using static checking to find security vulnerabilities in
play

Using Static Checking To Find Security Vulnerabilities In The Linux - PowerPoint PPT Presentation

Sep 11, 2023 •184 likes •659 views

Using Static Checking To Find Security Vulnerabilities In The Linux Kernel Linuxcon Europe 2016 Vaishali Thakkar (vaishali.thakkar@oracle.com) 1 Self Introduction Linux Kernel developer at Oracle Working in kernel security engineering group

  1. Using Static Checking To Find Security Vulnerabilities In The Linux Kernel Linuxcon Europe 2016 Vaishali Thakkar (vaishali.thakkar@oracle.com) 1

  2. Self Introduction Linux Kernel developer at Oracle Working in kernel security engineering group and memory management Interested in many different subsystems of the Linux Kernel 2

  3. Agenda Overview of security issues in the Linux Kernel Static checking Static checking tools Automated checking Bonus 3

  4. Cause of the kernel bugs Data: Jan, 2014 to August, 2016 [cvedetails.com] 4

  5. Language-specific security issues Buffer overflow [stack and heap based] Use a�er free and double free Null pointer dereference and invalid pointer dereference String issues Incorrect/missing bound check, array overflow, out-of-bound errors etc Others Integer signedness, buffer over read, deadlock, array index value error etc 5

  6. General security issues Race conditions Memory corruption and memory consumption Divide by zero and off by one Integer overflow Information leak 6

  7. Linux kernel specific security issues Incorrect/missing initialization of data structure Calling sleeping functions under invalid context Missing permission check Uninitialized data Others Infinite looping, improper fault handling, copy pasted code, etc 7

  8. Static code checking 8

  9. Static code analysis Usually performed as part of a code review and is carried out at the implementation phase of a security development lifecycle (SDL). Performed without actually executing programs. Benefits: Find bugs early, cheaper to fix the bugs when they are caught at the early stage of so�ware development Things to care about: False positives 9

  10. Why static checkers? Example one: diff ­­git a/security/keys/key.c b/security/keys/key.c index bd5a272..346fbf2 100644 ­­­ a/security/keys/key.c +++ b/security/keys/key.c @@ ­597,7 +597,7 @@ int key_reject_and_link(struct key *key, mutex_unlock(&key_construction_mutex); ­ if (keyring) + if (keyring && link_ret == 0) __key_link_end(keyring, &key­>index_key, edit); /* wake up anyone waiting for a key to be constructed */ Commit 38327424b40bce by Dan Carpenter, reported by Smatch. Fixes CVE-2016-4470 10

  11. Why static checkers? Example one: int key_reject_and_link(...) ... if (keyring) { if (keyring­>restrict_link) return ­EPERM; link_ret = __key_link_begin(keyring, &key­>index_key, &edit); } ... if (keyring && link_ret == 0) __key_link_end(keyring, &key­>index_key, edit); Missing check? Potential uninitialized variable? What is so special about this? 11

  12. Why static checkers? Example one: security/keys/keyring.c int __key_link_begin(..., ... , struct assoc_array_edit **_edit) ... { struct assoc_array_edit *edit; ... edit = assoc_array_insert(&keyring­>keys, &keyring_assoc_array_ops, index_key, NULL); ... if (!edit­>dead_leaf) { ret = key_payload_reserve(keyring, keyring­>datalen + KEYQUOTA_LINK_BYTES); if (ret < 0) goto error_cancel; ... error_cancel: assoc_array_cancel_edit(edit); Failure of __key_link_begin = uninitialization of 'edit' = system crash by local users 12

  13. Failure of __key_link_begin = uninitialization of 'edit' = system crash by local users Why static checkers? Example two: ­­­ a/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/dm.c +++ b/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/dm.c @@ ­1790,6 +1790,7 @@void rtl88e_dm_watchdog(...) if (ppsc­>p2p_ps_info.p2p_ps_mode) fw_ps_awake = false; + spin_lock(&rtlpriv­>locks.rf_ps_lock); if ((ppsc­>rfpwr_state == ERFON) && ((!fw_current_inpsmode) && fw_ps_awake) && (!ppsc­>rfchange_inprogress)) { @@ ­1802,4 +1803,5 @@void rtl88e_dm_watchdog(...) rtl88e_dm_check_edca_turbo(hw); rtl88e_dm_antenna_diversity(hw); } + spin_unlock(&rtlpriv­>locks.rf_ps_lock); } Commit 204e2ab22e1e2d0 by Larry Finger, reported by LDV tools 13

