Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S....
-
date post
18-Dec-2015 -
Category
Documents
-
view
220 -
download
5
Transcript of Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S....
![Page 1: Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley.](https://reader036.fdocuments.in/reader036/viewer/2022062515/56649d235503460f949f989b/html5/thumbnails/1.jpg)
Detecting Format String Vulnerabilities with Type Qualifier
Umesh Shankar, Kunal Talwar,
Jeffrey S. Foster, David Wanger
University of California at Berkeley
![Page 2: Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley.](https://reader036.fdocuments.in/reader036/viewer/2022062515/56649d235503460f949f989b/html5/thumbnails/2.jpg)
Format String Bugs
I/O functions in C use format strings
printf(“%s”, buf) print buf as string
But you can also do
printf(buf);
![Page 3: Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley.](https://reader036.fdocuments.in/reader036/viewer/2022062515/56649d235503460f949f989b/html5/thumbnails/3.jpg)
Format String Bugs
Attacker may set the content in the bufferbuf = <data-from-network>
printf(buf);
Set buf = “%s%s%s%s%s” to crash program Set buf = “…%n…” to write to memory
may yield exploits to gain root access
![Page 4: Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley.](https://reader036.fdocuments.in/reader036/viewer/2022062515/56649d235503460f949f989b/html5/thumbnails/4.jpg)
Format String Bugs
Application Found by Impact years
-------------------------------------------------------------------------------
wu-ftpd 2.* security.is remote root > 6
Linux rpc.statd security.is remote root > 4
IRIX telnetd LSD remote root > 8
Apache + PHP3 security.is remote user > 2
NLS / locale CORE SDI local root ?
screen Jouko Pynnonen local root > 5
BSD chpass TESO local root ?
OpenBSD fstat ktwo local root ?
![Page 5: Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley.](https://reader036.fdocuments.in/reader036/viewer/2022062515/56649d235503460f949f989b/html5/thumbnails/5.jpg)
Traditional Techniques
Testing – how to ensure coverage? Manual code review – bugs too subtle
while (fgets(buf, sizeof buf, f)){
lreply(200, buf);
}
void lreply(int n, char* fmt,…){
vsnprintf(buf, sizeof buf, ftm, ap);
}
Re-implement – not possible for legacy system
![Page 6: Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley.](https://reader036.fdocuments.in/reader036/viewer/2022062515/56649d235503460f949f989b/html5/thumbnails/6.jpg)
Using Type Qualifiers
Add qualifier annotations
int printf(untainted char *fmt, …);
tainted int getchar();
int main(int argc, tainted char *argv[]);
tainted = may be controlled by the attacker
untainted = must not be controlled by the attacker
![Page 7: Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley.](https://reader036.fdocuments.in/reader036/viewer/2022062515/56649d235503460f949f989b/html5/thumbnails/7.jpg)
The Basic Idea
void f(tainted int);
untainted int a;
tainted int b;
f(a); // OK
f(b); // OK
void g(untainted int)
untainted int a;
tainted int b;
g(a); // OK
g(b); // Error
![Page 8: Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley.](https://reader036.fdocuments.in/reader036/viewer/2022062515/56649d235503460f949f989b/html5/thumbnails/8.jpg)
Subtyping
void f(tainted int);
untainted int a;
f(a);
void g(untainted int)
tainted int b;
g(b);f accepts both tainted and untainted data.
g only accepts untainted data.
