Towards practical reactive security audit using extended static checkers 1

Similar documents
Towards practical reactive security audit using extended static checkers

Visualizing Information Flow through C Programs

InvGen: An Efficient Invariant Generator

Model Checking: An Introduction

Software Testing & Analysis (F22ST3): Static Analysis Techniques 2. Andrew Ireland

Software testing. Objectives

Static Code Analysis Procedures in the Development Cycle

Automatic vs. Manual Code Analysis

A Static Analyzer for Large Safety-Critical Software. Considered Programs and Semantics. Automatic Program Verification by Abstract Interpretation

Automated Theorem Proving - summary of lecture 1

Static vs. Dynamic Testing How Static Analysis and Run-Time Testing Can Work Together. Outline

Design by Contract beyond class modelling

Boogie: A Modular Reusable Verifier for Object-Oriented Programs

Secure Software Programming and Vulnerability Analysis

Detecting Critical Defects on the Developer s Desktop

Transparent Monitoring of a Process Self in a Virtual Environment

FROM SAFETY TO SECURITY SOFTWARE ASSESSMENTS AND GUARANTEES FLORENT KIRCHNER (LIST)

Levels of Software Testing. Functional Testing

Automated Program Behavior Analysis

Security challenges for internet technologies on mobile devices

Statically Checking API Protocol Conformance with Mined Multi-Object Specifications Companion Report

Software Engineering Techniques

Variable Base Interface

Building Security into the Software Life Cycle

Source Code Review Using Static Analysis Tools

Debugging A MotoHawk Application using the Application Monitor

Interactive Application Security Testing (IAST)

Chair of Software Engineering. Software Verification. Assertion Inference. Carlo A. Furia

Introduction to Static Analysis for Assurance

Applications of formal verification for secure Cloud environments at CEA LIST

Chapter 8 Software Testing

Glossary of Object Oriented Terms

Comprehensive Static Analysis Using Polyspace Products. A Solution to Today s Embedded Software Verification Challenges WHITE PAPER

Using Web Security Scanners to Detect Vulnerabilities in Web Services

Review and Exploit Neglected Attack Surface in ios 8. Tielei Wang, Hao Xu, Xiaobo Chen of TEAM PANGU

Software Testing. Quality & Testing. Software Testing

The Course.

The Security Development Lifecycle

Rapid Security Framework (RSF) Taxonomie, Bewertungsparameter und Marktanalyse zur Auswahl von Fuzzing-Tools

Software Engineering Concepts: Testing. Pointers & Dynamic Allocation. CS 311 Data Structures and Algorithms Lecture Slides Monday, September 14, 2009

TOOL EVALUATION REPORT: FORTIFY

MPI-Checker Static Analysis for MPI

Evaluation of AgitarOne

Logistics. Software Testing. Logistics. Logistics. Plan for this week. Before we begin. Project. Final exam. Questions?

Probabilistic Assertions

Detecting SQL Injection Vulnerabilities in Web Services

Introduction to Automated Testing

Sandy. The Malicious Exploit Analysis. Static Analysis and Dynamic exploit analysis. Garage4Hackers

Wiggins/Redstone: An On-line Program Specializer

Static Analysis. Find the Bug! : Analysis of Software Artifacts. Jonathan Aldrich. disable interrupts. ERROR: returning with interrupts disabled

Revision History Revision Date Changes Initial version published to

Seven Practical Steps to Delivering More Secure Software. January 2011

Course Title: Software Development

Computer-Assisted Theorem Proving for Assuring the Correct Operation of Software

Oracle Solaris Studio Code Analyzer

KITES TECHNOLOGY COURSE MODULE (C, C++, DS)

Ontology Model-based Static Analysis on Java Programs

What is COM/DCOM. Distributed Object Systems 4 COM/DCOM. COM vs Corba 1. COM vs. Corba 2. Multiple inheritance vs multiple interfaces

CS 2112 Spring Instructions. Assignment 3 Data Structures and Web Filtering. 0.1 Grading. 0.2 Partners. 0.3 Restrictions

Outline. 1 Denitions. 2 Principles. 4 Implementation and Evaluation. 5 Debugging. 6 References

APPLICATION SECURITY RESPONSE: WHEN HACKERS COME A-KNOCKING

An Incomplete C++ Primer. University of Wyoming MA 5310

Transparency. Privacy. Compliance. Security. What does privacy at Microsoft mean? Are you using my data to build advertising products?

