cmpsc 497 static analysis
play

CMPSC 497: Static Analysis Trent Jaeger Systems and Internet - PowerPoint PPT Presentation

Dec 27, 2023 •172 likes •580 views

CMPSC 497: Static Analysis Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University Systems and Internet Infrastructure Security Laboratory (SIIS) Page 1

  1. CMPSC 497: � Static Analysis Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University Systems and Internet Infrastructure Security Laboratory (SIIS) Page 1

  2. Our Goal • In this course, we want to develop techniques to detect vulnerabilities before they are exploited automatically ‣ What ’ s a vulnerability? ‣ How to find them? Systems and Internet Infrastructure Security Laboratory (SIIS) Page 2

  3. Static Analysis • Provides an approximation of behavior • “ Run in the aggregate ” ‣ Rather than executing on ordinary states ‣ Finite-sized descriptors representing a collection of states • “ Run in non-standard way ” ‣ Run in fragments ‣ Stitch them together to cover all paths • Runtime testing is inherently incomplete, but static analysis can cover all paths Systems and Internet Infrastructure Security Laboratory (SIIS) Page 3

  4. Static Analysis • A challenge is that static analysis is a bit of an art form ‣ Which analysis technique do you use to answer which question? ‣ That is not so easy Systems and Internet Infrastructure Security Laboratory (SIIS) Page 4

  5. Static Analysis • A challenge is that static analysis is a bit of an art form ‣ Why is it hard? ‣ Rice’s Theorem states that all non-trivial questions about the semantic properties of programs from a universal program language are undecidable. (1953) • Syntatic properties (e.g., does program have an if-then-else) are possible to answer • But, the sort of questions we want to answer are often about semantic properties ‣ Thus, static analysis uses approximate program models Systems and Internet Infrastructure Security Laboratory (SIIS) Page 5

  6. Correctness • How does this impact proving a program is correct? Systems and Internet Infrastructure Security Laboratory (SIIS) Page 6

  7. Correctness • Soundness : ‣ Predicted results must apply to every system execution • Overapproximate the effect of every program statement ‣ Absolutely mandatory for trustworthiness of analysis results! • Completeness : ‣ Behavior of every system execution caught by analysis ‣ Prove any true statement in program is really true • Usually not guaranteed due to approximation ‣ Degree of completeness determines quality of analysis • Correctness : Soundness ^ Completeness (rare) Systems and Internet Infrastructure Security Laboratory (SIIS) Page 7

  8. Soundness • Soundness : ‣ All executions are represented ‣ Implication 1: no false negatives, as static analysis model represents all executions possible • However, unlikely that model is a correct representation of the program semantics ‣ Implication 2: Sound model is not complete ‣ Implication 3: A sound static analysis will produce some false positives ‣ The number of false positives determines the quality of the analysis Systems and Internet Infrastructure Security Laboratory (SIIS) Page 8

  9. Static Analysis Approaches • A challenge is that static analysis is a bit of an art form ‣ Which analysis technique do you use to answer which question? • How about for control flows, type-based analysis, and taint analysis? Systems and Internet Infrastructure Security Laboratory (SIIS) Page 9

  10. Static Analysis Approaches • Control flow ‣ Does a program execute one statement (e.g., security check) before another statement (e.g., security-sensitive operation)? Ordering of statements • Type-based analysis ‣ Does a program use data lacking properties (e.g., security check) in a statement (e.g., security-sensitive operation)? Label data using types • Taint analysis ‣ Does a program statement use a tainted value, and what is the impact of executing the statement on its variables? Systems and Internet Infrastructure Security Laboratory (SIIS) Page 10

  11. CFG Analysis • Does your program have a double free? • Can control flow analysis detect this? foo(int x, char **y) // need not be “main” { … buf1R1 = (char *) malloc(BUFSIZE2); buf2R1 = (char *) malloc(BUFSIZE2); free(buf1R1); free(buf2R1); buf1R2 = (char *) malloc(BUFSIZE1); strncpy(buf1R2, argv[1], BUFSIZE1-1); free(buf2R1); free(buf1R2); } Systems and Internet Infrastructure Security Laboratory (SIIS) Page 11

  12. CFG Analysis • Does your program have a double free? • What does the CFG look like? foo(int x, char **y) // need not be “main” { … buf1R1 = (char *) malloc(BUFSIZE2); buf2R1 = (char *) malloc(BUFSIZE2); free(buf1R1); free(buf2R1); buf1R2 = (char *) malloc(BUFSIZE1); strncpy(buf1R2, argv[1], BUFSIZE1-1); free(buf2R1); free(buf1R2); } Systems and Internet Infrastructure Security Laboratory (SIIS) Page 12

