• No results found

Statically Detecting Likely Buffer Overflow Vulnerabilities

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Statically Detecting Likely Buffer Overflow Vulnerabilities"

Copied!
6
0
0

Loading.... (view fulltext now)

Download now ( 6 Page )

Full text

(1)

(Article begins on next page)

Please share

how this access benefits you. Your story matters.

Citation

David Larochelle, David Evans, Statically Detecting Likely Buffer

Overflow Vulnerabilities, 2001 USENIX Security Symposium,

Washington, D.C., August 13-17 2001.

Published Version

http://www.usenix.org/events/sec01/larochelle.html

Accessed

February 19, 2015 8:39:11 AM EST

Citable Link

http://nrs.harvard.edu/urn-3:HUL.InstRepos:5027549

Terms of Use

This article was downloaded from Harvard University's DASH

repository, and is made available under the terms and conditions

applicable to Other Posted Material, as set forth at

http://nrs.harvard.edu/urn-3:HUL.InstRepos:dash.current.terms-of-use#LAA

(2)

Statically Detecting Likely

Buffer Overflow Vulnerabilities

David Larochelle

David Evans

University of Virginia Department of Computer Science

Supported by USENIX Student

Grant and NASA LRC

16 August 2001

David Larochelle 2

• 1988: Morris worm exploits buffer overflows in fingerd to infect 6,000 servers

• 2001: Code Red exploits buffer overflows in IIS to infect 250,000 servers

– Single largest cause of vulnerabilities in CERT advisories

– Buffer overflow threatens Internet- WSJ(1/30/01)

16 August 2001

Why aren’t we better off than

we were 13 years ago?

• Ignorance

• C is difficult to use securely

– Unsafe functions – Confusing APIs

• Even security aware programmers make mistakes. • Security Knowledge has not been codified into the

development process 16 August 2001

Automated Tools

• Run-time solutions – StackGuard[USENIX 7], gcc bounds-checking, libsafe[USENIX 2000] – Performance penalty

– Turns buffer overflow into a DoS attack

• Compile-time solutions - static analysis

– No run-time performance penalty – Checks properties of all possible executions

(3)

16 August 2001

David Larochelle 5

Design Goals

• Tool that can be used by typical programmers as part of the development process

– Fast, Easy to Use

• Tool that can be used to check legacy code

– Handles typical C programs

• Encourage a proactive security methodology

– Document key assumptions

16 August 2001

David Larochelle 6

Our approach

• Document assumptions about buffer sizes – Semantic comments

– Provide annotated standard library – Allow user's to annotate their code • Find inconsistencies between code and

assumptions

• Make compromises to get useful checking – Use simplifying assumptions to improve efficiency – Use heuristics to analyze common loop idioms – Accept some false positives and false negatives

(unsound and incomplete analysis)

Implementation

• Extended LCLint

– Open source checking tool [FSE ‘94] [PLDI ‘96] – Uses annotations

– Detects null dereferences, memory leaks, etc. • Integrated to take advantage of existing

checking and annotations (e.g., modifies) • Added new annotations and checking for

Annotations

• requires, ensures • maxSet

– highest index that can be safely written to • maxRead

– highest index that can be safely read • char buffer[100];

(4)

16 August 2001 David Larochelle 9

SecurityFocus.com Example

void func(char *str){ char buffer[256]; strncat(buffer, str, sizeof(buffer) - 1); return; }

char *strncat (char *s1, char *s2, size_t n)

/*@requires maxSet(s1)

>=maxRead(s1) + n@*/

uninitialized array

Source: Secure Programming working document, SecurityFocus.com

16 August 2001

David Larochelle 10

strncat.c:4:21: Possible out-of-bounds store: strncat(buffer, str, sizeof((buffer)) - 1); Unable to resolve constraint:

requires maxRead (buffer @ strncat.c:4:29) <= 0 needed to satisfy precondition:

requires maxSet (buffer @ strncat.c:4:29)

>= maxRead (buffer @ strncat.c:4:29) + 255 derived from strncat precondition:

requires maxSet (<parameter 1>)

>= maxRead (<parameter1>) + <parameter 3>

Warning Reported

char * strncat (char *s1, char *s2, size_t n) /*@requires maxSet(s1) >= maxRead(s1) + n @*/

char buffer[256];

strncat(buffer, str, sizeof(buffer) - 1);

16 August 2001

Overview of checking

• Intraprocedural

– But use annotations on called procedures and global variables to check calls, entry, exit points • Expressions generate constraints

