Program Analysis for Security (cs.columbia.edusuman/6183_slides/program-tools.pdf)
[Slide 1]
Program Analysis for Security
Original slides created by Prof. John Mitchell
[Slide 2]
http://www.popphoto.com/news/2015/02/man-finds-easy-hack-to-delete-any-facebook-photo-album
[PopPhoto.com Feb 10]
Facebook missed a single security check…
[Slide 3]
App stores
[Slide 4]
How can you tell whether software you
– Develop
– Buy
is safe to install and run?
[Slide 5]
Two options
• Static analysis
– Inspect code or run automated method to find errors or gain confidence about their absence
• Dynamic analysis
– Run code, possibly under instrumented conditions, to see if there are likely problems
[Slide 6]
Program Analyzers
Figure: Code and a Spec go into the Program Analyzer, which produces a Report:
  #        Type            Line
  1        mem leak        324
  2        buffer oflow    4,353,245
  3        sql injection   23,212
  4        stack oflow     86,923
  5        dang ptr        8,491
  …        …               …
  10,502   info leak       10,921
[Slide 7]
Figure: Software, drawn as a small program graph over the nodes Entry, 1, 2, 3, 4, Exit, and its Behaviors, the set of paths it can execute: 1 2 4, 1 3 4, 1 2 4 1 2 4, 1 2 3 1 2 4 1 3 4, 1 2 4 1 2 3 1 3 4, 1 2 3 1 2 3 1 3 4, 1 2 4 1 2 4 1 3 4, ..., 1 2 4 1 3 4
Manual testing only examines a small subset of behaviors
[Slide 8]
Static vs Dynamic Analysis
• Static
– Can consider all possible inputs
– Find bugs and vulnerabilities
– Can prove absence of bugs, in some cases
• Dynamic
– Need to choose sample test input
– Can find bugs and vulnerabilities
– Cannot prove their absence
[Slide 9]
Cost of Fixing a Defect
Figure: chart of the cost of fixing a defect by phase: Development, QA, Release, Maintenance
Credit: Andy Chou, Coverity
[Slide 10]
Cost of security or data privacy vulnerability?
[Slide 11]
Dynamic analysis
• Instrument code for testing
– Heap memory: Purify
– Perl tainting (information flow)
– Java race condition checking
• Black-box testing
– Fuzzing and penetration testing
– Black-box web application security analysis
[Slide 12]
Static Analysis
• Long research history
• Decade of commercial products
– FindBugs, Fortify, Coverity, MS tools, …
[Slide 13]
Static Analysis: Outline
• General discussion of static analysis tools
– Goals and limitations
– Approach based on abstract states
• More about one specific approach
– Property checkers from Engler et al., Coverity
– Sample security checker results
• Static analysis for Android apps
Slides from: S. Bugrahe, A. Chou, I. & T. Dillig, D. Engler, J. Franklin, A. Aiken, …
[Slide 14]
Static analysis goals
• Bug finding
– Identify code that the programmer wishes to modify or improve
• Correctness
– Verify the absence of certain classes of errors
[Slide 15]
Soundness, Completeness
  Property       Definition
  Soundness      "Sound for reporting correctness": Analysis says no bugs → No bugs, or equivalently: There is a bug → Analysis finds a bug
  Completeness   "Complete for reporting correctness": No bugs → Analysis says no bugs
Recall: A → B is equivalent to (¬B) → (¬A)
[Slide 16]
              Complete                        Incomplete
  Sound       Reports all errors              Reports all errors
              Reports no false alarms         May report false alarms
              Undecidable                     Decidable
  Unsound     May not report all errors       May not report all errors
              Reports no false alarms         May report false alarms
              Decidable                       Decidable
[Slide 17]
Sound Program Analyzer
Figure: the same Code → Program Analyzer (+ Spec) → Report picture as slide 6; two of the entries in the report are marked "false alarm".
Sound: may report many warnings
May emit false alarms
Analyze large code bases
[Slide 18]
Figure: the set of Software Behaviors (dots) sits inside a larger Sound Over-approximation of Behaviors; a Reported Error that lies in the over-approximation but outside the real behaviors is a False Alarm. (Figure label: Modules)
Approximation is too coarse … yields too many false alarms
[Slide 19]
Outline
• General discussion of tools
– Goals and limitations
– Approach based on abstract states
• More about one specific approach
– Property checkers from Engler et al., Coverity
– Sample security-related results
• Static analysis for Android malware
– …
Slides from: S. Bugrahe, A. Chou, I. & T. Dillig, D. Engler, J. Franklin, A. Aiken, …
[Slide 20]
Does this program ever crash?
Flowchart (node and edge labels as on the slide; the edge targets are reconstructed from the analyses on slides 21-28):
  entry → X ← 0 → Is Y = 0? (yes: X ← X + 1; no: X ← X − 1) → Is Y = 0? (no: exit; yes: Is X < 0?) → Is X < 0? (yes: crash; no: back to the first Is Y = 0?)
[Slide 21]
Does this program ever crash?
Figure: the flowchart of slide 20 with the path into crash highlighted.
infeasible path! … program will never crash
[Slide 22]
Try analyzing without approximating…
Figure: the flowchart of slide 20 annotated with the concrete values of X seen at each node: X = 0 after entry, then X = 1 at the nodes of the first loop iteration, X = 2 on the second, X = 3 on the third, and so on.
non-termination! … therefore, need to approximate
[Slide 23]
Figure: a single node X ← X + 1 with transfer function f, the dataflow element d_in flowing into it and d_out flowing out of it.
  d_out = f(d_in)
Example: d_in is X = 0, d_out is X = 1.
Terms: dataflow elements; transfer function; dataflow equation
[Slide 24]
Figure: two nodes in sequence, X ← X + 1 (transfer function f1) followed by Is Y = 0? (transfer function f2).
  d_out1 = f1(d_in1)
  d_in2 = d_out1
  d_out2 = f2(d_in2)
Example: d_in1 is X = 0, d_out1 = d_in2 is X = 1, and d_out2 is X = 1 on both outgoing edges.
[Slide 25]
Figure: a merge. The outputs of f1 and f2 are joined and the result flows into f3.
  d_out1 = f1(d_in1)
  d_out2 = f2(d_in2)
  d_join = d_out1 ⊔ d_out2
  d_in3 = d_join
  d_out3 = f3(d_in3)
⊔ is the least upper bound operator. Example: union of possible values.
What is the space of dataflow elements, Δ? What is the least upper bound operator, ⊔?
[Slide 26]
Try analyzing with "signs" approximation…
Figure: the flowchart of slide 20 annotated with signs: X = 0 after entry; X = pos on the X ← X + 1 branch and X = neg on the X ← X − 1 branch; X = ⊤ after the merge (lost precision), so X = ⊤ at the second Is Y = 0? and at Is X < 0?, and the crash edge looks reachable.
terminates... … but reports false alarm … therefore, need more precision
[Slide 27]
Figure: three lattices.
  signs lattice: X = ⊤ at the top; X = pos, X = 0, X = neg in the middle; X = ⊥ at the bottom
  Boolean formula lattice: true at the top; X ≠ neg, X ≠ pos, Y = 0, Y ≠ 0 below it; false at the bottom
  refined signs lattice: X = ⊤; X = pos, X = 0, X = neg; X = ⊥
[Slide 28]
Try analyzing with "path-sensitive signs" approximation…
Figure: the flowchart of slide 20 annotated with (sign of X, fact about Y) pairs: X = 0, true after entry; X = 0, Y = 0 and X = 0, Y ≠ 0 on the two branches; X = pos, Y = 0 after X ← X + 1 and X = neg, Y ≠ 0 after X ← X − 1; the merge keeps X = pos, Y = 0 and X = neg, Y ≠ 0 as separate facts (refinement, no precision loss), so only X = pos, Y = 0 reaches Is X < 0? and the crash edge is infeasible.
terminates... … no false alarm … soundly proved never crashes
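The three analyses of slides 22, 26 and 28 carried out on the same flowchart, as an added example (not from the slides): a generic worklist solver for the dataflow equations of slides 23-25, instantiated with a concrete domain, a signs domain with a single joined state per node, and a path-sensitive signs domain that keeps (sign, Y-fact) pairs apart. The edge targets of the flowchart are an assumption reconstructed from the slide annotations.

```python
"""Dataflow analysis of the slide-20 flowchart at three precisions: concrete
values (never reaches a fixpoint), signs (terminates, false alarm) and
path-sensitive signs (terminates, proves the crash node unreachable)."""

# CFG: node -> [(successor, branch condition)]. Conditions: "y0" = Y = 0,
# "yN" = Y != 0, "xneg" = X < 0, "xge0" = X >= 0; None = unconditional.
# Assumption: edge targets are reconstructed from the annotations on slides 20-28.
EDGES = {
    "entry": [("c1", None)],                      # X <- 0
    "c1":    [("inc", "y0"), ("dec", "yN")],      # Is Y = 0?
    "inc":   [("c2", None)],                      # X <- X + 1
    "dec":   [("c2", None)],                      # X <- X - 1
    "c2":    [("c3", "y0"), ("exit", "yN")],      # Is Y = 0?
    "c3":    [("crash", "xneg"), ("c1", "xge0")], # Is X < 0?
    "exit":  [], "crash": [],
}
OP = {"entry": "set0", "inc": "add1", "dec": "sub1"}  # nodes with a transfer function

# A dataflow element is a set of states (x, y): x is an int (concrete domain)
# or a sign in {"neg", "0", "pos", "T"}; y is a fact in {"?", "y0", "yN"}.
def t_concrete(s, op):
    x, y = s
    if op == "set0": return (0, y)
    if op == "add1": return (x + 1, y)
    if op == "sub1": return (x - 1, y)
    return s

SIGN_ADD1 = {"0": "pos", "pos": "pos"}   # neg + 1 is 0 or neg: only T fits
SIGN_SUB1 = {"0": "neg", "neg": "neg"}
def t_signs(s, op):
    x, y = s
    if op == "set0": return ("0", y)
    if op == "add1": return (SIGN_ADD1.get(x, "T"), y)
    if op == "sub1": return (SIGN_SUB1.get(x, "T"), y)
    return s

def may_be_neg(x): return x in ("neg", "T") or (isinstance(x, int) and x < 0)
def may_be_ge0(x): return x in ("0", "pos", "T") or (isinstance(x, int) and x >= 0)

def guard(s, cond, track_y):
    """Filter a state across a branch edge; None means the edge is infeasible."""
    x, y = s
    if cond in ("y0", "yN"):
        if y not in ("?", cond): return None          # contradicts the known Y fact
        return (x, cond if track_y else "?")
    if cond == "xneg": return s if may_be_neg(x) else None
    if cond == "xge0": return s if may_be_ge0(x) else None
    return s

def join_keep(states):                 # disjunctive join: keep every state
    return frozenset(states)
def join_signs(states):                # one sign for X, Y forgotten
    xs = {x for x, _ in states}
    if not xs: return frozenset()
    return frozenset([(xs.pop() if len(xs) == 1 else "T", "?")])

def worklist(transfer, guard_fn, join, max_steps=2000):
    """Solve d_out = f(d_in), d_in = lub of the predecessors' d_out (slides 23-25).
    Returns (facts per node, whether a fixpoint was reached)."""
    facts = {n: frozenset() for n in EDGES}
    facts["entry"] = frozenset([("T", "?")])
    work, steps = ["entry"], 0
    while work:
        steps += 1
        if steps > max_steps:
            return facts, False                       # still growing: non-termination
        n = work.pop(0)
        d_out = join({transfer(s, OP.get(n)) for s in facts[n]})
        for succ, cond in EDGES[n]:
            new = {g for g in (guard_fn(s, cond) for s in d_out) if g is not None}
            merged = join(facts[succ] | new)
            if merged != facts[succ]:
                facts[succ] = merged
                work.append(succ)
    return facts, True

DOMAINS = {
    "concrete":   (t_concrete, lambda s, c: guard(s, c, True),  join_keep),
    "signs":      (t_signs,    lambda s, c: guard(s, c, False), join_signs),
    "path_signs": (t_signs,    lambda s, c: guard(s, c, True),  join_keep),
}

def analyze(domain):
    """Returns (terminated, crash_reported) for the chosen approximation."""
    facts, terminated = worklist(*DOMAINS[domain])
    return terminated, bool(facts["crash"])
```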
[Slide 29]
Outline
• General discussion of tools
– Goals and limitations
– Approach based on abstract states
• More about one specific approach
– Property checkers from Engler et al., Coverity
– Sample security-related results
• Static analysis for Android malware
– …
Slides from: S. Bugrahe, A. Chou, I. & T. Dillig, D. Engler, J. Franklin, A. Aiken, …
[Slide 30]
Unsound Program Analyzer
Figure: the same Code → Program Analyzer (+ Spec) → Report picture as slide 6; two of the entries in the report are marked "false alarm".
Not sound: may miss some bugs
May emit false alarms
Analyze large code bases
[Slide 31] (image only, no text)
[Slide 32]
Demo
• Coverity video: http://youtu.be/_Vt4niZfNeA
• Observations
– Code analysis integrated into development workflow
– Program context important: analysis involves sequence of function calls, surrounding statements
– This is a sales video: no discussion of false alarms
[Slide 33]
Bugs to Detect
Some examples
• Crash Causing Defects
• Null pointer dereference
• Use after free
• Double free
• Array indexing errors
• Mismatched array new/delete
• Potential stack overrun
• Potential heap overrun
• Return pointers to local variables
• Logically inconsistent code
• Uninitialized variables
• Invalid use of negative values
• Passing large parameters by value
• Underallocations of dynamic data
• Memory leaks
• File handle leaks
• Network resource leaks
• Unused values
• Unhandled return codes
• Use of invalid iterators
Slide credit: Andy Chou
[Slide 34]
Example: Check for missing optional args
• Prototype for open() syscall:
  int open(const char *path, int oflag, /* mode_t mode */...);
• Typical mistake:
  fd = open("file", O_CREAT);
• Result: file has random permissions
• Check: Look for oflags == O_CREAT without mode argument
[Slide 35]
Example: Chroot protocol checker
• Goal: confine process to a "jail" on the filesystem
− chroot() changes filesystem root for a process
• Problem
− chroot() itself does not change current working directory
State diagram: chroot() → chdir("/"); an open("../file", …) in between is the error state. Error if open before chdir.
[Slide 36]
TOCTOU
• Race condition between time of check and use
• Not applicable to all programs
Diagram: check("foo") → use("foo")
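The three checks of slides 34, 35 and 36 written as small sequence checkers over a constructed call trace, as an added example (not Coverity's code). The trace is a flat list of (function name, argument tuple) records, a deliberate simplification of the statement sequences a real checker walks through the CFG; the sets of "path", "check" and "use" functions are assumptions.

```python
"""Protocol and argument checkers in the style of slides 34-36, run over a
constructed call trace (added example, not from the slides)."""

O_CREAT = 0o100        # Linux value of the flag; only used as a bit mask here
PATH_OPS = {"open", "fopen", "stat", "access", "unlink", "rename"}   # assumption
CHECKS = {"access", "stat"}                                          # assumption
USES = {"open", "fopen", "unlink", "rename"}                         # assumption

def check_open_mode(trace):
    """Slide 34: open(path, oflag, ...) with O_CREAT must pass the mode argument."""
    findings = []
    for i, (name, args) in enumerate(trace):
        if name == "open" and len(args) == 2 and args[1] & O_CREAT:
            findings.append((i, "open() with O_CREAT but no mode: file gets random permissions"))
    return findings

def check_chroot_protocol(trace):
    """Slide 35: after chroot(), the process must chdir("/") before touching paths."""
    state, findings = "start", []             # start -> chrooted -> confined
    for i, (name, args) in enumerate(trace):
        if name == "chroot":
            state = "chrooted"
        elif name == "chdir" and args[:1] == ("/",):
            state = "confined" if state == "chrooted" else state
        elif name in PATH_OPS and state == "chrooted":
            findings.append((i, f"{name}() between chroot() and chdir('/'): cwd is still outside the jail"))
    return findings

def check_toctou(trace):
    """Slide 36: a check on a path followed by a use of the same path is a race."""
    findings, last_check = [], {}
    for i, (name, args) in enumerate(trace):
        if not args:
            continue
        path = args[0]
        if name in CHECKS:
            last_check[path] = i
        elif name in USES and path in last_check:
            checker = trace[last_check[path]][0]
            findings.append((i, f"{name}('{path}') after {checker}() at {last_check[path]}: time-of-check/time-of-use race"))
            del last_check[path]
    return findings

TRACE = [                                   # constructed sample, not from the slides
    ("chroot", ("/srv/jail",)),
    ("open", ("../file", 0)),               # 1: slide 35, open before chdir
    ("chdir", ("/",)),
    ("open", ("log.txt", O_CREAT)),         # 3: slide 34, missing mode
    ("access", ("foo", 0)),                 # 4: slide 36, check ...
    ("open", ("foo", 0)),                   # 5: ... then use of the same path
    ("open", ("data.txt", O_CREAT, 0o600)), # 6: correct
]

def run_all(trace=TRACE):
    """Every finding from the three checkers, ordered by trace position."""
    return sorted(check_open_mode(trace) + check_chroot_protocol(trace) + check_toctou(trace))
```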
[Slide 37]
Tainting checkers
[Slide 38]
Example code with function def, calls
```c
#include <stdlib.h>
#include <stdio.h>

void say_hello(char * name, int size) {
    printf("Enter your name: ");
    fgets(name, size, stdin);
    printf("Hello %s.\n", name);
}

int main(int argc, char *argv[]) {
    if (argc != 2) {
        printf("Error, must provide an input buffer size.\n");
        exit(-1);
    }
    int size = atoi(argv[1]);
    char * name = (char*)malloc(size);
    if (name) {
        say_hello(name, size);
        free(name);
    } else {
        printf("Failed to allocate %d bytes.\n", size);
    }
}
```
[Slide 39]
Call graph
Figure: call graph of the slide-38 program; nodes: main, say_hello, atoi, exit, free, malloc, printf, fgets.
[Slide 40]
Reverse Topological Sort
Figure: the call graph of slide 39 with the functions numbered 1 through 8 in reverse topological order (library functions first, then say_hello, then main).
Idea: analyze function before you analyze caller
[Slide 41]
Apply Library Models
Figure: the numbered call graph of slide 40; the library functions (atoi, exit, free, malloc, printf, fgets) are covered by models.
Tool has built-in summaries of library function behavior
[Slide 42]
Bottom Up Analysis
Figure: the numbered call graph of slide 40; analysis reaches say_hello after its callees.
Analyze function using known properties of functions it calls
[Slide 43]
Bottom Up Analysis
Figure: the numbered call graph of slide 40; analysis moves up to main.
Analyze function using known properties of functions it calls
[Slide 44]
Bottom Up Analysis
Figure: the numbered call graph of slide 40 with every function analyzed.
Finish analysis by analyzing all functions in the program
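The bottom-up procedure of slides 39-44, combined with a tainting checker in the sense of slide 37, on the slide-38 program, as an added example (not the tool's code). Assumptions: the program is hand-translated into a tiny IR with one call per statement and the branches flattened into a sequence; the library models for fgets, atoi, malloc and printf are my own summaries in the same shape the analysis produces for user functions.

```python
"""Bottom-up, summary-based taint analysis of the slide-38 program
(added example): build the call graph, order it callees-first, apply library
models, then analyze each function with the summaries of what it calls."""

# IR: ("call", destination variable or None, callee, [argument variables]).
# Assumption: hand-translated from slide 38, branches flattened.
PROGRAM = {
    "say_hello": {"params": ["name", "size"], "body": [
        ("call", None, "printf", ["fmt_prompt"]),
        ("call", None, "fgets", ["name", "size", "stdin"]),
        ("call", None, "printf", ["fmt_hello", "name"]),
    ]},
    "main": {"params": ["argc", "argv"], "body": [
        ("call", None, "printf", ["fmt_error"]),
        ("call", None, "exit", ["minus_one"]),
        ("call", "size", "atoi", ["argv"]),
        ("call", "name", "malloc", ["size"]),
        ("call", None, "say_hello", ["name", "size"]),
        ("call", None, "free", ["name"]),
        ("call", None, "printf", ["fmt_failed", "size"]),
    ]},
}

# Library models (slide 41), assumed here:
#   taints_out: argument positions whose buffer receives external input
#   ret_from:   argument positions whose taint flows to the return value
#   sinks:      argument position -> message if a tainted value arrives there
LIBRARY = {
    "fgets":  {"taints_out": {0}},
    "atoi":   {"ret_from": {0}},
    "malloc": {"sinks": {0: "attacker-controlled allocation size"}},
    "printf": {"sinks": {0: "attacker-controlled format string"}},
    "exit": {}, "free": {},
}

def call_graph(program):
    """Slide 39: function -> set of callees; library functions become leaves."""
    g = {f: {c for (_, _, c, _) in fn["body"]} for f, fn in program.items()}
    for callees in list(g.values()):
        for c in callees:
            g.setdefault(c, set())
    return g

def reverse_topological(graph):
    """Slide 40: order functions so that every callee precedes its callers."""
    order, done, remaining = [], set(), dict(graph)
    while remaining:
        ready = sorted(f for f, callees in remaining.items() if callees <= done)
        if not ready:
            raise ValueError("call graph has a cycle (recursion not handled here)")
        order.extend(ready); done.update(ready)
        for f in ready:
            del remaining[f]
    return order

def analyze_function(fname, fn, summaries):
    """Slide 42: analyze one function using the summaries of what it calls.
    Labels on a variable say where its taint came from: ("param", i) for the
    caller's i-th argument, or a string naming a concrete source.
    Returns (summary for callers, warnings found inside this function)."""
    labels = {p: {("param", i)} for i, p in enumerate(fn["params"])}
    if fname == "main":
        labels["argv"] = {"argv"}                 # untrusted program input
    summary = {"taints_out": set(), "ret_from": set(), "sinks": {}}
    warnings = []
    for _, dst, callee, args in fn["body"]:
        model = summaries[callee]
        arg_labels = [labels.get(a, set()) for a in args]
        for pos, msg in model.get("sinks", {}).items():
            for lab in arg_labels[pos]:
                if isinstance(lab, tuple):        # depends on our caller: export
                    summary["sinks"][lab[1]] = msg
                else:
                    warnings.append(f"{fname}: {callee}() {msg} (from {lab})")
        for pos in model.get("taints_out", ()):
            labels.setdefault(args[pos], set()).add(f"{callee}() output")
            if args[pos] in fn["params"]:
                summary["taints_out"].add(fn["params"].index(args[pos]))
        if dst is not None:
            labels[dst] = set().union(*(arg_labels[p] for p in model.get("ret_from", ())))
            for lab in labels[dst]:
                if isinstance(lab, tuple):
                    summary["ret_from"].add(lab[1])
    return summary, warnings

def analyze_program(program):
    """Slides 43-44: bottom-up over the whole program; returns all warnings."""
    summaries, warnings = dict(LIBRARY), []
    for f in reverse_topological(call_graph(program)):
        if f in program:
            summaries[f], found = analyze_function(f, program[f], summaries)
            warnings.extend(found)
    return warnings
```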
[Slide 45]
Finding Local Bugs
```cpp
#define SIZE 8
void set_a_b(char * a, char * b) {
    char * buf[SIZE];
    if (a) {
        b = new char[5];
    } else {
        if (a && b) {
            buf[SIZE] = a;
            return;
        } else {
            delete [] b;
        }
        *b = 'x';
    }
    *a = *b;
}
```
[Slide 46]
Control Flow Graph
Represent logical structure of code in graph form
Figure: CFG of set_a_b. char * buf[8]; → if (a) → [a] b = new char [5]; → *a = *b; → END; [!a] if (a && b) → [a && b] buf[8] = a; → END; [!(a && b)] delete [] b; → *b = 'x'; → *a = *b; → END
[Slide 47]
Path Traversal
Figure: the CFG of slide 46.
Conceptually: Analyze each path through control graph separately
Actually: Perform some checking computation once per node; combine paths at merge nodes
[Slide 48]
Apply Checking
Figure: one path through the CFG of slide 46, taking the !a and !(a && b) branches: char * buf[8]; if (a); if (a && b); delete [] b; *b = 'x'; *a = *b; END
Checkers: Null pointers, Use after free, Array overrun
See how three checkers are run for this path
Checker
• Defined by a state diagram, with state transitions and error states
Run Checker
• Assign initial state to each program var
• State at program point depends on state at previous point, program actions
• Emit error if error state reached
[Slide 49]
Apply Checking (same path and checkers as slide 48)
Checker state after char * buf[8];: "buf is 8 bytes"
[Slide 50]
Apply Checking (same path and checkers as slide 48)
Checker state after the !a branch: "buf is 8 bytes", "a is null"
[Slide 51]
Apply Checking (same path and checkers as slide 48)
Checker state after the !(a && b) branch: "buf is 8 bytes", "a is null"
Already knew a was null
[Slide 52]
Apply Checking (same path and checkers as slide 48)
Checker state after delete [] b;: "buf is 8 bytes", "a is null", "b is deleted"
[Slide 53]
Apply Checking (same path and checkers as slide 48)
Checker state at *b = 'x';: "buf is 8 bytes", "a is null", "b is deleted", "b dereferenced!"
[Slide 54]
Apply Checking (same path and checkers as slide 48)
Checker state at *a = *b;: "buf is 8 bytes", "a is null", "b is deleted", "b dereferenced!"
No more errors reported for b
[Slide 55]
False Positives
• What is a bug? Something the user will fix.
• Many sources of false positives
− False paths
− Idioms
− Execution environment assumptions
− Killpaths
− Conditional compilation
− "third party code"
− Analysis imprecision
− …
[Slide 56]
A False Path
Figure: the CFG of slide 46 with the path char * buf[8]; → if (a) → [!a] if (a && b) → [a && b] buf[8] = a; → END highlighted.
[Slide 57]
False Path Pruning
Figure: the false path of slide 56 (char * buf[8]; if (a) [!a]; if (a && b) [a && b]; buf[8] = a; END), annotated by three analyses: Integer Range, Disequality, Branch.
[Slide 58]
False Path Pruning (same figure as slide 57)
At the !a branch: Integer Range says "a in [0,0]"; Branch says "a == 0 is true"
[Slide 59]
False Path Pruning (same figure as slide 57)
At the !a branch: "a in [0,0]", "a == 0 is true"
At the a && b branch: Disequality requires "a != 0"
[Slide 60]
False Path Pruning (same figure as slide 57)
At the !a branch: "a in [0,0]", "a == 0 is true"
At the a && b branch: "a != 0"
Impossible
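The path-sensitive checking of slides 46-54 and the false-path pruning of slides 57-60 on set_a_b from slide 45, as an added example (not Coverity's code). The CFG is hand-built from the slide-45 source, the three checkers are reduced to the state transitions the slides describe, and the integer-range/disequality facts are kept per variable; buf is treated as 8 elements, the slide's "8 bytes" annotation.

```python
"""Per-path checkers (null pointer, use after free, array overrun) with
false-path pruning over the CFG of set_a_b (added example)."""

# node -> (statements executed at the node, [(successor, branch condition)])
CFG = {
    "decl":    ([("decl_array", "buf", 8)], [("if_a", None)]),
    "if_a":    ([], [("new_b", "a"), ("if_ab", "!a")]),
    "new_b":   ([("new", "b")], [("copy", None)]),                 # b = new char[5]
    "if_ab":   ([], [("store8", "a && b"), ("del_b", "!(a && b)")]),
    "store8":  ([("index_store", "buf", 8)], [("END", None)]),    # buf[SIZE] = a; return
    "del_b":   ([("delete", "b")], [("store_b", None)]),
    "store_b": ([("deref", "b")], [("copy", None)]),              # *b = 'x'
    "copy":    ([("deref", "b"), ("deref", "a")], [("END", None)]),  # *a = *b
    "END":     ([], []),
}

def paths(cfg, node="decl", prefix=()):
    """Slide 47, 'conceptually': enumerate every path through the CFG."""
    stmts, succs = cfg[node]
    prefix = prefix + tuple(stmts)
    if not succs:
        yield prefix
    for succ, cond in succs:
        yield from paths(cfg, succ, prefix + ((("assume", cond),) if cond else ()))

def assume(facts, cond, prune):
    """Integer-range / disequality facts learned at a branch (slides 57-60).
    With prune=True a branch that contradicts a known fact makes the path
    infeasible and False is returned."""
    need = {"a": {"a": "nonzero"}, "!a": {"a": "zero"},
            "a && b": {"a": "nonzero", "b": "nonzero"}}.get(cond, {})
    if cond == "!(a && b)" and facts.get("a") == "nonzero":
        need = {"b": "zero"}          # a is known non-null, so b must be null
    for var, val in need.items():
        if prune and facts.get(var, val) != val:
            return False              # e.g. "a in [0,0]" but the branch needs a != 0
        facts[var] = val
    return True

def check_path(path, prune=True):
    """Run the three checkers of slide 48 along one path.
    Returns (errors, pruned)."""
    facts, sizes, freed, reported, errors = {}, {}, set(), set(), []
    for ev in path:
        kind, var = ev[0], ev[1]
        if kind == "assume":
            if not assume(facts, var, prune):
                return errors, True
        elif kind == "decl_array":
            sizes[var] = ev[2]                        # "buf is 8 elements"
        elif kind == "new":
            facts.pop(var, None); freed.discard(var)  # fresh allocation
        elif kind == "index_store":
            if ev[2] >= sizes[var]:
                errors.append(f"array overrun: {var}[{ev[2]}] but {var} has {sizes[var]} elements")
        elif kind == "delete":
            freed.add(var)                            # "b is deleted"
        elif kind == "deref":
            if var in reported:
                continue                              # slide 54: one report per variable
            if var in freed:
                errors.append(f"use after free: *{var}"); reported.add(var)
            elif facts.get(var) == "zero":
                errors.append(f"null dereference: *{var}"); reported.add(var)
    return errors, False

def analyze_set_a_b(prune=True):
    """Returns {branch conditions taken: (errors, pruned)} for every path."""
    results = {}
    for p in paths(CFG):
        conds = tuple(ev[1] for ev in p if ev[0] == "assume")
        results[conds] = check_path(p, prune)
    return results
```

With prune=False the (!a, a && b) path is still walked and yields the overrun report of slide 56, the false positive that pruning removes.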
[Slide 61]
Environment Assumptions
• Should the return value of malloc() be checked?
  int *p = malloc(sizeof(int)); *p = 42;
  OS Kernel: Crash machine.
  File server: Pause filesystem.
  Spreadsheet: Lose unsaved changes.
  Game: Annoy user.
  Library: ?
  Medical device: malloc?!
  Web application: 200ms downtime
  IP Phone: Annoy user.
[Slide 62]
Statistical Analysis
• Assume the code is usually right
Code base 1 (3/4 deref without a check):
  int *p = malloc(sizeof(int)); *p = 42;
  int *p = malloc(sizeof(int)); if(p) *p = 42;
  int *p = malloc(sizeof(int)); *p = 42;
  int *p = malloc(sizeof(int)); *p = 42;
Code base 2 (1/4 deref without a check):
  int *p = malloc(sizeof(int)); if(p) *p = 42;
  int *p = malloc(sizeof(int)); *p = 42;
  int *p = malloc(sizeof(int)); if(p) *p = 42;
  int *p = malloc(sizeof(int)); if(p) *p = 42;
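The statistical inference of slide 62 over the slide's two groups of snippets, as an added example (not the tool's code): the majority behaviour of a code base is taken as its belief about malloc(), and only sites that deviate from a majority belief are flagged, so the unchecked sites in code base 1 stay quiet while the single unchecked site in code base 2 is reported. The regex-based site classification is a simplification assumed here.

```python
"""Slide 62's statistical inference (added example): count how often a code
base checks the result of malloc() before dereferencing it, assume the
majority behaviour is right, and flag the sites that deviate."""
import re

# The slide's two groups of snippets, constructed as strings here.
CODEBASE_1 = [                              # 3/4 dereference without a check
    "int *p = malloc(sizeof(int)); *p = 42;",
    "int *p = malloc(sizeof(int)); if(p) *p = 42;",
    "int *p = malloc(sizeof(int)); *p = 42;",
    "int *p = malloc(sizeof(int)); *p = 42;",
]
CODEBASE_2 = [                              # 1/4 dereference without a check
    "int *p = malloc(sizeof(int)); if(p) *p = 42;",
    "int *p = malloc(sizeof(int)); *p = 42;",
    "int *p = malloc(sizeof(int)); if(p) *p = 42;",
    "int *p = malloc(sizeof(int)); if(p) *p = 42;",
]

MALLOC_SITE = re.compile(r"(\w+)\s*=\s*(?:\([^)]*\)\s*)?malloc\s*\(")

def classify_site(snippet):
    """Return (variable, checked) for the first malloc() site, or None.
    'checked' means a null test on the variable precedes its first dereference."""
    m = MALLOC_SITE.search(snippet)
    if not m:
        return None
    var, rest = m.group(1), snippet[m.end():]
    check = re.search(rf"if\s*\(\s*!?\s*{var}\s*\)|\b{var}\s*[!=]=\s*NULL\b", rest)
    deref = re.search(rf"\*\s*{var}\b|\b{var}\s*->", rest)
    checked = check is not None and (deref is None or check.start() < deref.start())
    return var, checked

def statistical_check(snippets, min_support=0.5):
    """Infer the belief 'malloc() results are checked' from the majority and
    report the sites that violate it. Returns (checked fraction, flagged indices)."""
    sites = [(i, classify_site(s)) for i, s in enumerate(snippets)]
    sites = [(i, r) for i, r in sites if r is not None]
    if not sites:
        return 0.0, []
    fraction = sum(1 for _, (_, ok) in sites if ok) / len(sites)
    if fraction <= min_support:            # the code base usually does not check:
        return fraction, []                 # no belief to enforce, stay quiet
    return fraction, [i for i, (_, ok) in sites if not ok]
```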
[Slide 63]
Example security holes
```c
/* 2.4.9/drivers/isdn/act2000/capi.c:actcapi_dispatch */
isdn_ctrl cmd;
...
while ((skb = skb_dequeue(&card->rcvq))) {
    msg = skb->data;
    ...
    memcpy(cmd.parm.setup.phone,
           msg->msg.connect_ind.addr.num,
           msg->msg.connect_ind.addr.len - 1);
```
• Remote exploit, no checks
[Slide 64]
Example security holes
```c
/* 2.4.5/drivers/char/drm/i810_dma.c */
if (copy_from_user(&d, arg, sizeof(arg)))
    return -EFAULT;
if (d.idx > dma->buf_count)
    return -EINVAL;
buf = dma->buflist[d.idx];
copy_from_user(buf_priv->virtual, d.address, d.used);
```
• Missed lower-bound check on d.idx
[Slide 65]
Summary
• Static vs dynamic analyzers
• General properties of static analyzers
– Fundamental limitations
– Basic method based on abstract states
• More details on one specific method
– Property checkers from Engler et al., Coverity
– Sample security-related results
• Static analysis for Android malware
– STAMP method, sample studies
Slides from: S. Bugrahe, A. Chou, I. & T. Dillig, D. Engler, J. Franklin, A. Aiken, …