  13. CFG Analysis • Does your program have a double free? • What is the property of the CFG that indicates violation? foo(int x, char **y) // need not be “main” { … buf1R1 = (char *) malloc(BUFSIZE2); buf2R1 = (char *) malloc(BUFSIZE2); free(buf1R1); free(buf2R1); buf1R2 = (char *) malloc(BUFSIZE1); strncpy(buf1R2, argv[1], BUFSIZE1-1); free(buf2R1); free(buf1R2); } Systems and Internet Infrastructure Security Laboratory (SIIS) Page 13

  14. CFG Analysis • Does your program have a double free? • Can we identify the exploitation in this analysis? foo(int x, char **y) // need not be “main” { … buf1R1 = (char *) malloc(BUFSIZE2); buf2R1 = (char *) malloc(BUFSIZE2); free(buf1R1); free(buf2R1); buf1R2 = (char *) malloc(BUFSIZE1); strncpy(buf1R2, argv[1], BUFSIZE1-1); free(buf2R1); free(buf1R2); } Systems and Internet Infrastructure Security Laboratory (SIIS) Page 14

  15. CFG Analysis • Does your program have a double free? • What about this code? foo(int x, char **y) // need not be “main” { … buf1R1 = (char *) malloc(BUFSIZE2); buf2R1 = (char *) malloc(BUFSIZE2); free(buf1R1); free(buf2R1); buf2R1 = (char *) malloc(BUFSIZE2); buf1R2 = (char *) malloc(BUFSIZE1); strncpy(buf1R2, argv[1], BUFSIZE1-1); free(buf2R1); free(buf1R2); } Systems and Internet Infrastructure Security Laboratory (SIIS) Page 15

  16. CFG Analysis • Does your program have a double free? • What about this code? False positive? foo(int x, char **y) // need not be “main” { … buf1R1 = (char *) malloc(BUFSIZE2); buf2R1 = (char *) malloc(BUFSIZE2); free(buf1R1); free(buf2R1); buf2R1 = (char *) malloc(BUFSIZE2); buf1R2 = (char *) malloc(BUFSIZE1); strncpy(buf1R2, argv[1], BUFSIZE1-1); free(buf2R1); free(buf1R2); } Systems and Internet Infrastructure Security Laboratory (SIIS) Page 16

  17. CFG Analysis • Does your program have a double free? • How do we change the property to detect more accurately (with fewer false positives)? foo(int x, char **y) // need not be “main” { … buf1R1 = (char *) malloc(BUFSIZE2); buf2R1 = (char *) malloc(BUFSIZE2); free(buf1R1); free(buf2R1); buf2R1 = (char *) malloc(BUFSIZE2); buf1R2 = (char *) malloc(BUFSIZE1); strncpy(buf1R2, argv[1], BUFSIZE1-1); free(buf2R1); free(buf1R2); } Systems and Internet Infrastructure Security Laboratory (SIIS) Page 17

  18. CFG Analysis • Does your program have a double free? • Does our new rule work for the following? foo(int x, char **y) // need not be “main” { … buf1R1 = (char *) malloc(BUFSIZE2); buf2R1 = (char *) malloc(BUFSIZE2); free(buf1R1); free(buf2R1); bar(&buf2R1); buf1R2 = (char *) malloc(BUFSIZE1); strncpy(buf1R2, argv[1], BUFSIZE1-1); free(buf2R1); free(buf1R2); } Systems and Internet Infrastructure Security Laboratory (SIIS) Page 18

  19. CFG Analysis • Does your program have a double free? • What would need to be done to check? foo(int x, char **y) // need not be “main” { … buf1R1 = (char *) malloc(BUFSIZE2); buf2R1 = (char *) malloc(BUFSIZE2); free(buf1R1); free(buf2R1); bar(&buf2R1); buf1R2 = (char *) malloc(BUFSIZE1); strncpy(buf1R2, argv[1], BUFSIZE1-1); free(buf2R1); free(buf1R2); } Systems and Internet Infrastructure Security Laboratory (SIIS) Page 19

  20. CFG Analysis • Does your program have a double free? • What about this one? foo(int x, char **y) // need not be “main” { … buf1R1 = (char *) malloc(BUFSIZE2); buf2R1 = (char *) malloc(BUFSIZE2); free(buf1R1); free(buf2R1); buf3R1 = buf2R1; buf1R2 = (char *) malloc(BUFSIZE1); strncpy(buf1R2, argv[1], BUFSIZE1-1); free(buf3R1); free(buf1R2); } Systems and Internet Infrastructure Security Laboratory (SIIS) Page 21

