50 %
50 %
Information about usenix

Published on June 18, 2007

Author: WoodRock


Statically Detecting Likely Buffer Overflow Vulnerabilities:  Statically Detecting Likely Buffer Overflow Vulnerabilities David Larochelle David Evans University of Virginia Department of Computer Science Supported by USENIX Student Grant and NASA LRC Slide2:  1988: Morris worm exploits buffer overflows in fingerd to infect 6,000 servers 2001: Code Red exploits buffer overflows in IIS to infect 250,000 servers Single largest cause of vulnerabilities in CERT advisories Buffer overflow threatens Internet- WSJ(1/30/01) Why aren’t we better off than we were 13 years ago? :  Why aren’t we better off than we were 13 years ago? Ignorance C is difficult to use securely Unsafe functions Confusing APIs Even security aware programmers make mistakes. Security Knowledge has not been codified into the development process Automated Tools:  Automated Tools Run-time solutions StackGuard[USENIX 7], gcc bounds-checking, libsafe[USENIX 2000] Performance penalty Turns buffer overflow into a DoS attack Compile-time solutions - static analysis No run-time performance penalty Checks properties of all possible executions Design Goals:  Design Goals Tool that can be used by typical programmers as part of the development process Fast, Easy to Use Tool that can be used to check legacy code Handles typical C programs Encourage a proactive security methodology Document key assumptions Our approach:  Our approach Document assumptions about buffer sizes Semantic comments Provide annotated standard library Allow user's to annotate their code Find inconsistencies between code and assumptions Make compromises to get useful checking Use simplifying assumptions to improve efficiency Use heuristics to analyze common loop idioms Accept some false positives and false negatives (unsound and incomplete analysis) Implementation:  Implementation Extended LCLint Open source checking tool [FSE ‘94] [PLDI ‘96] Uses annotations Detects null dereferences, memory leaks, etc. Integrated to take advantage of existing checking and annotations (e.g., modifies) Added new annotations and checking for buffer sizes Annotations:  Annotations requires, ensures maxSet highest index that can be safely written to maxRead highest index that can be safely read char buffer[100]; ensures maxSet(buffer) == 99 Example: Example void func(char *str){ char buffer[256]; strncat(buffer, str, sizeof(buffer) - 1); return; } char *strncat (char *s1, char *s2, size_t n) /*@requires maxSet(s1) andgt;=maxRead(s1) + n@*/ Source: Secure Programming working document, Warning Reported:  strncat.c:4:21: Possible out-of-bounds store: strncat(buffer, str, sizeof((buffer)) - 1); Unable to resolve constraint: requires maxRead (buffer @ strncat.c:4:29) andlt;= 0 needed to satisfy precondition: requires maxSet (buffer @ strncat.c:4:29) andgt;= maxRead (buffer @ strncat.c:4:29) + 255 derived from strncat precondition: requires maxSet (andlt;parameter 1andgt;) andgt;= maxRead (andlt;parameter1andgt;) + andlt;parameter 3andgt; Warning Reported char * strncat (char *s1, char *s2, size_t n) /*@requires maxSet(s1) andgt;= maxRead(s1) + n @*/ char buffer[256]; strncat(buffer, str, sizeof(buffer) - 1); Overview of checking:  Overview of checking Intraprocedural But use annotations on called procedures and global variables to check calls, entry, exit points Expressions generate constraints C semantics, annotations Axiomatic semantics propagates constraints Simplifying rules (e.g. maxRead(str+i) ==andgt; maxRead(str) - i) Produce warnings for unresolved constraints Loop Heuristics:  Loop Heuristics Recognize common loop idioms Use heuristics to guess number of iterations Analyze first and last iterations Example: for (init; *buf; buf++) Assume maxRead(buf) iterations Model first and last iterations Case studies:  Case studies wu-ftpd 2.5 and BIND 8.2.2p7 Detected known buffer overflows Unknown buffer overflows exploitable with write access to config files Performance wu-ftpd: 7 seconds/ 20,000 lines of code BIND: 33 seconds / 40,000 lines Athlon 1200 MHz Results:  Results 95 writes 166 reads 132 writes 220 reads - Other Warnings 4 40 19 LCLint warnings with no annotations added 4 55 strncpy 21 97 strcpy 12 27 strcat LCLint warning with annotations Instances in wu-ftpd (grep) wu-ftpd vulnerablity:  int acl_getlimit(char *class, char *msgpathbuf) { struct aclmember *entry = NULL; while (getaclentry('limit', andamp;entry)) { … strcpy(msgpathbuf, entry-andgt;arg[3]); LCLint reports a possible buffer overflow for strcpy(msgpathbuf, entry-andgt;arg[3]); LCLint reports an error at a call site of acl_getlimit wu-ftpd vulnerablity /*@requires maxSet(msgpathbuf) andgt;= 1023 @*/ strncpy(msgpathbuf, entry-andgt;arg[3], 1023); msgpathbuf[1023] = ‘\0’; strncpy(msgpathbuf, entry-andgt;arg[3], 199); msgpathbuf[199] = ‘\0’; /*@requires maxSet(msgpathbuf) andgt;= 199 @*/ int access_ok( int msgcode) { char class[1024], msgfile[200]; int limit; … limit = acl_getlimit(class, msgfile); Related Work:  Related Work Lexical analysis grep, its4, RATS, FlawFinder Wagner, Foster, Brewer [NDSSS ‘00] Integer range constraints Flow insensitive analysis Dor, Rodeh and Sagiv [SAS ‘01] Source-to-source transformation with asserts and additional variables. Impediments to wide spread adoption:  Impediments to wide spread adoption People are lazy Programmers are especially lazy Adding annotations is too much work (except for security weenies) Working on techniques for automating the annotation process Conclusion:  Conclusion 2014:??? Will buffer overflows still be common? Codify security knowledge in tools real programmers can use Beta version now available: David Larochelle David Evans