The programming language C. sws1 1

-.% . /(.0/ ) 53%/( (01 (%((. * 7071 (%%2 $,( . 8 / 9!0/!1 . # (3(0 31.%::((. ;.!0.!1 %2% . ".(0.1 $) (%+"",(%$.(6

Gold Standard Method for Benchmarking C Source Code Static Analysis Tools

Volume I, Section 4 Table of Contents

Embedded Programming in C/C++: Lesson-1: Programming Elements and Programming in C

D. Best Practices D.1. Assurance The 5 th A

PROBLEM SOLVING SEVENTH EDITION WALTER SAVITCH UNIVERSITY OF CALIFORNIA, SAN DIEGO CONTRIBUTOR KENRICK MOCK UNIVERSITY OF ALASKA, ANCHORAGE PEARSON

Static Analysis of Dynamic Properties - Automatic Program Verification to Prove the Absence of Dynamic Runtime Errors

Test Data Management Concepts

Introducing Formal Methods. Software Engineering and Formal Methods

El Dorado Union High School District Educational Services

Detecting Software Vulnerabilities Static Taint Analysis

How to Write a Checker in 24 Hours

eguide: Designing a Continuous Response Architecture 5 Steps For Windows Server 2003 End of Life Success

StaRVOOrS: A Tool for Combined Static and Runtime Verification of Java

find model parameters, to validate models, and to develop inputs for models. c 1994 Raj Jain 7.1

Object Oriented Software Design II

Software security assessment based on static analysis

Testing Tools Content (Manual with Selenium) Levels of Testing

SECURITY B-SIDES: ATLANTA STRATEGIC PENETRATION TESTING. Presented by: Dave Kennedy Eric Smith

Threat Modeling. Frank Piessens ) KATHOLIEKE UNIVERSITEIT LEUVEN

Trustworthy Software Systems

Vulnerability Management Nirvana: A Study in Predicting Exploitability

Model Checking of Software

Static Taint-Analysis on Binary Executables

Operating System Security

Internet Explorer turns your personal computer into a publicfile Server

Linux Kernel. Security Report

Chapter 1: Key Concepts of Programming and Software Engineering

Elemental functions: Writing data-parallel code in C/C++ using Intel Cilk Plus

Transcription:

Towards practical reactive security audit using extended static checkers 1 Julien Vanegue 1 Shuvendu K. Lahiri 2 1 Bloomberg LP, New York 2 Microsoft Research, Redmond May 20, 2013 1 The work was conducted while the first author was employed at Microsoft.

Problem: Find software security vulnerabilities in legacy applications Legacy applications Operating system applications Core drivers and other kernel components Browser renderer and browser management libraries COM components accesses Security vulnerabilities (Heap) Buffer overruns Double frees Use-after-free 1. Reference counting issues 2. Dangling pointers Information disclosures Dynamic type confusions Zero allocations Untrusted component execution (e.g. dll/ocx loading)

Problem: Find software security vulnerabilities in legacy applications Legacy applications Operating system applications Core drivers and other kernel components Browser renderer and browser management libraries COM components accesses Security vulnerabilities (Heap) Buffer overruns Double frees Use-after-free 1. Reference counting issues 2. Dangling pointers Information disclosures Dynamic type confusions Zero allocations Untrusted component execution (e.g. dll/ocx loading) Finding all such security issues ahead of time in a cost-effective manner is infeasible.

