static analysis
play

Static Analysis Trent Jaeger Systems and Internet Infrastructure - PowerPoint PPT Presentation

Sep 18, 2023 •366 likes •885 views

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Static Analysis Trent Jaeger Systems and Internet Infrastructure

  1. Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Static Analysis Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University September 12, 2011 Systems and Internet Infrastructure Security (SIIS) Laboratory Page 1

  2. Outline • Static Analysis Goals • Static Analysis Concepts • Abstract Interpretation • Interprocedural Dataflow Analysis Systems and Internet Infrastructure Security (SIIS) Laboratory Page 2

  3. Our Goal • In this course, we want to develop techniques to detect vulnerabilities and fix them automatically • What’s a vulnerability? • How to fix them? • Today we will start to develop some of the techniques that we will use Systems and Internet Infrastructure Security (SIIS) Laboratory Page 3

  4. Vulnerability • How do you define computer ‘vulnerability’? Flaw ‣ Accessible to adversary ‣ Adversary has ability to exploit ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 4

  5. Vulnerability • How do you define computer ‘vulnerability’? Flaw – Can we find flaws in source code? ‣ Accessible to adversary – Can we find what is accessible? ‣ Adversary has ability to exploit – Can we find how to exploit? ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 5

  6. Anatomy of Control Flow Attacks • Two steps • First, the attacker changes the control flow of the program In buffer overflow, overwrite the return ‣ address on the stack What are the ways that this can be done? ‣ • Second, the attacker uses this change to run code of their choice In buffer overflow, inject code on stack ‣ What are the ways that this can be done? ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 6

  7. Anatomy of Control Flow Attacks • Two steps • First, the attacker changes the control flow of the program In buffer overflow, overwrite the return ‣ address on the stack How can an adversary change control? ‣ • Second, the attacker uses this change to run code of their choice In buffer overflow, inject code on stack ‣ How can we prevent this? ROP conclusions ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 7

  8. Static Analysis • Explore all possible executions of a program All possible inputs ‣ All possible states ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 8

  9. A Form of Testing • Static analysis is an alternative to runtime testing • Runtime Select concrete inputs ‣ Obtain a sequence of states given those inputs ‣ Apply many concrete inputs (i.e., run many tests) ‣ • Static Select abstract inputs with common properties ‣ Obtain sets of states created by executing abstract inputs ‣ One run ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 9

  10. Static Analysis • Provides an approximation of behavior • “Run in the aggregate” Rather than executing on ordinary states ‣ Finite-sized descriptors representing a collection of states ‣ • “Run in non-standard way” Run in fragments ‣ Stitch them together to cover all paths ‣ • Runtime testing is inherently incomplete, but static analysis can cover all paths Systems and Internet Infrastructure Security (SIIS) Laboratory Page 10

  11. Static Analysis • Provides an approximation of behavior • “Run in the aggregate” Rather than executing on ordinary states ‣ Finite-sized descriptors representing a collection of states ‣ • “Run in non-standard way” Run in fragments ‣ Stitch them together to cover all paths ‣ • Runtime testing is inherently incomplete, but static analysis can cover all paths Systems and Internet Infrastructure Security (SIIS) Laboratory Page 11

  12. Static Analysis Example • Descriptors represent the sign of a value Positive, negative, zero, unknown ‣ • For instruction, c = a * b If a has a descriptor pos ‣ And b has a descriptor neg ‣ • What is the descriptor for c after that instruction? • How might this help? Systems and Internet Infrastructure Security (SIIS) Laboratory Page 12

  13. Descriptors • Choose a set of descriptors that Abstracts away details to make analysis tractable ‣ Preserves enough information that key properties hold ‣ Can determine interesting results • • Using sign as a descriptor Abstracts away specific integer values (billions to four) ‣ Guarantees when a*b = 0 it will be zero in all executions ‣ • Choosing descriptors is one key step in static analysis Systems and Internet Infrastructure Security (SIIS) Laboratory Page 13

