Achieving Trusted Systems by Providing Security and Reliability (Research Project #22)
Project Members: Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman
Objective and Approach
Objective
WU-FTP Server Format String Attack
NULL-HTTP Server Heap Corruption Attack
Internals of Format String Attack
fmt: format string pointer
ap: argument pointer
printf(buf); /* should be printf("%s", buf) */
\xdd \xcc \xbb \xaa %d %d %d %n
if (fmt points to "%n")
then **ap = (character count)
*ap is a tainted value.
The C source code of a library function is automatically translated to a formal semantic representation.
For each pointer dereference in an assignment, generate a theorem stating that the pointer is not tainted
A set of sufficient conditions that imply the validity of the theorems.
They are the security specifications of the analyzed function.
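The %n step and the "pointer is not tainted" condition above, as an added example that is not from the original slides or the project's own tool: a toy formatter over a simulated argument area in which every word carries a taint bit, so %n refuses to write when *ap is tainted. The names checked_format, struct word, mem and the sample arguments are assumptions constructed for illustration, and the slide's input is written here without the spaces between its tokens.

```c
#include <stdio.h>
#include <stdint.h>
#define MEM_WORDS   8
#define ERR_ARGS    (-1)  /* malformed format or missing argument */
#define ERR_TAINTED (-2)  /* %n would dereference a tainted pointer */
/* One word of the simulated argument area; tainted = derived from user input. */
struct word { uint32_t val; int tainted; };
static uint32_t mem[MEM_WORDS];  /* simulated memory; a "pointer" is an index */

/* Toy formatter for %d and %n only. Returns the character count or an error. */
int checked_format(const char *fmt, const struct word *ap, size_t nargs)
{
    int count = 0;
    for (; *fmt; fmt++) {
        if (*fmt != '%') { count++; continue; }
        if (*++fmt == '\0' || nargs == 0) return ERR_ARGS;
        if (*fmt == 'd') {
            char tmp[16];
            count += snprintf(tmp, sizeof tmp, "%d", (int)ap->val);
        } else if (*fmt == 'n') {
            /* Security specification: the pointer *ap must not be tainted. */
            if (ap->tainted) return ERR_TAINTED;
            if (ap->val >= MEM_WORDS) return ERR_ARGS;
            mem[ap->val] = (uint32_t)count;  /* **ap = (character count) */
        } else return ERR_ARGS;
        ap++; nargs--;
    }
    return count;
}

/* Constructed case 1: programmer-supplied format and an untainted pointer. */
int demo_benign(void)
{
    const struct word args[] = { {42, 0}, {3, 0} };
    return checked_format("%d items%n", args, 2);  /* writes 8 to mem[3] */
}

/* Constructed case 2: printf(buf) with the slide's input; the word %n uses lies in buf. */
int demo_user_format(void)
{
    const struct word args[] = { {1, 0}, {2, 0}, {3, 0}, {0xaabbccddu, 1} };
    return checked_format("\xdd\xcc\xbb\xaa%d%d%d%n", args, 4);
}

int main(void)
{
    int b = demo_benign(), u = demo_user_format();
    printf("benign=%d mem[3]=%u user_format=%d\n", b, (unsigned)mem[3], u);
    return 0;
}
```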