Problem: Find software security vulnerabilities in legacy applications Legacy applications Operating system applications Core drivers and other kernel components Browser renderer and browser management libraries COM components accesses Security vulnerabilities (Heap) Buffer overruns Double frees Use-after-free 1. Reference counting issues 2. Dangling pointers Information disclosures Dynamic type confusions Zero allocations Untrusted component execution (e.g. dll/ocx loading) Finding all such security issues ahead of time in a cost-effective manner is infeasible. Can we do better for some interesting scenarios?

The MSRC mission The Microsoft Security Response Center (MSRC) identifies, monitors, resolves, and responds to security incidents and Microsoft software security vulnerabilities. http://www.microsoft.com/security/msrc/whatwedo/updatecycle.aspx...the MSRC engineering team investigates the surrounding code and design and searches for other variants of that threat that could affect customers. Ensuring there are no variants of a given threat is an expensive process of automated testing, manual code review, static analysis. The process is effective (finds additional bugs) but far from providing any assurance/coverage.

A more realistic problem Reactive security audit Given an existing security threat (e.g. independent researcher finds an unknown vulnerability). Describe variants of the threat. Perform thorough checking of variants of the threat on the attack surface. In a time constrained fashion (must obtain results before a security bulletin is released (time frame: often days, weeks or months)).

Tools for an auditor A security auditor Has domain knowledge to create variants Can guide tools to help with the static checking But, cannot spend months/years to perform a formal proof of a given component

Tools for an auditor A security auditor Has domain knowledge to create variants Can guide tools to help with the static checking But, cannot spend months/years to perform a formal proof of a given component A reactive security audit tool must be cost-effective: Configurable to new problem domains. Scalable (Millions of lines of code). Accurately capture the underlying language (C/C++) semantics. Transparent with respect to the reasons for failure. No black magic.

Why audit? Other approaches find bugs, but lack user-guided refinement and controllability. White-box fuzzing (e.g. SAGE) Not property guided (can t exhaust a million lines of code) Difficult to apply to modules with complex objects as inputs Model checking (e.g. SLAM) Typically state machine properties (can t distinguish objects, data structures) Difficult to scale to more than 50KLOC Data-flow analysis (e.g. ESP) Ad-hoc approximations of source (C/C++) semantics Not suited for general property checking In other words: A user could not easily influence the outcome of these tools, even if they desired.

Extended static checkers to the rescue Extended static checking Precise modeling of language semantics (may make clearly-specified assumptions) Accurate intraprocedural checking User-guided annotation inference 1. Interprocedural analysis (made easy using templates) 2. Loop invariants (not the subject if this talk) Made possible by using automated theorem provers. ESC/Java[Flanagan,Leino et al. 01], HAVOC [Lahiri, Qadeer et al. 08], Frama-C...

Contributions Explore the problem of reactive security audit using extended static checker HAVOC. Extensions in HAVOC (called HAVOC-LITE) to deal with complexity of applications (C++, million LOCs, usability, robustness). Case study on C++/COM components in the browser and the OS at large: 1. Found 70+ new security vulnerabilities that have been fixed. 2. Vulnerabilities were not found by other tools after running on same code base. 3. Discussion of the effort required vs. payoff for the study.

Overview of the rest of the talk Overview example HAVOC overview HAVOC HAVOC-LITE Case study Conclusions

Overview example (condensed) 1 typedef s t r u c t tagvariant 2 { 3 #d e f i n e VT UNKNOWN 0 4 #d e f i n e VT DISPATCH 1 5 #d e f i n e VT ARRAY 2 6 #d e f i n e VT BYREF 4 7 #d e f i n e VT UI1 8 8 (... ) 9 VARTYPE v t ; 10 union { 11... 12 IUnknown unk ; 13 I D i s p a t c h d i s p ; 14 SAFEARRAY p a r r a y ; 15 BYTE pbval ; 16 PVOID b y r e f ; 17... 18 } ; 19 } VARIANT ; 1 void t1bad ( ) { 2 VARIANT v ; 3 v. v t = VT ARRAY ; 4 v. pbval = 0 ; 5 } 6 void t2good ( ) { 7 VARIANT v ; 8 v. v t = VT BYREF VT UI1 ; 9 u s e v f i e l d (&v ) ; 10 } 11 void u s e v f i e l d (VARIANT v ) 12 v >pbval = 0 ; 13 } 14 void t2good2 ( ) { 15 VARIANT v ; 16 s e t v t (&v ) ; v. pbval = 0 ; 17 } 18 void s e t v t (VARIANT v ) { 19 v >v t = VT BYREF VT UI1 ; 20 }

