1 / 54

CSSV – C String Static Verifier

CSSV – C String Static Verifier. Nurit Dor Michael Rodeh Mooly Sagiv Greta Yorsh Tel-Aviv University http://www.cs.tau.ac.il/~nurr. The Problem: Detecting String Manipulation Errors. An important problem Common errors Cause security vulnerability A challenging problem Use of pointers

zoe
Download Presentation

CSSV – C String Static Verifier

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. CSSV – C String Static Verifier Nurit Dor Michael Rodeh Mooly Sagiv Greta Yorsh Tel-Aviv University http://www.cs.tau.ac.il/~nurr

  2. The Problem:Detecting String Manipulation Errors • An important problem • Common errors • Cause security vulnerability • A challenging problem • Use of pointers • Use of pointer arithmetic • Error point vs. failure point

  3. Example– unsafe call to strcpy() simple() { char s[20]; char *p; char t[10]; strcpy(s,”Hello”); p = s + 5; strcpy(p,” world!”); strcpy(t,s); }

  4. buf cp Complicated Example /* from web2c [fixwrites.c] */ #define BUFSIZ 1024 char buf[BUFSIZ]; char insert_long(char *cp) { char temp[BUFSIZ]; … for (i = 0; &buf[i] < cp ; ++i) temp[i] = buf[i]; strcpy(&temp[i],”(long)”); strcpy(&temp[i+6],cp); … temp (long)

  5. Complicated Example /* from web2c [fixwrites.c] */ #define BUFSIZ 1024 char buf[BUFSIZ]; char insert_long(char *cp) { char temp[BUFSIZ]; … for (i = 0; &buf[i] < cp ; ++i) temp[i] = buf[i]; strcpy(&temp[i],”(long)”); strcpy(&temp[i+6],cp); … buf cp temp ( l o n g )

  6. buf cp Complicated Example /* from web2c [fixwrites.c] */ #define BUFSIZ 1024 char buf[BUFSIZ]; char insert_long(char *cp) { char temp[BUFSIZ]; … for (i = 0; &buf[i] < cp ; ++i) temp[i] = buf[i]; strcpy(&temp[i],”(long)”); strcpy(&temp[i+6],cp); … temp (long)

  7. NbLine + 1 Real Example void RTC_Si_SkipLine(const INT32 NbLine, char ** const PtrEndText) { INT32 indice; for (indice=0; indice<NbLine; indice++) { **PtrEndText = '\n'; (*PtrEndText)++; } **PtrEndText = '\0'; return; } PtrEndText

  8. Vulnerable String Manipulation • Pointers to bufferschar *p= buffer; … while( ) p++; • Standard string manipulation functions strcpy(), strcat(), … • NULL termination strncpy(), …

  9. Are String Violations Common? • FUZZ study (1995) • Random test programs on various systems • 9 different UNIX systems • 18% – 23% hang or crash • 80% are string related errors • CERT advisory • 50% of attacks are abuses of buffer overflows

  10. Current Methods • Runtime • Safe-C [PLDI’94] • Purify • Bound-checking … • Static+ Runtime • CCured [POPL’02]

  11. Current Methods • Static • Wagner et. al. [NDSS’00] • LCLint’s extension [USENIX’01] • Dor, Rodeh and Sagiv [SAS’01]

  12. Goals • Static detection of string errors • References beyond array limit • Unsafe pointer arithmetic • Missing null terminator • Additional properties: • References beyond null • Specified using preconditions • Sound • Never miss errors • Few false alarms IS IT POSSIBLE ?

