Presentation is loading. Please wait.

Presentation is loading. Please wait.

February 2001OASIS --- Norfolk1 Dependence Graphs for Information Assurance Paul Anderson GrammaTech, Inc. Ithaca, NY

Published byGavin Robertson Modified over 8 years ago

Similar presentations

Presentation on theme: "February 2001OASIS --- Norfolk1 Dependence Graphs for Information Assurance Paul Anderson GrammaTech, Inc. Ithaca, NY"— Presentation transcript:

1 February 2001OASIS --- Norfolk1 Dependence Graphs for Information Assurance Paul Anderson paul@grammatech.com GrammaTech, Inc. Ithaca, NY http://www.grammatech.com Tim Teitelbaum tt@grammatech.com (Cornell)

2 February 2001OASIS --- Norfolk2 Problem –Understanding information flows important for solving security problems –But tool support for understanding information flows is poor too abstract / not code based / research languages too imprecise / don’t scale Opportunity –Dependence analysis sound and tractable basis for understanding information flows –Theory of dependence graphs and program slicing mature theory for compilers and software-engineering tools Objective –Effective information-flow analysis tools based on dependence graphs modest goal [less expressive than type-based approaches] ambitious goal [C/C++; interprocedural precision; scalable] –Apply to security problems

3 February 2001OASIS --- Norfolk3 Sample application 1: Covert Channel Analysis The “chop” between read_high and write_low shows possible information flows from HI to LO HI LO NRL PUMP read_high read_low write_high write_low ACK

4 February 2001OASIS --- Norfolk4 Covert Channel Analysis, continued

5 February 2001OASIS --- Norfolk5 Sample application 2: Buffer Overrun Analysis External strings Unbounded string copies “foo”“bar” Bounded string copies strcpy strncpy Internal strings “internal string” The “chop” between external strings and unbounded copies shows possible exploitable overruns

6 February 2001OASIS --- Norfolk6 Sample policy Sends –never preceded by a read => necessarily in state 1 omit code to check state –always preceded by a read => necessarily in state 2 replace code with error Reads –always preceded by a read => necessarily in state 2 omit code to change state –never followed by a send => no subsequent violation possible omit code to change state Sample Application 3: Analysis for Efficient IRM Insertion 12 ¬read read ¬send –Simple implementation [Schneider] inline the security automaton everywhere partial evaluation –Efficient implementation exploit dependence information

7 February 2001OASIS --- Norfolk7 a = a in Control Flow Graphs void main() { int sum, i; sum = 0; i = 1; while (i<11) { sum = add(sum,i); i = add(i, 1); } printf(“sum=%d\n”, sum); printf(“i=%d\n”, i); } static int add(int a, int b) { return (a+b); } entry main entry add sum = 0i = 1while i < 11print sumprint i call add result = a + b a in = sum b in = i sum= reta in = ib in = 1 ret = resultb = b in i= ret

8 February 2001OASIS --- Norfolk8 Legend: control data a = a in Dependence Graphs void main() { int sum, i; sum = 0; i = 1; while (i<11) { sum = add(sum,i); i = add(i, 1); } printf(“sum=%d\n”, sum); printf(“i=%d\n”, i); } static int add(int a, int b) { return (a+b); } i= ret entry main entry add sum = 0i = 1while i < 11print sumprint i call add result = a + b a in = sum b in = i sum= reta in = ib in = 1 ret = resultb = b in Legend: control data

9 February 2001OASIS --- Norfolk9 a in = i a = a in Dependence Graphs [ and Slicing ] void main() { int sum, i; sum = 0; i = 1; while (i<11) { sum = add(sum,i); i = add(i, 1); } printf(“sum=%d\n”, sum); printf(“i=%d\n”, i); } static int add(int a, int b) { return (a+b); } i= ret entry main entry add sum = 0i = 1while i < 11print sumprint i call add result = a + b a in = sum b in = i sum= retb in = 1 ret = resultb = b in The “backward slice” from a statement shows all influences on that statement. Legend: control data

10 February 2001OASIS --- Norfolk10 a in = i a = a in Dependence Graphs [ and Slicing ] void main() { int sum, i; sum = 0; i = 1; while (i<11) { sum = add(sum,i); i = add(i, 1); } printf(“sum=%d\n”, sum); printf(“i=%d\n”, i); } static int add(int a, int b) { return (a+b); } i= ret entry main entry add sum = 0i = 1while i < 11print sumprint i call add result = a + b a in = sum b in = i sum= retb in = 1 ret = resultb = b in The “backward slice” from a statement shows all influences on that statement. Legend: control data