Overview example: Annotations 1 //Field instrumentations ( Encoding the p r o p e r t y ) 2 3 r e q u i r e s ( v >v t == VT ARRAY) 4 i n s t r u m e n t w r i t e p r e ( v >p a r r a y ) 5 void i n s t r u m e n t w r i t e a r r a y (VARIANT v ) ; 6 7 r e q u i r e s ( v >v t == (VT BYREF VT UI1 ) ) 8 i n s t r u m e n t w r i t e p r e ( v >pbval ) 9 void i n s t r u m e n t w r i t e p b v a l (VARIANT v ) ;

Overview example: Annotations 1 //Field instrumentations ( Encoding the p r o p e r t y ) 2 3 r e q u i r e s ( v >v t == VT ARRAY) 4 i n s t r u m e n t w r i t e p r e ( v >p a r r a y ) 5 void i n s t r u m e n t w r i t e a r r a y (VARIANT v ) ; 6 7 r e q u i r e s ( v >v t == (VT BYREF VT UI1 ) ) 8 i n s t r u m e n t w r i t e p r e ( v >pbval ) 9 void i n s t r u m e n t w r i t e p b v a l (VARIANT v ) ; 1 //Func instrumentations with candidates ( Encoding i n f e r e n c e ) 2 3 c a n d r e q u i r e s ( v >v t == (VT BYREF VT UI1 ) ) 4 c a n d r e q u i r e s ( v >v t == VT ARRAY) 5 c a n d e n s u r e s ( v >v t == (VT BYREF VT UI1 ) ) 6 c a n d e n s u r e s ( v >v t == VT ARRAY) 7 i n s t r u m e n t u n i v e r s a l t y p e ( v ) 8 i n s t r u m e n t u n i v e r s a l i n c l u d e ( "*" ) 9 void i n s t r u m e n t c a n d v a r i a n t (VARIANT v ) ;

Overview example: Tool output Addition of preconditions/postconditions on relevant methods and fields E.g. adds an assertion before access to pbval field in each of the procedures Inferred preconditions and postconditions E.g. precondition requires(v->vt == (VT BYREF VT UI1)) on func use vfield E.g. postcondition ensures(v->vt == (VT BYREF VT UI1)) on func set vt Warning only on t1bad procedure.

HAVOC flow The modular checker uses Boogie program verifier and Z3 prover. Candidate annots template Houdini inference Inferred annots Source code Property + Manual annots Concrete program semantics Modular checker Refine annots? Warning review

HAVOC HAVOC-LITE Supporting C++ constructs used commonly in the COM applications. Scalable interprocedural inference. New instrumention mechanisms to deal with classes. Usability and robustness enhancements.

C++ support Extend the memory model of HAVOC to support: Classes and attributes. C++ references. Casts (static and dynamic). Constructors, destructors and instance methods. C++ operators. Method overloading. Multiple inheritance. Dynamic dispatch and type look-up. Ability to annotate instance methods, attributes and operators. Extend instrumentations to instrument all methods of a class, or a method in all classes.

Scalable annotation inference HAVOC used Houdini[Flanagan, Leino 01] algorithm for inferring inductive annotations from a set of candidates. Previous approach only worked for a few hundred to thousand methods in a module (memory blowup) A two-level Houdini algorithm is used 1. Break inference into a large number of smaller calls to Houdini (see paper). 2. Each call to Houdini consists of few hundred methods only. 3. Different Houdini calls can act on same methods. 4. Algorithm runs until the set of contracts for methds does not change anymore.

