Presentation is loading. Please wait.

Presentation is loading. Please wait.

October 30, 2003CCS 2003 - Vinod Ganapathy1 Buffer Overrun Detection using Linear Programming and Static Analysis Vinod Ganapathy, Somesh Jha

Published byJoseph Ellerman Modified over 9 years ago

Similar presentations

Presentation on theme: "October 30, 2003CCS 2003 - Vinod Ganapathy1 Buffer Overrun Detection using Linear Programming and Static Analysis Vinod Ganapathy, Somesh Jha"— Presentation transcript:

1 October 30, 2003CCS 2003 - Vinod Ganapathy1 Buffer Overrun Detection using Linear Programming and Static Analysis Vinod Ganapathy, Somesh Jha {vg,jha}@cs.wisc.edu University of Wisconsin-Madison David Chandler, David Melski, David Vitek {chandler,melski,dvitek}@grammatech.com Grammatech Inc., Ithaca, New York

2 October 30, 2003CCS 2003 - Vinod Ganapathy2 The Problem: Buffer Overflows Highly exploited class of vulnerabilities –Legacy programs in C are still vulnerable –“Safe” functions can be used unsafely Need: –Automatic techniques that will assure code is safe before it is deployed

3 October 30, 2003CCS 2003 - Vinod Ganapathy3 The Solution Use static program analysis Produce a list of possibly vulnerable program locations Couple buffer overrun warnings with code understanding techniques Source Code Source Code Possible Buffer Overrun s Possible Buffer Overrun s Static Analysis Code Understanding

4 October 30, 2003CCS 2003 - Vinod Ganapathy4 Our Contributions Program Analysis : –Incorporated buffer overrun detection in a program understanding tool Program slicing, Data predecessors,… –Use of procedure summaries to make buffer overrun analysis context- sensitive Constraint Resolution: –Use of linear programming to solve a range analysis problem

5 October 30, 2003CCS 2003 - Vinod Ganapathy5 Roadmap of Talk Tool Architecture –Constraint Generation –Constraint Resolution –Producing Warnings Adding Context Sensitivity Results Future work and Conclusions

6 October 30, 2003CCS 2003 - Vinod Ganapathy6 Tool Architecture C Source Code CFGs, PDGs, SDG Buffer Overrun Warnings Linear Constraints Ranges for Variables Linear Constraints CodeSurfer Constraint Generator Taint Analyzer Constraint Solver Detection Front-End

7 October 30, 2003CCS 2003 - Vinod Ganapathy7 CodeSurfer C Source Code CFGs, PDGs, SDG Buffer Overrun Warnings Linear Constraints Ranges for Variables Linear Constraints CodeSurfer Constraint Generator Taint Analyzer Constraint Solver Detection Front-End

8 October 30, 2003CCS 2003 - Vinod Ganapathy8 CodeSurfer Commercial tool from Grammatech Inc. Code understanding framework –Inter-procedural slicing, chopping… Internally constructs: –Control Flow Graph (CFG) –Program Dependence Graphs (PDG) –System Dependence Graph (SDG) Incorporates results of pointer analysis –Helps reduce the number of warnings

9 October 30, 2003CCS 2003 - Vinod Ganapathy9 The Role of CodeSurfer Program Analysis Framework: –Use internal data structures to generate constraints Detection Front-end: –Link each warning to corresponding lines of source code through the System Dependence Graph –Interactive front-end

10 October 30, 2003CCS 2003 - Vinod Ganapathy10 Constraint Generation C Source Code CFGs, PDGs, SDG Buffer Overrun Warnings Linear Constraints Ranges for Variables Linear Constraints CodeSurfer Constraint Generator Taint Analyzer Constraint Solver Detection Front-End

11 October 30, 2003CCS 2003 - Vinod Ganapathy11 Constraint Generation Four kinds of program points result in constraints: –Declarations –Assignments –Function Calls –Function Return

12 October 30, 2003CCS 2003 - Vinod Ganapathy12 Constraint Generation Four variables for each string buffer buf_len_max, buf_len_min buf_alloc_max, buf_alloc_min Operations on a buffer strcpy (tgt, src) tgt_len_max ≥ src_len_max tgt_len_min ≤ src_len_min

