
MOPS: an Infrastructure for Examining Security Properties of Software


Presentation Transcript


  1. MOPS: an Infrastructure for Examining Security Properties of Software
  Authors: Hao Chen, David Wagner, University of California at Berkeley
  Published: ACM Computer and Communication Security 02
  Presenter: Xingbo Gao

  2. Outline
  • Problem Definition and Motivation
  • Introduction of Temporal Safety Properties
  • Formal Models and Framework
  • Feasible Applications
  • Strengths, Weaknesses and Improvements

  3. Problem Definition and Motivation

    // now in directory "/var/ftp"
    chroot("/var/ftp/pub");        // -----> confines the root priv. in new dir.
    chdir("/var/ftp/pub");
    filename = read_from_network();
    fd = open(filename, O_RDONLY);

  [Figure: directory tree showing root /, /var, /etc, /var/ftp, /var/ftp/pub and /etc/passwd; question on the slide: filename = "../../etc/passwd" ??]

  4. Contribution
  • A new idea to examine security properties of software: verify whether temporal safety properties are obeyed
  • Propose a formal model to automate this verification process

  5. Temporal Safety Property
  • Dictates the order of a sequence of security-relevant operations
  • Can be used to describe many rules for security programs
  • Violating such properties often renders the program vulnerable to attack
  • Detecting violations, or verifying that the properties hold, significantly helps reduce software vulnerabilities
  • Manual checking cannot scale to large programs

  6. Formal Model
  • Σ : the set of security-relevant operations
  • L(M) : all sequences of security operations that violate the security property
  • T : the set of all feasible paths
  • L(M) is a regular language (M : FSA)
  • T is a context-free language (accepted by a PDA)

  7. Another Example
  • Before making certain system calls that run untrusted programs, a privileged process must first drop all privileges

  8. Brief Review of ruid, euid and suid
  • Each Unix process has three user ids:
    • ruid: real user id
    • euid: effective user id
    • suid: saved user id
  [Figure: the passwd program making the syscall seteuid(0). Before: real-uid = tom, effective-uid = tom, saved-uid = root. After: real-uid = tom, effective-uid = root, saved-uid = root]

  9. Temporal Safety Property Example

    #include <pwd.h>
    #include <stdio.h>
    #include <unistd.h>

    FILE *log;                                /* log file, assumed opened elsewhere */
    void do_something_with_privilege(void);
    void drop_privilege(void);

    int main(int argc, char *argv[])
    {
        // start with root privilege
        do_something_with_privilege();
        drop_privilege();
        execl("/bin/sh", "/bin/sh", NULL);    // risky syscall
    }

    void drop_privilege(void)
    {
        struct passwd *passwd;
        if ((passwd = getpwuid(getuid())) == NULL)
            return;                           // returns without dropping privilege
        fprintf(log, "drop priv for %s", passwd->pw_name);
        seteuid(getuid());
    }

  10. Formal Model Cont.
  Σ = {execl(), seteuid(0), seteuid(!0)}    (set of security operations)
  T = {[seteuid(!0), execl()], [execl()]}    (all feasible traces)
  T ∩ L(M) = {[execl()]}
  [Figure: an FSA describing the property "Dropping Privileges"]
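The intersection on this slide, and the chroot sequence from slide 3, can be checked mechanically the way the formal model of slide 6 suggests: walk the product of the program's control-flow graph and the property FSA M and report any path on which M reaches its error state. The following is an added toy checker written for this page; it is not the MOPS implementation. The function names, the CFG encoding (one edge per statement, `None` for statements outside Σ) and the formulation of the chroot property (after `chroot()` the process must `chdir("/")` before any file access) are this example's own assumptions; the "dropping privileges" FSA and the program are transcribed from slides 9 and 10.

```python
"""Toy MOPS-style checker (added example, not the MOPS code).

A program is a control-flow graph whose edges may carry a security-relevant
operation from Sigma; a property is an FSA M whose ERROR state accepts the
violating traces L(M).  A violation is a program path on which M reaches
ERROR, i.e. a witness that T and L(M) intersect.  Function names, the CFG
encoding and the chroot property are assumptions made for this example."""
from collections import deque

ERROR = "ERROR"

def step(fsa, state, op):
    """Advance M on op; operations M does not mention leave its state alone."""
    return fsa.get((state, op), state)

def check(cfg, entry, fsa, init):
    """Breadth-first search of the product (program node, FSA state).
    Returns the shortest violating trace as a list of ops, or None."""
    start = (entry, init)
    queue, seen = deque([(start, ())]), {start}
    while queue:
        (node, state), trace = queue.popleft()
        for op, nxt in cfg.get(node, []):
            new_state = step(fsa, state, op) if op else state
            new_trace = trace + (op,) if op else trace
            if new_state == ERROR:
                return list(new_trace)          # witness for T ∩ L(M)
            key = (nxt, new_state)
            if key not in seen:                 # loops in the CFG terminate here
                seen.add(key)
                queue.append((key, new_trace))
    return None

def traces(cfg, node, exits):
    """Enumerate T, the feasible traces of an acyclic CFG, as sorted tuples."""
    if node in exits:
        return [()]
    out = []
    for op, nxt in cfg.get(node, []):
        for rest in traces(cfg, nxt, exits):
            out.append(((op,) if op else ()) + rest)
    return sorted(out)

# Slide 9's program; op None marks statements outside Sigma.
PRIV_CFG = {
    "main":    [(None, "drop")],            # do_something_with_privilege()
    "drop":    [(None, "exec"),             # getpwuid() == NULL: return early
                (None, "seteuid")],         # else: fprintf(log, ...)
    "seteuid": [("seteuid(!0)", "exec")],   # seteuid(getuid()) with a non-root uid
    "exec":    [("execl()", "end")],        # the risky syscall
}
# Patched variant (assumed): drop_privilege() has no early return.
PRIV_CFG_FIXED = dict(PRIV_CFG, drop=[(None, "seteuid")])

# Slide 10's FSA for "dropping privileges", Sigma = {execl(), seteuid(0), seteuid(!0)}.
DROP_PRIV_FSA = {
    ("priv", "seteuid(!0)"):  "unpriv",
    ("unpriv", "seteuid(0)"): "priv",
    ("priv", "execl()"):      ERROR,
}

# Slide 3's chroot sequence, modelled against an assumed property: once the
# process has called chroot() it must chdir("/") before touching any file;
# a chdir() to any other path leaves the working directory unconfined.
CHROOT_CFG = {
    "start": [("chroot()", "cd")],
    "cd":    [("chdir(other)", "open")],    # chdir("/var/ftp/pub") after chroot
    "open":  [("open()", "end")],           # open(filename), cwd still outside
}
CHROOT_CFG_FIXED = dict(CHROOT_CFG, cd=[('chdir("/")', "open")])
CHROOT_FSA = {
    ("free", "chroot()"):     "jailed",
    ("jailed", 'chdir("/")'): "safe",
    ("jailed", "open()"):     ERROR,
}

if __name__ == "__main__":
    print("T =", traces(PRIV_CFG, "main", {"end"}))
    print("T ∩ L(M) witness:", check(PRIV_CFG, "main", DROP_PRIV_FSA, "priv"))
    print("patched program:", check(PRIV_CFG_FIXED, "main", DROP_PRIV_FSA, "priv"))
    print("chroot sequence:", check(CHROOT_CFG, "start", CHROOT_FSA, "free"))
    print("chroot fixed:", check(CHROOT_CFG_FIXED, "start", CHROOT_FSA, "free"))
```

Run on slide 9's program the checker reproduces the slide's result: T contains both `[seteuid(!0), execl()]` and `[execl()]`, and the early-return path `[execl()]` is the witness in T ∩ L(M). Because the search tracks only (program node, FSA state) pairs, it terminates on looping programs, but it is exactly as imprecise as the FSA: the assumed chroot property, for instance, would also flag the safe idiom of calling `chdir()` to the jail directory before `chroot()`, which is the kind of false alarm from approximated modeling that slide 13 mentions.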

  11. Modular Implementation

  12. Applications
  • Checking proper dropping of privileges
    • sendmail 8.10.1 fails to drop root privilege in user IDs
    • sendmail 8.12.0 fails to drop privilege in group IDs
  • Verifying success of system calls
    • OpenSSH 2.5.2: no uid-setting syscalls may fail
  • Checking privilege flow in non-local control flow
    • wu-ftpd 2.4 beta 11 has an offending path
    • wu-ftpd 2.4 beta 12 fixed this vulnerability

  13. Strengths and Weaknesses
  • Strengths
    • proposes a novel formal approach to model checking security properties in large programs
    • efficient algorithm and good scalability
    • sound modeling
  • Weaknesses
    • can raise some false alarms due to approximated modeling
    • reduced precision because of very limited data flow analysis (e.g. if-then-else)

  14. Possible Improvements
  • Investigate how much data flow analysis can be incorporated into MOPS
  • Improve MOPS while experimenting with checking more security properties in more programs

  15. Questions ?