  14. Precision • Abstraction loses some precision • Enables run in aggregate, but may result in executions that are not possible in the program (a <= b) when both are pos ‣ If b is equal to a at that point, then false branch is never ‣ possible in concrete executions • Results in false positives Systems and Internet Infrastructure Security (SIIS) Laboratory Page 14

  15. Soundness • The use of descriptors “over-approximates” a program’s possible executions • Abstraction must include all possible legal values May include some values that are not actually possible ‣ • The run-in-aggregate must preserve such abstractions Thus, must propagate values that are not really possible ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 15

  16. Implications of Soundness • Enables proof that a class of vulnerabilities are completely absent No false negatives in a sound analysis ‣ • Comes at a price Ensuring soundness can be complex, expensive, cautious ‣ • Thus, unsound analyses have gained in popularity Find bugs quickly and simply ‣ Such analyses have both false positives and false negatives ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 16

  17. What Is Static Analysis? • Abstract Interpretation Execute the system on a simpler data domain ‣ Descriptors of the abstract domain • Rather than the concrete domain ‣ • Elements in an abstract domain represent sets of concrete states Execution mimics all concrete states at once ‣ • Abstract domain provides an over-approximation of the concrete domain Systems and Internet Infrastructure Security (SIIS) Laboratory Page 17

  18. Abstract Domain Example • Use interval as abstract domain b = [40, 41] ‣ • a = 2*b a = [x, y]? ‣ • What are the possible concrete values represented? Which concrete states are possible? ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 18

  19. Joins • A join combines states from multiple paths Approximates set-union as either path is possible ‣ • Use Interval as abstract domain a = [36, 39], b = [40, 41] ‣ • If (a >= 38) a=2*b; /* join */ a = [x, y], b=[40, 41] – what are x and y? ‣ • What’s the impact of over-approximation? Systems and Internet Infrastructure Security (SIIS) Laboratory Page 19

  20. Impact of Abstract Domain • The choice of abstract domain must preserve the over-approximation to be sound (no false negatives) • Integer arithmetic vs 2’s-complement arithmetic • a = [126, 127], b = [10, 12] What is c = a+b in an 32-bit machine? ‣ What is c = a+b in an 8-bit machine? ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 20

  21. Successive Approximation • The abstract execution of a system can often be cast as a problem of solving a set of equations by means of successive approximation. • If constructed correctly, the execution of the system in the abstract domain over-approximates the semantics of the original system Any behavior not exhibited by the abstract domain cannot ‣ be exhibited during concrete system execution. Systems and Internet Infrastructure Security (SIIS) Laboratory Page 21

  22. Abstract Interpretation • Patrick Cousot Class slides/notes from MIT ‣ http://web.mit.edu/afs/athena.mit.edu/course/16/16.399/www/ ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 22

  23. Abstract Interpretation • Patrick Cousot Class slides/notes from MIT ‣ http://web.mit.edu/afs/athena.mit.edu/course/16/16.399/www/ ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 23

  24. Abstract Interpretation Systems and Internet Infrastructure Security (SIIS) Laboratory Page 24

  25. Abstract Interpretation Systems and Internet Infrastructure Security (SIIS) Laboratory Page 25

  26. Abstract Interpretation Systems and Internet Infrastructure Security (SIIS) Laboratory Page 26

  27. Abstract Interpretation Systems and Internet Infrastructure Security (SIIS) Laboratory Page 27

  28. Abstract Interpretation Systems and Internet Infrastructure Security (SIIS) Laboratory Page 28

  29. Abstract Interpretation Systems and Internet Infrastructure Security (SIIS) Laboratory Page 29

  30. Abstract Interpretation Systems and Internet Infrastructure Security (SIIS) Laboratory Page 30

  31. Abstract Interpretation Systems and Internet Infrastructure Security (SIIS) Laboratory Page 31

  32. Abstract Interpretation Systems and Internet Infrastructure Security (SIIS) Laboratory Page 32

  33. Abstract Interpretation Systems and Internet Infrastructure Security (SIIS) Laboratory Page 33

  34. Abstract Interpretation Systems and Internet Infrastructure Security (SIIS) Laboratory Page 34

  35. Abstract Interpretation Systems and Internet Infrastructure Security (SIIS) Laboratory Page 35

Recommend

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting insights at compile time Full branch coverage Terminates Doesnt rely on a test suite Types are static analysis. Lets talk about

