Presentation is loading. Please wait.

Presentation is loading. Please wait.

Automatic program generation for detecting vulnerabilities and errors in compilers and interpretersAutomatic program generation for detecting vulnerabilities.

Published byArlene Tate Modified over 8 years ago

Similar presentations

Presentation on theme: "Automatic program generation for detecting vulnerabilities and errors in compilers and interpretersAutomatic program generation for detecting vulnerabilities."— Presentation transcript:

1 Automatic program generation for detecting vulnerabilities and errors in compilers and interpretersAutomatic program generation for detecting vulnerabilities and errors in compilers and interpreters 0368-3500 Nurit Dor Shir Landau-Feibish Noam Rinetzky

2 Preliminaries Students will group in teams of 2-3 students. Each group will do one of the projects presented.

3 Administration Workshop meetings will take place only on Thursdays 12-14 o No meetings (with us) during other hours Attendance in all meetings is mandatory Grading: 100% of grade will be given after final project submission. Projects will be graded based on: Code correctness and functionality Original and innovative ideas Level of technical difficulty of solution

4 Administration Workshop staff should be contacted by email. Please address all emails to all of the staff: Noam Rinetzky - maon@cs.tau.ac.il Nurit Dor - nurit.dor@gmail.com Shir Landau Feibish – lfshir@gmail.com Follow updates on the workshop website: http://www.cs.tau.ac.il/~maon/teaching/2014-2015/workshop/workshop1415b.html

5 Tentative Schedule Meeting 1, 11/03/2015 (today) – Project presentation Meeting 2, 16/04/2015 – Each group presents its initial design Meeting 3, 14/05/2015 – Progress report – meeting with each group Meeting 4, 18/06/2015 – First phase submission Submission: 01/09/2015 Presentation: ~08/09/2015 – Each group separately

6 Automatic program generation for detecting vulnerabilities and errors in compilers and interpretersAutomatic program generation for detecting vulnerabilities and errors in compilers and interpreters

7 Programming Errors “As soon as we started programming, we found to our surprise that it wasn’t as easy to get programs right as we had thought. Debugging had to be discovered. I can remember the exact instant when I realized that a large part of my life from then on was going to be spent in finding mistakes in my own programs.” —Maurice Wilkes, Inventor of the EDSAC, 1949 “As soon as we started programming, we found to our surprise that it wasn’t as easy to get programs right as we had thought. Debugging had to be discovered. I can remember the exact instant when I realized that a large part of my life from then on was going to be spent in finding mistakes in my own programs.” —Maurice Wilkes, Inventor of the EDSAC, 1949

8 Compiler bugs? Most programmers treat compiler as a 100% correct program Why? – Never found a bug in a compiler Even if they do, they don’t understand it and solve the problem by “voodoo programming” – A compiler is indeed rather thoroughly tested Tens of thousands of testcases Used daily by so many users

9 Small Example int foo (void) { signed char x = 1; unsigned char y = 255; return x > y; } int foo (void) { signed char x = 1; unsigned char y = 255; return x > y; } Bug in GCC for Ubuntu compiles this function to return 1

10 FUZZERS

11 What is Fuzzing? Fuzzing is a testing approach – Test cases generated by a program. – Software under test in activated on those testcases – Monitored at run-time for failures

12 Naïve Fuzzing Miller et al 1990 Send “random” data to application. – Long printable and non-printable characters with and without null byte 25-33% of utility programs (emacs, ftp,…) in unix crashed or hanged

13 Naïve Fuzzing Advantages: – Amazingly simple Disadvantage: – inefficient Input often requires structures – random inputs are likely to be rejected Inputs that would trigger a crash is a very small fraction, probability of getting lucky may be very low Today's security awareness is much higher

14 Mutation Based Fuzzing Little or no knowledge of the structure of the inputs is assumed Anomalies are added to existing valid inputs Anomalies may be completely random or follow some heuristics Requires little to no set up time Dependent on the inputs being modified May fail for protocols with checksums, those which depend on challenge response, etc.

