Detecting C Program Vulnerabilities Tomsk State University Anton Ermakov, Natalia Kushik Presented by Olga Kondratyeva.


1 Detecting C Program Vulnerabilities Tomsk State University Anton Ermakov, Natalia Kushik Presented by Olga Kondratyeva

2 Program vulnerabilities

A vulnerability is a property of a program that allows a user to disturb the confidentiality, integrity, and/or availability of this software.

Detection methods
- Static methods: the source code of a program is analyzed without running the program
- Dynamic methods: require program runs

3 Source codes for detecting program vulnerabilities

We experimented with student implementations of array algorithms for various uses:
- C implementation of average value calculating (contains type overflow vulnerability)
- C implementation of the bubble sort (contains array overflow vulnerability)
- C implementation of the insertion sort (contains array overflow vulnerability)

4 Source codes for detecting program vulnerabilities

Average value calculating

    #include <stdio.h>
    #include <stdlib.h>

    int main() {
        unsigned short n = 0, a[10];
        printf("Input size of array, please:");
        scanf("%hu", &n);              /* n is never checked against the 10-element array */
        for (int i = 0; i < n; i++) {
            printf("%d. ", i);
            scanf("%hu", &a[i]);       /* writes past a[9] when n > 10 */
        }
        unsigned short sred = 0;
        for (int i = 0; i < n; i++) {
            sred += a[i];              /* the sum wraps around in an unsigned short */
        }
        sred /= n;
        printf("Middle:%d", sred);
        system("pause");
        return sred;
    }

The insertion sort

    #include <iostream>
    #include <cstdlib>
    using namespace std;

    int main() {
        unsigned short length, key, arr[10];
        int i = 0, j = 0, tmp = 0;
        cout << "Vvedite celoe chislo:";
        cin >> length;                 // length is never checked against the 10-element array
        for (i = 0; i < length; i++) {
            cout << i << " = ";
            cin >> arr[i];
        }
        for (i = 0; i < length; i++) {
            tmp = arr[i];
            for (j = i - 1; j >= 0 && arr[j] > tmp; j--)
                arr[j + 1] = arr[j];
            arr[j + 1] = tmp;
        }
        for (i = 0; i < length; i++) {
            cout << i << "=" << arr[i] << endl;
        }
        system("pause");
        return 1;
    }

The bubble sort

    #include <iostream>
    #include <cstdlib>
    using namespace std;

    int main() {
        unsigned short j = 0, i = 0, n, a[10];
        cout << "Vvedite celoe chislo:";
        cin >> n;                      // n is never checked against the 10-element array
        for (i = 0; i < n; i++) {
            cout << i << " = ";
            cin >> a[i];
        }
        unsigned short temp;
        bool t = true;
        while (t == true) {
            t = false;
            for (j = 0; j < n - 1; j++) {
                if (a[j] > a[j + 1]) {
                    temp = a[j];
                    a[j] = a[j + 1];
                    a[j + 1] = temp;
                    t = true;
                }
            }
        }
        for (i = 0; i < n; i++) {
            cout << i << "=" << a[i] << endl;
        }
        system("pause");
        return 1;
    }

5 Static code analyzers (1)

- ITS4 (Cigital company, USA, 1992)
  Properties: relies on a database of potentially dangerous C functions
  Vulnerabilities being detected: ITS4 has reported that “scanf() is a function of a high risk for a buffer overflow vulnerability”
- Flawfinder (David A. Wheeler, 2004)
  Properties: relies on a list of potentially dangerous C instructions
  Vulnerabilities being detected: the Flawfinder report contains only one dangerous function, system()
- Graudit (Grep Utility)
  Properties: returns a colored report in which some dangerous instructions are highlighted in blue
  Vulnerabilities being detected: Graudit highlighted the functions scanf() and printf() and the stream input/output operators cin and cout

6 Static code analyzers (2)

- CppCheck 1.46 (Daniel Marjamäki and Cppcheck team, 2007-2010)
  Properties: memory leakage vulnerabilities
  Vulnerabilities being detected: “No errors found”
- AEGIS (SPbSPU, Digitek Labs, since 2008)
  Properties: memory leakage, incorrect pointers, incorrect array indexes, uninitialized variables, the use of potentially dangerous functions, etc.
  Vulnerabilities being detected:
  - For the average value calculating program, AEGIS has detected an incorrect array index
  - For the array sort programs, AEGIS has mentioned only that there is a call of an unsafe function system()

7 SPIN based approach for detecting vulnerabilities (1)

- SPIN is a well-known model checker
- A vulnerability is described as a property to be verified
- If the program is vulnerable, i.e., possesses a “bad” feature, then SPIN produces a counterexample
- The property is specified as a corresponding assertion

8 SPIN based approach for detecting vulnerabilities (2)

- Type overflow vulnerability has been detected in the average value calculating program (the counterexample produced by SPIN has the value 10005 for each array item value)
- Array overflow vulnerability has been detected in both sorting programs (the counterexample produced by SPIN has the value 11 for the array dimension as well as for each array item value)
- Type overflow vulnerability has been detected in both sorting programs (the counterexamples produced by SPIN have values 70035 and 80040 for array item values)

For some kinds of C code vulnerabilities static analysis can be insufficient, and the SPIN based approach for vulnerability detection seems to be promising.
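An added example, not the authors' SPIN model or Promela code: a bounded exhaustive search in C that states each vulnerability of the average value program as an assertion and returns the first violating input as a counterexample, which is the idea the two SPIN slides describe. The names, the simplification that every array item holds the same value, the 16-bit width of unsigned short, and the input domain are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>

#define CAP 10u          /* a[10] in the average value program */
#define SHORT_MAX 65535u /* assumption: unsigned short is 16 bits wide */

enum property { ARRAY_INDEX_IN_BOUNDS, SUM_FITS_IN_TYPE };
struct cex { int found; unsigned n, value, step; };

/* One run of the model: n items, each equal to value. Returns the loop step
   at which the asserted property fails, or -1 if it holds on this run. */
static long run_model(enum property p, unsigned n, unsigned value) {
    unsigned long sum = 0; /* wide shadow of `unsigned short sred` */
    for (unsigned i = 0; i < n; i++) {
        if (p == ARRAY_INDEX_IN_BOUNDS && i >= CAP)
            return (long)i;                /* assert(i < 10) fails */
        sum += value;
        if (p == SUM_FITS_IN_TYPE && sum > SHORT_MAX)
            return (long)i;                /* assert(sum <= 65535) fails */
    }
    return -1;
}

/* Explore every (n, value) input in the bounded domain and return the
   first one that violates p, as a model checker reports a counterexample. */
struct cex find_counterexample(enum property p, unsigned max_n,
                               const unsigned *values, size_t nvalues) {
    struct cex c = {0, 0, 0, 0};
    for (unsigned n = 0; n <= max_n; n++)
        for (size_t k = 0; k < nvalues; k++) {
            long step = run_model(p, n, values[k]);
            if (step >= 0) {
                c.found = 1; c.n = n; c.value = values[k];
                c.step = (unsigned)step;
                return c;
            }
        }
    return c;
}

/* Constructed domain; 10005 is the item value from the slide's counterexample. */
static const unsigned DOMAIN[] = {1, 100, 10005};

int main(void) {
    struct cex a = find_counterexample(ARRAY_INDEX_IN_BOUNDS, 12, DOMAIN, 3);
    struct cex t = find_counterexample(SUM_FITS_IN_TYPE, 12, DOMAIN, 3);
    printf("array overflow: n=%u, step=%u\n", a.n, a.step);
    printf("type overflow: n=%u, item=%u, step=%u\n", t.n, t.value, t.step);
    return 0;
}
```

A property that holds over the whole bounded domain comes back with `found == 0`, which says nothing about inputs outside that domain.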

9 Thank you for your attention!