11 February 2001OASIS --- Norfolk11 Wide-Spectrum Program Representation FE 1 Builder Pre-IR FE m... front ends EDG - ANSI C - other C - C++ - Java assembler / binaries UML (Rose/RT) Verilog VHDL Jovial Analysis operations Synthesis operations Scheme scripts C client code GUI IR APIAPI Code : done ; current ; designed ; prototyped by others; IASET / OASIS ASTs symbol table local def, use, conditional kill, pointer ref-deref info CFGs source positions Support for: make, libraries and archives, loader Pre-IR + points-to sets call multigraph GMOD / GREF summary edges PDGs / SDG Precise interprocedural queries - predecessors and successors - slice - chop - model checking Sets of PDG nodes - Boolean operations - persistent storage

12 February 2001OASIS --- Norfolk12 Pointer Analysis Flow insensitive, context insensitive –Andersen –Steensgaard / Das Improvements –Structure fields –Context sensitive PCC-like application for IRM

13 February 2001OASIS --- Norfolk13 Andersen Pointer p = &q; p = q; p = *q; *p = q; pq p r1r1 r2r2 q r1r1 r2r2 q s1s1 s2s2 s3s3 p p s1s1 s2s2 q r1r1 r2r2 normalized statements of program (base facts) program-independent rules iterate to a fixpoint

14 February 2001OASIS --- Norfolk14 Steensgaard / Das Andersen –time: cubic in # variables Steensgaard –time: almost linear in # variables keep at most one out edge; form unions on p=q; –precision : << Andersen Das –time: ~Steensgaard –precision (size of points-to sets) : ~Andersen GrammaTech implementation of Steensgaard / Das –tentative finding performance gain often substantial precision loss often unacceptable –current plan: continue improving Andersen p R S q R  S p q

15 February 2001OASIS --- Norfolk15 Need for Discrimination by Structure Field backward slice from here Which assignments through p should be in the slice? Current release: all fields participate in every operation on any field Must discriminate among fields Must consider unions and casts Offsets –Cannot use for portable analysis –Should use for precise platform dependent analysis

16 February 2001OASIS --- Norfolk16 Need for Context Sensitive Pointer Analysis points-to(p) = {c, d} shouldn’t be in slice backward slice here buf = c; buf = d;

17 February 2001OASIS --- Norfolk17 PCC-like Pointer-Analysis for IRM B FP object code base facts fixpoint solution iteration Generate pointer analysis for object code Ship B and FP with code Receiver verifies –B corresponds to the program –B  FP –FP is a fixpoint Receiver avoids the iteration subset lattice of points-to info

18 February 2001OASIS --- Norfolk18 PCC-like Pointer-Analysis for IRM, continued B FP source code base facts fixpoint solution object code iteration B FP B’ base facts FP  B’ start here fixpoint solution iteration

19 February 2001OASIS --- Norfolk19 Need for Variable-Based Queries Security analysts need information flows per variable Point-based backward slice (implicitly w.r.t. p, a, and b ) a = 1; b = 2; if ( … ) p = &a; else p = &b; x = *p; Point-and-variable backward slice w.r.t. a a = 1; b = 2; if ( … ) p = &a; else p = &b; x = *p;

20 February 2001OASIS --- Norfolk20 Non-Structured Control Constructs [Horwitz] Unstructured jumps are a source of imprecision in slicing based on dependence graphs Importance –in C / C++ switch, break, continue, goto –in assembler and binaries Solution –distinguish between transitive closure of direct control dependence generalized control dependence

21 February 2001OASIS --- Norfolk21 Boolean combinations of primitive queries are not sufficient –e.g., chop(p,q,)  forward-slice(p)  backward-slice(q) Need a language for posing generalized path queries Example: Find tell-tale signs of Trojan-horse in login shell Approach: use model checking on CFGs and dependence graph –Model checker for CTL (interprocedurally imprecise) prototyped –Model checker for Modal Mu Calculus (interprocedurally precise) Model Checking start exec authenticate

22 February 2001OASIS --- Norfolk22 Summary Extensive static-analysis infrastructure –constructing dependence graphs –performing precise interprocedural information-flow queries –inspecting flows Applicable today to real C programs [demo] Limitations being addressed now –precision pointer analysis non-structured control constructs variable-based queries –performance –query expressiveness Upcoming inquiry – verifiable static analysis for efficient IRM insertion

Download ppt "February 2001OASIS --- Norfolk1 Dependence Graphs for Information Assurance Paul Anderson GrammaTech, Inc. Ithaca, NY"

Similar presentations

October 30, 2003CCS 2003 - Vinod Ganapathy1 Buffer Overrun Detection using Linear Programming and Static Analysis Vinod Ganapathy, Somesh Jha

October 30, 2003CCS Vinod Ganapathy1 Buffer Overrun Detection using Linear Programming and Static Analysis Vinod Ganapathy, Somesh Jha
SSA and CPS CS153: Compilers Greg Morrisett. Monadic Form vs CFGs Consider CFG available exp. analysis: statement gen's kill's x:=v 1 p v 2 x:=v 1 p v.

