Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Static Analysis for Bug Finding Benjamin Livshits.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Static Analysis for Bug Finding Benjamin Livshits."— Presentation transcript:

1 1 Static Analysis for Bug Finding Benjamin Livshits

2 2 Compilers Can be Used for Bug Finding A trend of compiler research Started in 1991 with Intrinsa –Bug finding tool called Prefix –Looks for NULL dereferences –Memory leaks (double-deletes, dangling pointers) –Concurrency bugs (race conditions) –etc. Purchased by Microsoft –Became Prefix/Prefast –Used by MS internally on a regular basis

3 3 Why Compilers? Observation: –Many bugs can be found by analyzing the source code –Compilers have access to the source Security is an attractive application: –The cost of a break-in is very high –Sound static (compiler) analysis can find all bugs

4 4 Common Classes of Security Vulnerabilities Server-type software (C, C++) Application software (Java, C#, PHP) Buffer overruns Format string violations SQL injections Cross-site scripting attacks HTTP splitting attacks Directory traversal attacks Session hijacking attacks etc.

5 5 Buffer Overruns

6 6 How Buffer Overruns Work There is no array bounds checking in C Hackers can exploit that Different flavors of overruns –Simplest: overrun a static buffer –Idea: Don’t want user data to be copied to static buffers! 1.Arrange for suitable code to in program address space 2.Get the program to jump to that code overwrite a return address to point to the code 3.Put something interesting into the exploit code –such as exec(“sh”), etc.

7 7 Example: Buffer Overrun in gzip 0589 if (to_stdout && !test && !list && (!decompress ||... 0590 SET_BINARY_MODE(fileno(stdout)); 0591 } 0592 while (optind < argc) { 0593 treat_file(argv[optind++]); 0704 local void treat_file(iname) 0705 char *iname; 0706 {... 0716 if (get_istat(iname, &istat) != OK) return; 0997 local int get_istat(iname, sbuf) 0998 char *iname; 0999 struct stat *sbuf; 1000 {... 1009 strcpy(ifname, iname); gzip.c:593 gzip.c:1009 gzip.c:716 Need to have a model of strcpy

8 8 Need it to represent flow of date in C: Yes if we can prove that p cannot point to a Should we put a flow edge from 3 to a to represent potential flow? If we don’t –Analysis may miss bugs If we do –Analysis may end up being too imprecise a = 2; *p = 3; …  is the value of a still 2? A Glimpse of What Analysis is Needed

9 9 Application Level Vulnerabilities (SQL Injection & Friends)

10 10 blogger.com cracked Aug. 2005 Firefox marketing site hacked Jul. 2005 MS UK defaced in hacking attack Jul. 2005 Hacker hits Duke system Jun. 2005 MSN site hacked in South Korea Jun. 2005 MSN site hacking went undetected for days Jun. 2005 Phishers manipulate SunTrust site to steal data Sep. 2004 Tower Records settles charges over hack attacks Apr. 2004 Western Union Web site hacked Sep. 2000 Real-Life Hacking Stories 75% of all security attacks today are at the application level* 97% of 300+ audited sites were vulnerable to Web application attacks* $300K average financial loss from unauthorized access or info theft** Average $100K/hour of downtime lost * Source: Gartner Research *Source: Computer Security Institute survey

11 11 Simple Web App Web form allows user to look up account details Underneath – Java Web app. serving requests

12 12 Happy-go-lucky SQL statement: Leads to SQL injection –One of the most common Web application vulnerabilities caused by lack of input validation But how? –Typical way to construct a SQL query using concatenation –Looks benign on the surface –But let’s play with it a bit more… SQL Injection Example String query = “SELECT Username, UserID, Password FROM Users WHERE username =“ + user + “ AND password =“ + password;

13 13 Injecting Malicious Data (1) query = “SELECT Username, UserID, Password FROM Users WHERE Username = 'bob' AND Password = ‘********‘” submit

14 14 Injecting Malicious Data (2) query = “SELECT Username, UserID, Password FROM Users WHERE Username = 'bob‘-- ‘AND Password = ‘ ‘” submit

15 15 Injecting Malicious Data (3) submit query = “SELECT Username, UserID, Password FROM Users WHERE Username = 'bob‘; DROP Users-- ‘AND Password = ‘‘”

16 16 Summary of Attacks Techniques 1.Inject (taint sources) Parameter manipulation Hidden field manipulation Header manipulation Cookie poisoning Second-level injection 2. Exploit (taint sinks) SQL injections Cross-site scripting HTTP request splitting HTTP request smuggling Path traversal Command injection 1. Header manipulation + 2. HTTP splitting = vulnerability Input and output validation are at the core of the issue

17 17 Focusing on Input/Output Validation 30% 19% 18% SQL injection and cross-site scripting are most prevalent Buffer overruns are losing their market share