15 Mutation Based Example: PDF Fuzzing Google.pdf (lots of results) Crawl the results and download lots of PDFs Use a mutation fuzzer: 1.Grab the PDF file 2.Mutate the file 3.Send the file to the PDF viewer 4.Record if it crashed (and the input that crashed it)

16 Generation Based Fuzzing Test cases are generated from some description of the format: RFC, documentation, etc. Anomalies are added to each possible spot in the inputs Knowledge of protocol should give better results than random fuzzing Can take significant time to set up

17 Example Specification for ZIP file Src: http://www.flinkd.org/2011/07/fuzzing-with-peach-part-1/

18 Mutation vs Generation Mutation Based Easy to implement, no need to understand the input structure General implementation Effectiveness is limited by the initial testcases Coverage is usually not improved Generation based Can be labor intensive to implement epically for complex input (file formats) Implementation for specific inputCan produce new testcasesCoverage is usally improved

19 Constraint Based Fuzzing Mutation and generation based fuzzing will probably not reach the crash void test(char *buf) { int n=0; if(buf[0] == 'b') n++; if(buf[1] == 'a') n++; if(buf[2] == 'd') n++; if(buf[3] == '!') n++; if(n==4) { crash(); }

20 Constraint Based Fuzzing

21 CSMITH

22 Csmith From the University of Utah Csmith is a tool that can generate random C programs – Only valid C99 standard

23 Random Generator: Csmith gcc -O0gcc -O2clang -Os … vote minority majority C program results 23

24 24

25 25

26 Why Csmith Works Unambiguous: avoid undefined or unspecified behaviors that create ambiguous meanings of a program Integer operations Loops (with break/continue) Conditionals Function calls Const and volatile Structs and Bitfields Pointers and arrays Goto Expressiveness: support most commonly used C features 26 Integer undefined behavior Use without initialization Unspecified evaluation order Use of dangling pointer Null pointer dereference OOB array access

27 27

28 Avoiding Undefined/unspecified Behaviors 28 ProblemGeneration Time SolutionRun Time Solution Integer undefined behaviors Constant folding/propagation Algebraic simplification Safe math wrappers Use without initialization explicit initializers OOB array accessForce index within rangeTake modulus Null pointer dereference Inter-procedural points-to analysis Use of dangling pointers Inter-procedural points-to analysis Unspecified evaluation order Inter-procedural effect analysis

29 Code Generator 29 assign call func_2 validate ok? Generation Time Analyzer no *q … RHS LHS

30 Code Generator 30 assign call func_2 Generation Time Analyzer … RHS LHS

31 *p 31 *p Code Generator update facts assign call func_2 validate ok? yes Generation Time Analyzer … RHS LHS

32 From March, 2008 to present: Do they matter? – 25 priority 1 bugs for GCC – 8 of reported bugs were re-reported by others CompilerBugs reported (fixed) GCC104 (86) LLVM228 (221) Others (Compcert, icc, armcc, tcc, cil, suncc, open64, etc) 50 Total382 32 Accounts for 1% total valid GCC bugs reported in the same period Accounts for 3.5% total valid LLVM bugs reported in the same period

33 Bug Dist. Across Compiler Stages GCCLLVM Front end111 Middle end7193 Back end2878 Unclassified446 Total104228 33

34 34 Coverage of GCCCoverage of LLVM/Clang

35 Common Compiler Bug Pattern Analysis Safety Check Transformation Y N if (condition1 && condition2 ) 35 missing safety condition Compiler Optimization

36 Optimization Bug void foo (void) { int x; for (x = 0; x < 5; x++) { if (x) continue; if (x) break; } printf ("%d", x); } void foo (void) { int x; for (x = 0; x < 5; x++) { if (x) continue; if (x) break; } printf ("%d", x); } Bug in LLVM in scalar evolution analysis computed x is 1 after the loop executed

37 UNDEFINED BEHAVIOR

38 Example int foo(int a) { return (a+1) > a; } int foo(int a) { return (a+1) > a; } foo: movl $1, %eax ret foo: movl $1, %eax ret

39 Undefined Behavior Executing an erroneous operation The program may : – fail to compile – execute incorrectly – crash – do exactly what the programmer intended

40 Undefined Behavior - challenges Programmers are not aware of all undefined behavior Code may be compiled for a different environment with a different compiler – Which undefined behavior are different?

41 PROJECT IDEAS

42 1.Add features that are not supported by Csmith – C++ constructs – Heap allocation – Recursive – String Operation – Use of common libraries 2.Generate programs that takes input – Use another fuzzer (constraint-based) to generate inputs to the generated program 3.Generate programs with undefined behavior – Automatically understand them – Use reduce testcase tools 4.Enhance Csmith by incorporating other fuzzing techniques (mutation, genetic) 5.Apply approach for different languages 6.….Your idea…

43 RESOURCES

44 Fuzzer survey https://fuzzinginfo.files.wordpress.com/2012/05/dsto-tn-1043-pr.pdf Csmith Website: https://embed.cs.utah.edu/csmith/ paper: http://www.cs.utah.edu/~regehr/papers/pldi11-preprint.pdf http://www.cs.utah.edu/~regehr/papers/pldi11-preprint.pdf Undefined behavior – http://blog.regehr.org/archives/213

Download ppt "Automatic program generation for detecting vulnerabilities and errors in compilers and interpretersAutomatic program generation for detecting vulnerabilities."

