Slide1
CSSV: Towards a Realistic Tool for Statically Detecting All Buffer Overflows in C
Nurit Dor, Michael Rodeh, Mooly Sagiv
PLDI'2003
DAEDALUS project
Slide2
/* from web2c [strpascal.c] */
void foo(char *s)
{
    while (*s != ' ')
        s++;
    *s = 0;
}

foo advances s until it finds a space; if s contains no space, the loop walks past the end of the buffer, reading beyond it and then writing the terminator out of bounds.

Vulnerabilities of C programs
- Null dereference
- Dereference to unallocated storage
- Out of bound pointer arithmetic
- Out of bound update
Slide3
Is it common?
General belief: yes!
- FUZZ study: test reliability by random input; tens of applications on 9 different UNIX systems; 18%–23% hang or crash
- CERT advisory: up to 50% of attacks are due to buffer overflow
COMMON AND DANGEROUS
Slide4
CSSV's Goals
- Efficient conservative static checking algorithm
- Verify the absence of buffer overflow, not just find bugs
- All C constructs: pointer arithmetic, casting, dynamic memory, …
- Real programs
- Minimum false alarms
Slide5
Complicated Example

/* from web2c [fixwrites.c] */
#define BUFSIZ 1024
char buf[BUFSIZ];
char *insert_long(char *cp)
{
    char temp[BUFSIZ];
    …
    for (i = 0; &buf[i] < cp; ++i)
        temp[i] = buf[i];
    strcpy(&temp[i], "(long)");
    strcpy(&temp[i+6], cp);
    …

[Figure: buf with cp pointing into it; temp is built from buf[0..i), then "(long)", then the string at cp]
Slide6
Complicated Example
(same code as Slide5)
Cleanness is potentially violated at strcpy(&temp[i], "(long)"): the loop leaves i = offset(cp), and the copy writes 7 bytes ("(long)" plus '\0') starting at temp[i], so the call is clean only if
  7 + offset(cp) <= BUFSIZ
Slide7
Complicated Example
(same code as Slide5)
Cleanness is potentially violated at strcpy(&temp[i+6], cp): the copy writes len(cp) + 1 bytes starting at temp[i+6], so the call is clean only if
  offset(cp) + 7 + len(cp) <= BUFSIZ
together with the previous call's 7 + offset(cp) <= BUFSIZ. Nothing in insert_long itself bounds offset(cp) or len(cp), so both conditions can fail.
Slide8
Verifying Absence of Buffer Overflow is non-trivial

void safe_cat(char *dst, int size, char *src)
{
    if (size > strlen(src) + strlen(dst)) {
        dst = dst + strlen(dst);
        strcpy(dst, src);
    }
}

Precondition of the strcpy call:
  { string(src) ∧ alloc(dst) > len(src) }
Pulled back over dst = dst + strlen(dst):
  { string(src) ∧ string(dst) ∧ alloc(dst + len(dst)) > len(src) }
Verification condition at the guard:
  string(src) ∧ string(dst) ∧ (size > len(src) + len(dst)) ⇒ alloc(dst + len(dst)) > len(src)
This only holds because alloc(dst + len(dst)) = alloc(dst) − len(dst) and the caller guarantees alloc(dst) == size (see safe_cat's contract later in the deck); the code alone does not relate size to dst's allocation.
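As an added example (not from the slides or from CSSV), the verification condition above evaluated at run time, in C. safe_cat_outcome takes the block's real capacity, the contract's alloc(dst), separately from the caller's size argument, so it can show the three ways a call ends: the guard rejects it, the strcpy precondition holds, or the guard passes while the precondition fails. One detail the contract quietly relies on: size is an int, so the guard compares it to strlen's size_t after the usual arithmetic conversions, and a negative size passes the guard; the precondition alloc(dst) == size rules that out because an allocation size is never negative. safe_cat_checked, the 8-byte fixtures and all names here are the example's own assumptions.

```c
#include <stdio.h>
#include <string.h>

/* How one safe_cat(dst, size, src) call ends. */
enum outcome { GUARD_FALSE = 0, STRCPY_CLEAN = 1, STRCPY_OVERFLOW = 2 };

/* safe_cat's guard exactly as C evaluates it: by the usual arithmetic conversions
 * the int `size` becomes size_t before the comparison, so a negative size
 * compares as a huge value and the guard passes. */
int safe_cat_guard(int size, const char *dst, const char *src)
{
    return (size_t)size > strlen(src) + strlen(dst);
}

/* alloc_dst is the real capacity of dst's block (the contract's alloc(dst));
 * `size` is whatever the caller passed.  Instead of running strcpy, evaluate
 * its precondition at the call site: alloc(dst + len(dst)) > len(src). */
enum outcome safe_cat_outcome(size_t alloc_dst, int size,
                              const char *dst, const char *src)
{
    size_t ld, ls;
    if (!safe_cat_guard(size, dst, src))
        return GUARD_FALSE;
    ld = strlen(dst);
    ls = strlen(src);
    /* string(dst) inside its block means ld < alloc_dst, and then
     * alloc(dst + ld) == alloc_dst - ld. */
    if (ld < alloc_dst && alloc_dst - ld > ls)
        return STRCPY_CLEAN;
    return STRCPY_OVERFLOW;
}

/* Hardened variant (an assumption of this example, not from the slides): the
 * capacity is passed as size_t, so alloc(dst) == size holds by construction.
 * Returns 1 on success, 0 and leaves dst untouched when the result would not fit. */
int safe_cat_checked(char *dst, size_t capacity, const char *src)
{
    size_t ld = 0, ls = strlen(src);
    while (ld < capacity && dst[ld] != '\0')   /* bounded strlen(dst) */
        ld++;
    if (ld == capacity)                        /* dst is not a string in its block */
        return 0;
    if (capacity - ld <= ls)                   /* no room for src plus '\0' */
        return 0;
    memcpy(dst + ld, src, ls + 1);
    return 1;
}

/* Drives the checked variant on an 8-byte block: returns 1 if the first append
 * fits and the second is refused without touching the block. */
int checked_demo(void)
{
    char block[8] = "ab";
    if (!safe_cat_checked(block, sizeof block, "cde")) return 0;
    if (strcmp(block, "abcde") != 0) return 0;
    if (safe_cat_checked(block, sizeof block, "xyz")) return 0;  /* 5 + 3 + 1 > 8 */
    return strcmp(block, "abcde") == 0;
}

int main(void)
{
    const char *dst = "ab";          /* treated as living in an 8-byte block */
    printf("size == alloc(dst), fits:  %d\n", safe_cat_outcome(8, 8, dst, "cde"));        /* 1 */
    printf("size too large (16):       %d\n", safe_cat_outcome(8, 16, dst, "abcdefghij")); /* 2 */
    printf("size negative (-1):        %d\n", safe_cat_outcome(8, -1, dst, "abcdefghij")); /* 2 */
    printf("guard rejects:             %d\n", safe_cat_outcome(8, 8, dst, "abcdefghij"));  /* 0 */
    printf("checked variant:           %d\n", checked_demo());                              /* 1 */
    return 0;
}
```

The second and third cases are the ones a static checker must rule out: the guard is satisfied, yet strcpy's precondition is not, because size does not describe dst's block. That is exactly the gap the contract's alloc(dst) == size closes.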
Slide9
Can this be done for real programs?
- Complex linear relationships
- Pointer arithmetic
- Loops
- Procedures
Use:
- Polyhedra [CH78]
- Points-to analysis
- Widening
- Procedure contracts
Very few false alarms!
Slide10
C String Static Verifier
Detects string violations:
- Buffer overflow (update beyond bounds)
- Unsafe pointer arithmetic
- References beyond null termination
- Unsafe library calls
Handles full C: multi-level pointers, pointer arithmetic, structures, casting, …
Applied to real programs: public domain software, C code from Airbus
Slide11
Operational Semantics
  p1 = alloc(m)
  p2 = p1 + i
  p3 = *p2
[Figure: the concrete memory after these three statements, with the variables p1, p2, p3 and i holding addresses and values, and a shadow memory that records, for every allocated block, its base address and its size]
Slide12
Domain Construction
Given abstract domains D1, D2, …, Dk, construct a "composite domain" c(D1, D2, …, Dk)
Examples: Cartesian abstraction
More later
Slide13
CSSV's Abstraction
Ignore exact location; track base addresses
[Figure: the concrete state of Slide11 with addresses replaced by abstract locations: i, p1, p2, p3 and the allocated block heap1]
Slide14
CSSV's Abstraction
Track sizes
[Figure: as above, with each abstract location labelled with its size: i, p1, p2 and p3 have size 4, heap1 has size m]
Slide15
CSSV's Abstraction
Track pointers from one base to another (may)
[Figure: as above, with may-points-to edges from p1, p2 and p3 to heap1]
Slide16
Pointer Validation
How can we validate pointer arithmetic?
- Track offsets from origin
- Track numeric values
  p2 = p1 + i
[Figure: with i = 8 and p1.offset = 0, the analysis records p2.offset = 8]
Slide17
Numeric values are unknown
Track integer relationships
  p2 = p1 + i
[Figure: p1.offset is unknown, so p2 is recorded relative to it]
  p2.offset = p1.offset + i
Slide18
Validation
(*p.size denotes the size of the block p points into)
Pointer arithmetic p2 = p1 + i is clean when
  *p1.size ≥ p1.offset + i
Pointer dereference p3 = *p2 is clean when
  *p2.size > p2.offset
Slide19
The null-termination byte
Many expressions involve the '\0' byte, e.g. strcpy(dst, src)
- Track the existence of null-termination
- Track the index of the first one
Slide20
Abstract Transformers
Defines the effect of statements on the abstract representation
  p1 = alloc(m)    p1.offset = 0, *p1.size = m
  p2 = p1 + i      p2.offset = p1.offset + i
[Figure: the abstract state with p1, p2 and p3 pointing into heap1, whose size is m]
Slide21
Abstract Transformers
Unknown value
  p3 = *p2
  p3 = 0         if *p2.is_nullt ∧ *p2.len == p2.offset
  p3 = unknown   otherwise
Slide22
Overly Conservative
Representing infeasible concrete states:
- Infeasible pointer aliases
- Infeasible integer variables
Slide23
Procedure Calls – Contracts

char *strcpy(char *dst, char *src)
  requires ( string(src) ∧ alloc(dst) > len(src) )
  mod      len(dst), is_nullt(dst)
  ensures  ( len(dst) == pre@len(src) ∧ return == pre@dst )
Slide24
Advantages of Procedure Contracts
- Modular analysis (not all the code is available)
- Enables more expensive analyses
- User control of the verification
- Detect errors at point of logical error
- Improve the precision of the analysis
- Check additional properties beyond ANSI-C
Slide25
Specification and Soundness
All errors are detected:
- Violation of a procedure's precondition (at the call)
- Violation of a procedure's postcondition (at the return)
- Violation of a statement's precondition (e.g. …a[i]…)
Slide26
Procedure Calls – Contracts
(strcpy's contract, as on Slide23)
Slide27
safe_cat's contract

void safe_cat(char *dst, int size, char *src)
  requires ( string(src) ∧ string(dst) ∧ alloc(dst) == size )
  mod      dst
  ensures  ( len(dst) <= pre@len(src) + pre@len(dst) ∧ len(dst) >= pre@len(dst) )
Slide28
Specification – insert_long()

/* insert_long.c */
#include "insert_long.h"
char buf[BUFSIZ];

char *insert_long(char *cp)
{
    char temp[BUFSIZ];
    int i;
    for (i = 0; &buf[i] < cp; ++i) {
        temp[i] = buf[i];
    }
    strcpy(&temp[i], "(long)");
    strcpy(&temp[i + 6], cp);
    strcpy(buf, temp);
    return cp + 6;
}

char *insert_long(char *cp)
  requires ( string(cp) ∧ buf <= cp < buf + BUFSIZ )
  mod      cp.len
  ensures  ( len(cp) == pre@len(cp) + 6 ∧ return_value == cp + 6 )
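As an added example, not code from CSSV or from web2c: a runtime rendition in C of the checks the deck states, pointer arithmetic p2 = p1 + i (clean iff the offset stays within *p1.size), dereference (offset < *p.size), the null-termination tracking, and the strcpy contract of Slide23, built on a tracked pointer that carries the base, *p.size and p.offset that CSSV abstracts. insert_long_steps replays insert_long's statements on a buf and temp scaled down from BUFSIZ to 16 bytes and reports which statement first breaks cleanness, so the two conditions 7 + offset(cp) <= BUFSIZ and offset(cp) + 7 + len(cp) <= BUFSIZ show up as failures of the second and third statements. The fixture strings are constructed, and all names (tptr, t_add, run_case, …) are the example's own.

```c
#include <string.h>

/* What CSSV tracks for a pointer: its block (base), the block's size (*p.size), p.offset. */
typedef struct { char *base; size_t size; size_t offset; } tptr;

enum check { CLEAN = 0, BAD_ARITH = 1, BAD_DEREF = 2, BAD_STRCPY = 3 };

/* p2 = p1 + i is clean iff 0 <= p1.offset + i <= *p1.size (one past the end may be formed). */
enum check t_add(tptr p1, long i, tptr *p2)
{
    if (i < 0 ? (size_t)(-i) > p1.offset : (size_t)i > p1.size - p1.offset)
        return BAD_ARITH;
    *p2 = p1;
    p2->offset = (size_t)((long)p1.offset + i);
    return CLEAN;
}

/* Reading or writing *p is clean iff p.offset < *p.size. */
enum check t_deref(tptr p) { return p.offset < p.size ? CLEAN : BAD_DEREF; }

/* alloc(p): bytes from p to the end of its block. */
size_t t_alloc(tptr p) { return p.size - p.offset; }

/* len(p): index of the first '\0' at or after p; -1 if none inside the block (!string(p)). */
long t_len(tptr p)
{
    size_t k;
    for (k = p.offset; k < p.size; k++)
        if (p.base[k] == '\0') return (long)(k - p.offset);
    return -1;
}

/* strcpy under its contract: requires string(src) && alloc(dst) > len(src). */
enum check t_strcpy(tptr dst, tptr src)
{
    long n = t_len(src);
    if (n < 0 || t_alloc(dst) <= (size_t)n) return BAD_STRCPY;
    memcpy(dst.base + dst.offset, src.base + src.offset, (size_t)n + 1);
    return CLEAN;
}

/* insert_long's statements replayed on buf (bsize bytes, cp = buf + cp_off) and temp (tsize
 * bytes).  *where is the statement reached: 1 copy loop, 2 strcpy(&temp[i], "(long)"),
 * 3 strcpy(&temp[i+6], cp), 4 strcpy(buf, temp); on CLEAN it is 4. */
enum check insert_long_steps(char *buf, size_t bsize, size_t cp_off,
                             char *temp, size_t tsize, int *where)
{
    char lit_s[] = "(long)";                            /* 6 chars + '\0' = 7 bytes */
    tptr b = { buf, bsize, 0 }, t = { temp, tsize, 0 }, lit = { lit_s, sizeof lit_s, 0 };
    tptr cp, bi, ti;
    enum check c;
    size_t i;
    *where = 1;
    if ((c = t_add(b, (long)cp_off, &cp)) != CLEAN) return c;
    for (i = 0; i < cp_off; i++) {                      /* for (i = 0; &buf[i] < cp; ++i) */
        if ((c = t_add(b, (long)i, &bi)) != CLEAN || (c = t_deref(bi)) != CLEAN ||
            (c = t_add(t, (long)i, &ti)) != CLEAN || (c = t_deref(ti)) != CLEAN)
            return c;
        ti.base[ti.offset] = bi.base[bi.offset];        /* temp[i] = buf[i] */
    }
    *where = 2;                                         /* clean iff 7 + offset(cp) <= tsize */
    if ((c = t_add(t, (long)i, &ti)) != CLEAN || (c = t_strcpy(ti, lit)) != CLEAN) return c;
    *where = 3;                                         /* clean iff offset(cp) + 7 + len(cp) <= tsize */
    if ((c = t_add(t, (long)i + 6, &ti)) != CLEAN || (c = t_strcpy(ti, cp)) != CLEAN) return c;
    *where = 4;
    return t_strcpy(b, t);                              /* strcpy(buf, temp) */
}

/* Constructed fixture: BUFSIZ scaled down to 16.  `contents` (under 16 bytes) fills buf,
 * cp = buf + cp_off.  Returns the check result; copies the final buf to out[16] if given. */
enum check run_case(const char *contents, size_t cp_off, int *where, char *out)
{
    char buf[16] = {0}, temp[16] = {0};
    enum check c;
    if (strlen(contents) >= sizeof buf) { *where = 0; return BAD_DEREF; }
    memcpy(buf, contents, strlen(contents) + 1);
    c = insert_long_steps(buf, sizeof buf, cp_off, temp, sizeof temp, where);
    if (out) memcpy(out, buf, sizeof buf);
    return c;
}

/* Which statement a run stopped at, and whether buf ends up as expected. */
int stopped_at(const char *contents, size_t cp_off)
{
    int w;
    run_case(contents, cp_off, &w, NULL);
    return w;
}

int buf_becomes(const char *contents, size_t cp_off, const char *expected)
{
    int w;
    char out[16];
    return run_case(contents, cp_off, &w, out) == CLEAN && strcmp(out, expected) == 0;
}
```

With cp at offset 3 of "abcdef" every statement is clean and buf becomes "abc(long)def". With cp at offset 10 of a 13-character buf the run stops at statement 2 (7 + 10 > 16); with cp at offset 6 of "abcdefghij" statement 2 passes but statement 3 fails (6 + 7 + 4 > 16). CSSV discharges the same two conditions symbolically, with offset(cp) and len(cp) unknown, which is why both calls are reported for insert_long.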
Slide29
Complicated Example (revisited)
With insert_long's contract in hand, the two strcpy calls are checked against strcpy's precondition alloc(dst) > len(src):
  strcpy(&temp[i], "(long)")    is clean only if  7 + offset(cp) <= BUFSIZ
Slide30
Complicated Example (revisited)
  strcpy(&temp[i+6], cp)        is clean only if  offset(cp) + 7 + len(cp) <= BUFSIZ
The contract only guarantees buf <= cp < buf + BUFSIZ, so neither bound follows from it and both calls are reported (the two errors for insert_long in the results below).
Slide31
CSSV – Technical overview
[Figure: the pipeline. Inputs are the C files and the contracts. A global Pointer Analysis over the C files produces pointer info; for a given procedure name, C2IP translates that procedure, using the pointer info and the inlined contracts, into an integer program ("Integer Proc"); Integer Analysis of that program yields the potential error messages.]
Slide32
Used Software
- ASToolKit [Microsoft]
- LLVM, Soot
- Core C [TAU - Greta Yorsh]
- CIL [Berkeley, LLVM]
- GOLF [Microsoft - Manuvir Das]
- New Polka [Inria - Bertrand Jeannet]
- Apron
Slide33
CSSV Static Analysis
- Inline contracts: expose behavior of called procedures
- Pointer analysis (global): find relationship between base addresses
- Project into procedures
- Integer analysis: compute offset information
Slide34
Preliminary results (web2c)

Proc                   lines  coreC lines  time (sec)  space (Mb)  errors  FA
insert_long               14           64         2.0          13       2   0
fprintf_pascal_string     10           25         0.1         0.3       2   0
space_terminate            9           23         0.1         0.2       0   0
external_file_name        14           28         0.2         1.7       2   0
join                      15           53         0.6         5.2       2   1
remove_newline            25          105         0.6         4.6       0   0
null_terminate             9           23         0.1         0.2       2   0

(FA = false alarms among the reported errors)
Slide35
Preliminary results (EADS/RTC_Si)

Proc               lines  coreC lines  time (sec)  space (Mb)  errors  FA
FiltrerCarNonImp      19           34         1.6         0.5       0   0
SkipLine              12           42         0.8         1.9       0   0
StoreIntInBuffer      37          134         7.9          21       0   0
Slide36
CSSV: Summary
- Semantics: safety checking; full C; enables abstractions
- Contract language: string behavior; omit pointer aliasing; procedural points-to
- Scalable
- Improve precision
- Static analysis: tracks important string properties; utilizes integer analysis
Slide37
Related Projects
- SAL: Microsoft
- Splint: David Evans
- Sage: Microsoft
- Brian Hackett: static analysis, ICSE'2006
- Vinod Ganapathy: CCS'2003
Slide38
Conclusion
- Ambitious sound analyses
- Very few false alarms
- Scaling is an issue:
  - Use staged analyses
  - Use modular analysis
  - Use encapsulation