18 18 public String getRawParameter(String name) throws ParameterNotFoundException { String[] values = request.getParameterValues(name); if (values == null) { throw new ParameterNotFoundException(name + " not found"); } else if (values[0].length() == 0) { throw new ParameterNotFoundException(name + " was empty"); } return (values[0]); } Taint Propagation String session.ParameterParser.getRawParameter(String name) String session.ParameterParser.getRawParameter(String name, String def) ParameterParser.java:586 public String getRawParameter(String name, String def) { try { return getRawParameter(name); } catch (Exception e) { return def; } ParameterParser.java:570 String user = s.getParser().getRawParameter( USER, "" ); StringBuffer tmp = new StringBuffer(); tmp.append("SELECT cc_type, cc_number from user_data WHERE userid = '“); tmp.append(user); tmp.append("'“); query = tmp.toString(); Vector v = new Vector(); try { ResultSet results = statement3.executeQuery( query );... Element lessons.ChallengeScreen.doStage2(WebSession s) ChallengeScreen.java:194

19 19 Why Pointer Analysis? // get Web form parameter String param = request.getParameter(...);... // execute query con.executeQuery(query); Imagine manually auditing an application –Two statements somewhere in the program –Can these variables refer to the same object? Question answered by pointer analysis...

20 20 Stack Pointers in Java? Java references are pointers in disguise Heap

21 21 What Does Pointer Analysis Do for Us? Statically, the same object can be passed around in the program: –Passed in as parameters –Returned from functions –Deposited to and retrieved from data structures –All along it is referred to by different variables Pointer analysis “summarizes” these operations: –Doesn’t matter what variables refer to it –We can follow the object throughout the program a b c

22 22 Recurring Issues Static analysis is a powerful approach to finding bugs in program at the source 1.Soundness: find all bugs of a kind –Marking every line of the program as a problem achieves that 2.Precision: low rate of false positives –can have an extremely precise sound analysis but takes years to run 3.Scalability: Want to analyze programs 10,000-50,000 LOC Some analyses go up to 1M LOC

Download ppt "1 Static Analysis for Bug Finding Benjamin Livshits."

Similar presentations

Runtime Prevention & Recovery Protect existing applications Advantages: Prevents vulnerabilities from doing harm Safe mode for Web application execution.

Runtime Prevention & Recovery Protect existing applications Advantages: Prevents vulnerabilities from doing harm Safe mode for Web application execution.
Abhinn Kothari, 2009CS10172 Parth Jaiswal 2009CS10205 Group: 3 Supervisor : Huzur Saran.

Abhinn Kothari, 2009CS10172 Parth Jaiswal 2009CS10205 Group: 3 Supervisor : Huzur Saran.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.

Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
Finding Security Errors in Java Applications Using Lightweight Static Analysis Benjamin Livshits Computer Science Lab Stanford University.

Finding Security Errors in Java Applications Using Lightweight Static Analysis Benjamin Livshits Computer Science Lab Stanford University.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.

ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.
“Tracking Pointers with Path and Context Sensitivity for Bug Detection in C Programs” CMSC 838Z – Spring 2004 V. Benjamin Livshits and Monica S. Lam presented.

“Tracking Pointers with Path and Context Sensitivity for Bug Detection in C Programs” CMSC 838Z – Spring 2004 V. Benjamin Livshits and Monica S. Lam presented.
Program Analysis for Security Suhabe Bugrara Stanford University.

Program Analysis for Security Suhabe Bugrara Stanford University.
Overview of program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc05.html.

Overview of program analysis Mooly Sagiv html://
Tracking Pointers with Path and Context Sensitivity for Bug Detection in C Programs by V.Benjamin Livshits and Monica S. Lam {livshits,

Tracking Pointers with Path and Context Sensitivity for Bug Detection in C Programs by V.Benjamin Livshits and Monica S. Lam {livshits,
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
Web Application Attacks ECE 4112 Fall 2007 Group 9 Zafeer Khan & Simmon Yau.

Web Application Attacks ECE 4112 Fall 2007 Group 9 Zafeer Khan & Simmon Yau.
Secure Software Engineering: Input Vulnerabilities

Secure Software Engineering: Input Vulnerabilities
PHP Security.

PHP Security.
CS5103 Software Engineering Lecture 18 Security Issues in Software Engineering & Final Exam.

CS5103 Software Engineering Lecture 18 Security Issues in Software Engineering & Final Exam.
An anti-hacking guide.  Hackers are kindred of expert programmers who believe in freedom and spirit of mutual help. They are not malicious. They may.

An anti-hacking guide.  Hackers are kindred of expert programmers who believe in freedom and spirit of mutual help. They are not malicious. They may.
CSCI 6962: Server-side Design and Programming JDBC Database Programming.

CSCI 6962: Server-side Design and Programming JDBC Database Programming.
CSCI 6962: Server-side Design and Programming Secure Web Programming.

CSCI 6962: Server-side Design and Programming Secure Web Programming.

Similar presentations

Ads by Google