SSA and CPS CS153: Compilers Greg Morrisett. Monadic Form vs CFGs Consider CFG available exp. analysis: statement gen's kill's x:=v 1 p v 2 x:=v 1 p v.
Data-Flow Analysis II CS 671 March 13, 2008. CS 671 – Spring 2008 1 Data-Flow Analysis Gather conservative, approximate information about what a program.

Data-Flow Analysis II CS 671 March 13, CS 671 – Spring Data-Flow Analysis Gather conservative, approximate information about what a program.
Intermediate Code Generation

Intermediate Code Generation
Alan Shaffer, Mikhail Auguston, Cynthia Irvine, Tim Levin The 7th OOPSLA Workshop on Domain-Specific Modeling October 21-22, 2007 Toward a Security Domain.

Alan Shaffer, Mikhail Auguston, Cynthia Irvine, Tim Levin The 7th OOPSLA Workshop on Domain-Specific Modeling October 21-22, 2007 Toward a Security Domain.
1 CS 201 Compiler Construction Lecture 3 Data Flow Analysis.

1 CS 201 Compiler Construction Lecture 3 Data Flow Analysis.
Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.

Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.
Pointer Analysis – Part I Mayur Naik Intel Research, Berkeley CS294 Lecture March 17, 2009.

Pointer Analysis – Part I Mayur Naik Intel Research, Berkeley CS294 Lecture March 17, 2009.
Flow insensitive pointer analysis: fixed S1: l := new Cons p := l S2: t := new Cons *p := t p := t l p S1 l p tS2 l p S1 t S2 l t S1 p S2 l t S1 p S2 l.

Flow insensitive pointer analysis: fixed S1: l := new Cons p := l S2: t := new Cons *p := t p := t l p S1 l p tS2 l p S1 t S2 l t S1 p S2 l t S1 p S2 l.
Overview of Previous Lesson(s) Over View  Front end analyzes a source program and creates an intermediate representation from which the back end generates.

Overview of Previous Lesson(s) Over View  Front end analyzes a source program and creates an intermediate representation from which the back end generates.
Program Representations. Representing programs Goals.

Program Representations. Representing programs Goals.
A Fixpoint Calculus for Local and Global Program Flows Swarat Chaudhuri, U.Penn (with Rajeev Alur and P. Madhusudan)

A Fixpoint Calculus for Local and Global Program Flows Swarat Chaudhuri, U.Penn (with Rajeev Alur and P. Madhusudan)
Parallel Inclusion-based Points-to Analysis Mario Méndez-Lojo Augustine Mathew Keshav Pingali The University of Texas at Austin (USA) 1.

Parallel Inclusion-based Points-to Analysis Mario Méndez-Lojo Augustine Mathew Keshav Pingali The University of Texas at Austin (USA) 1.
Parameterized Object Sensitivity for Points-to Analysis for Java Presented By: - Anand Bahety Dan Bucatanschi.

Parameterized Object Sensitivity for Points-to Analysis for Java Presented By: - Anand Bahety Dan Bucatanschi.
Semi-Sparse Flow-Sensitive Pointer Analysis Ben Hardekopf Calvin Lin The University of Texas at Austin POPL ’09 Simplified by Eric Villasenor.

Semi-Sparse Flow-Sensitive Pointer Analysis Ben Hardekopf Calvin Lin The University of Texas at Austin POPL ’09 Simplified by Eric Villasenor.
Common Sub-expression Elim Want to compute when an expression is available in a var Domain:

Common Sub-expression Elim Want to compute when an expression is available in a var Domain:
Representing programs Goals. Representing programs Primary goals –analysis is easy and effective just a few cases to handle directly link related things.

Representing programs Goals. Representing programs Primary goals –analysis is easy and effective just a few cases to handle directly link related things.
Aliases in a bug finding tool Benjamin Chelf Seth Hallem June 5 th, 2002.

Aliases in a bug finding tool Benjamin Chelf Seth Hallem June 5 th, 2002.
Next Section: Pointer Analysis Outline: –What is pointer analysis –Intraprocedural pointer analysis –Interprocedural pointer analysis (Wilson & Lam) –Unification.

Next Section: Pointer Analysis Outline: –What is pointer analysis –Intraprocedural pointer analysis –Interprocedural pointer analysis (Wilson & Lam) –Unification.
Program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc06.html.

Program analysis Mooly Sagiv html://

Similar presentations

Ads by Google