  21. Type-based Analysis • Does your program have a double free? • Can we express the rule with types (type-based)? foo(int x, char **y) // need not be “main” { … buf1R1 = (char *) malloc(BUFSIZE2); buf2R1 = (char *) malloc(BUFSIZE2); free(buf1R1); free(buf2R1); buf2R1 = (char *) malloc(BUFSIZE2); buf1R2 = (char *) malloc(BUFSIZE1); strncpy(buf1R2, argv[1], BUFSIZE1-1); free(buf2R1); free(buf1R2); } Systems and Internet Infrastructure Security Laboratory (SIIS) Page 22

  22. Type-based Analysis • Does your program have a double free? • Can we express the rule with types (type-based)? foo(int x, char **y) // need not be “main” { … buf1R1 = (char *) malloc(BUFSIZE2); DEF buf2R1 = (char *) malloc(BUFSIZE2); free(buf1R1); free(buf2R1), FREE x1 = buf2R1; DEF y = x1, y = (char *) malloc(BUFSIZE2); buf1R2 = (char *) malloc(BUFSIZE1); strncpy(buf1R2, argv[1], BUFSIZE1-1); free(y), FREE x2 = y; free(buf1R2); } Systems and Internet Infrastructure Security Laboratory (SIIS) Page 23

Recommend

Static Analysis Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security * Some

Static Analysis Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security * Some

Static Analysis Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security * Some slides adapted from those by Trent Jaeger Prevention: Program Analysis Any automated analysis at compile or dynamic time to find potential bugs

798 views • 61 slides
Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting insights at compile time Full branch coverage Terminates Doesnt rely on a test suite Types are static analysis. Lets talk about

784 views • 39 slides
Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ? Basic analysis ! Example : Flow analysis ! Increasing precision ! Context -, flow -, and path sensitivity Scaling it up !

527 views • 27 slides
1 Analysis Information Where Do Facts Hold? How much information depends on the client

1 Analysis Information Where Do Facts Hold? How much information depends on the client

711? CS711 Advanced Programming Languages Topics in Program Analysis Radu Rugina Fall 2005 CS711 Overview 2 Program Analysis Static vs. Dynamic Static analysis: inspect programs at compile-time Static analysis: Work done at

282 views • 4 slides
A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical

A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical

A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical problem and how to ignore it An example static analysis What is static analysis used for? Commercial successes Free static analysis tools you should

490 views • 37 slides
Static Analysis Static Analysis they are read? Will the current value of a variable ever be

Static Analysis Static Analysis they are read? Will the current value of a variable ever be

Interesting Questions Interesting Questions Is every statement reachable? Does every non- void method return a value? Compilation 2007 Compilation 2007 Will local variables definitely be assigned before Static Analysis Static

169 views • 13 slides
Static and dynamic verification Software inspections Concerned with analysis of the static

Static and dynamic verification Software inspections Concerned with analysis of the static

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis Software

430 views • 12 slides
Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

I NTELLI D ROID A Targeted Input Generator for the Dynamic Analysis of Android Malware Michelle Y. Wong and David Lie University of Toronto Department of Electrical and Computer Engineering NDSS Symposium 2016 ! ! ! B ACKGROUND Static vs.

1.02k views • 32 slides
Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that

Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that

Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that Martin Steffen IfI UiO Spring 2014 Plan approx. 15 lectures, details see web-page flexible time-schedule, depending on progress/interest

2.15k views • 194 slides
CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu February 1, 2017 Static Analysis Static Analysis is the process of documenting your observations about what identifying characteristics a

575 views • 8 slides
Static and dynamic verification Software inspections Concerned with analysis of the

Static and dynamic verification Software inspections Concerned with analysis of the

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis

310 views • 12 slides
Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all

Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all

Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Plan approx. 15 lectures, details see web-page flexible time-schedule, depending on

938 views • 69 slides
Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis of Programs with Dynamic Memory Mihaela Sighireanu IRIF, University Paris Diderot & CNRS VTSA 2015 1 / 99 Static Analysis Establish

2.15k views • 186 slides
Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile

Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile

Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile philip@tecnocode.co.uk July 30, 2017 MANCHESTER What is static analysis? Compile-time testing of all possible code paths. Whats Coverity static analysis

236 views • 12 slides
Outline t t Why static analysis? t t What is it? Underlying technology t Some