untainted < tainted
![Page 9: Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley.](https://reader036.fdocuments.in/reader036/viewer/2022062515/56649d235503460f949f989b/html5/thumbnails/9.jpg)
Type System
Type system will prove judgments of the form
Γ ├ e :
“In type environment Γ, expression e has type ”
![Page 10: Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley.](https://reader036.fdocuments.in/reader036/viewer/2022062515/56649d235503460f949f989b/html5/thumbnails/10.jpg)
Type Rules
├ e1: 1 2 ├ e2: 1
├ e1 e2: 2
“In type environment , if expression e1 has type from 1
to 2 and e2 has type 1, then application of e2 to e1 has
type 2”
![Page 11: Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley.](https://reader036.fdocuments.in/reader036/viewer/2022062515/56649d235503460f949f989b/html5/thumbnails/11.jpg)
Partial Order
A partial order is a relation that satisfies the following three properties:
1. reflexivity: a a
2. antisymmetry: If a b and b a then a = b
3. transitivity: If a b, b c, then a c
![Page 12: Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley.](https://reader036.fdocuments.in/reader036/viewer/2022062515/56649d235503460f949f989b/html5/thumbnails/12.jpg)
Lattice
A lattice is a partial order where any two
elements x and y have a least upper bound,
x y, and a greatest lower bound, x y.
a
b c
d
tainted
untainted
![Page 13: Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley.](https://reader036.fdocuments.in/reader036/viewer/2022062515/56649d235503460f949f989b/html5/thumbnails/13.jpg)
Qualifier Subtyping Rule
Q1 Q2
Q1 int Q2 int
untainted tainted
untainted int tainted int
int can replaced by any C primitive data type: char, double ….
How about pointer?
![Page 14: Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley.](https://reader036.fdocuments.in/reader036/viewer/2022062515/56649d235503460f949f989b/html5/thumbnails/14.jpg)
Pointer Qualifier Subtyping Rule
Q1 Q2 T1 T2
Q1 ptr(T1) Q2 ptr(T2) Wrong!
tainted char *t; // T2 = tainted char
untainted char *u; // T1 = untainted char
t = u; // allowed by the wrong rule
*t = <tainted data>; // t is alias of u
![Page 15: Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley.](https://reader036.fdocuments.in/reader036/viewer/2022062515/56649d235503460f949f989b/html5/thumbnails/15.jpg)
Pointer Aliasing
We have multiple names for the same memory location But they have different types And we can write into memory at different types
tainted untaintedt u
![Page 16: Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley.](https://reader036.fdocuments.in/reader036/viewer/2022062515/56649d235503460f949f989b/html5/thumbnails/16.jpg)
Pointer Qualifier Subtyping Rule
The right rule
Q1 Q2 T1 = T2
Q1 ptr(T1) Q2 ptr(T2)
![Page 17: Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley.](https://reader036.fdocuments.in/reader036/viewer/2022062515/56649d235503460f949f989b/html5/thumbnails/17.jpg)
Type Qualifier Inference
Recall the format string vulnerabilities We have legacy C program that had no information
about qualifiers We add qualifier annotation for the standard library
functions Then we check whether there were any contradiction
This requires type qualifier inference
![Page 18: Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley.](https://reader036.fdocuments.in/reader036/viewer/2022062515/56649d235503460f949f989b/html5/thumbnails/18.jpg)
Qualifier Inference
A small number of annotations at key places in the program
Generate a fresh qualifier variable at every position for a type
Analyze and generate sub-typing constraints Check if the constraints have a valid solution
![Page 19: Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley.](https://reader036.fdocuments.in/reader036/viewer/2022062515/56649d235503460f949f989b/html5/thumbnails/19.jpg)
Qualifier Inference Example
tainted char *getenv (const char *name)
int printf(untaintd const char *fmt, …)
char *s, *t
s = getenv(“LD_LIBRARY_PATH”);
t = s;
printf(t);
getenv_ret_p = tainted
printf_arg0_p = untainted
getenv_ret s
getenv_ret_p s_p
s t
s_p t_p
t printf_arg0
t printf_arg0_p
tainted = getenv_ret_p s_p t_p printf_arg0_p = untainted
tainted untainted Error!
