Presentation is loading. Please wait.

Presentation is loading. Please wait.

Program Assertions in Security

Published byEdgar Harris Modified over 5 years ago

Similar presentations

Presentation on theme: "Program Assertions in Security"— Presentation transcript:

1 Program Assertions in Security
Prabhaker Mateti 1/1/2019

2 Mateti, Formal Methods in Security
Ack C. A. R. Hoare, Turing award winner Edsger Dijkstra , Turing award winner David Evans, David Larochelle, SPLINT group 1/1/2019 Mateti, Formal Methods in Security

3 Mateti, Formal Methods in Security
Approach Programmers add “annotations” Simple and precise. Describe programmers intent: Types, memory management, data hiding, aliasing, modification, null-ity, buffer sizes, security, etc. SPLINT detects inconsistencies between annotations and code. Fast dataflow analyses. 1/1/2019 Mateti, Formal Methods in Security

4 Mateti, Formal Methods in Security
Annotations requires, ensures maxSet highest index that can be safely written to maxRead highest index that can be safely read char buffer[100]; ensures maxSet(buffer) == 99 1/1/2019 Mateti, Formal Methods in Security

5 SPLINT Annotation Example
char *strncat (char *d, char *s, size_t n) requires maxSet(d) >= maxRead(s) + n @*/ 1/1/2019 Mateti, Formal Methods in Security

6 SPLINT Annotation Example
char *strcpy (char *s1, const char *s2) maxSet(s1) >= maxRead(s1) == maxRead(s2) /\ result == 1/1/2019 Mateti, Formal Methods in Security

7 SPLINT: Buffer Overflow Example
void func(char *str) { char buffer[256]; strncat(buffer, str, sizeof(buffer) - 1); } strncat.c:4:21: Possible out-of-bounds store: strncat(buffer, str, sizeof((buffer)) - 1); Unable to resolve constraint: requires maxRead strncat.c:4:29) <= 0 needed to satisfy precondition: requires maxSet strncat.c:4:29) >= maxRead strncat.c:4:29) + 255 1/1/2019 Mateti, Formal Methods in Security

8 Mateti, Formal Methods in Security
Warning Reported strncat.c:4:21: Possible out-of-bounds store: strncat(buffer, str, sizeof((buffer)) - 1); Unable to resolve constraint: requires maxRead <= 0 needed to satisfy precondition: requires maxSet strncat.c:4:29) >= maxRead + 255 derived from strncat precondition: requires maxSet (<parameter 1>) >= maxRead (<parameter1>) <parameter 3> 1/1/2019 Mateti, Formal Methods in Security

9 SPLINT generates preconditions
strcpy(ls_short,entry->arg[0]); strcpy requires maxSet(s1) >= maxRead(s2) substituting the actual parameters: maxSet ftpd.c:1112:14) >= maxRead ftpd.c:1112:23) 1/1/2019 Mateti, Formal Methods in Security

10 Mateti, Formal Methods in Security
SPLINT constraints 1 t++; 2 *t = ‘x’; 3 t++; leads to the constraints: requires 1:1) >= 1, ensures 3:4) >= -1 and ensures 3:4) = 1:1) + 2. The assignment to *t on line 2 produces the constraint requires 2:2) >= 0. The increment on line 1 produces the constraint ensures = The increment constraint is substituted into the maxSet constraint to produce requires maxSet + 1) >= 0. Using the constraint-specific simplification rule, this simplifies to requires maxSet - 1 >= 0 which further simplifies to requires 1:1) >= 1. 1/1/2019 Mateti, Formal Methods in Security

11 Overview of SPLINT checking
Intraprocedural But use annotations on called procedures and global variables to check calls, entry, exit points Expressions generate constraints C semantics, annotations Axiomatic semantics propagates constraints Simplifying rules e.g. maxRead(str+i) ==> maxRead(str) - i Produce warnings for unresolved constraints 1/1/2019 Mateti, Formal Methods in Security

12 Mateti, Formal Methods in Security
Loop Heuristics Recognize common loop idioms Use heuristics to guess number of iterations Analyze first and last iterations Example: for (init; *buf; buf++) Assume maxRead(buf) iterations Model first and last iterations 1/1/2019 Mateti, Formal Methods in Security

13 Mateti, Formal Methods in Security
Case studies wu-ftpd 2.5 and BIND 8.2.2p7 Detected known buffer overflows Unknown buffer overflows exploitable with write access to config files Performance wu-ftpd: 7 seconds/ 20,000 lines of code BIND: 33 seconds / 40,000 lines Athlon 1200 MHz 1/1/2019 Mateti, Formal Methods in Security