Case study Properties checked Results Example bug Cost-effectiveness

Checked security properties Properties Description Zero-sized allocations Dynamic memory allocations never of size 0 Empty array ctors VLA allocations never of size 0 VARIANT initialization VARIANT structures must be initialized before use VARIANT type safety VARIANT fields usage consistent with run-time type Interface refcounting Interfaces must not be released without prior ref/init Library path validation Run-time modules always loaded with qualified path DOM info disclosure DOM accessors return failure on incomplete operations These properties are variants of vulnerabilities reported in a large set of MSRC bulletins (see paper).

Results : Found vulnerabilities Prop LOC Proc # Vulns Checktime Inference Zero-sized allocations 2.8M 58K 9 3h14 3h22 Empty array ctors 1.2M 3.1K 0 26m 6m13 VARIANT initialization 6.5M 196K 5 5h03 11h40 VARIANT type safety 6.5M 196K 8 5h03 11h40 Interface refcounting 2M 11.2K 4 2h26 20h Library path qualification 20M Mils 35 5d N/A DOM info disclosure 2.5M 100s 2 1h42 N/A An additional 7 bugs were found for Probe validation of userland-pointers.

Inference measurements Properties Warns Warns Improv. Cand. Inf. Warns with inf cand. Zero-sized allocations 71 50 29% 75162 42160 Empty array constructor 45 35 22% 4024 446 VARIANT initialization 216 117 45% 100924 770 VARIANT type safety 83 68 18% 100924 770 Interface refcounting 746 672 (3) 10% 234K 1671 DOM info disclosure 82 N/A N/A N/A N/A Library path validation 280 N/A N/A N/A N/A The instrumentation + candidates took less than 100 lines for each property. Interpretation : Inference is a useful to reduce the number the false positives across applicable properties.

Example bug: COM VT VARIANT vulnerability 1 HRESULT CBrowserOp : : I n v o k e ( DISPID d i s p I d, DISPPARAMS dp ) 2 { 3 switch ( d i s p I d ) { 4 case DISPID ONPROCESSINGCOMPLETE : 5 i f (! dp! dp >r g v a r g! dp >r g v a r g [ 0 ]. p d i s p V a l ) { 6 r e t u r n E INVALIDARG ; 7 } 8 e l s e { 9 IUnknown punk = dp >r g v a r g [ 0 ]. p d i s p V a l ; 10 I N e e d e d I n t e r f a c e pres = NULL ; 11 hr = punk >Q u e r y I n t e r f a c e ( I I D N e e d e d I f a c e, &pres ) ; 12 i f ( hr == S OK) { 13 P e r f o r m A c t i o n ( pres, dp ) ; 14 R e l e a s e I f a c e ( pres ) ; 15 } 16 } 17 break ; 18 d e f a u l t : r e t u r n DISP E MEMBERNOTFOUND ; 19 } 20 r e t u r n S OK ; 21 }

Cost-effectiveness of HAVOC-LITE Complement existing techniques when domain specific knowledge is required. 1. Allow broader coverage than fuzzing or testing. 2. Does not replace fuzzing or manual audit, but complement them. Review of results and creation of new annotations/instrumentations determine the level of warnings. In our experience, cost-effectiveness is best when warnings # stay smaller than 100 per Million LOC. Easier to review than trying to add more inference

Conclusion HAVOC-LITE enables practical reactive vulnerability checking on large C/C++/COM software. Explaining the reason of warnings is key to wider usability [Lahiri, Vanegue, VMCAI 11] Future work Currently attempting to roll out to other security auditors and properties. Work inspired new methods for assigning confidence to warnings [Blackshear, Lahiri PLDI 13] Combine with property-directed inlining [Lal,Lahiri,Qadeer CAV 12]

The end Questions? Thank you.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information