  14. Why static checkers? Example two: drivers/net/wireless/rtlwifi/rtl8188ee/hw.c bool rtl88ee_gpio_radio_on_off_checking(...) { ... spin_lock(&rtlpriv­>locks.rf_ps_lock); if (ppsc­>rfchange_inprogress) { spin_unlock(&rtlpriv­>locks.rf_ps_lock); return false; } else { Potential race condition 14

  15. Why static checkers? Example two: drivers/net/wireless/rtlwifi/rtl8188ee/hw.c bool rtl88ee_gpio_radio_on_off_checking(...) { ... spin_lock(&rtlpriv­>locks.rf_ps_lock); if (ppsc­>rfchange_inprogress) { spin_unlock(&rtlpriv­>locks.rf_ps_lock); return false; } else { Similar code was present in 5 other files 15

  16. Static checking tools 16

  17. scripts/checkpatch.pl Written by Andy Whitcro�, Joe Perches Checks for basic coding style issues and sometimes for incorrect API usuage Warns about a few errors that can trigger security bugs: Misuse of memsets, check for lockdep_set_novalidate_class, Prefixing 0x with decimal output, using weak declarations which can have unintended link defects Good to run it for new submissions 17

  18. scripts/checkpatch.pl Example output: scripts/checkpatch.pl --file --terse <path_to_directory> drivers/staging/media/bcm2048/radio­bcm2048.c:307: ERROR: Use 4 digit octal (0777) not decimal permissions drivers/staging/media/bcm2048/radio­bcm2048.c:1539: CHECK: Avoid crashing the kernel ­ try using WARN_ON & recovery code rather than BUG() or BUG_ON() drivers/staging/media/bcm2048/radio­bcm2048.c:1997: ERROR: Macros with complex values should be enclosed in parentheses drivers/staging/media/bcm2048/radio­bcm2048.c:2025: WARNING: Prefer 'unsigned int' to bare use of 'unsigned' drivers/staging/media/bcm2048/radio­bcm2048.c:2543: WARNING: struct v4l2_ioctl_ops should normally be const 18

  19. Sparse Written by Linus Torvalds, later maintained by Josh Triplett, Chris Li Provides a set of annotations designed to convey semantic information about types. For example, what address space pointers point to or what locks a function acquires or releases. More than 6000 patches accepted so far. Documentation: https://kernelnewbies.org/Sparse 19

  20. Sparse Can find the following security or related bugs: Warns about casts that add an address space to a pointer type and truncate const values Warns about unsupported operations or type mismatches with restricted integer types. Warns about any non-static variable or function definition that has no previous declaration. Warns about the use of 0 as a NULL pointer. 20

  21. Sparse Example output: make C=2 <path_to_directory> drivers/staging/wlan­ng/p80211conv.c:132:25: warning: cast to restricted __be16 drivers/staging/wlan­ng/p80211conv.c:154:38: warning: incorrect type in assignment (different base types) drivers/staging/wlan­ng/p80211conv.c:154:38: expected unsigned short [unsigned] [usertype] type drivers/staging/wlan­ng/p80211conv.c:154:38: got restricted __be16 [usertype] <noident> drivers/staging/wlan­ng/prism2fw.c:251:15: warning: memset with byte count of 120000 drivers/staging/lustre/lnet/selftest/rpc.c:764:9: warning: context imbalance in 'srpc_shutdown_service' ­ different lock contexts for basic block 21

  22. Smatch Written by Dan Carpenter More than 3000 bugs fixed by Smatch, mostly by Dan Uses sparse as a C parser Documentation: https://blogs.oracle.com/linuxkernel/entry/smatch_static_analysis_tool_overview 22

