Rule-based static analysis of network protocol implementations Octavian Udrea, Cristian Lumezanu, and Jeffrey S. Foster Usenix Security Symposium 2006.


1 Rule-based static analysis of network protocol implementations
Octavian Udrea, Cristian Lumezanu, and Jeffrey S. Foster, Usenix Security Symposium 2006
Speaker: Chang Huan Wu, 2008/10/29

2 Outline
– Introduction
– Rule-Based Protocol Specification
– Analysis of Protocol Source Code
– Experiment Results
– Conclusions

3 Introduction - Motivation
Network protocols must be reliable and secure
– Most work focuses on abstract protocols
– The implementation can introduce vulnerabilities of its own
Goal: check that implementations match their specifications

4 Introduction - Architecture

5 Rule-Based Protocol Specification
A simple protocol (the C fragment from the slide; sock is never initialised on the slide, and the fragment is kept as shown):

    #include <sys/socket.h>

    int main(void) {
      int sock, val = 1, recval;
      send(sock, &val, sizeof(int));            /* start by sending n = 1 */
      while (1) {
        recv(sock, &recval, sizeof(int));
        if (recval == val)
          val += 2;                             /* adds 2 where the spec says n + 1 */
        send(sock, &val, sizeof(int));          /* send n + 1, or resend n */
      }
    }

Specification:
1. Start by sending n = 1
2. If n is received, send n + 1
3. Otherwise resend n

6 Rule-Based Protocol Specification
Rules are developed from a specification document such as an RFC or IETF standard.
Example: rule (2) means "if we recv in, and in equals n, then we have to send out, whose value is in's value plus 1, and we change the current state by setting n := out".
In the notation used on the following slides: recv(_, in, _), in[0..3] = n => send(_, out, _), out[0..3] = in[0..3] + 1; action: n := out[0..3]
n is a ghost variable representing the protocol state; it does not exist in the program.

7 Analysis of Protocol Source Code
Construct a control-flow graph (CFG) from the program source code.
Each statement forms a node, and there is an edge from s1 to s2 if statement s1 can execute immediately before statement s2 (so a loop contributes a back edge).

8 Analysis – Rule 1 (1/3)
Rule 1: Ø (empty hypothesis) => send(_, out, _), out[0..3] = 1; action: n := 1
Fact: {} (matches the empty hypothesis, so the rule is active from the program entry)

9 Analysis – Rule 1 (2/3)
Fact: {val = 1} (after int val = 1)

10 Analysis – Rule 1 (3/3)
Fact: {val = 1, out = &val} (the first send(sock, &val, ...) matches send(_, out, _))
Show: Fact → (out[0..3] = 1), which holds since out = &val and val = 1
Action: n := 1

11 Analysis – Rule 3 (1/3)
Rule 3: recv(_, in, _), in[0..3] ≠ n => send(_, out, _), out[0..3] = n
Fact: {val = 1, n = 1, in = &recval, in[0..3] ≠ n} (the recv matches the hypothesis; in[0..3] ≠ n is assumed)

12 Analysis – Rule 3 (2/3)
Fact: {val = 1, n = 1, in = &recval, in[0..3] ≠ n, recval ≠ val} (recval ≠ n = 1 = val, so the if branch is not taken)

13 Analysis – Rule 3 (3/3)
Fact: {val = 1, n = 1, in = &recval, in[0..3] ≠ n, recval ≠ val, out = &val} (at the send after the if)
Show: Fact → (out[0..3] = n), which holds since out = &val and val = 1 = n

14 Analysis – Rule 2 (1/4)
Rule 2: recv(_, in, _), in[0..3] = n => send(_, out, _), out[0..3] = in[0..3] + 1; action: n := out[0..3]
Fact: {val = 1, n = 1, in = &recval, in[0..3] = n} (the recv matches the hypothesis; in[0..3] = n is assumed)

15 Analysis – Rule 2 (2/4)
Fact: {val = 1, n = 1, in = &recval, in[0..3] = n, recval = val} (recval = n = 1 = val, so the if branch is taken)

16 Analysis – Rule 2 (3/4)
Fact: {val = 3, n = 1, in = &recval, in[0..3] = n, recval = val} (after val += 2)

17 Analysis – Rule 2 (4/4)
Fact: {val = 3, n = 1, in = &recval, in[0..3] = n, recval = val, out = &val} (at the send after the if)
Show: Fact → (out[0..3] = in[0..3] + 1)
Fail!!! out[0..3] = val = 3, but in[0..3] + 1 = 2: the implementation adds 2 where the specification requires n + 1, so the rule is violated.
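To make the walkthrough on slides 8 to 17 concrete, here is a small rule checker (an added example, not code from the paper or from Pistachio). It hand-encodes the CFG of the slide-5 program instead of building it from C source, tracks facts as concrete values once Rule 1 sets n := 1, just as the slides do, forks at each recv on the hypothesis of Rule 2 (in = n) and of Rule 3 (in ≠ n), and discharges the matching conclusion at the next send. The node numbers, rule names, fact representation and the step parameter are this example's own assumptions; step = 2 reproduces the slide's val += 2 and step = 1 is the corrected program.

```python
"""Rule checking over a CFG, in the style of the walkthrough on slides 8-17.

Added example, not code from the paper or from Pistachio. The CFG of the
slide-5 program is hand-encoded (a real tool builds it from C source), and
facts are tracked as concrete values once rule 1 sets n := 1, as the slides
do; a real analysis keeps the facts symbolic.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Set, Tuple

Value = Optional[int]   # None means "unknown": no fact about the value


def slide5_program(step: int) -> List[tuple]:
    """CFG of the slide-5 program. step = 2 reproduces the slide (val += 2);
    step = 1 is the corrected program that sends n + 1 as rule 2 requires.
    Edges are implicit (node i -> i + 1) except for 'branch' and 'goto'."""
    return [
        ("assign", "val", ("const", 1)),              # 0: int val = 1
        ("send", "val"),                              # 1: send(sock, &val, 4)
        ("recv", "recval"),                           # 2: recv(sock, &recval, 4)
        ("branch", ("eq", "recval", "val"), 4, 5),    # 3: if (recval == val)
        ("assign", "val", ("add", "val", step)),      # 4: val += step
        ("send", "val"),                              # 5: send(sock, &val, 4)
        ("goto", 2),                                  # 6: back to the loop head
    ]


@dataclass
class State:
    node: int
    env: Dict[str, Value]          # facts of the form var = constant
    neq: Set[Tuple[str, int]]      # facts of the form var != constant
    n: Value                       # ghost variable: current protocol state
    pending: Optional[str]         # rule whose hypothesis was assumed at the last recv
    in_val: Value                  # in[0..3] under that hypothesis
    sends: int = 0                 # sends seen on this path (bounds the loop)

    def fork(self, **changes) -> "State":
        return replace(self, env=dict(self.env), neq=set(self.neq), **changes)


def eval_expr(expr: tuple, env: Dict[str, Value]) -> Value:
    if expr[0] == "const":
        return expr[1]
    if expr[0] == "add":                       # ("add", var, constant)
        v = env.get(expr[1])
        return None if v is None else v + expr[2]
    raise ValueError(expr)


def eval_cond(cond: tuple, st: State) -> Optional[bool]:
    """Decide ("eq", a, b) from the facts; None if the facts do not decide it."""
    _, a, b = cond
    va, vb = st.env.get(a), st.env.get(b)
    if va is not None and vb is not None:
        return va == vb
    if va is None and vb is not None and (a, vb) in st.neq:
        return False
    if vb is None and va is not None and (b, va) in st.neq:
        return False
    return None


def discharge(rule: str, out: Value, st: State) -> Tuple[bool, str, Value]:
    """Check the rule's conclusion at a send; return (ok, message, new n)."""
    if rule == "rule1":                        # out[0..3] = 1, then n := 1
        return out == 1, f"out = {out}, rule 1 requires 1", 1
    if rule == "rule2":                        # out[0..3] = in[0..3] + 1, then n := out
        want = None if st.in_val is None else st.in_val + 1
        return (out is not None and out == want,
                f"out = {out}, rule 2 requires in + 1 = {want}", out)
    if rule == "rule3":                        # out[0..3] = n (resend n)
        return (out is not None and out == st.n,
                f"out = {out}, rule 3 requires n = {st.n}", st.n)
    raise ValueError(rule)


def analyze(cfg: List[tuple], max_sends: int = 2) -> List[Tuple[str, int, str]]:
    """Walk every path of the CFG, forking at recv on each rule's hypothesis,
    and return (rule, node, message) for every conclusion that cannot be shown."""
    violations: List[Tuple[str, int, str]] = []
    work = [State(node=0, env={}, neq=set(), n=None, pending=None, in_val=None)]
    while work:
        st = work.pop()
        if st.node >= len(cfg) or st.sends >= max_sends:
            continue
        kind, *args = cfg[st.node]
        if kind == "assign":
            var, expr = args
            nxt = st.fork(node=st.node + 1)
            nxt.env[var] = eval_expr(expr, st.env)
            work.append(nxt)
        elif kind == "recv":
            (buf,) = args
            # Rule 2 assumes in[0..3] = n, rule 3 assumes in[0..3] != n: explore both.
            eq = st.fork(node=st.node + 1, pending="rule2", in_val=st.n)
            eq.env[buf] = st.n
            ne = st.fork(node=st.node + 1, pending="rule3", in_val=None)
            ne.env[buf] = None
            if st.n is not None:
                ne.neq.add((buf, st.n))
            work += [eq, ne]
        elif kind == "send":
            (buf,) = args
            out = st.env.get(buf)
            # Before the protocol has started (n unknown) the empty hypothesis of rule 1 matches.
            rule = st.pending if st.pending else ("rule1" if st.n is None else None)
            new_n = st.n
            if rule:
                ok, msg, new_n = discharge(rule, out, st)
                if not ok:
                    violations.append((rule, st.node, msg))
            work.append(st.fork(node=st.node + 1, n=new_n, pending=None,
                                in_val=None, sends=st.sends + 1))
        elif kind == "branch":
            cond, taken, not_taken = args
            r = eval_cond(cond, st)
            if r is not False:
                work.append(st.fork(node=taken))
            if r is not True:
                work.append(st.fork(node=not_taken))
        elif kind == "goto":
            work.append(st.fork(node=args[0]))
    return violations


if __name__ == "__main__":
    for step in (2, 1):
        print(f"val += {step}:", analyze(slide5_program(step)) or "no rule violations")
```

Run stand-alone, the checker reports the Rule 2 violation at node 5 for the slide's program (out = 3 where in + 1 = 2 is required) and nothing for the corrected one; Rules 1 and 3 are discharged on their paths exactly as on slides 10 and 13. Bounding each path to max_sends sends is what keeps the loop finite; a real analysis needs a loop invariant or a widening step instead of a path budget.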

18 Experiment Results (1/3)
Evaluated Pistachio by analyzing the LSH implementation of SSH2 and the RCP implementation from the Cygwin package.
These systems were chosen because of their extensive bug databases and the number of different versions available.

19 Experiment Results (2/3)
– 96 rules for SSH2
– 58 rules for RCP

20 Experiment Results (3/3)
Also added rules that the specification strongly recommends but does not require: 9 new rules for LSH, 7 new rules for RCP.

21 Sample compatibility bug
Spec: reply to every version
Found in LSH version 0.2.9

22 Sample functionality bug
Spec: the "none" method can't be used
Found in LSH version 0.1.3

23 Sample buffer overflow
strcpy() is not safe: it copies up to the NUL terminator with no bound on the destination buffer
Found in LSH version 0.9.1

24 Conclusion
– Defined a rule-based method for specifying network protocols that closely mimics the protocol descriptions in RFCs or similar documents
– Showed how static analysis techniques can be used to check protocol implementations against the rule-based specification

25 Comments
– Network protocols must be reliable and secure, so this line of work matters
– The approach can only detect violations of the rules that were written; behaviour the rules do not cover is not checked
– The false-positive rate is fairly high