13 October 30, 2003CCS 2003 - Vinod Ganapathy13 Constraint Generation if(…) strcpy( tgt, srcA ) strcpy( tgt, srcB ) tgt_len_max ≥ srcA_len_max tgt_len_min ≤ srcA_len_min tgt_len_max ≥ srcB_len_max tgt_len_min ≤ srcB_len_min

14 October 30, 2003CCS 2003 - Vinod Ganapathy14 Constraint Generation Methods Order of statements: –Flow-Sensitive Analysis: Respects program order –Flow-Insensitive Analysis: Does not respect program order Function Calls: –Context-Sensitive modeling of functions: Respects the call-return semantics –Context-Insensitive modeling of functions: Ignores call-return semantics => imprecise

15 October 30, 2003CCS 2003 - Vinod Ganapathy15 Constraint Generation Constraints generated by our tool: –Flow-insensitive –Context-sensitive for some library functions –Partly Context-sensitive for user defined function Procedure summaries

16 October 30, 2003CCS 2003 - Vinod Ganapathy16 Taint Analysis C Source Code CFGs, PDGs, SDG Buffer Overrun Warnings Linear Constraints Ranges for Variables Linear Constraints CodeSurfer Constraint Generator Taint Analyzer Constraint Solver Detection Front-End

17 October 30, 2003CCS 2003 - Vinod Ganapathy17 Taint Analysis Removes un-initialized constraint variables –Un-modeled library calls –Un-initialized program variables Required for solvers to function correctly

18 October 30, 2003CCS 2003 - Vinod Ganapathy18 Constraint Solvers C Source Code CFGs, PDGs, SDG Buffer Overrun Warnings Linear Constraints Ranges for Variables Linear Constraints CodeSurfer Constraint Generator Taint Analyzer Constraint Solver Detection Front-End

19 October 30, 2003CCS 2003 - Vinod Ganapathy19 Constraint Solvers Abstract problem: –Given a set of constraints on max and min variables –Get tightest possible fit satisfying all the constraints Our approach: –Model and solve as a linear program

20 October 30, 2003CCS 2003 - Vinod Ganapathy20 Constraint Solvers We have developed two solvers: –Vanilla solver –Hierarchical solver Speed of Analysis Precision of results slow fast low high Vanilla Hierarchical

21 October 30, 2003CCS 2003 - Vinod Ganapathy21 Linear Programming An objective function F Subject to: A set of constraints C Example: Maximize: x Subject to : X <= 3

22 October 30, 2003CCS 2003 - Vinod Ganapathy22 Why Linear Programming? Can support arbitrary linear constraints Commercial linear program solvers are highly optimized and fast Use of linear programming duality for diagnostics –Can be used to produce a “witness” trace leading to the statement causing the buffer overrun

23 October 30, 2003CCS 2003 - Vinod Ganapathy23 Vanilla Constraint Solver Goal: Obtain values for buffer bounds Modeling as a Linear Program Minimize : max variable Subject to : Set of Constraints And Maximize : min variable Subject to : Set of Constraints Least Upper Bound Greatest Lower Bound Tightest possible fit

24 October 30, 2003CCS 2003 - Vinod Ganapathy24 Vanilla Constraint Solver However, it can be shown that: Min : Σ ( max vars) – Σ( min vars) Subject to : Set of Constraints yields the same solution for each variable Solve just one Linear Program and get values for all variables!

25 October 30, 2003CCS 2003 - Vinod Ganapathy25 Vanilla Constraint Solver Why is this method imprecise? –Infeasible linear programs –Why do such linear programs arise? Deals with infeasibility using an approximation algorithm See paper for details

26 October 30, 2003CCS 2003 - Vinod Ganapathy26 Detection Front-End C Source Code CFGs, PDGs, SDG Buffer Overrun Warnings Linear Constraints Ranges for Variables Linear Constraints CodeSurfer Constraint Generator Taint Analyzer Constraint Solver Detection Front-End

27 October 30, 2003CCS 2003 - Vinod Ganapathy27 Detection Front-End 0 1 buf_alloc_min buf_len_max Scenario I: ‘’Possible’’ buffer overflow

28 October 30, 2003CCS 2003 - Vinod Ganapathy28 Detection Front-End 0 1 buf_alloc_min buf_len_max Scenario II: Sure buffer overflow