  23. Smatch Can find the following security or related bugs: Null pointer dereference, error pointer dereference, buffer overflow etc Off by one bugs Locking related bugs - Double locks/unlocks, missing unlock etc Unintialized variable/data and signedness related bugs Use a�er free, double free etc Information leak Unnecessary null check and missing null check 23

  24. Smatch Example output: <path_to_smatch>/smatch_scripts/kchecker --spammy ./ drivers/staging/xgifb/vb_setmode.c:3581 XGI_SetGroup2() warn: mask and shift to zero drivers/staging/xgifb/vb_setmode.c:5334 XGI_EnableBridge() warn: we tested 'pVBInfo­>VBInfo & 256' before and it was 'true' drivers/staging/vt6656/rf.c:876 vnt_rf_table_download() error: memcpy() 'addr1' too small (3 vs 48) drivers/staging/rts5208/ms.c:2736 ms_build_l2p_tbl() error: buffer overflow 'ms_start_idx' 17 <= s32max drivers/staging/rts5208/ms.c:2594 ms_build_l2p_tbl() error: we previously assumed 'ms_card­>segment' could be null(see line 2586) drivers/staging/rts5208/sd.c:4115 ext_sd_send_cmd_get_rsp() warn: masked condition '(*ptr + 3 & 30) != 3' is always true. 24

  25. Coccinelle Written by Julia Lawall Pattern matching and transformation tool Can warn you about bugs [report mode] or suggest a fix for the bugs [patch mode] More than 4000 patches fixed by Coccinelle Documentation: http://coccinelle.lip6.fr/ 25

  26. Coccinelle Some of the fault types found by Coccinelle 26

  27. Coccinelle Can find the following security or related bugs: Null pointer dereference Use a�er free Locking related bugs - Double locks/unlocks, missing unlock etc Use of sleeping functions or GFP_KERNEL flag under the lock Use a�er free, double free etc Protecting function pointers in data structures 27

Recommend

Extended Static Checking Extended Static Checking Greg Nelson MJ 6 James B. Saxe MJ 6

Extended Static Checking Extended Static Checking Greg Nelson MJ 6 James B. Saxe MJ 6

Authors Authors Author Defn. Num.* K. Rustan M. Leino MJS 13 Extended Static Checking Extended Static Checking Greg Nelson MJ 6 James B. Saxe MJ 6 Wolfram Schulte S 3 David Detlefs M 2 Raymie Stata J 2 Mike Barnett S 2

239 views • 5 slides
Security Testing Checking for what shouldnt happen Azqa Nadeem PhD Student @ Cyber Security

Security Testing Checking for what shouldnt happen Azqa Nadeem PhD Student @ Cyber Security

Security Testing Checking for what shouldnt happen Azqa Nadeem PhD Student @ Cyber Security Group The Cyber Security lecture series 1 Agenda for today Part I Latest security news Security vulnerabilities in Java

2.02k views • 185 slides
Static Detection of Second-Order Vulnerabilities in Web Applications Johannes Dahse and Thorsten

Static Detection of Second-Order Vulnerabilities in Web Applications Johannes Dahse and Thorsten

Static Detection of Second-Order Vulnerabilities in Web Applications Johannes Dahse and Thorsten Holz Ruhr-University Bochum USENIX Security 14, 20-22 August 2014, San Diego, CA, USA 1. Introduction 2. Implementation 3. Evaluation 4.

579 views • 40 slides
The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security

The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security

CS 640: Introduction to Computer Networks Aditya Akella Lecture 25 Network Security The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security Vulnerabilities Security Problems in the TCP/IP Protocol

1.29k views • 13 slides
Why Cant Johnny Fix Vulnerabilities: A Usability Evaluation of Static Analysis Tools for

Why Cant Johnny Fix Vulnerabilities: A Usability Evaluation of Static Analysis Tools for

Why Cant Johnny Fix Vulnerabilities: A Usability Evaluation of Static Analysis Tools for Security Justin Smith (Lafayette College) smithjus@lafayette.edu Lisa Nguyen Quang Do (Google) lisanqd@google.com Emerson Murphy-Hill (Google)

