
Refining Buffer Overflow Detection via Demand-Driven Path-Sensitive Analysis
Wei Le and Mary Lou Soffa, University of Virginia (sotesty.cs.virginia.edu)


Slide 2. Motivation
Buffer overflow: 20 years after the Morris worm, it is still the most common exploit.
Challenge: eliminate exploitable buffer overflows
- detect where a buffer overflow can occur
- determine its cause and remove it

Slide 3. Problems of Static Approaches
Detection precision: false positives.
Error reports do not provide much information for diagnosis: they report only the overflow point in the program.
Not fully automatic: manual annotation is required.

Slide 4. Our Goals and Approaches
Goal: automatically identify the paths on which a buffer overflow can occur, and report the path segment that causes the overflow.
Challenge: the huge number of paths.
Approach:
- interprocedural, path-sensitive analysis, for precision and to help diagnosis
- demand-driven analysis, for scalability

Slide 5. Five Types of Paths
- Infeasible: no input can exercise the path
- Safe: no input can overflow the buffer
- Vulnerable: the buffer overflows and users can write any content to it
- Overflow-user-independent: the buffer overflows, but its content is statically determinable rather than user controlled
- Don't-know: the buffer status cannot be judged statically

Slide 6. An Example (wu-ftpd 2.6.2, realpath.c)
[Figure: control-flow graph of the realpath.c fragment, nodes numbered 1 to 8. Nodes: rootd = 1; rootd = 0; the check strlen(wbuf)+rootd+1+strlen(resolved) > LEN (y: exit, n: continue); rootd == 0 (y: strcat(resolved, "/")); and finally strcat(resolved, wbuf). The three paths reaching the final strcat are labelled Safe, Overflow and Infeasible. The buffers wbuf and resolved are drawn NUL-terminated, with LEN = 6 for resolved.]

Slide 7. Demand-Driven Analysis
[Figure: the same graph, headed by the declaration char resolved[LEN], with queries attached to its nodes. Notation: s = strlen(resolved) + strlen(wbuf), l = sizeof(resolved), f = wbuf (the flag naming the content being appended); a query Q(c, f) asks whether condition c holds, and its subscript lists the nodes it has been propagated through. Queries shown: Q0 (s < l, f), raised at strcat(resolved, wbuf); Q1 (s+1 < l, f), after passing strcat(resolved, "/"); Q05 (LEN-1-rootd < l, f) and Q15 (LEN-rootd < l, f), after passing the length check; Q052 (LEN-1 < l, f), Q053 (LEN-1 < l, f) and Q153 (LEN < l, f), after the assignments to rootd. Q0 is marked Solved and one branch is marked Infeasible.]

Slide 8. The Demand-Driven Model
PVS (potentially vulnerable statement): strcpy(a, b)
Query: sizeof(a) > strlen(b), flag
Information for updating queries: e.g. char a[9]
Propagation rules: interprocedural, loop, join point, infeasible path
Resolving the query: false, flag = user input

Slide 9. Approach
[Figure: workflow. Inputs: Program, PVS, Overflow Properties. Steps: Raise Query, Propagate Query, Update Query (using Node Information and the Infeasible Paths produced by Feasibility Detection), Resolve Query (Yes: Propagate Results, then Label Paths; No: keep propagating).]
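The following Python is an added worked example, not the paper's tool (which is built on Microsoft Phoenix) and not code from the authors. It runs the demand-driven model of slides 5 to 9 over our own reconstruction of the realpath.c fragment of slides 6 and 7: a query "s < l" is raised at the PVS strcat(resolved, wbuf) and propagated backward along every path to the entry, where it is resolved into one of the five path types. Assumptions: the node numbering and CFG shape, the encoding of a query as a linear expression over s and rootd, the transfer rules for each node kind, and the user flag, which here is given (wbuf is treated as user input, as on slide 7) rather than computed by tracing wbuf to its source.

```python
"""Toy demand-driven, path-sensitive query propagation for one PVS.

Added illustration; the CFG is our reconstruction of the wu-ftpd 2.6.2
realpath.c fragment, and node numbers, query encoding and transfer rules
are assumptions made for this example.
"""
from dataclasses import dataclass, field, replace

LEN = 6   # sizeof(resolved), as on slide 6
PVS = 7   # node holding strcat(resolved, wbuf)

# Nodes: id -> (kind, payload). Branch outcomes are the edge labels "y"/"n".
NODES = {
    1: ("entry", None),
    2: ("assign", ("rootd", 1)),
    3: ("assign", ("rootd", 0)),
    4: ("lencheck", "strlen(wbuf)+rootd+1+strlen(resolved) > LEN"),
    5: ("rootdcheck", "rootd == 0"),
    6: ("strcat", "/"),        # strcat(resolved, "/")
    7: ("strcat", "wbuf"),     # strcat(resolved, wbuf): the PVS
    8: ("exit", None),
}
# Predecessors with the label of the edge taken: node -> [(pred, label)]
PREDS = {
    2: [(1, None)], 3: [(1, None)], 4: [(2, None), (3, None)],
    5: [(4, "n")], 6: [(5, "y")], 7: [(5, "n"), (6, None)], 8: [(4, "y")],
}


@dataclass
class Query:
    """The query 'expr < LEN' (the strcat fits), expr being a linear
    expression {symbol: coeff, "const": k} over s = strlen(resolved) +
    strlen(wbuf) and rootd. facts holds branch conditions assumed on the
    path; user is the flag: the appended bytes (wbuf) are user controlled."""
    expr: dict
    facts: dict = field(default_factory=dict)
    user: bool = True
    path: tuple = ()


def consistent(known, val):
    """Is assigning val compatible with the fact already assumed on the path?"""
    if known is None:
        return True
    return val != 0 if known == "nonzero" else known == val


def backward(node, edge, q):
    """Reverse transfer function of `node` (left via `edge`) applied to q.
    Returns the updated query, or None when the path is infeasible."""
    kind, payload = NODES[node]
    e, facts = dict(q.expr), dict(q.facts)
    if kind == "strcat" and payload == "/":
        e["const"] = e.get("const", 0) + e.get("s", 0)      # s := s + 1
    elif kind == "lencheck" and edge == "n":
        # the check did not fire: s <= LEN - rootd - 1; substitute that maximum
        c = e.pop("s", 0)
        e["const"] = e.get("const", 0) + c * (LEN - 1)
        e["rootd"] = e.get("rootd", 0) - c
    elif kind == "rootdcheck":
        if edge == "y":
            facts["rootd"] = 0
            e.pop("rootd", None)                             # rootd := 0
        else:
            facts["rootd"] = "nonzero"
    elif kind == "assign":
        var, val = payload
        if not consistent(facts.pop(var, None), val):
            return None                                      # contradiction
        e["const"] = e.get("const", 0) + e.pop(var, 0) * val
    return replace(q, expr=e, facts=facts, path=(node,) + q.path)


def resolve(q):
    """Decide a query that has reached program entry."""
    if any(v != 0 for k, v in q.expr.items() if k != "const"):
        return "Don't-know"            # still depends on an unknown symbol
    if q.expr.get("const", 0) < LEN:
        return "Safe"
    return "Vulnerable" if q.user else "Overflow-user-independent"


def classify_paths(pvs=PVS):
    """Raise the query at the PVS and propagate it backward along every path.
    Returns {path: type}; an infeasible path is keyed by the prefix on which
    the contradiction was found (it never reaches the entry node)."""
    results = {}
    worklist = [(pvs, None, Query(expr={"s": 1}))]
    while worklist:
        node, edge, q = worklist.pop()
        nq = backward(node, edge, q)
        if nq is None:
            results[(node,) + q.path] = "Infeasible"
        elif NODES[node][0] == "entry":
            results[nq.path] = resolve(nq)
        else:
            worklist.extend((p, lbl, nq) for p, lbl in PREDS[node])
    return results


if __name__ == "__main__":
    for path, kind in sorted(classify_paths().items()):
        print(" -> ".join(map(str, path)), ":", kind)
```

Running it yields four paths through the PVS: the rootd = 0 path that appends "/" resolves to LEN < LEN, which is false and, with wbuf user controlled, Vulnerable (the off-by-one the slide labels Overflow); the rootd = 1 path that skips the "/" resolves to LEN-2 < LEN and is Safe; the two paths whose assumed branch outcome contradicts the earlier assignment to rootd are Infeasible. The remaining two types are produced by resolve() alone: a query that still mentions a symbol at entry is Don't-know, and a false query whose flag is not user input is Overflow-user-independent.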

Slide 10. Experiments
Purpose:
- existence of the five types of paths
- benefit of demand-driven analysis
Implementation: Microsoft Phoenix APIs [phoenix]
Benchmarks:
- 9 programs, 0.4-97.3K LOC
- from BugBench [06lu] and the Buffer Overflow Benchmark [03Zitser]

Slide 11. Experimental Results
Number of paths of each type per benchmark. Columns: Vul, CNST, UnK, Safe. Extraction ran the four counts of each row together; rows are separated only where the split is unambiguous, otherwise the digits are shown as extracted.
gzip-1.2.4: 1, 0, 0, 0
bc-1.06: 0, >50,000, 0, >30,000
squid-2.3: 0, 0, 4, 2
BIND: 0, 0, 2, 0
polymorph-0.4.0: 966000 (as extracted)
ncompress-4.2.4: 288000 (as extracted)
man-1.5h: 1160024 (as extracted)
wu-ftp: 43200018,624 (as extracted)
sendmail: 4800648 (as extracted)

Slide 12. Experimental Results (continued)
All five defined types of paths exist.
Problematic paths show a certain complexity.
Memory usage: 9-65 MB
Time cost: 0.24-102.6 s

Slides 13-15. User Scenario
[Figure: a path from Entry to the PVS, shown first bare and then annotated with the path types found along it, Vulnerable and Overflow User Independent.]

Slide 16. User Scenario (continued)
[Figure: the path from Entry to the PVS, annotated Vulnerable and Overflow User Independent, with the Root Cause marked on it.]
Average path size per benchmark (#P and #B as labelled on the slide):
Benchmark        #P    #B
polymorph-0.4.0  2.5   25.9
ncompress-4.2.4  2.0   27.8
man-1.5h         11.8  14.3
gzip-1.2.4       3.0   5
squid-2.3        1.0   6.8
wu-ftp           3.8   33.6
sendmail         2.0   35.5
BIND             2.0   23.5

Slide 17. Related Work
Static detection of buffer overflow: ARCHER [03xie], BOON [00wagner], ESPx [06hackett], Prefast [ms], Prefix [00bush], Splint [96evans]
Path-sensitive analysis for defects: ARCHER [03xie], ESPx [06hackett], ESP [02das], IPSSA [03livshits], MOPS [02check], Prefix [00bush]
Demand-driven approach:
- a general framework [96Duesterwald]
- applications to dataflow computation [96Duesterwald], infeasible-path detection [97bodik], memory leaks [06Orlovich], postmortem analysis [04Manevich]

Slide 18. Conclusions
- A categorization of five types of paths through a potential buffer overflow
- An interprocedural, demand-driven, path-sensitive diagnosis tool that identifies the type of each path through a potential overflow
- Experimental results demonstrating that these path types exist in real programs

Slide 19. Thank you. Questions?