29 October 30, 2003CCS 2003 - Vinod Ganapathy29 Roadmap of Talk Tool Architecture –Constraint Generation –Constraint Resolution –Producing Warnings Adding Context Sensitivity Results Future work and Conclusions

30 October 30, 2003CCS 2003 - Vinod Ganapathy30 Context-Insensitive Analysis foo () { bar () { int x; int y; x = foobar(5); y = foobar(30); } } int foobar (int z) { int i; i = z + 1; return i; }

31 October 30, 2003CCS 2003 - Vinod Ganapathy31 Context-Insensitive Analysis foo () { bar () { int x; int y; x = foobar(5); y = foobar(30); } } int foobar (int z) { int i; i = z + 1; return i; }

32 October 30, 2003CCS 2003 - Vinod Ganapathy32 Context-Insensitive Analysis foo () { bar () { int x; int y; x = foobar(5); y = foobar(30); } } int foobar (int z) { int i; i = z + 1; return i; }

33 October 30, 2003CCS 2003 - Vinod Ganapathy33 Context-Insensitive Analysis foo () { bar () { int x; int y; x = foobar(5); y = foobar(30); } } int foobar (int z) { int i; i = z + 1; return i; } False Path Result: x = y = [6..31]

34 October 30, 2003CCS 2003 - Vinod Ganapathy34 Adding Context Sensitivity Make user functions context-sensitive –e.g. wrappers around library calls Inefficient method: Constraint inlining Can separate calling contexts  Large number of constraint variables  Cannot support recursion

35 October 30, 2003CCS 2003 - Vinod Ganapathy35 Adding Context Sensitivity Efficient method: Procedure summaries Basic Idea: –Summarize the called procedure –Insert the summary at the call-site in the caller –Remove false paths

36 October 30, 2003CCS 2003 - Vinod Ganapathy36 Adding Context Sensitivity foo () { bar () { int x; int y; x = foobar(5); y = foobar(30); } } int foobar (int z) { int i; i = z + 1; return i; }

37 October 30, 2003CCS 2003 - Vinod Ganapathy37 Adding Context Sensitivity foo () { bar () { int x; int y; x = foobar(5); y = foobar(30); } } int foobar (int z) { int i; i = z + 1; return i; } Summary: i = z + 1 x = 5 + 1 y = 30 + 1

38 October 30, 2003CCS 2003 - Vinod Ganapathy38 Adding Context Sensitivity foo () { bar () { int x; int y; x = foobar(5); y = foobar(30); } } int foobar (int z) { int i; i = z + 1; return i; } Jump Functions

39 October 30, 2003CCS 2003 - Vinod Ganapathy39 Adding Context Sensitivity foo () { bar () { int x; int y; x = foobar(5); y = foobar(30); } } int foobar (int z) { int i; i = z + 1; return i; } No false paths x = [6..6] y = [31..31] i = [6..31]

40 October 30, 2003CCS 2003 - Vinod Ganapathy40 Adding Context Sensitivity Computing procedure summaries: –In most cases, reduces to a shortest path problem –Other cases, Fourier-Motzkin variable elimination

41 October 30, 2003CCS 2003 - Vinod Ganapathy41 Roadmap of Talk Tool Architecture –Constraint Generation –Constraint Resolution –Producing Warnings Adding Context Sensitivity Results Future work and Conclusions

42 October 30, 2003CCS 2003 - Vinod Ganapathy42 Results: Overruns Identified ApplicationLOCWarningsVulnerabilityDetected? WU-FTPD-2.5.016000139CA-1999-13Yes WU-FTPD-2.6.218000178None14 New Sendmail-8.7.638000295 Identified by Wagner et al. Yes Sendmail-8.11.668000453CA-2003-07Yes, but…

43 October 30, 2003CCS 2003 - Vinod Ganapathy43 Results: Context Sensitivity WU-FTPD-2.6.2: 7310 ranges identified Constraint Inlining: –5.8x number of constraints –8.7x number of constraint variables –406 ranges refined in at least one calling context Function Summaries: –72 ranges refined

44 October 30, 2003CCS 2003 - Vinod Ganapathy44 Roadmap of Talk Tool Architecture –Constraint Generation –Constraint Resolution –Producing Warnings Adding Context Sensitivity Results Future work and Conclusions

