Assignments Homework 1 due Friday Lab1 due next Wednesday - PowerPoint PPT Presentation

  1. Assignments
     • Homework 1 – due Friday
     • Lab1 – due next Wednesday
     • Section - will talk about gdb, etc.

  2. Approaches to Finding Security Bugs
     • Runtime Monitoring
     • Black-box Testing
     • Static Analysis

  3. From Coverity

  4. Architecture of an Analysis Platform

  5. Bugs Detected by Coverity
     Crash Causing Defects
     • Uninitialized variables
     • Null pointer dereference
     • Use after free
     • Double free
     • Array indexing errors
     • Mismatched array new/delete
     • Potential stack overrun
     • Potential heap overrun
     • Return pointers to local variables
     • Logically inconsistent code
     • Invalid use of negative values
     • Passing large parameters by value
     • Under-allocations of dynamic data
     • Memory leaks
     • File handle leaks
     • Network resource leaks
     • Unused values
     • Unhandled return codes
     • Use of invalid iterators

  6. Coverity Checkers
     • Some coding patterns and some vulnerabilities are specific to the code base
     • Issues that apply to the Linux kernel are unlikely to apply in application software

  7. Example Checker: Missing Optional Arguments
     • Prototype for open() syscall: int open(const char *path, int oflag, /* mode_t mode */ ...);
     • Typical mistake: fd = open("file", O_CREAT);
     • Force setting explicit file permissions!
     • Check: look for oflag == O_CREAT without a mode argument
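One way to implement the check described on this slide, as an added example in Python (my own code, not a Coverity checker): it scans C source text for open() calls whose flags include O_CREAT but which pass no mode argument. The C fragment in SAMPLE_C is constructed for the demonstration.

```python
import re

# Constructed C fragment (added example, not from the slides) with one bad open() call.
SAMPLE_C = """\
int fd1 = open("file", O_CREAT);                 /* mode missing: permissions unspecified */
int fd2 = open(path, O_WRONLY | O_CREAT, 0600);  /* explicit mode */
int fd3 = open(path, O_RDONLY);                  /* no O_CREAT, so no mode needed */
int fd4 = open(path, O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
"""

def split_args(text, start):
    """Return the argument list of the call whose '(' was just consumed at text[start:],
    honouring nested parentheses (string literals containing ',' are not handled)."""
    depth, cur, args = 0, "", []
    for ch in text[start:]:
        if ch == ")" and depth == 0:
            args.append(cur.strip())
            return args
        if ch == "," and depth == 0:
            args.append(cur.strip())
            cur = ""
            continue
        depth += (ch == "(") - (ch == ")")
        cur += ch
    return args                                   # unterminated call: best effort

def check_open_calls(src):
    """Slide 7's check: flag open() calls whose oflag argument contains O_CREAT but which
    pass no third (mode) argument. Returns (line number, oflag expression) pairs."""
    findings = []
    for m in re.finditer(r"\bopen\s*\(", src):
        args = split_args(src, m.end())
        if len(args) == 2 and "O_CREAT" in args[1]:
            line = src.count("\n", 0, m.start()) + 1
            findings.append((line, args[1]))
    return findings
```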

  8. Example: chroot Protocol Checker
     • Goal: confine process to a "jail" on the filesystem
     • chroot() changes filesystem root for a process
     • Problem: chroot() itself does not change current working directory
     • Expected protocol: chroot() → chdir("/") → open("../file", ...); error if open happens before chdir

  9. Tainting Checkers

  10. Sanitize Integers Before Use
     • Warn when unchecked integers from untrusted sources reach trusting sinks
     • Sources (v.tainted): network packet, copyin(&v, p, len), syscall param
     • States: v.tainted → v.clean once sanitized; Use(v) on a tainted v → ERROR
     • Sinks Use(v): memcpy(p, q, v), array[v], copyin(p, q, v), while (i < v), copyout(p, q, v), …
     • Linux: 125 errors, 24 false; BSD: 12 errors, 4 false

  11. Looking for Blocking Function Calls

  12. Missed Lower-bound Check
         /* 2.4.5/drivers/char/drm/i810_dma.c */
         if (copy_from_user(&d, arg, sizeof(arg)))
             return -EFAULT;
         if (d.idx > dma->buf_count)
             return -EINVAL;
         buf = dma->buflist[d.idx];
         copy_from_user(buf_priv->virtual, d.address, d.used);
     • d is read from the user
     • Signed integer d.idx is upper-bound checked but not lower-bound checked
     • d.used is unchecked, allowing 2GB of user data to be copied into the kernel

  13. Remote Exploit
         /* 2.4.9/drivers/isdn/act2000/capi.c:actcapi_dispatch */
         isdn_ctrl cmd;
         ...
         while ((skb = skb_dequeue(&card->rcvq))) {
             msg = skb->data;
             ...
             memcpy(cmd.parm.setup.phone,
                    msg->msg.connect_ind.addr.num,
                    msg->msg.connect_ind.addr.len - 1);
     • msg points to arbitrary network data
     • This can be used to overflow cmd and write data onto the stack
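An added example (my own code, not the Stanford/Coverity checker, which runs on real C ASTs) of the tainting rule from slide 10, exercised on the two kernel fragments of slides 12 and 13 rewritten as a constructed mini-IR of (op, variable[, bound]) tuples. It assumes signed integers, so a value counts as clean only after both an upper-bound and a lower-bound check, which is exactly the lesson of slide 12.

```python
# Added example (not the Coverity/Stanford checker): a constructed mini-IR in which
# each statement is a tuple (op, variable[, bound]).
SOURCES = {"copyin", "copy_from_user", "packet", "syscall_param"}   # produce v.tainted
SINKS = {"memcpy", "array_index", "copyin_len", "copyout_len", "loop_bound"}

def state(tainted, var):
    """A field of a tainted struct inherits its taint (copy_from_user(&d, ..) taints d.idx)."""
    if var not in tainted and var.split(".")[0] in tainted:
        tainted[var] = set()
    return tainted.get(var)          # set of checked bounds, or None if the value is clean

def check_taint(stmts):
    """Slide 10's rule: warn when an unchecked integer from an untrusted source reaches
    a trusting sink. Assumes signed integers, so a value is clean only once both an
    upper and a lower bound have been checked (the slide 12 lesson)."""
    tainted, errors = {}, []
    for stmt in stmts:
        op, var = stmt[0], stmt[1]
        if op in SOURCES:
            tainted[var] = set()                         # v.tainted, nothing checked yet
        elif op == "check":                              # ("check", var, "upper" | "lower")
            checked = state(tainted, var)
            if checked is not None:
                checked.add(stmt[2])
        elif op in SINKS:
            checked = state(tainted, var)
            missing = sorted({"upper", "lower"} - checked) if checked is not None else []
            if missing:
                errors.append(f"{op}({var}): tainted, missing {missing} check")
    return errors

# Slide 12 (i810_dma.c): d is user data, d.idx is only upper-bound checked, d.used unchecked.
I810 = [("copy_from_user", "d"), ("check", "d.idx", "upper"),
        ("array_index", "d.idx"), ("copyin_len", "d.used")]
# Slide 13 (act2000 capi.c): a length taken straight from a network packet sizes a memcpy.
ACT2000 = [("packet", "msg"), ("memcpy", "msg.connect_ind.addr.len")]
# The i810 sequence with both bounds checked before each use: no warnings.
I810_FIXED = [("copy_from_user", "d"), ("check", "d.idx", "upper"), ("check", "d.idx", "lower"),
              ("array_index", "d.idx"), ("check", "d.used", "upper"), ("check", "d.used", "lower"),
              ("copyin_len", "d.used")]
```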

  14. Example Code with Functions and Calls
     • We would want to reason about the flow of the input (size) and name provided by the user

  15. Call Graph for the Program
     • Functions in the graph: main, atoi, exit, free, malloc, say_hello, fgets, printf

  16. Control Flow Graph
     • Represent logical structure of code in graph form
     • Example program as a CFG:
         char * buf[8];
         if (a)         a → b = new char [5];    !a → (skip)
         if (a && b)    a && b → buf[8] = a;     !(a && b) → delete [] b; *b = 'x';
         *a = *b;
         END

  17. Path Traversal
     • Conceptually: analyze each path through the control graph separately
     • Actually: perform some checking computation once per node; combine paths at merge nodes
     • (Same CFG as slide 16: char * buf[8]; if (a) ...; if (a && b) ...; *a = *b; END)

  18. Apply Checking (Null pointers, Use after free, Array overrun)
     • See how three checkers are run for this path:
         char * buf[8]; → if (a) → !a → if (a && b) → !(a && b) → delete [] b; → *b = 'x'; → *a = *b; → END
     • Checker
       • Defined by a state diagram, with state transitions and error states
     • Run checker
       • Assign initial state to each program var
       • State at a program point depends on state at the previous point and the program actions
       • Emit error if error state reached

  19. Apply Checking (Null pointers, Use after free, Array overrun)
     • char * buf[8];   "buf is 8 bytes"
     • if (a) → !a → if (a && b) → !(a && b) → delete [] b; → *b = 'x'; → *a = *b; → END

  20. Apply Checking
     • char * buf[8];   "buf is 8 bytes"
     • if (a), !a branch   "a is null"
     • if (a && b) → !(a && b) → delete [] b; → *b = 'x'; → *a = *b; → END

  21. Apply Checking
     • char * buf[8];   "buf is 8 bytes"
     • if (a), !a branch   "a is null"
     • if (a && b), !(a && b) branch   already knew a was null
     • delete [] b; → *b = 'x'; → *a = *b; → END

  22. Apply Checking
     • char * buf[8];   "buf is 8 bytes"
     • if (a), !a branch   "a is null"
     • if (a && b), !(a && b) branch
     • delete [] b;   "b is deleted"
     • *b = 'x'; → *a = *b; → END

  23. Apply Checking
     • char * buf[8];   "buf is 8 bytes"
     • if (a), !a branch   "a is null"
     • if (a && b), !(a && b) branch
     • delete [] b;   "b is deleted"
     • *b = 'x';   "b dereferenced!"
     • *a = *b; → END

  24. Apply Checking
     • char * buf[8];   "buf is 8 bytes"
     • if (a), !a branch   "a is null"
     • if (a && b), !(a && b) branch
     • delete [] b;   "b is deleted"
     • *b = 'x';   "b dereferenced!"
     • *a = *b;   no more errors reported for b
     • END

  25. False Positives
     • What is a bug? Something the user will fix.
     • Many sources of false positives
       • False paths
       • Idioms
       • Execution environment assumptions
       • Killpaths
       • Conditional compilation
       • "third party code"
       • Analysis imprecision
       • …

  26. A False Path
     • Same CFG as slide 16; the path highlighted takes the !a branch of if (a) and then the a && b branch of if (a && b) into buf[8] = a;

  27. False Path Pruning (Branch Disequality, Integer Range)
     • Path: char * buf[8]; → if (a) → !a → if (a && b) → a && b → buf[8] = a; → END

  28. False Path Pruning (Branch Disequality, Integer Range)
     • char * buf[8];
     • if (a), !a branch   Integer Range: "a in [0,0]"; Branch Disequality: "a == 0 is true"
     • if (a && b) → a && b → buf[8] = a; → END

  29. False Path Pruning (Branch Disequality, Integer Range)
     • char * buf[8];
     • if (a), !a branch   "a in [0,0]"; "a == 0 is true"
     • if (a && b), a && b branch   "a != 0"
     • buf[8] = a; → END

  30. False Path Pruning (Branch Disequality, Integer Range)
     • char * buf[8];
     • if (a), !a branch   "a in [0,0]"; "a == 0 is true"
     • if (a && b), a && b branch   "a != 0"   → Impossible: the path is pruned
     • buf[8] = a; → END
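As an added example (my own code, not Coverity's), the procedure of slides 16 through 30 carried out on the slides' own program: enumerate every path through the CFG, run the three state-machine checkers (null pointer, use after free, array overrun) along each path, and prune the false path of slides 26 to 30 using the fact that the !a branch puts a in [0,0]. The CFG encoding and the step labels are my construction.

```python
# Constructed model of the slides' example as a CFG (added example, not Coverity code):
# node -> (statement label, [(branch condition, successor), ...]).
CFG = {
    "decl":  ("char *buf[8];",    [(None, "if_a")]),
    "if_a":  ("if (a)",           [("a", "new_b"), ("!a", "if_ab")]),
    "new_b": ("b = new char[5];", [(None, "if_ab")]),
    "if_ab": ("if (a && b)",      [("a && b", "store"), ("!(a && b)", "del_b")]),
    "store": ("buf[8] = a;",      [(None, "deref")]),
    "del_b": ("delete [] b;",     [(None, "use_b")]),
    "use_b": ("*b = 'x';",        [(None, "deref")]),
    "deref": ("*a = *b;",         []),
}

def paths(node="decl", prefix=()):
    """Slide 17, 'conceptually': enumerate every path as statements and branch conditions in order."""
    label, succs = CFG[node]
    prefix += (label,)
    if not succs:
        yield prefix
    for cond, nxt in succs:
        yield from paths(nxt, prefix + (cond,) if cond else prefix)

def feasible(path):
    """Slides 28-30: '!a' puts a in [0,0], so a later 'a && b' branch (needs a != 0) is impossible."""
    not_a = [i for i, s in enumerate(path) if s == "!a"]
    both = [i for i, s in enumerate(path) if s == "a && b"]
    return not (not_a and both and not_a[0] < both[0])

def run_checkers(path):
    """Slide 18's three state-machine checkers over one path: each program action
    updates per-variable state; reaching an error state emits a report once."""
    state, errors = {}, []
    for step in path:
        if step == "char *buf[8];":
            state["buf"] = 8                     # "buf is 8 bytes"
        elif step == "!a":
            state["a"] = "null"                  # "a is null"
        elif step == "delete [] b;":
            state["b"] = "deleted"               # "b is deleted"
        elif step == "buf[8] = a;" and state.get("buf", 9) <= 8:
            errors.append("array overrun: buf[8] on an 8-byte buf")
        elif step in ("*b = 'x';", "*a = *b;"):
            if state.get("b") == "deleted":
                errors.append(f"use after free: b dereferenced in {step}")
                state["b"] = "reported"          # no more errors for b (slide 24)
            if step == "*a = *b;" and state.get("a") == "null":
                errors.append("null pointer dereference: a")
    return errors

def analyze(prune=True): return {p: run_checkers(p) for p in paths() if not prune or feasible(p)}
```

With pruning on, the false path through !a and a && b disappears from the report; with prune=False it contributes a spurious array overrun and null dereference, which is the false positive slides 26 to 30 describe.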

  31. Application to Security Bugs
     • Stanford research project
     • Ken Ashcraft and Dawson Engler, Using Programmer-Written Compiler Extensions to Catch Security Holes, IEEE Security and Privacy 2002
     • Used modified compiler to find over 100 security holes in Linux and BSD

  32. Results for BSD and Linux
     Violation                 Linux Bug   Linux Fixed   BSD Bug   BSD Fixed
     Gain control of system        18          15            3         3
     Corrupt memory                43          17            2         2
     Read arbitrary memory         19          14            7         7
     Denial of service             17           5            0         0
     Minor                         28           1            0         0
     Total                        125          52           12        12

  33. CSE484/CSE584 THREAT MODELING Dr. Benjamin Livshits
