
  - separate tables for arrays and integers
  - hash tables are indexed by address
  - pointers are shadowed by the base address of the object they point into
Debug tracing mode can help find the source of an error

12 Results

Program            Description                     Defects Found   Add'l False Alarms
anagram            anagram generator               2
ks                 graph partitioning              4
yacr2              channel router                  1
betaftpd           file transfer protocol daemon
gaim (v0.59.8)     instant messaging client
ghttpd             web server                      3
openssh (v3.0.2)   secure shell client / server
thttpd (v2.20c)
TOTAL                                              16              7

13 Performance Results

Program    Original (seconds)   Instrumented (seconds)   Increase (x)   Useless Instr. (%)
anagram    0.11                 17.79                    162            73.7
ks                              8.75                     219            50.1
yacr2      0.55                 96.79                    176            75.2
betaftpd   0.08                 1.09                     13             81.2
ghttpd     0.34                 6.70                     20             96.7
openssh    0.02                 0.38                     19             78.8
thttpd     0.32                 8.47                     26             77.8

"Increase" is the slowdown factor (instrumented / original). "Useless Instr." is the fraction of instrumentation calls made on variables that never held input-derived data.

14 Future Work
Improve performance by eliminating unnecessary instrumentation calls
  - interprocedural dataflow analysis will determine which variables never hold input data
  - inline instrumentation to avoid call overhead and hash table lookups
Add symbolic analysis support to find more defects and reduce false alarms
Address these common scenarios:
  - pointer walking (manual string handling)
  - multiple string concatenation into a single buffer

15 Conclusion
Our dynamic approach shadows variables derived from input with additional state
  - integers: upper and lower bounds
  - strings: maximum string size and known-null flag
Found 16 bugs in 8 programs
  - 2 known high-severity security faults in OpenSSH
Run-time performance overhead is high
  - instrumentation has not been optimized

16 Questions and Answers