784 views • 39 slides
Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ? Basic analysis ! Example : Flow analysis ! Increasing precision ! Context -, flow -, and path sensitivity Scaling it up !

527 views • 27 slides
1 Analysis Information Where Do Facts Hold? How much information depends on the client

1 Analysis Information Where Do Facts Hold? How much information depends on the client

711? CS711 Advanced Programming Languages Topics in Program Analysis Radu Rugina Fall 2005 CS711 Overview 2 Program Analysis Static vs. Dynamic Static analysis: inspect programs at compile-time Static analysis: Work done at

282 views • 4 slides
A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical

A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical

A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical problem and how to ignore it An example static analysis What is static analysis used for? Commercial successes Free static analysis tools you should

490 views • 37 slides
Static Analysis Static Analysis they are read? Will the current value of a variable ever be

Static Analysis Static Analysis they are read? Will the current value of a variable ever be

Interesting Questions Interesting Questions Is every statement reachable? Does every non- void method return a value? Compilation 2007 Compilation 2007 Will local variables definitely be assigned before Static Analysis Static

169 views • 13 slides
Static and dynamic verification Software inspections Concerned with analysis of the static

Static and dynamic verification Software inspections Concerned with analysis of the static

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis Software

430 views • 12 slides
Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

I NTELLI D ROID A Targeted Input Generator for the Dynamic Analysis of Android Malware Michelle Y. Wong and David Lie University of Toronto Department of Electrical and Computer Engineering NDSS Symposium 2016 ! ! ! B ACKGROUND Static vs.

1.02k views • 32 slides
Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that

Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that

Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that Martin Steffen IfI UiO Spring 2014 Plan approx. 15 lectures, details see web-page flexible time-schedule, depending on progress/interest

2.15k views • 194 slides
CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu February 1, 2017 Static Analysis Static Analysis is the process of documenting your observations about what identifying characteristics a

575 views • 8 slides
Static and dynamic verification Software inspections Concerned with analysis of the

Static and dynamic verification Software inspections Concerned with analysis of the

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis

310 views • 12 slides
Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all

Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all

Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Plan approx. 15 lectures, details see web-page flexible time-schedule, depending on

938 views • 69 slides
Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis of Programs with Dynamic Memory Mihaela Sighireanu IRIF, University Paris Diderot &amp; CNRS VTSA 2015 1 / 99 Static Analysis Establish

2.15k views • 186 slides
Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile

Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile

Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile philip@tecnocode.co.uk July 30, 2017 MANCHESTER What is static analysis? Compile-time testing of all possible code paths. Whats Coverity static analysis

236 views • 12 slides
Outline t t Why static analysis? t t What is it? Underlying technology t Some

Outline t t Why static analysis? t t What is it? Underlying technology t Some

2005-05-04 Static Analysis methods and tools An industrial study t Pr Emanuelsson Ericsson AB and LiU Prof Ulf Nilsson LiU t itle Outline t t Why static analysis? t t What is it? Underlying technology t Some tools

438 views • 19 slides
Static execution-time analysis CPU speed model Bounds on Static (Sub)program code exec time

Static execution-time analysis CPU speed model Bounds on Static (Sub)program code exec time

Tid rum Static Execution Time Analysis Niklas Holsti Space Systems Finland Ltd (now) Tidorum Ltd(to be) Overview Area of interest Current state Work in progress What to do next 1 bo Akademi, ES lab, 2003-10-03 Tid rum