45 October 30, 2003CCS 2003 - Vinod Ganapathy45 Conclusions Built a tool to detect buffer overruns Incorporated in a program understanding framework Current work: –Adding Flow Sensitivity –Reducing the number of false warnings while still maintaining scalability

46 October 30, 2003CCS 2003 - Vinod Ganapathy46 Buffer Overrun Detection using Linear Programming and Static Analysis Vinod Ganapathy, Somesh Jha {vg,jha}@cs.wisc.edu University of Wisconsin-Madison David Chandler, David Melski, David Vitek {chandler,melski,dvitek}@grammatech.com Grammatech Inc., Ithaca, New York

Download ppt "October 30, 2003CCS 2003 - Vinod Ganapathy1 Buffer Overrun Detection using Linear Programming and Static Analysis Vinod Ganapathy, Somesh Jha"

Similar presentations

Static Analysis for Security

Static Analysis for Security
Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Fachbereich Informatik SVS – Sicherheit in Verteilten Systemen Universität Hamburg Preventing Buffer Overflows (and more) An overview of scientific approaches.

Fachbereich Informatik SVS – Sicherheit in Verteilten Systemen Universität Hamburg Preventing Buffer Overflows (and more) An overview of scientific approaches.
A System to Generate Test Data and Symbolically Execute Programs Lori A. Clarke September 1976.

A System to Generate Test Data and Symbolically Execute Programs Lori A. Clarke September 1976.
Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.

Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.
Pointer Analysis – Part I Mayur Naik Intel Research, Berkeley CS294 Lecture March 17, 2009.

Pointer Analysis – Part I Mayur Naik Intel Research, Berkeley CS294 Lecture March 17, 2009.
Control Flow Analysis (Chapter 7) Mooly Sagiv (with Contributions by Hanne Riis Nielson)

Control Flow Analysis (Chapter 7) Mooly Sagiv (with Contributions by Hanne Riis Nielson)
1 Program Slicing Purvi Patel. 2 Contents Introduction What is program slicing? Principle of dependences Variants of program slicing Slicing classifications.

1 Program Slicing Purvi Patel. 2 Contents Introduction What is program slicing? Principle of dependences Variants of program slicing Slicing classifications.
Parameterized Object Sensitivity for Points-to Analysis for Java Presented By: - Anand Bahety Dan Bucatanschi.

Parameterized Object Sensitivity for Points-to Analysis for Java Presented By: - Anand Bahety Dan Bucatanschi.
Static Analysis for Memory Safety Salvatore Guarnieri

Static Analysis for Memory Safety Salvatore Guarnieri
1 Static Testing: defect prevention SIM3302. 2 objectives Able to list various type of structured group examinations (manual checking) Able to statically.

1 Static Testing: defect prevention SIM objectives Able to list various type of structured group examinations (manual checking) Able to statically.
Program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc06.html.

Program analysis Mooly Sagiv html://
ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.

ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.
4/30/2008Prof. Hilfinger CS 164 Lecture 391 Language Security Lecture 39 (from notes by G. Necula)

4/30/2008Prof. Hilfinger CS 164 Lecture 391 Language Security Lecture 39 (from notes by G. Necula)
Program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc08.html.

Program analysis Mooly Sagiv html://
Static Detection of Buffer Overrun In C Code Lucas Silacci CSE 231 Spring 2000 University of California San Diego.

Static Detection of Buffer Overrun In C Code Lucas Silacci CSE 231 Spring 2000 University of California San Diego.
Improving Network Applications Security: a New Heuristic to Generate Stress Testing Data Presented by Conrad Pack Del Grosso et al.

Improving Network Applications Security: a New Heuristic to Generate Stress Testing Data Presented by Conrad Pack Del Grosso et al.
Overview of program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc05.html.

Overview of program analysis Mooly Sagiv html://
Pointer and Shape Analysis Seminar Mooly Sagiv Schriber 317 Office Hours Thursday 15-16.

Pointer and Shape Analysis Seminar Mooly Sagiv Schriber 317 Office Hours Thursday
Program Analysis Mooly Sagiv Tel Aviv University 640-6706 Sunday 18-21 Scrieber 8 Monday 10-12 Schrieber.

Program Analysis Mooly Sagiv Tel Aviv University Sunday Scrieber 8 Monday Schrieber.

Similar presentations

Ads by Google