Similar presentations

Automatic Memory Management Noam Rinetzky Schreiber 123A 2015/seminar/seminar1415a.html.

Automatic Memory Management Noam Rinetzky Schreiber 123A /seminar/seminar1415a.html.
The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko.

The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko.
SPLINT STATIC CHECKING TOOL Sripriya Subramanian 10/29/2002.

SPLINT STATIC CHECKING TOOL Sripriya Subramanian 10/29/2002.
TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang 1, Tao Wei 1, Guofei Gu 2, Wei Zou 1 1 Peking.

TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang 1, Tao Wei 1, Guofei Gu 2, Wei Zou 1 1 Peking.
An Empirical Study of the Reliability in UNIX Utilities Barton Miller Lars Fredriksen Brysn So Presented by Liping Cai.

An Empirical Study of the Reliability in UNIX Utilities Barton Miller Lars Fredriksen Brysn So Presented by Liping Cai.
Kernighan/Ritchie: Kelley/Pohl:

Kernighan/Ritchie: Kelley/Pohl:
CS16 Week 2 Part 2 Kyle Dewey. Overview Type coercion and casting More on assignment Pre/post increment/decrement scanf Constants Math library Errors.

CS16 Week 2 Part 2 Kyle Dewey. Overview Type coercion and casting More on assignment Pre/post increment/decrement scanf Constants Math library Errors.
Debugging: Catching Bugs ( I ) Ying Wu Electrical & Computer Engineering Northwestern University ECE230 Lectures Series.

Debugging: Catching Bugs ( I ) Ying Wu Electrical & Computer Engineering Northwestern University ECE230 Lectures Series.
Fuzzing Dan Fleck CS 469: Security Engineering Sources:

Fuzzing Dan Fleck CS 469: Security Engineering Sources:
1 Homework Turn in HW2 at start of next class. Starting Chapter 2 K&R. Read ahead. HW3 is on line. –Due: class 9, but a lot to do! –You may want to get.

1 Homework Turn in HW2 at start of next class. Starting Chapter 2 K&R. Read ahead. HW3 is on line. –Due: class 9, but a lot to do! –You may want to get.
1 Pointers, Dynamic Data, and Reference Types Review on Pointers Reference Variables Dynamic Memory Allocation –The new operator –The delete operator –Dynamic.

1 Pointers, Dynamic Data, and Reference Types Review on Pointers Reference Variables Dynamic Memory Allocation –The new operator –The delete operator –Dynamic.
Lecture 1CS 380C 1 380C Last Time –Course organization –Read Backus et al. Announcements –Hadi lab Q&A Wed 1-2 in Painter 5.38N –UT Texas Learning Center:

Lecture 1CS 380C 1 380C Last Time –Course organization –Read Backus et al. Announcements –Hadi lab Q&A Wed 1-2 in Painter 5.38N –UT Texas Learning Center:
Guide To UNIX Using Linux Third Edition

Guide To UNIX Using Linux Third Edition
Unit Testing & Defensive Programming. F-22 Raptor Fighter.

Unit Testing & Defensive Programming. F-22 Raptor Fighter.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
CS 11 C track: lecture 5 Last week: pointers This week: Pointer arithmetic Arrays and pointers Dynamic memory allocation The stack and the heap.

CS 11 C track: lecture 5 Last week: pointers This week: Pointer arithmetic Arrays and pointers Dynamic memory allocation The stack and the heap.
1 Boot Camp Dave Eckhardt 1 This Is a Hard Class ● Traditional hazards – 410 letter grade one lower than other classes – All other.

1 Boot Camp Dave Eckhardt 1 This Is a Hard Class ● Traditional hazards – 410 letter grade one lower than other classes – All other.
Presentation of Failure- Oblivious Computing vs. Rx OS Seminar, winter 2005 by Lauge Wullf and Jacob Munk-Stander January 4 th, 2006.

Presentation of Failure- Oblivious Computing vs. Rx OS Seminar, winter 2005 by Lauge Wullf and Jacob Munk-Stander January 4 th, 2006.
Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer.

Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer.
CSCI 51 Introduction to Computer Science Dr. Joshua Stough January 20, 2009.

CSCI 51 Introduction to Computer Science Dr. Joshua Stough January 20, 2009.

Similar presentations

Ads by Google