605 views • 15 slides
Static Checking of Dynamically-Varying Security Policies in Database-Backed Applications Adam

Static Checking of Dynamically-Varying Security Policies in Database-Backed Applications Adam

Static Checking of Dynamically-Varying Security Policies in Database-Backed Applications Adam Chlipala OSDI 2010 Beyond Code Injection 1.Injection An application includes an Dependent on application-specific unintended run-time program

595 views • 20 slides
About Me CEO &amp; Co-Founder at Snyk Find &amp; Fix vulnerabilities in open source

About Me CEO &amp; Co-Founder at Snyk Find &amp; Fix vulnerabilities in open source

The Three Faces of DevSecOps Guy Podjarny (@guypod) @guypod About Me CEO &amp; Co-Founder at Snyk Find &amp; Fix vulnerabilities in open source dependencies! Founder @Blaze, CTO @Akamai Security work since 1997 DevOps

1.29k views • 107 slides
About Me CEO &amp; Co-Founder at Snyk Find &amp; Fix vulnerabilities in open source

About Me CEO &amp; Co-Founder at Snyk Find &amp; Fix vulnerabilities in open source

Developer as a Malware Distribution Vehicle Guy Podjarny (@guypod) @guypod About Me CEO &amp; Co-Founder at Snyk Find &amp; Fix vulnerabilities in open source dependencies! Founder @Blaze, CTO @Akamai Security work since

1.41k views • 119 slides
Static code checking In the Linux kernel Presented by Arnd Bergmann Date April 6, 2016 Event

Static code checking In the Linux kernel Presented by Arnd Bergmann Date April 6, 2016 Event

Static code checking In the Linux kernel Presented by Arnd Bergmann Date April 6, 2016 Event Embedded Linux Conference Static code checking in the Linux kernel 1. Overview 2. Randconfig issues 3. Checking tools 4. Automated checking

586 views • 48 slides
Source Code Analysis for Security through LLVM Lu Zhao HP Fortify lu.zhao@hp.com Static Code

Source Code Analysis for Security through LLVM Lu Zhao HP Fortify lu.zhao@hp.com Static Code

Source Code Analysis for Security through LLVM Lu Zhao HP Fortify lu.zhao@hp.com Static Code Analyzer for Security Static Code Analyzer for Security (HP Fortify SCA) C/C++ Java Vulnerabilities LLVM Language independent Services C/C++ Swift

325 views • 31 slides
No More Whack-a-Mole: How to Find and Prevent Entire Classes of Security Vulnerabilities Sam

No More Whack-a-Mole: How to Find and Prevent Entire Classes of Security Vulnerabilities Sam

No More Whack-a-Mole: How to Find and Prevent Entire Classes of Security Vulnerabilities Sam Lanning @samlanning @samlanning A story of many bugs (CVE-2017-8046) 7 September 2017 22 September 2017 27 September 2017 Mo

426 views • 39 slides
vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration

vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration

Security &amp; Knowledge Management a.a. 2019/20 There are a set of sources that provide updated information about security vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration CAPEC,

197 views • 8 slides
Static Analysis for Memory Safety Salvatore Guarnieri sammyg@cs.washington.edu Papers A

Static Analysis for Memory Safety Salvatore Guarnieri sammyg@cs.washington.edu Papers A

Static Analysis for Memory Safety Salvatore Guarnieri sammyg@cs.washington.edu Papers A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities Using static analysis and integer range analysis to find buffer overflows

1.33k views • 56 slides
Static Code Analysis of Complex PHP Application Vulnerabilities Johannes Dahse Static Code

Static Code Analysis of Complex PHP Application Vulnerabilities Johannes Dahse Static Code

Static Code Analysis Automatisierte Sicherheitsanalyse of Complex PHP Application Vulnerabilities von Webapplikationen Static Code Analysis of Complex PHP Application Vulnerabilities Johannes Dahse Static Code Analysis Automatisierte

1.48k views • 89 slides
Discover vulnerabilities with CodeQL Boik Su Security Researcher @ CyCraft CHROOTs member

Discover vulnerabilities with CodeQL Boik Su Security Researcher @ CyCraft CHROOTs member