14 Mateti, Formal Methods in Security
Results Instances in wu-ftpd (grep) LCLint warnings with no annotations added LCLint warning with annotations strcat 27 19 12 strcpy 97 40 21 strncpy 55 4 4 Other Warnings - 132 writes 220 reads 95 writes 166 reads 1/1/2019 Mateti, Formal Methods in Security

15 SPLINT analysis of wu-ftp-2.5.0
ftpd.c:1112:2:Possible out-of-bounds store. Unable to resolve constraint: maxRead ftpd.c:1112:23)) <= (1023) needed to satisfy precondition: requires maxSet ftpd.c:1112:14)) >= maxRead ftpd.c:1112:23)) derived from strcpy precondition: requires maxSet (<param 1>) >= maxRead (<param 2>) 1/1/2019 Mateti, Formal Methods in Security

16 Mateti, Formal Methods in Security
wu-ftpd vulnerablity int acl_getlimit(char *class, char *msgpathbuf) { struct aclmember *entry = NULL; while (getaclentry("limit", &entry)) { strcpy(msgpathbuf, entry->arg[3]); } 1/1/2019 Mateti, Formal Methods in Security

17 Mateti, Formal Methods in Security
I/O Streams Challenge Many properties can be described in terms of state attributes A file is open or closed fopen: returns an open file fclose: open  closed fgets, etc. require open files Reading/writing – must reset between certain operations 1/1/2019 Mateti, Formal Methods in Security

18 Mateti, Formal Methods in Security
Defining Openness attribute openness context reference FILE * oneof closed, open annotations open ==> open closed ==> closed transfers open as closed ==> error closed as open ==> error merge open + closed ==> error losereference open ==> error "file not closed" defaults reference ==> open end Object cannot be open on one path, closed on another Cannot abandon FILE in open state 1/1/2019 Mateti, Formal Methods in Security

19 Specifying I/O Functions
FILE *fopen (const char *filename, const char *mode); int fclose FILE *stream) closed ; char *fgets (char *s, int n, FILE *stream); 1/1/2019 Mateti, Formal Methods in Security

20 Reading, ‘Riting, ‘Rithmetic
attribute rwness context reference FILE * oneof rwnone, rwread, rwwrite, rweither annotations read ==> rwread write ==> rwwrite rweither ==> rweither rwnone ==> rwnone merge rwread + rwwrite ==> rwnone rwnone + * ==> rwnone rweither + rwread ==> rwread rweither + rwwrite ==> rwwrite transfers rwread as rwwrite ==> error "Must reset file between read and write." rwwrite as rwread ==> error "Must reset file between write and read." rwnone as rwread ==> error "File in unreadable state." rwnone as rwwrite ==> error "File in unwritable state." rweither as rwwrite ==> rwwrite rweither as rwread ==> rwread defaults reference ==> rweither end 1/1/2019 Mateti, Formal Methods in Security

21 Mateti, Formal Methods in Security
Reading, ‘Righting FILE *fopen (const char *filename, const char *mode) ; int fgetc FILE *f) ; int fputc (int, FILE *f) ; /* fseek resets the rw state of a stream */ int fseek FILE *stream, long int offset, int whence) rweither ; 1/1/2019 Mateti, Formal Methods in Security

22 Mateti, Formal Methods in Security
Checking Simple dataflow analysis Intraprocedural – except uses annotations to alter state around procedure calls Integrates with other LCLint analyses (e.g., nullness, aliases, ownership, etc.) 1/1/2019 Mateti, Formal Methods in Security

23 Mateti, Formal Methods in Security
Example f:openness = open f:rwness = rweither Possibly null reference f passed where non-null expected FILE *f = fopen (fname, “rw”); int i = fgetc (f); if (i != EOF) { fputc (i, f); fclose (f); } f:openness = open, f:rwness = rwread Attribute mismatch – passed read where write FILE * expected. f:openness = closed, f:rwness = rwnone Branches join in incompatible states: f is closed on true branch,open on false branch 1/1/2019 Mateti, Formal Methods in Security

24 Mateti, Formal Methods in Security
IO Stream Results on … wu-ftpd (20K lines, ~4 seconds) No annotations: 7 warnings After adding ensures clause for ftpd_pclose 4 spurious warnings 1 used function pointer to close FILE 1 reference table 2 convoluted logic involving function static variables 2 real bugs (failure to close ftpservers file on two paths) 1/1/2019 Mateti, Formal Methods in Security

