usenix

Information about usenix

Published on June 18, 2007

Author: WoodRock

Source: authorstream.com

Content

Statically Detecting Likely Buffer Overflow Vulnerabilities
David Larochelle, David Evans
University of Virginia, Department of Computer Science
Supported by USENIX Student Grant and NASA LRC

Slide 2
- 1988: Morris worm exploits buffer overflows in fingerd to infect 6,000 servers
- 2001: Code Red exploits buffer overflows in IIS to infect 250,000 servers
- Single largest cause of vulnerabilities in CERT advisories
- "Buffer overflow threatens Internet" - WSJ (1/30/01)

Why aren't we better off than we were 13 years ago?
- Ignorance
- C is difficult to use securely
  - Unsafe functions
  - Confusing APIs
- Even security-aware programmers make mistakes
- Security knowledge has not been codified into the development process

Automated Tools
- Run-time solutions: StackGuard [USENIX 7], gcc bounds-checking, libsafe [USENIX 2000]
  - Performance penalty
  - Turns a buffer overflow into a DoS attack
- Compile-time solutions: static analysis
  - No run-time performance penalty
  - Checks properties of all possible executions

Design Goals
- Tool that can be used by typical programmers as part of the development process
  - Fast, easy to use
- Tool that can be used to check legacy code
  - Handles typical C programs
- Encourage a proactive security methodology
  - Document key assumptions

Our approach
- Document assumptions about buffer sizes
  - Semantic comments
  - Provide annotated standard library
  - Allow users to annotate their code
- Find inconsistencies between code and assumptions
- Make compromises to get useful checking
  - Use simplifying assumptions to improve efficiency
  - Use heuristics to analyze common loop idioms
  - Accept some false positives and false negatives (unsound and incomplete analysis)

Implementation
- Extended LCLint
  - Open source checking tool [FSE '94] [PLDI '96]
  - Uses annotations
  - Detects null dereferences, memory leaks, etc.
- Integrated to take advantage of existing checking and annotations (e.g., modifies)
- Added new annotations and checking for buffer sizes

Annotations
- requires, ensures
- maxSet: highest index that can be safely written to
- maxRead: highest index that can be safely read
- Example:

    char buffer[100];
    ensures maxSet(buffer) == 99

SecurityFocus.com Example

    void func(char *str) {
        char buffer[256];
        strncat(buffer, str, sizeof(buffer) - 1);
        return;
    }

    char *strncat (char *s1, char *s2, size_t n)
        /*@requires maxSet(s1) >= maxRead(s1) + n @*/

Source: Secure Programming working document, SecurityFocus.com

Warning Reported

    strncat.c:4:21: Possible out-of-bounds store:
        strncat(buffer, str, sizeof((buffer)) - 1);
      Unable to resolve constraint:
        requires maxRead (buffer @ strncat.c:4:29) <= 0
      needed to satisfy precondition:
        requires maxSet (buffer @ strncat.c:4:29) >= maxRead (buffer @ strncat.c:4:29) + 255
      derived from strncat precondition:
        requires maxSet (<parameter 1>) >= maxRead (<parameter 1>) + <parameter 3>

Overview of checking
- Intraprocedural, but uses annotations on called procedures and global variables to check calls, entry points and exit points
- Expressions generate constraints (C semantics, annotations)
- Axiomatic semantics propagates constraints
- Simplifying rules, e.g. maxRead(str + i) ==> maxRead(str) - i
- Produce warnings for unresolved constraints

Loop Heuristics
- Recognize common loop idioms
- Use heuristics to guess the number of iterations
- Analyze first and last iterations
- Example: for (init; *buf; buf++)
  - Assume maxRead(buf) iterations
  - Model first and last iterations

Case studies
- wu-ftpd 2.5 and BIND 8.2.2p7
- Detected known buffer overflows
- Unknown buffer overflows exploitable with write access to config files
- Performance (Athlon 1200 MHz): wu-ftpd 7 seconds / 20,000 lines of code; BIND 33 seconds / 40,000 lines

Results (wu-ftpd)
Columns on the slide: instances in wu-ftpd (grep), LCLint warnings with annotations, LCLint warnings with no annotations added, other warnings.
- strcpy: 97 instances (grep), 21 LCLint warnings with annotations
- strcat: 27 instances (grep), 12 LCLint warnings with annotations
- strncpy: 55 instances (grep), 4 LCLint warnings with annotations
- Remaining cells as extracted (column layout lost): Other Warnings 4 40 19; 95 writes 166 reads; 132 writes 220 reads

wu-ftpd vulnerability

    int acl_getlimit(char *class, char *msgpathbuf)
    {
        struct aclmember *entry = NULL;
        while (getaclentry("limit", &entry)) {
            …
            strcpy(msgpathbuf, entry->arg[3]);

LCLint reports a possible buffer overflow for strcpy(msgpathbuf, entry->arg[3]);

wu-ftpd vulnerability (fix)

    /*@requires maxSet(msgpathbuf) >= 1023 @*/
        strncpy(msgpathbuf, entry->arg[3], 1023);
        msgpathbuf[1023] = '\0';

With that annotation, LCLint reports an error at a call site of acl_getlimit:

    int access_ok(int msgcode)
    {
        char class[1024], msgfile[200];
        int limit;
        …
        limit = acl_getlimit(class, msgfile);

The bound is reduced to 199 to fit the caller's msgfile[200]:

    /*@requires maxSet(msgpathbuf) >= 199 @*/
        strncpy(msgpathbuf, entry->arg[3], 199);
        msgpathbuf[199] = '\0';

Related Work
- Lexical analysis: grep, its4, RATS, FlawFinder
- Wagner, Foster, Brewer [NDSS '00]: integer range constraints, flow-insensitive analysis
- Dor, Rodeh and Sagiv [SAS '01]: source-to-source transformation with asserts and additional variables
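The slides describe the checking in words: buffers carry maxSet and maxRead bounds, library calls impose preconditions such as maxSet(s1) >= maxRead(s1) + n for strncat, a constraint whose value is unknown is reported as unresolved, a call site of an annotated user function is checked against that function's requires clause, and a `for (; *buf; buf++)` loop is modelled by its first and last iteration. The following toy checker is an added example, not LCLint's code or anything from the slides: it implements those rules over a small tuple-based statement language, and its inputs (the SecurityFocus example, the wu-ftpd call site with a 1023 versus 199 annotation, and a copy loop) are constructed to mirror the slides. The statement kinds, the `requires` mapping and the warning wording are all my own assumptions.

```python
"""Toy checker in the style of LCLint's maxSet/maxRead annotations.

Constructed illustration, not LCLint's own implementation. A buffer is modelled
by two integers: maxSet, the highest index that can safely be written, and
maxRead, the highest index that can safely be read. None means unknown, which is
what produces an "unable to resolve constraint" warning, as on the slides.
Statements are tuples, e.g. ("decl", "buffer", 256) for char buffer[256];."""


def _slot(env, name):
    """Environment entry for a buffer, created as fully unknown on first use."""
    return env.setdefault(name, {"maxSet": None, "maxRead": None})


def _require_set(env, dst, need, why):
    """Check maxSet(dst) >= need. Returns a list of warnings, empty if satisfied."""
    have = _slot(env, dst)["maxSet"]
    if need is None or have is None:
        return [f"unable to resolve constraint: {why}"]
    if have < need:
        return [f"possible out-of-bounds store: {why}; maxSet({dst}) == {have}, need >= {need}"]
    return []


def step(env, stmt, requires):
    """Apply one statement to the environment and return the warnings it generates.

    `requires` maps an annotated user function to [(parameter index, k)], standing
    in for its /*@requires maxSet(param) >= k @*/ annotation (assumed encoding)."""
    kind, *a = stmt
    rd = lambda name: _slot(env, name)["maxRead"]
    if kind == "decl":                      # char name[size]; ensures maxSet == size - 1
        name, size = a
        env[name] = {"maxSet": size - 1, "maxRead": None}   # contents uninitialised
        return []
    if kind == "assume":                    # fact taken from an annotation or a literal
        name, prop, value = a
        _slot(env, name)[prop] = value
        return []
    if kind == "strcpy":                    # requires maxSet(dst) >= maxRead(src)
        dst, src = a
        w = _require_set(env, dst, rd(src), f"maxSet({dst}) >= maxRead({src})")
        _slot(env, dst)["maxRead"] = rd(src)            # ensures maxRead(dst) == maxRead(src)
        return w
    if kind == "strncpy":                   # requires maxSet(dst) >= n - 1
        dst, src, n = a
        w = _require_set(env, dst, n - 1, f"maxSet({dst}) >= {n - 1}")
        _slot(env, dst)["maxRead"] = None               # strncpy need not NUL-terminate
        return w
    if kind == "strncat":                   # requires maxSet(dst) >= maxRead(dst) + n
        dst, src, n = a
        need = None if rd(dst) is None else rd(dst) + n
        w = _require_set(env, dst, need, f"maxSet({dst}) >= maxRead({dst}) + {n}")
        _slot(env, dst)["maxRead"] = need
        return w
    if kind == "nul":                       # dst[i] = '\0': requires maxSet(dst) >= i
        dst, i = a
        w = _require_set(env, dst, i, f"maxSet({dst}) >= {i}")
        _slot(env, dst)["maxRead"] = i                  # ensures maxRead(dst) == i
        return w
    if kind == "copy_loop":                 # for (; *src; src++, dst++) *dst = *src;
        dst, src = a                        # heuristic: maxRead(src) iterations, first and last
        w = _require_set(env, dst, 0, f"first iteration: maxSet({dst}) >= 0")
        last = None if rd(src) is None else rd(src) - 1
        return w + _require_set(env, dst, last, f"last iteration: maxSet({dst}) >= maxRead({src}) - 1")
    if kind == "call":                      # call site of an annotated user function
        fn, args = a
        w = []
        for idx, k in requires.get(fn, []):
            w += _require_set(env, args[idx], k, f"{fn} precondition: maxSet({args[idx]}) >= {k}")
        return w
    raise ValueError(f"unknown statement kind {kind!r}")


def check(stmts, requires=None):
    """Run the checker over straight-line statements and return every warning."""
    env, warnings = {}, []
    for s in stmts:
        warnings += step(env, s, requires or {})
    return warnings


# Constructed inputs mirroring the slides.
SECURITYFOCUS = [("decl", "buffer", 256), ("strncat", "buffer", "str", 255)]

WU_FTPD_ANNOTATION = {"acl_getlimit": [(1, 1023)]}      # msgpathbuf is parameter 1
WU_FTPD_CALLER = [("decl", "class", 1024), ("decl", "msgfile", 200),
                  ("call", "acl_getlimit", ["class", "msgfile"])]
WU_FTPD_FIX = [("assume", "msgpathbuf", "maxSet", 1023),  # from the requires annotation
               ("strncpy", "msgpathbuf", "arg3", 1023), ("nul", "msgpathbuf", 1023)]

COPY_LOOP = [("decl", "dst", 8), ("assume", "src", "maxRead", 16), ("copy_loop", "dst", "src")]

if __name__ == "__main__":
    for label, prog, req in [("SecurityFocus", SECURITYFOCUS, None),
                             ("wu-ftpd caller", WU_FTPD_CALLER, WU_FTPD_ANNOTATION),
                             ("wu-ftpd fix", WU_FTPD_FIX, None),
                             ("copy loop", COPY_LOOP, None)]:
        print(label, check(prog, req) or ["ok"])
```

Two things the toy reproduces from the slides are worth noticing: the SecurityFocus call is flagged as unresolved rather than as an overflow, because `buffer` is never initialised and so maxRead(buffer) is unknown, exactly the "Unable to resolve constraint" warning shown; and the 1023 annotation on acl_getlimit is satisfied inside the function body but fails at the access_ok call site, where msgfile has maxSet 199, which is how an annotation turns a local fix into a whole-program consistency check.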
Impediments to widespread adoption
- People are lazy
- Programmers are especially lazy
- Adding annotations is too much work (except for security weenies)
- Working on techniques for automating the annotation process

Conclusion
- 2014: ??? Will buffer overflows still be common?
- Codify security knowledge in tools real programmers can use
- Beta version now available: http://lclint.cs.virginia.edu
- David Larochelle, David Evans: [email protected] [email protected]