![Page 20: Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley.](https://reader036.fdocuments.in/reader036/viewer/2022062515/56649d235503460f949f989b/html5/thumbnails/20.jpg)
Type Rules So Far
Primitive types
Q1 Q2
Q1 int Q2 int
Pointer Q1 Q2 T1 = T2
Q1 ptr(T1) Q2 ptr(T2)
![Page 21: Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley.](https://reader036.fdocuments.in/reader036/viewer/2022062515/56649d235503460f949f989b/html5/thumbnails/21.jpg)
Qualifier Inference Extension 1
Leaf Polymorphismchar id (char x) { return x }
…
tainted char t;
untainted char u;
char a, b;
a = id (t);
b = id (u);
x is tainted, id_ret is tainted
b is tainted
However id() is just a identity function. It preserves the qualifiers.
![Page 22: Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley.](https://reader036.fdocuments.in/reader036/viewer/2022062515/56649d235503460f949f989b/html5/thumbnails/22.jpg)
Polymorphism
Add in a qualifier variable to id() function
char id ( char x)
Instantiate the to the correct qualifier for each function call
a = id (t) tainted char id (tainted char x)
b = id (u) untainted char id (untainted char x)
![Page 23: Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley.](https://reader036.fdocuments.in/reader036/viewer/2022062515/56649d235503460f949f989b/html5/thumbnails/23.jpg)
Polymorphism - Subtyping
Use naming trick to specify subtyping relation for polymorphism
$_1_2 char* strcat($_1_2 char*, $_1 const char*)
{1} {1, 2} $_1 $_1_2
![Page 24: Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley.](https://reader036.fdocuments.in/reader036/viewer/2022062515/56649d235503460f949f989b/html5/thumbnails/24.jpg)
Qualifier Inference Extension 2
Explicit Type Casts Type cast should preserve the qualifier
void *y;
char *x = (char*) y; // if y is tainted, x should be tainted
Preserve by collapsing qualifierschar **s, **t;
void *v = (void *) s; s_p = s_p_p = v_p
t = (char **)v; v_p = t_p = t_p_p
If either *s or **s is tainted, then *v is tainted and *t and **t is tainted
![Page 25: Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley.](https://reader036.fdocuments.in/reader036/viewer/2022062515/56649d235503460f949f989b/html5/thumbnails/25.jpg)
Cast Type Qualifier
Allow qualifier castvoid *y;
char *x = (untainted char*) y;
![Page 26: Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley.](https://reader036.fdocuments.in/reader036/viewer/2022062515/56649d235503460f949f989b/html5/thumbnails/26.jpg)
Qualifier Inference Extension 3
Variable Argument Functions Annotate the varargs specifier …
int printf(untainted char*, untainted …);
Use naming trick to specify the subtyping relation
int sprintf($_1_2 char*, untainted char *, $_2 …);
![Page 27: Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley.](https://reader036.fdocuments.in/reader036/viewer/2022062515/56649d235503460f949f989b/html5/thumbnails/27.jpg)
Qualifier Inference Extension 4
Constf(const char *x);
char *unclean, *clean;
unclean = getenv(“PATH”); // returns tainted
f(unclean);
f(clean);
unclean is tainted
clean is tainted
Pointer Rule
Q1 Q2 T1 = T2
Q1 ptr(T1) Q2 ptr(T2)
![Page 28: Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley.](https://reader036.fdocuments.in/reader036/viewer/2022062515/56649d235503460f949f989b/html5/thumbnails/28.jpg)
Pointer Rule for Const
Const make sure the input data is not modified
If the pointer has a const qualifier, the pointer rule becomes
Q1 Q2 T1 < T2
Q1 ptr(T1) Q2 ptr(T2)
![Page 29: Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley.](https://reader036.fdocuments.in/reader036/viewer/2022062515/56649d235503460f949f989b/html5/thumbnails/29.jpg)
Evaluation
![Page 30: Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley.](https://reader036.fdocuments.in/reader036/viewer/2022062515/56649d235503460f949f989b/html5/thumbnails/30.jpg)
Conclusion
Qualifier is a generic static analysis technique User-Space/Kernel-Space Trust Errors Deadlock Detection
Has low false positive and negative rates
![Page 31: Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley.](https://reader036.fdocuments.in/reader036/viewer/2022062515/56649d235503460f949f989b/html5/thumbnails/31.jpg)
Demo of Cqual