Motivation | Static Code Analysis | Implementation | Conclusion | References

Bridging the Semantic Gap Through Static Code Analysis

Christian Schneider, Jonas Pfoh, Claudia Eckert
{schneidc,pfoh,eckertc}@in.tum.de
Chair for IT Security, Technische Universität München, Munich, Germany
April 10, 2012

C. Schneider, J. Pfoh, C. Eckert, Chair for IT Security, TU München, April 10, 2012, 1 / 28
Outline

1 Motivation
  Introducing InSight
  Why debugging symbols are insufficient
2 Static Code Analysis
  Step 1: Points-to Analysis
  Step 2: Establishing Used-as Relations
3 Implementation
4 Conclusion
Virtual Machine Introspection (VMI) [Garfinkel and Rosenblum(2003)]

VMI describes the act of examining, monitoring and manipulating a virtual machine from the vantage point of a hypervisor.

(Figure: the monitored VM, consisting of static libraries, system libraries & API and the guest OS running on virtual hardware, sits on top of the hypervisor, the host operating system and the physical hardware.)
Semantic Gap [Chen and Noble(2001)]

(Figure: the kernel data structures Struct A through Struct G as they lie in the monitored VM's memory; from the hypervisor's view they are only raw bytes.)
Bridging the Gap: Out-of-Band Delivery

Common approach: utilize kernel debugging symbols

Use symbols for:
- Layout and size of kernel data structures
- Virtual address of global variables and functions

Emulate virtual-to-physical address translation in software

⇒ Complex engineering task
Introducing InSight [Schneider et al.(2011)]

Features:
- Stand-alone VMI tool to bridge the semantic gap
- Uses debugging symbols as foundation
- Shell-like interface for interactive inspection
- JavaScript engine for automated analysis
- Works for x86 32 bit (w/ PAE) and 64 bit Linux guests
- Supports any hypervisor providing guest memory access
Introducing InSight (cont.) [Schneider et al.(2011)]

(Figure: three struct task_struct objects connected through their real_parent, parent, children and sibling pointers. The fields shown are pid (pid_t = 3412 and pid_t = 8244), start_time (a struct timespec with tv_sec: time_t = 1271184192 and tv_nsec: long = 391233), uid (uid_t = 0 and uid_t = 1001) and gid (gid_t = 0 and gid_t = 100).)

Functionality so far:
- Read objects from known locations with known type
- Follow typed pointer fields to further objects

But...
Why debugging symbols are insufficient

    /* Generic doubly linked list node, embedded into the objects it links. */
    struct list_head {
        struct list_head *next, *prev;
    };

    struct module {
        struct list_head list;   /* links this module into the global list */
        char name[60];
        /* ... */
    };

    /* Global list head; its next/prev point to embedded list_heads, not to modules. */
    struct list_head modules;

    struct module* find_module(const char *name)
    {
        struct module *mod;
        list_for_each_entry(mod, &modules, list)
        {
            if (strcmp(mod->name, name) == 0)
                return mod;
        }
        return NULL;
    }
Why debugging symbols are insufficient (cont.)

    struct module* find_module(const char * name)
    {
        struct module * mod;
        /* Original code: list_for_each_entry(mod, &modules, list) */
        for (mod = ({
                 /* container_of(): cast the list_head pointer to char *, subtract the
                  * field offset and cast the result to struct module *.  Neither the
                  * char * detour nor the target type appears in the debugging symbols. */
                 const typeof(((typeof(*mod) *) 0)->list) * __mptr = ((&modules)->next);
                 (typeof(*mod) *) ((char *) __mptr - __builtin_offsetof(typeof(*mod), list));
             });
             __builtin_prefetch(mod->list.next), &mod->list != (&modules);
             mod = ({
                 const typeof(((typeof(*mod) *) 0)->list) * __mptr = (mod->list.next);
                 (typeof(*mod) *) ((char *) __mptr - __builtin_offsetof(typeof(*mod), list));
             }))
        {
            if (strcmp(mod->name, name) == 0)
                return mod;
        }
        return ((void *) 0);
    }
Why debugging symbols are insufficient (cont.)

(Figure: the global list head modules (struct list_head) and three struct module objects. The struct list_head embedded in each module is chained to the others and to the head through the next and prev pointers, forming a circular doubly linked list; the name field of each module lies outside the list_head, so following next pointers alone never reaches it.)
Example: lsmod in JavaScript

Manually apply expert knowledge:

    function lsmod()
    {
        // type of variable "modules" is list_head
        var head = new Instance("modules");
        var m = head.next;
        m.ChangeType("module");
        // offset for address correction
        var offset = m.MemberOffset("list");
        m.AddToAddress(-offset);
        // correct head as well for loop termination
        head.AddToAddress(-offset);
        // iterate over all modules
        do {
            print(m.name + " " + m.args);
            m = m.list.next;
            m.ChangeType("module");
            m.AddToAddress(-offset);
        } while (m && m.Address() != head.Address());
    }
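The following is an added example, not code from the slides or from the InSight project. It replays the find_module()/lsmod walk over a constructed guest memory image to make the gap concrete: walk_typed_only() does only what the debugging symbols license (follow list_head.next and land on another list_head), while lsmod() applies the expert knowledge that the enclosing struct module starts offsetof(struct module, list) bytes before the list_head. The struct layout, the virtual addresses, the module names and the GuestMemory class are assumptions constructed for the example; a real tool takes the offsets from the debugging symbols and the bytes from the hypervisor.

```python
import struct

# Assumed 64-bit layout of the two slide types (constructed for the example; a real
# tool reads these offsets from the kernel debugging symbols):
#   struct list_head { u64 next; u64 prev; }                                  16 bytes
#   struct module    { u32 state; <pad>; struct list_head list; char name[60]; ... }
LIST_OFFSET = 8      # offsetof(struct module, list)
NAME_OFFSET = 24     # offsetof(struct module, name)
NAME_LEN = 60

BASE = 0xffffffff81c00000                         # assumed start of the constructed region
MODULES_ADDR = BASE                                # the global 'struct list_head modules'
MODULE_ADDRS = [BASE + 0x100, BASE + 0x200, BASE + 0x300]
MODULE_NAMES = ["ext4", "e1000", "kvm_intel"]      # constructed sample data


class GuestMemory:
    """Stand-in for the hypervisor's guest memory access: one flat region of guest
    virtual addresses (address translation is out of scope here)."""

    def __init__(self, base, size):
        self.base, self.buf = base, bytearray(size)

    def _off(self, addr, n):
        off = addr - self.base
        if off < 0 or off + n > len(self.buf):
            raise ValueError("access outside mapped guest memory: 0x%x" % addr)
        return off

    def write(self, addr, data):
        off = self._off(addr, len(data))
        self.buf[off:off + len(data)] = data

    def read(self, addr, n):
        off = self._off(addr, n)
        return bytes(self.buf[off:off + n])

    def read_u64(self, addr):
        return struct.unpack("<Q", self.read(addr, 8))[0]


def build_guest_memory():
    """Constructed image: 'modules' and the three embedded list_heads form one
    circular doubly linked list, as drawn on slide 11."""
    mem = GuestMemory(BASE, 0x400)
    ring = [MODULES_ADDR] + [addr + LIST_OFFSET for addr in MODULE_ADDRS]
    for i, lh in enumerate(ring):
        nxt, prv = ring[(i + 1) % len(ring)], ring[(i - 1) % len(ring)]
        mem.write(lh, struct.pack("<QQ", nxt, prv))
    for addr, name in zip(MODULE_ADDRS, MODULE_NAMES):
        mem.write(addr + NAME_OFFSET, name.encode().ljust(NAME_LEN, b"\0"))
    return mem


def walk_typed_only(mem):
    """What the debugging symbols alone support: follow list_head.next from the
    global head. Every hop lands on another struct list_head, never on a module."""
    addrs = []
    cur = mem.read_u64(MODULES_ADDR)              # modules.next
    while cur != MODULES_ADDR:
        addrs.append(cur)
        cur = mem.read_u64(cur)                   # ((struct list_head *) cur)->next
    return addrs


def lsmod(mem, max_entries=1024):
    """The expert knowledge from find_module() and the lsmod script: the enclosing
    struct module starts offsetof(struct module, list) bytes before the list_head."""
    names = []
    cur = mem.read_u64(MODULES_ADDR)
    while cur != MODULES_ADDR:
        if len(names) >= max_entries:             # guard: a broken next pointer never reaches the head
            raise RuntimeError("module list does not terminate after %d entries" % max_entries)
        mod = cur - LIST_OFFSET                   # container_of(cur, struct module, list)
        raw = mem.read(mod + NAME_OFFSET, NAME_LEN)
        names.append(raw.split(b"\0", 1)[0].decode())
        cur = mem.read_u64(mod + LIST_OFFSET)     # mod->list.next
    return names


if __name__ == "__main__":
    image = build_guest_memory()
    print("list_head addresses:", [hex(a) for a in walk_typed_only(image)])
    print("modules:", lsmod(image))
```

The max_entries guard in lsmod() is the introspection-side counterpart of the loop termination comment in the JavaScript script: the walker cannot trust that guest pointers form a well-formed ring, so a list that never returns to the head is reported instead of looping forever.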
Summary

Problems
Runtime pointer and type manipulations are not reflected in the debugging symbols:
- type casts from void* pointers
- type casts from integer types
- pointer arithmetic
- variable length arrays

Possible solution
Static analysis of the kernel's source code to detect such runtime operations and augment the debugging symbols
Static Code Analysis

Questions our code analysis can answer:
1 Is a global variable or structure field used as a type that differs from its declaration?
2 How to transform a source value (field/variable) to derive the next object's address?

Our approach: type centric analysis
- Captures arbitrary pointer arithmetic
- Over-approximation of possible pointer types → increase object coverage at the cost of type uncertainty

We call this the used-as analysis.
Used-As Analysis

Prerequisites:
- Kernel debugging symbols
- Pre-processed source code

Involves two steps:
1 Points-to analysis
  - Detects memory aliasing between symbols (variables/pointers)
  - Reveals indirect type usages through local (pointer) variables
2 Establishing used-as relations
  - Find type usages contradicting their declaration → type casts
  - Record how the value is transformed to the target address → pointer arithmetic
Step 1: Points-to Analysis

Characteristics:
- structure/union field sensitive
- intra-procedural
- control-flow insensitive
- works on complete C expressions:

      x = y + 8 * sizeof(int);
      z = x & ~0xFF;

  z ↦ { (y + 8 · sizeof(int)) & ~0xFF }

Result: transitive closure of the points-to map
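The following is an added example, not code from the slides or from InSight, showing both steps of the used-as analysis in miniature on the two inputs the slides discuss: the x/y/z statements from this slide and the expanded find_module() loop body from slide 10. points_to_closure() builds the flow-insensitive, field-sensitive, intra-procedural points-to map and substitutes local variables away transitively, so z resolves to { (y + 8 * sizeof(int)) & ~0xFF } and mod resolves to an expression over the global modules. used_as_relations() then reads off the used-as relation: the global symbol an expression starts from, the pointer type it is cast to, and the whole expression as the recorded address transformation. The toy front end (regex-based parsing of "lhs = rhs;" statements, the set of locals and globals passed in, the max_depth bound) is an assumption constructed for the example; the paper's analysis works on the real pre-processed kernel sources.

```python
import re

# Toy front end for "complete C expressions". Assumed input shape: pre-processed
# statements "lhs = rhs;" where lhs is a variable or field path; declarations have
# been split off. Field paths (a->b.c) stay one token; aliasing is on the base name.
IDENT = re.compile(r"(?<!\w)[A-Za-z_]\w*(?:(?:->|\.)[A-Za-z_]\w*)*")
ASSIGN = re.compile(r"^([A-Za-z_][\w.>-]*)\s*=(?!=)\s*(.+)$")
CAST = re.compile(r"\(\s*((?:struct|union)\s+\w+|\w+)\s*\*+\s*\)")


def base_of(token):
    """'mod->list.next' -> 'mod'."""
    return re.split(r"->|\.", token, maxsplit=1)[0]


def parse_assignments(code):
    pairs = []
    for stmt in code.split(";"):
        m = ASSIGN.match(" ".join(stmt.split()))
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def substitute(expr, name, replacement):
    """Replace whole-identifier occurrences of name; '.name' and '->name' are fields."""
    pattern = r"(?<![\w.>])" + re.escape(name) + r"(?!\w)"
    return re.sub(pattern, lambda _m: replacement, expr)


def points_to_closure(code, locals_, max_depth=8):
    """Flow-insensitive, intra-procedural points-to map, closed transitively.

    Every assignment to a local contributes to its set (statement order is ignored),
    and locals are substituted by their own expressions until only non-local symbols
    remain. A self-referential expression (mod = ... mod ...) keeps the local symbolic;
    max_depth bounds mutual recursion between locals (leftovers are kept unresolved).
    """
    direct = {}
    for lhs, rhs in parse_assignments(code):
        direct.setdefault(lhs, set()).add(rhs)
    closure = {}
    for var, exprs in direct.items():
        resolved, frontier = set(), set(exprs)
        for _ in range(max_depth):
            nxt = set()
            for expr in frontier:
                ids = [base_of(t) for t in IDENT.findall(expr)]
                ids = [i for i in ids if i in locals_ and i in direct and i != var]
                if not ids:
                    resolved.add(expr)
                    continue
                for sub in direct[ids[0]]:         # one local per round, the rest next round
                    nxt.add(substitute(expr, ids[0], "(" + sub + ")"))
            frontier = nxt
            if not frontier:
                break
        closure[var] = resolved | frontier
    return closure


def used_as_relations(closure, globals_):
    """Step 2 in miniature: (global symbol, type it is used as, address transformation)
    for every resolved expression that casts a value derived from a global."""
    relations = set()
    for exprs in closure.values():
        for expr in exprs:
            casts = [c for c in CAST.findall(expr) if c != "char"]   # (char *) is only byte arithmetic
            symbols = {base_of(t) for t in IDENT.findall(expr)} & set(globals_)
            for sym in symbols:
                for cast in casts[:1]:
                    relations.add((sym, cast, expr))
    return relations


# Constructed inputs: the slide's statements and the expanded find_module() loop body.
SLIDE_CODE = "x = y + 8 * sizeof(int); z = x & ~0xFF;"
FIND_MODULE_CODE = (
    "__mptr = (&modules)->next; "
    "mod = (struct module *) ((char *) __mptr - offsetof(struct module, list)); "
    "__mptr = mod->list.next;"
)

if __name__ == "__main__":
    print(points_to_closure(SLIDE_CODE, {"x", "z"}))
    closure = points_to_closure(FIND_MODULE_CODE, {"__mptr", "mod"})
    for var, exprs in closure.items():
        print(var, "->", exprs)
    for sym, cast, expr in used_as_relations(closure, {"modules"}):
        print("%s (declared struct list_head) used as %s via %s" % (sym, cast, expr))
```

Running it reports that modules, declared as struct list_head, is used as struct module through the expression (struct module *) ((char *) ((&modules)->next) - offsetof(struct module, list)): the type cast answers question 1 from the Static Code Analysis slide and the recorded expression answers question 2. The second expression for mod, the one derived from mod->list.next, stays self-referential, which is the over-approximation the slides accept in exchange for object coverage.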