25 Mateti, Formal Methods in Security
Taintedness attribute taintedness context reference char * oneof untainted, tainted annotations tainted reference ==> tainted untainted reference ==> untainted anytainted parameter ==> tainted transfers tainted as untainted ==> error merge tainted + untainted ==> tainted defaults reference ==> tainted literal ==> untainted null ==> untainted end 1/1/2019 Mateti, Formal Methods in Security

26 Mateti, Formal Methods in Security
tainted.xh int fprintf (FILE *stream, char *format, ...) ; char *fgets (char *s, int n, FILE *) tainted ; char *strcpy char *s1, char *s2) s1:taintedness = ; char *strcat char *s1, s1:taintedness = s1:taintedness | ; 1/1/2019 Mateti, Formal Methods in Security

27 Mateti, Formal Methods in Security
Automated Tools Run-time solutions StackGuard[USENIX 7], gcc bounds-checking, libsafe[USENIX 2000] Performance penalty Turns buffer overflow into a DoS attack Compile-time solutions - static analysis No run-time performance penalty Checks properties of all possible executions 1/1/2019 Mateti, Formal Methods in Security

28 Mateti, Formal Methods in Security
Where Does SPLINT Fit? all Formal Verifiers Bugs Detected LCLint Compilers none Low Unfathomable Effort Required 1/1/2019 Mateti, Formal Methods in Security

29 Mateti, Formal Methods in Security
SPLINT Design Goals Tool that can be used by typical programmers as part of the development process Fast, Easy to Use Tool that can be used to check legacy code Handles typical C programs Encourage a proactive security methodology Document key assumptions 1/1/2019 Mateti, Formal Methods in Security

30 Mateti, Formal Methods in Security
SPLINT Lightweight static analysis tool Simple dataflow analyses Unsound and Incomplete Several thousand users…perhaps ¼ adding annotations to code: gradual learning curve Detects inconsistencies between code and specifications Examples: memory management (leaks, dead references), null dereferences, information hiding, undocumented modifications, etc. 1/1/2019 Mateti, Formal Methods in Security

31 Mateti, Formal Methods in Security
SPLINT checks … type abstractions, modifications globals, memory leaks, dead storage, naming conventions, undefined behavior, incomplete definition... 1/1/2019 Mateti, Formal Methods in Security

32 Mateti, Formal Methods in Security
SPLINT approach Document assumptions about buffer sizes Semantic comments Provide annotated standard library Allow user's to annotate their code Find inconsistencies between code and assumptions Make compromises to get useful checking Use simplifying assumptions to improve efficiency Use heuristics to analyze common loop idioms Accept some false positives and false negatives (unsound and incomplete analysis) 1/1/2019 Mateti, Formal Methods in Security

33 SPLINT Implementation
Extended LCLint Open source checking tool [FSE ‘94] [PLDI ‘96] Uses annotations Detects null dereferences, memory leaks, etc. Integrated to take advantage of existing checking and annotations (e.g., modifies) Added new annotations and checking for buffer sizes 1/1/2019 Mateti, Formal Methods in Security

34 Mateti, Formal Methods in Security
SPLINT performance Can check >100K line programs checks about 1K lines per second Detects real bugs in real programs including itself, of course Wu-ftpd Several buffer overflow vulnerabilities 1/1/2019 Mateti, Formal Methods in Security

35 Mateti, Formal Methods in Security
SPLINT Detecting Buffer Overflows: Annotations express constraints on buffer sizes e.g., maxSet is the highest index that can safely be written to Checking uses axiomatic semantics with simplification rules Heuristics for analyzing common loop idioms Detected known and unknown vulnerabilities in wu-ftpd and BIND 1/1/2019 Mateti, Formal Methods in Security

36 Mateti, Formal Methods in Security
SPLINT Status David Evans, and his students CS, U of Virginia 1/1/2019 Mateti, Formal Methods in Security

37 Mateti, Formal Methods in Security
Related Work Lexical analysis grep, its4, RATS, FlawFinder Wagner, Foster, Brewer [NDSSS ‘00] Integer range constraints Flow insensitive analysis Dor, Rodeh and Sagiv [SAS ‘01] Source-to-source transformation with asserts and additional variables. 1/1/2019 Mateti, Formal Methods in Security

38 Mateti, Formal Methods in Security
Correctness Via Proof Once done, easy enough to maintain Solve significant portions of the problem Many years to do 1/1/2019 Mateti, Formal Methods in Security

39 Low Quality Programming. Why?
Ignorance of programmers. C is difficult to use securely. Unsafe functions. Confusing APIs. Even security aware programmers make mistakes. Security knowledge has not been codified into the development process. 1/1/2019 Mateti, Formal Methods in Security

