Detection of Software Vulnerabilities: Static Analysis (Part I) - PowerPoint PPT Presentation

Systems and Software Verification Laboratory
Detection of Software Vulnerabilities: Static Analysis (Part I)
Lucas Cordeiro, Department of Computer Science, lucas.cordeiro@manchester.ac.uk


  2. Detection of Vulnerabilities
  • Detect the presence of vulnerabilities in the code during development, testing, and maintenance
  • Trade-off between soundness and completeness
    § A detection technique is sound for a given category if it can correctly conclude that a given program has no vulnerabilities
      o An unsound detection technique may have false negatives, i.e., actual vulnerabilities that the detection technique fails to find
    § A detection technique is complete for a given category if any vulnerability it finds is an actual vulnerability
      o An incomplete detection technique may have false positives, i.e., it may detect issues that do not turn out to be actual vulnerabilities

  4. Detection of Vulnerabilities
  • Achieving soundness requires reasoning about all executions of a program (usually an infinite number)
    § This can be done by static checking of the program code while making suitable abstractions of the executions
  • Achieving completeness can be done by performing actual, concrete executions of a program that are witnesses to any vulnerability reported
    § The analysis technique has to come up with concrete inputs for the program that trigger a vulnerability
    § A typical dynamic approach is software testing: the tester writes test cases with concrete inputs and specific checks for the outputs

  6. Detection of Vulnerabilities
  Detection tools can use a hybrid combination of static and dynamic analysis techniques to achieve a good trade-off between soundness and completeness
  Dynamic verification should be used in conjunction with static verification to provide full code coverage

  7. Intended learning outcomes
  • Introduce software verification and validation
  • Understand soundness and completeness concerning detection techniques
  • Emphasize the difference among static analysis, testing/simulation, and debugging
  • Explain bounded model checking of software
  • Explain unbounded model checking of software

  8. Static analysis vs Testing/Simulation
  (figure: simulation/testing either reports OK or finds an error)
  • Checks only some of the system executions
    § May miss errors
  • A successful execution is an execution that discovers one or more errors

  9. Static analysis vs Testing/Simulation
  (figure: model checking takes the specification and reports either OK or an error trace: Line 5: …, Line 12: …, …, Line 41: …)
  • Exhaustively explores all executions
  • Reports errors as traces
  • May produce incorrect results

  10. Avoiding state space explosion
  • Bounded Model Checking (BMC)
    § Breadth-first search (BFS) approach
  • Symbolic Execution
    § Depth-first search (DFS) approach

  11. Bounded Model Checking
  A graph G = (V, E) consists of:
  • V: a set of vertices or nodes
  • E ⊆ V × V: set of edges connecting the nodes
  • Bounded model checkers explore the state space in depth (figure: levels k = 0, 1, 2, 3, 4, 5, 6)
  • Can only prove correctness if all states are reachable within the bound

  12. Breadth-First Search (BFS)
  BFS(G, s)
      for each vertex u ∈ V[G] − {s}        // initialisation of graph nodes
          colour[u] ← white                 // colour of u
          d[u] ← ∞                          // distance of u from the anchor s
          π[u] ← NIL                        // predecessor of u
      colour[s] ← grey                      // initialises the anchor node s
      d[s] ← 0
      π[s] ← NIL
      enqueue(Q, s)
      while Q ≠ ∅ do
          u ← dequeue(Q)
          for each v ∈ Adj[u] do            // visit each node adjacent to u
              if colour[v] = white then
                  colour[v] ← grey
                  d[v] ← d[u] + 1
                  π[v] ← u
                  enqueue(Q, v)
          colour[u] ← blue

  13–20. BFS Example (figure: BFS over a graph with nodes 0, 1, 2, 3, 4, 5, 6, 7, animated step by step over eight slides)
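As an added illustration of slides 11 and 12 (this code is not from the slides): the BFS below keeps the slide's colour/d/π bookkeeping, adds the depth bound k of slide 11, and claims "ok" only when every state was reached within the bound. The graph on nodes 0–7 is constructed, since the slides' edge set is not recoverable from the figures.

```python
from collections import deque
from math import inf

# Constructed example graph on the nodes 0..7 of the slides (an assumption:
# the slides' edge set is not recoverable from the figures).
GRAPH = {0: [1, 4], 1: [0, 5], 2: [3, 6], 3: [2, 7],
         4: [0], 5: [1, 6], 6: [2, 5, 7], 7: [3, 6]}

def bfs(adj, s, bound=None):
    """Slide 12's BFS with slide 11's depth bound.

    Returns (colour, d, pi, complete): colour/d/pi as on the slide; complete is
    True only if every node was reached within the bound, which is the
    condition under which the bounded search proves anything about all states.
    """
    colour = {u: "white" for u in adj}        # initialisation of graph nodes
    d = {u: inf for u in adj}                 # distance from the anchor s
    pi = {u: None for u in adj}               # predecessor (NIL)
    colour[s], d[s] = "grey", 0               # initialise the anchor node s
    q = deque([s])
    while q:
        u = q.popleft()
        if bound is None or d[u] < bound:     # expand u only inside the bound
            for v in adj[u]:                  # visit each node adjacent to u
                if colour[v] == "white":
                    colour[v] = "grey"
                    d[v] = d[u] + 1
                    pi[v] = u
                    q.append(v)
        colour[u] = "blue"                    # the slide paints finished nodes blue
    complete = all(c != "white" for c in colour.values())
    return colour, d, pi, complete

def check_within_bound(adj, s, errors, k):
    """Bounded check on an explicit state graph: an error node reached within k
    steps is reported as a trace (slide 9), 'ok' is claimed only if the bound
    covered every state (slide 11), and otherwise the result is inconclusive."""
    colour, _, pi, complete = bfs(adj, s, k)
    for e in errors:
        if colour[e] != "white":              # reached within k steps
            trace, u = [], e
            while u is not None:              # rebuild the path via pi
                trace.append(u)
                u = pi[u]
            return "fail", trace[::-1]
    return ("ok" if complete else "inconclusive"), None
```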

  21. Symbolic Execution
  • Symbolic execution explores all paths individually
  • Can only prove correctness if all paths are explored

  22. Depth-first search (DFS)
  Paint all vertices white and initialize the fields π with NIL, where π[u] represents the predecessor of u

  23–34. DFS Example (figure: DFS over the same graph with nodes 0–7, animated over twelve slides; each node is annotated with its discovery/finishing times, and the final labels are 1/14, 2/9, 3/8, 4/7, 5/6, 10/13, 11/12 and 15/16)
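An added example for slides 21–34 (not code from the slides): the DFS records the discovery/finishing times shown as d/f labels in the figures, and the path enumeration shows what "explores all paths individually" means for a graph with cycles. The graph on nodes 0–7 is constructed, as the slides' edge set is not recoverable.

```python
from typing import Dict, List, Tuple

# Constructed example graph on the nodes 0..7 (an assumption: the slides'
# edge set is not recoverable from the figures).
GRAPH: Dict[int, List[int]] = {0: [1, 4], 1: [0, 5], 2: [3, 6], 3: [2, 7],
                               4: [0], 5: [1, 6], 6: [2, 5, 7], 7: [3, 6]}

def dfs(adj: Dict[int, List[int]]) -> Tuple[Dict[int, int], Dict[int, int], Dict[int, int]]:
    """DFS with white/grey/black colouring, predecessor pi and the
    discovery/finishing times d/f that label the nodes on slides 23-34."""
    colour = {u: "white" for u in adj}        # paint all vertices white
    pi = {u: None for u in adj}               # initialise pi with NIL
    d, f = {}, {}
    time = 0

    def visit(u: int) -> None:
        nonlocal time
        time += 1
        d[u] = time                           # discovery time
        colour[u] = "grey"
        for v in adj[u]:
            if colour[v] == "white":
                pi[v] = u
                visit(v)                      # go deep before going wide
        colour[u] = "black"
        time += 1
        f[u] = time                           # finishing time

    for u in adj:
        if colour[u] == "white":
            visit(u)
    return d, f, pi

def all_paths(adj: Dict[int, List[int]], s: int, t: int) -> List[List[int]]:
    """Symbolic-execution style exploration: every simple path from s to t is
    visited individually (slide 21); only once this list is exhausted can
    anything be claimed about all paths to t."""
    paths, stack = [], [(s, [s])]
    while stack:
        u, path = stack.pop()
        if u == t:
            paths.append(path)
            continue
        for v in adj[u]:
            if v not in path:                 # stay on simple paths despite cycles
                stack.append((v, path + [v]))
    return paths
```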

  38. V&V and debugging
  • V&V and debugging are distinct processes
  • V&V is concerned with establishing the absence or existence of defects in a program, respectively
  • Debugging is concerned with two main tasks
    § Locating and
    § Repairing these errors
  • Debugging involves
    § Formulating a hypothesis about program behaviour
    § Testing these hypotheses to find the system error

  39. The debugging process
  (figure: test results → locate error → design error repair → repair error → re-test program, with the specification and the test cases as inputs)
  Ian Sommerville. Software Engineering (6th, 7th or 8th Edn), Addison Wesley

  40. Intended learning outcomes
  • Introduce software verification and validation
  • Understand soundness and completeness concerning detection techniques
  • Emphasize the difference among static analysis, testing/simulation, and debugging
  • Explain bounded model checking of software
  • Explain precise memory model for software verification

  43. Circuit Satisfiability
  • A Boolean formula contains
    § Variables whose values are 0 or 1
    § Connectives: ∧ (AND), ∨ (OR), and ¬ (NOT)
  • A Boolean formula is SAT if there exists some assignment to its variables that evaluates it to 1

  44. Circuit Satisfiability
  • A Boolean combinational circuit consists of one or more Boolean combinational elements interconnected by wires
  (figure: example circuit; SAT: <x1 = 1, x2 = 1, x3 = 0>)

  47. Circuit-Satisfiability Problem
  • Given a Boolean combinational circuit of AND, OR, and NOT gates, is it satisfiable?
  CIRCUIT-SAT = {<C> : C is a satisfiable Boolean combinational circuit}
    § Size: number of Boolean combinational elements plus the number of wires
      o if the circuit has k inputs, then we would have to check up to 2^k possible assignments
    § When the size of C is polynomial in k, checking each one takes Ω(2^k)
      o super-polynomial in the size of k

  54. Formula Satisfiability (SAT)
  • The SAT problem asks whether a given Boolean formula is satisfiable
  SAT = {<Φ> : Φ is a satisfiable Boolean formula}
    § Example:
      o Φ = ((x1 → x2) ∨ ¬((¬x1 ↔ x3) ∨ x4)) ∧ ¬x2
      o Assignment: <x1 = 0, x2 = 0, x3 = 1, x4 = 1>
      o Φ = ((0 → 0) ∨ ¬((¬0 ↔ 1) ∨ 1)) ∧ ¬0
      o Φ = (1 ∨ ¬(1 ∨ 1)) ∧ 1
      o Φ = (1 ∨ 0) ∧ 1
      o Φ = 1

  57. DPLL satisfiability solving
  Given a Boolean formula φ in clausal form (an AND of ORs), e.g. {{a, b}, {¬a, b}, {a, ¬b}, {¬a, ¬b}}, determine whether a satisfying assignment of variables to truth values exists.
  Solvers based on the Davis-Putnam-Logemann-Loveland algorithm:
  1. If φ = ∅ then SAT
  2. If ⃞ ∈ φ then UNSAT
  3. If φ = φ' ∪ {x} then DPLL(φ'[x ↦ true]); if φ = φ' ∪ {¬x} then DPLL(φ'[x ↦ false])
  4. Pick arbitrary x and return DPLL(φ[x ↦ false]) ∨ DPLL(φ[x ↦ true])
  (figure: search tree for {{a, b}, {¬a, b}, {a, ¬b}}: branching on a ↦ false leaves {{b}, {¬b}} and a ↦ true leaves {{b}}; the b-branches end in {⃞} (UNSAT) twice and in ∅ (SAT) once)
  + NP-complete, but many heuristics and optimizations ⇒ can handle problems with 100,000's of variables

  58. SAT solving as enabling technology

  59. SAT Competition

  61. Bounded Model Checking (BMC)
  MC: check if a property holds for all states
  BMC: check if a property holds for a subset of states
  (figure: states unfolding from Init towards an error state; BMC explores only up to depth k)

  63. Bounded Model Checking (BMC)
  MC (flowchart): input M, S → "IS THERE ANY ERROR?" → no: ok; yes: fail
  BMC (flowchart): input M, S and bound k → "IS THERE ANY ERROR IN k STEPS?" → yes: fail; no: move on to bound k + 1 while it is still tractable; ok once the completeness threshold is reached (which "never" happens in practice); otherwise k + 1 becomes intractable

  67. Bounded Model Checking
  Basic idea: check the negation of a given property up to a given depth
  (figure: transition system M0, M1, M2, …, Mk-1, Mk unrolled up to the bound k; property ¬ϕ0 ∨ ¬ϕ1 ∨ ¬ϕ2 ∨ … ∨ ¬ϕk-1 ∨ ¬ϕk; a satisfying assignment is a counterexample trace)
  • transition system M unrolled k times
    – for programs: unroll loops, unfold arrays, …
  • translated into verification condition ψ such that ψ satisfiable iff ϕ has counterexample of max. depth k
  • has been applied successfully to verify HW/SW systems
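An added worked example for slides 55–57 and 64–67 (not code from the slides): the four DPLL rules on clause sets in DIMACS-style integer literals, then the BMC verification condition ψ for a constructed 2-bit counter (states 0, 1, 2, 3, 0, …) unrolled k times against the property "state 3 is never reached", so that ψ is satisfiable exactly when a counterexample of depth at most k exists. The counter, the variable numbering and the function names are assumptions.

```python
from typing import Dict, FrozenSet, List, Optional

Clause = FrozenSet[int]      # DIMACS-style literals: v means x_v, -v means ¬x_v
Model = Dict[int, bool]

def assign(clauses: List[Clause], lit: int) -> List[Clause]:
    """φ[lit ↦ true]: drop clauses containing lit, delete ¬lit from the rest."""
    return [c - {-lit} for c in clauses if lit not in c]

def dpll(clauses: List[Clause], model: Optional[Model] = None) -> Optional[Model]:
    """The four rules of slide 56; returns a satisfying assignment or None (UNSAT)."""
    model = dict(model or {})
    if not clauses:                                   # 1. φ = ∅ → SAT
        return model
    if any(not c for c in clauses):                   # 2. ⃞ ∈ φ → UNSAT
        return None
    for c in clauses:                                 # 3. unit clause {x} or {¬x}
        if len(c) == 1:
            (lit,) = c
            return dpll(assign(clauses, lit), {**model, abs(lit): lit > 0})
    x = abs(min(clauses[0]))                          # 4. pick an arbitrary x
    for lit in (-x, x):                               #    DPLL(φ[x↦false]) ∨ DPLL(φ[x↦true])
        m = dpll(assign(clauses, lit), {**model, x: lit > 0})
        if m is not None:
            return m
    return None

def counter_bmc(k: int) -> Optional[Model]:
    """ψ for a constructed 2-bit counter (0,1,2,3,0,...) unrolled k times against
    'state 3 is never reached'; satisfiable iff a counterexample of depth ≤ k
    exists (slide 66). Returns that counterexample as a model, or None."""
    b0 = lambda i: 3 * i + 1            # low bit of the state at step i
    b1 = lambda i: 3 * i + 2            # high bit of the state at step i
    e = lambda i: 3 * i + 3             # 'the property is violated at step i'
    cl = [{-b0(0)}, {-b1(0)}]           # initial state M0: counter = 0
    for i in range(k):                  # transition relation M_i -> M_{i+1}
        cl += [{-b0(i + 1), -b0(i)}, {b0(i + 1), b0(i)}]                    # b0' ↔ ¬b0
        cl += [{-b1(i + 1), b1(i), b0(i)}, {-b1(i + 1), -b1(i), -b0(i)},
               {b1(i + 1), -b1(i), b0(i)}, {b1(i + 1), b1(i), -b0(i)}]      # b1' ↔ b1 ⊕ b0
    for i in range(k + 1):              # ¬ϕ_i: e_i → (b1_i ∧ b0_i), i.e. state 3 at step i
        cl += [{-e(i), b1(i)}, {-e(i), b0(i)}]
    cl.append({e(i) for i in range(k + 1)})   # ¬ϕ_0 ∨ ¬ϕ_1 ∨ ... ∨ ¬ϕ_k
    return dpll([frozenset(c) for c in cl])
```

With k = 2 the unrolling only reaches states 0, 1 and 2, so ψ is UNSAT; with k = 3 the model returned assigns both bits of step 3 to true, which is the counterexample trace.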

  72. Satisfiability Modulo Theories (1)
  SMT decides the satisfiability of first-order logic formulae using the combination of different background theories (built-in operators)
  Theory              Example
  Equality            x1 = x2 ∧ ¬(x1 = x3) ⇒ ¬(x1 = x3)
  Bit-vectors         (b >> i) & 1 = 1
  Linear arithmetic   (4y1 + 3y2 ≥ 4) ∨ (y2 − 3y3 ≤ 3)
  Arrays              (j = k ∧ a[k] = 2) ⇒ a[j] = 2