  13. Challenges in Static Analysis • Soundness • Precision • Combine integer and pointer analysis (p+i) = ‘\0’; strcpy(q, p); • Scalability to handle real applications • Complexity of Chaotic iterations • Handles full C

  14. CSSV Solution • Use powerful static domain • Exponential abstract interpretation • Use pre- and post-conditions to specify procedure requirements on strings • No interprocedural analysis • Modular analysis • Automatic generation of procedure specification

  15. PreModPost Cfiles Cfiles AWP CSSV Pointer Analysis Procedure’sPointer info Procedure name C2IP Integer Proc Potential Error Messages Integer Analysis

  16. Advantages of Specifications • Allows modular analysis • Not all the code is available • Enables more precise analyses • User control of the verification • Detect errors at point of logical error • Improve the precision of the analysis • Check additional properties • Beyond ANSI-C

  17. Specification and Soundness • Preconditions are handled conservatively • All errors are detected • Inside a procedure’s bodyOR • At call statements to the procedure

  18. Specification– strcpy char* strcpy(char* dst, char *src) requires mod ensures ( string(src)  alloc(dst) > len(src) ) dst.strlen, dst.is_nullt ( len(dst) = = pre@len(src)  return = = pre@dst )

  19. Specification – insert_long() /* insert_long.c */ #include "insert_long.h" char buf[BUFSIZ]; char * insert_long (char *cp) { char temp[BUFSIZ]; int i; for (i=0; &buf[i] < cp; ++i){ temp[i] = buf[i]; } strcpy (&temp[i],"(long)"); strcpy (&temp[i + 6], cp); strcpy (buf, temp); return cp + 6; } char * insert_long(char *cp) requires( string(cp)  buf  cp < buf + BUFSIZ ) modcp.strlen ensures ( cp.strlen = = pre[cp.strlen + 6]  return_value = = cp + 6 ; )

  20. Difficulties with Specifications • Legacy code • Complexity of software • Need to know context

  21. PreModPost Cfiles Cfiles CSSV Pointer Analysis Procedure’sPointer info Procedure name C2IP Integer proc Potential Error Messages Integer Analysis

  22. CSSV – Pointer Analysis • Models the string objects • Pre compute points-to information • Determines which objects may be updated thru a pointer char s[20]; char *p; … p = s + 5; strcpy(p,” world!”);

  23. local p q s t r temp Integrating Pointer Information? foo(char *p, char *q) { char local[100]; … p = local; *q = 0; … } main() { char s[10], t[20], r[30]; char *temp; foo(s,t);foo(s,r); … temp = s … }

  24. Projection for foo() foo(char *p, char *q) { char local[100]; … p = local; … } local p q param#1 param#2

  25. PreModPost Cfiles Cfiles CSSV Pointer Analysis Procedure’sPointer info Procedure name C2IP Integer proc Potential Error Messages Integer Analysis

  26. C2IP – C to Integer Program • Generate an integer program • Integer variables only • No function calls • Non deterministic • Goal: String error in the C program Assert violated in the IP

  27. C2IP – C to Integer Program • Inline specification • Based on points-to information • Generate constraint variables • Generate assert statements • Generate update statements

  28. C2IP - Constraint Variable • For every pointer p.offset s p.offset = 2

  29. aloc5.msize aloc5.len C2IP - Constraint Variable • For every abstract location aloc.is_nullt aloc.len aloc.msize aloc5 0 s t

  30. C2IP char buf[BUFSIZ]; int buf.offset = 0; int sbuf.msize = BUFSIZ; int sbuf.len; int sbuf.is_nullt; char * insert_long (char *cp) { int cp.offset; char temp[BUFSIZ] int temp.offset = 0; int stemp.msize = BUFSIZ; int stemp.len ; int stemp.is_nullt; int i int i require string(cp); assume(sbuf.is_nullt 0  cp.offset  sbuf.len  sbuf.alloc ); for(i=0; &buf[i] < cp; ++i) { temp[i]=cp[i]; } for (i=0; i< cp.offset ; ++i ) { assert(0  i  stemp.msize  (stemp.is_nullt i stemp.len)); assert(-i cp.offset< -i +sbuf.len); if (sbuf.is_nullt  sbuf.len == i ) { stemp.len = i; stemp.is_nullt = true; } else …