– C semantics, annotations

• Axiomatic semantics propagates constraints • Simplifying rules

(e.g. maxRead(str+i) ==> maxRead(str) - i) • Produce warnings for unresolved constraints

16 August 2001

Loop Heuristics

• Recognize common loop idioms

• Use heuristics to guess number of iterations • Analyze first and last iterations

Example:

for (init; *buf; buf++)

– Assume maxRead(buf) iterations – Model first and last iterations

(5)

16 August 2001

David Larochelle 13

Case studies

• wu-ftpd 2.5 and BIND 8.2.2p7 – Detected known buffer overflows

– Unknown buffer overflows exploitable with write access to config files

• Performance

– wu-ftpd: 7 seconds/ 20,000 lines of code – BIND: 33 seconds / 40,000 lines – Athlon 1200 MHz 16 August 2001 David Larochelle 14

Results

95 writes 166 reads 132 writes 220 reads -Other Warnings 4 40 19 LCLint warnings with no annotations added 4 55 strncpy 21 97 strcpy 12 27 strcat LCLint warning with annotations Instances in wu-ftpd (grep)

int acl_getlimit(char *class, char *msgpathbuf) {

struct aclmember *entry = NULL; while (getaclentry("limit", &entry)) {

strcpy(msgpathbuf, entry->arg[3]);

LCLint reports a possible buffer overflow for

wu-ftpd vulnerablity

/*@requires maxSet(msgpathbuf) >= 1023 @*/ /*@requires maxSet(msgpathbuf) >= 1023 @*/ strncpy(msgpathbuf, entry->arg[3], 1023); msgpathbuf[1023] = ‘\0’; strncpy(msgpathbuf, entry->arg[3], 199); msgpathbuf[199] = ‘\0’; /*@requires maxSet(msgpathbuf) >= 199 @*/ /*@requires maxSet(msgpathbuf) >= 199 @*/

int access_ok( int msgcode) { char class[1024], msgfile[200]; int limit;

limit = acl_getlimit(class, msgfile);

Related Work

• Lexical analysis

– grep, its4, RATS, FlawFinder

• Wagner, Foster, Brewer [NDSSS ‘00] – Integer range constraints

– Flow insensitive analysis

(6)

16 August 2001

David Larochelle 17

Impediments to wide spread

adoption

• People are lazy

• Programmers are especially lazy • Adding annotations is too much work

(except for security weenies)

• Working on techniques for automating the annotation process

16 August 2001

David Larochelle 18

Conclusion

• 2014:???

– Will buffer overflows still be common? – Codify security knowledge in tools real

programmers can use Beta version now available:

http://lclint.cs.virginia.edu

David Larochelle David Evans [email protected] [email protected]

References

Download now ( PDF - 6 Page - 92.88 KB )

Related documents

Implementing Database Security and Auditing

into procedures with buffer overflow vulnerabilities 168 5.4.2 Implementation options: Patches and best practices 170 5.5 Don't consider eliminating the application server layer 170

Whitepaper. Considerations When Evaluating a Playout System Implementation

By abandoning the conventional approach of delivering and branding television in multiple disparate steps, integrated playout systems hold the key to radically simplifying

Self-Fashioning, Double Consciousness, and a History of Representation: The Narratives of Frederick Douglass and Solomon Northup as Compared to Runaway Slave Advertisements

African Americans like Frederick Douglass were born into slavery and experienced at a young age the projected identity of being less than human by their white oppressors. Northup

Lessons from the Arab Spring.

This section will offer detailed recommendations provided by the researcher on the four conditions (military loyalty to the regime, the existence of civil society, the utilization

PROF. DR. OLIVER GÜRTLER CURRICULUM VITAE

Economic Inquiry, Economic Theory, Economic Theory Bulletin, European Economic Review, European Journal of Political Economy, Experimental Eco- nomics, Games and Economic

Tonight s Speaker. Life of a Tester at Microsoft Urvashi Tyagi Software Test Manager, Microsoft

Test strategy Master plan Test Design Specificatio n Test cases Test tool Bug report Test Sign- off Test Deliverables PLC TLC Testability..  Windows Vista + Office 12

NACE RESEARCH NACE RESEARCH. Job Outlook 2006 $39.95

Among respondents, roughly two out of five (42.9 percent) reported that they offered signing bonuses to 2004-05 graduates, and 43.9 percent reported that they have plans to

Thayer Chinese Assertiveness and U.S. Rebalancing: Confrontation in the South China Sea

In  this  respect,  the  South  China  Sea  is  an  area  of  growing  concern.    This  sea  is  not  only  vital  to