Outline t t Why static analysis? t t What is it? Underlying technology t Some

2005-05-04 Static Analysis methods and tools An industrial study t Pr Emanuelsson Ericsson AB and LiU Prof Ulf Nilsson LiU t itle Outline t t Why static analysis? t t What is it? Underlying technology t Some tools

438 views • 19 slides
Static execution-time analysis CPU speed model Bounds on Static (Sub)program code exec time

Static execution-time analysis CPU speed model Bounds on Static (Sub)program code exec time

Tid rum Static Execution Time Analysis Niklas Holsti Space Systems Finland Ltd (now) Tidorum Ltd(to be) Overview Area of interest Current state Work in progress What to do next 1 bo Akademi, ES lab, 2003-10-03 Tid rum

466 views • 12 slides
Compiler Development (CMPSC 401) Lexical Analysis Janyl Jumadinova January 29, 2019 Janyl

Compiler Development (CMPSC 401) Lexical Analysis Janyl Jumadinova January 29, 2019 Janyl

Compiler Development (CMPSC 401) Lexical Analysis Janyl Jumadinova January 29, 2019 Janyl Jumadinova Compiler Development (CMPSC 401) January 29, 2019 1 / 40 Automaton and Regular Expressions Deterministic Finite Automata (DFAs),

526 views • 49 slides
Static Analysis with Demand-Driven Value Refinement Benno Stein, Benjamin Barslev Nielsen,

Static Analysis with Demand-Driven Value Refinement Benno Stein, Benjamin Barslev Nielsen,

Static Analysis with Demand-Driven Value Refinement Benno Stein, Benjamin Barslev Nielsen, Bor-Yuh Evan Chang & Anders Mller Sound static analysis for JavaScript Static analysis for JavaScript is very challenging o[m]() 2 /17

605 views • 36 slides
Compiler Development (CMPSC 401) Semantic Analysis Janyl Jumadinova March 12, 2019 Janyl

Compiler Development (CMPSC 401) Semantic Analysis Janyl Jumadinova March 12, 2019 Janyl

Compiler Development (CMPSC 401) Semantic Analysis Janyl Jumadinova March 12, 2019 Janyl Jumadinova Compiler Development (CMPSC 401) March 12, 2019 1 / 32 Where we are now Program is lexically well-formed: Identifiers have valid names.

605 views • 49 slides
Compiler Development (CMPSC 401) Lexical Analysis Janyl Jumadinova January 24, 2019 Janyl

Compiler Development (CMPSC 401) Lexical Analysis Janyl Jumadinova January 24, 2019 Janyl

Compiler Development (CMPSC 401) Lexical Analysis Janyl Jumadinova January 24, 2019 Janyl Jumadinova Compiler Development (CMPSC 401) January 24, 2019 1 / 26 Outline Quick overview of basic concepts of formal grammars. Lexical

721 views • 47 slides
Outline Static Analysis: Overview, Syntactic Analysis and Abstract Interpretation Overview

Outline Static Analysis: Overview, Syntactic Analysis and Abstract Interpretation Overview

Outline Static Analysis: Overview, Syntactic Analysis and Abstract Interpretation Overview TDDC90: Software Security Syntactic Analysis Ahmed Rezine Abstract Interpretation IDA, Linkpings Universitet Hsttermin 2014 Static Program

75 views • 7 slides
Introduction to Static Analysis for Assurance John Rushby Computer Science Laboratory SRI

Introduction to Static Analysis for Assurance John Rushby Computer Science Laboratory SRI

Introduction to Static Analysis for Assurance John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby Static Analysis for Assurance: 1 Overview What is static analysis? Examples of some techniques

732 views • 34 slides
Static analysis of OpenAFS code base Cheyenne Wills OpenAFS 2019 Workshop Overview What is

Static analysis of OpenAFS code base Cheyenne Wills OpenAFS 2019 Workshop Overview What is

Static analysis of OpenAFS code base Cheyenne Wills OpenAFS 2019 Workshop Overview What is static analysis What are the tools Analysis of the OpenAFS code base What is static analysis Static analysis is performed by analysing

556 views • 20 slides
Using the Clang Static Analyzer Vince Bridgers About this tutorial Soup to nuts

Using the Clang Static Analyzer Vince Bridgers About this tutorial Soup to nuts

Using the Clang Static Analyzer Vince Bridgers About this tutorial Soup to nuts Small amount of theory to a practical example Why Static Analysis? Static Analysis in Continuous Integration What is Cross Translation Unit

480 views • 34 slides

More recommend