40 Impediments to wide spread adoption
People are lazy Programmers are especially lazy Adding annotations is too much work (except for security weenies) 1/1/2019 Mateti, Formal Methods in Security

41 Assumptions about Team?
Meticulous (inherent attribute) Excellent programmers (inherent + learnable) Highly trained (teachable) Patient (inherent? Or, be ‘mature’ enough?) 1/1/2019 Mateti, Formal Methods in Security

42 Mateti, Formal Methods in Security
Will they …? == 2014 In the year 2014: Will buffer overflows still be common? Format strings? Will programmers annotate? Will programmers study others code? 1/1/2019 Mateti, Formal Methods in Security

43 Mateti, Formal Methods in Security
C Language circa 1974: char *strcpy (); 1978: char *strcpy (char *s1, char *s2); 1989: char *strcpy (char *s1, const char *s2); 1999: char *strcpy (char * restrict s1, const char * restrict s2); 1/1/2019 Mateti, Formal Methods in Security

44 Mateti, Formal Methods in Security
C in 2010? nullterminated char *strcpy ( returned char *restrict s1, nullterminated const char *restrict s2) requires maxSet(s1) >= maxRead(s2) ensures s1:taintedness = s2:taintedness ensures maxRead(s1) = maxRead(s2); 1/1/2019 Mateti, Formal Methods in Security

45 Buffer Overflow Exploits
1988: Morris worm exploits buffer overflows in fingerd to infect 6,000 servers 2001: Code Red exploits buffer overflows in IIS to infect 250,000 servers Single largest cause of vulnerabilities in CERT advisories 1/1/2019 Mateti, Formal Methods in Security

46 Buffer Overflow Attack on WSJ
(January 30, 2001) 1/1/2019 Mateti, Formal Methods in Security

Download ppt "Program Assertions in Security"

Similar presentations

Static Analysis for Security

Static Analysis for Security
Advanced programming tools at Microsoft

Advanced programming tools at Microsoft
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 8.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 8.
Modular and Verified Automatic Program Repair Francesco Logozzo, Thomas Ball RiSE - Microsoft Research Redmond.

Modular and Verified Automatic Program Repair Francesco Logozzo, Thomas Ball RiSE - Microsoft Research Redmond.
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
SPLINT STATIC CHECKING TOOL Sripriya Subramanian 10/29/2002.

SPLINT STATIC CHECKING TOOL Sripriya Subramanian 10/29/2002.
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
4/30/2008Prof. Hilfinger CS 164 Lecture 391 Language Security Lecture 39 (from notes by G. Necula)

4/30/2008Prof. Hilfinger CS 164 Lecture 391 Language Security Lecture 39 (from notes by G. Necula)
CS 330 Programming Languages 09 / 18 / 2007 Instructor: Michael Eckmann.

CS 330 Programming Languages 09 / 18 / 2007 Instructor: Michael Eckmann.
Visualizing Type Qualifier Inference with Eclipse David Greenfieldboyce Jeffrey S. Foster University of Maryland.

Visualizing Type Qualifier Inference with Eclipse David Greenfieldboyce Jeffrey S. Foster University of Maryland.
Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?

Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?
Overview of program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc05.html.

Overview of program analysis Mooly Sagiv html://
Guide To UNIX Using Linux Third Edition

Guide To UNIX Using Linux Third Edition
School of Computer ScienceG53FSP Formal Specification1 Dr. Rong Qu Introduction to Formal Specification

School of Computer ScienceG53FSP Formal Specification1 Dr. Rong Qu Introduction to Formal Specification
Examining the Code [Reading assignment: Chapter 6, pp. 91-104]

Examining the Code [Reading assignment: Chapter 6, pp ]
Statically Detecting Likely Buffer Overflow Vulnerabilities David Larochelle David Evans University of Virginia Department of Computer Science Supported.

Statically Detecting Likely Buffer Overflow Vulnerabilities David Larochelle David Evans University of Virginia Department of Computer Science Supported.
Static Analysis for Security Amir Bazine Per Rehnberg.

Static Analysis for Security Amir Bazine Per Rehnberg.
CSCI 5801: Software Engineering

CSCI 5801: Software Engineering
Chapter 6 Buffer Overflow. Buffer Overflow occurs when the program overwrites data outside the bounds of allocated memory It was one of the first exploited.

Chapter 6 Buffer Overflow. Buffer Overflow occurs when the program overwrites data outside the bounds of allocated memory It was one of the first exploited.

Similar presentations

Ads by Google