Add a comment

Related presentations

Related pages

USENIX | The Advanced Computing Systems Association

Registration is open for the 8th USENIX Workshop on Hot Topics in Cloud Computing (HotCloud '16) and the 8th USENIX Workshop on Hot Topics in Storage and ...
Read more

Conferences | USENIX

8th USENIX Workshop on the Theory and Practice of Provenance: TaPP '16: June 8-9, 2016: Washington, D.C. 8th USENIX Workshop on Hot Topics in Storage and ...
Read more

USENIX – Wikipedia

USENIX, The Advanced Computing Systems Association, ist eine Vereinigung von Betriebssystem-Entwicklern, Forschern und Benutzern in Berkeley. Diese wurde ...
Read more

USENIX - 维基百科,自由的百科全书

USENIX成立于1975年,当时的名字叫做Unix用户群,其主要目的是学习和开发Unix以及类似系统。1977 年 6 月,美国电话电报 ...
Read more

USENIX - Wikipedia, the free encyclopedia

The USENIX Association is the Advanced Computing Systems Association. It was founded in 1975 under the name "Unix Users Group," focusing primarily on the ...
Read more

dblp: USENIX (Annual) Technical Conference

Bibliographic content of USENIX (Annual) Technical Conference ... Winter 1986: Denver, CO, USA Summer 1985: Portland, OR, USA Winter 1985: Dallas, TX, USA
Read more

USENIX - YouTube

As part of USENIX's commitment to the Open Access to research movement, slides, proceedings, and audio and video recordings from many of our events are now ...
Read more

USENIX - Wikipedia

USENIX協会は、1975年に設立された "Unix User Group" というユーザーグループを起源とする団体。Advanced Computing Technical ...
Read more

dblp: USENIX Security Symposium - dblp: computer science ...

Bibliographic content of USENIX Security Symposium ... Zachary N. J. Peterson: 2014 USENIX Summit on Gaming, Games, and Gamification in Security Education ...
Read more

USENIX - Google+

USENIX - USENIX, the Advanced Computing Systems Association - Since 1975, the USENIX Association has brought together the community of engineers, system ...
Read more