466 views • 12 slides
Static Analysis with Demand-Driven Value Refinement Benno Stein, Benjamin Barslev Nielsen,

Static Analysis with Demand-Driven Value Refinement Benno Stein, Benjamin Barslev Nielsen,

Static Analysis with Demand-Driven Value Refinement Benno Stein, Benjamin Barslev Nielsen, Bor-Yuh Evan Chang &amp; Anders Mller Sound static analysis for JavaScript Static analysis for JavaScript is very challenging o[m]() 2 /17

605 views • 36 slides
Outline Static Analysis: Overview, Syntactic Analysis and Abstract Interpretation Overview

Outline Static Analysis: Overview, Syntactic Analysis and Abstract Interpretation Overview

Outline Static Analysis: Overview, Syntactic Analysis and Abstract Interpretation Overview TDDC90: Software Security Syntactic Analysis Ahmed Rezine Abstract Interpretation IDA, Linkpings Universitet Hsttermin 2014 Static Program

75 views • 7 slides
Introduction to Static Analysis for Assurance John Rushby Computer Science Laboratory SRI

Introduction to Static Analysis for Assurance John Rushby Computer Science Laboratory SRI

Introduction to Static Analysis for Assurance John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby Static Analysis for Assurance: 1 Overview What is static analysis? Examples of some techniques

732 views • 34 slides
Static analysis of OpenAFS code base Cheyenne Wills OpenAFS 2019 Workshop Overview What is

Static analysis of OpenAFS code base Cheyenne Wills OpenAFS 2019 Workshop Overview What is

Static analysis of OpenAFS code base Cheyenne Wills OpenAFS 2019 Workshop Overview What is static analysis What are the tools Analysis of the OpenAFS code base What is static analysis Static analysis is performed by analysing

556 views • 20 slides
Using the Clang Static Analyzer Vince Bridgers About this tutorial Soup to nuts

Using the Clang Static Analyzer Vince Bridgers About this tutorial Soup to nuts

Using the Clang Static Analyzer Vince Bridgers About this tutorial Soup to nuts Small amount of theory to a practical example Why Static Analysis? Static Analysis in Continuous Integration What is Cross Translation Unit

480 views • 34 slides
Static Analysis for Memory Safety Salvatore Guarnieri sammyg@cs.washington.edu Papers A

Static Analysis for Memory Safety Salvatore Guarnieri sammyg@cs.washington.edu Papers A

Static Analysis for Memory Safety Salvatore Guarnieri sammyg@cs.washington.edu Papers A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities Using static analysis and integer range analysis to find buffer overflows

1.33k views • 56 slides
Static and dynamic verification Static and dynamic V&amp;V Software inspections Concerned

Static and dynamic verification Static and dynamic V&amp;V Software inspections Concerned

1 2 Static and dynamic verification Static and dynamic V&amp;V Software inspections Concerned with analysis of the static system Static representation to discover problems (static verification verification) May be supplement by

107 views • 6 slides
Automated capability analysis in Wordpress plugins Using static and dynamic analysis SNE RP2

Automated capability analysis in Wordpress plugins Using static and dynamic analysis SNE RP2

Automated capability analysis in Wordpress plugins Using static and dynamic analysis SNE RP2 Frank Uijtewaal Collab: DongIT (dongit.nl) Initial project goal Find a new and interesting type of security analysis for web applications

480 views • 35 slides
CLUSTERING STATIC ANALYSIS DEFECT REPORTS TO REDUCE MAINTENANCE COSTS Zachary P. Fry and Westley

CLUSTERING STATIC ANALYSIS DEFECT REPORTS TO REDUCE MAINTENANCE COSTS Zachary P. Fry and Westley

CLUSTERING STATIC ANALYSIS DEFECT REPORTS TO REDUCE MAINTENANCE COSTS Zachary P. Fry and Westley Weimer University of Virginia Static Analysis-based Bug Finders Use known-faulty semantic patterns to find suspected bugs statically

570 views • 26 slides

More recommend