Discover vulnerabilities with CodeQL Boik Su Security Researcher @ CyCraft CHROOTs member Programming lover qazbnm456 @boik_su Agenda Brief introduction to CodeQL CodeQLs Tricks Replicate CVEs to find you CVEs More

2.1k views • 63 slides
Liveness Checking as Safety Checking to Find Shortest Counterexamples to Linear Time Properties

Liveness Checking as Safety Checking to Find Shortest Counterexamples to Linear Time Properties

Liveness Checking as Safety Checking to Find Shortest Counterexamples to Linear Time Properties Viktor Schuppan Computer Systems Institute, ETH Z urich http://www.inf.ethz.ch/schuppan/ Defense Thesis ETH 16268 September 28, 2005, Z

382 views • 19 slides
Static verification framework for Go Overview 2 Model checking Behavioural mCRL2 model checker

Static verification framework for Go Overview 2 Model checking Behavioural mCRL2 model checker

Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary Static verification framework for Go Overview 2 Model checking Behavioural mCRL2 model checker Types Transform Check safety and

681 views • 67 slides
RIPS RIPS A static source code analyser NDS Seminar for vulnerabilities in PHP scripts A

RIPS RIPS A static source code analyser NDS Seminar for vulnerabilities in PHP scripts A

RIPS RIPS A static source code analyser NDS Seminar for vulnerabilities in PHP scripts A static source code analyser A static source code analyser for vulnerabilities in PHP scripts for vulnerabilities in PHP scripts 1 Johannes Dahse

804 views • 35 slides
Type Checking General properties of type systems Types in programming languages

Type Checking General properties of type systems Types in programming languages

Outline Type Checking General properties of type systems Types in programming languages Notation for type rules Logical rules of inference Common type rules 2 Static Checking Static Checking (Cont.) Refers to

896 views • 10 slides
Database Security Threats and Vulnerabilities John Bissonette Aaron McClure Introduction

Database Security Threats and Vulnerabilities John Bissonette Aaron McClure Introduction

Database Security Threats and Vulnerabilities John Bissonette Aaron McClure Introduction Databases are the crown jewels of a business or organization Security is paramount Vulnerabilities grant attackers keys to the

600 views • 14 slides
Hunting PBX For Vulnerabilities Sachin Wagh Security Analyst Security Intelligence Team @

Hunting PBX For Vulnerabilities Sachin Wagh Security Analyst Security Intelligence Team @

Hunting PBX For Vulnerabilities Sachin Wagh Security Analyst Security Intelligence Team @ Symantec Speaker at Hakon and Geek Street - Infosecurity Europe Bug Hunter | Penetration Tester Security Blogger @tiger_tigerboy

801 views • 38 slides
Detection of Software Vulnerabilities: Static Analysis (Part I) Lucas Cordeiro Department of

Detection of Software Vulnerabilities: Static Analysis (Part I) Lucas Cordeiro Department of

Systems and Software Verification Laboratory Detection of Software Vulnerabilities: Static Analysis (Part I) Lucas Cordeiro Department of Computer Science lucas.cordeiro@manchester.ac.uk Static Analysis Lucas Cordeiro (Formal Methods

1.9k views • 188 slides
Static Detection and Automatic Exploitation of Intent Message Vulnerabilities in Android

Static Detection and Automatic Exploitation of Intent Message Vulnerabilities in Android

Static Detection and Automatic Exploitation of Intent Message Vulnerabilities in Android Applications Daniele Gallingani, Rigel Gjomemo , V.N. Venkatakrishnan, Stefano Zanero Android Message Passing Mechanism Android apps are composed of

566 views • 23 slides
Software Model Checking Software Model Checking via Static and Dynamic via Static and Dynamic

Software Model Checking Software Model Checking via Static and Dynamic via Static and Dynamic

Software Model Checking Software Model Checking via Static and Dynamic via Static and Dynamic Program Analysis Program Analysis Patrice Godefroid Godefroid Patrice Bell Laboratories, Lucent Technologies Bell Laboratories, Lucent

1.05k views • 56 slides

More recommend