  31. C2IP char * insert_long (char *cp) { int cp.offset; char temp[BUFSIZ] int temp.offset = 0; int stemp.msize = BUFSIZ; int stemp.len ; int stemp.is_nullt; int i int i require string(cp); assume(sbuf.is_nullt 0  cp.offset  sbuf.len  sbuf.alloc ); for(i=0; &buf[i] < cp; ++i) { temp[i]=cp[i]; } for (i=0; i< cp.offset ; ++i ) { assert(0  i  stemp.msize  (stemp.is_nullt i stemp.len)); assert(-i cp.offset< -i +sbuf.len); if (sbuf.is_nullt  sbuf.len == i ) { stemp.len = i; stemp.is_nullt = true; } else … strcpy(&temp[i],"(long)"); assert(0  i < 6 - stemp.msize ); assume(stemp.len == i + 6);…

  32. C2IP - Update statements p = s + 5; p.offset = s.offset + 5;

  33. C2IP - Use points-to information aloc1 p aloc5 *p = 0; if (…) { aloc1.len = p.offset; aloc1.is_nullt = true; } else { alloc5.len = p.offset; alloc5.is_nullt = true; }

  34. Handling structures • Pointer analysis handles structures • C2IP handles pointer arithmetic • Generate constraint variables per field

  35. PreModPost Cfiles Cfiles CSSV Pointer Analysis Procedure’sPointer info Procedure name C2IP Integer proc Potential Error Messages Integer Analysis

  36. Integer Analysis • Interval analysis is not enough assert(-i cp.offset< -i +sbuf.len); • Use a powerful abstract domain • Polyhedra (Cousot Halbwachs, 78) • Statically analyzes program variable relations and detects constraints: a1* var1 + a2* var2 + … + an* varn b

  37. y  1 x + y  3-x + y 1 V = <(1,2) (2,1) > R = <(1,0) (1,1)> 0 1 2 3 y 0 1 2 3 x Linear Relation Analysis • Statically analyzes program variable relations and detects constraints: a1* var1 + a2* var2 + … + an* varn b • Polyhedron

  38. i = cp.offset  1018 buf cp temp Integer Analysis – insert_long() buf.offset = 0 temp.offest = 0 0  cp.offset = i i  sbuf.len < s buf.msize sbuf.msize = 1024 stemp.msize= 1024 ( l o n g ) assert(0  i < 6 - stemp.msize ); // strcpy(&temp[i],"(long)"); Potential violation when cp.offset  1018

  39. PreModPost Cfiles Cfiles AWP CSSV Pointer Analysis Procedure’sPointer info Procedure name C2IP Integer proc Potential Error Messages Integer Analysis

  40. Cfiles Cfiles Pre AWP CSSV Pointer Analysis Procedure’sPointer info LeafProcedure C2IPside effect Mod Integer proc

  41. Cfiles Cfiles Post CSSV Pointer Analysis Procedure’sPointer info LeafProcedure C2IPside effect Pre Mod Integer proc Potential Error Messages Integer Analysis

  42. AWP • Approximate the Weakest Precondition • Backward integer analysis • Generates a precondition

  43. AWP – insert_long() • Generate the following precondition: sbuf.is_nullt  sbuf.len < sbuf.alloc  0  cp.offset  sbuf.len  …

  44. AWP – insert_long() • Generate the following precondition: string(cp)  sbuf.len  cp.offset + 1017 • Not the weakest precondition: string(cp)  sbuf.len  1017

  45. Implementation • Using: • ASToolKit [Microsoft] • GOLF [Microsoft – Das Manuvir] • New Polka [IMAG - Bertrand Jeannet] • Main steps: • Simplifier • Pointer analysis • C2IP • Integer Analysis

  46. PreModPost Core C Cfiles Cfiles Implementation – step 1 Inline Annotation Procedure name C’ Simplifier

  47. Core C • Simplify the analysis implementation • A limited form of C expressions • Adds temporaries • At most one operator per statement • Convert value into location computation • No lost of precision

  48. Core C Implementation – step 2 GOLF pointer analysis Procedure name GFCvisible variables Visible variables GlobalPointer info Procedure’spointer projection Procedure’sPointer info

  49. Core C Pre Implementation – step 3 , 4 GFCC2IP Procedure name Integer Program ModularPointer info backward Integer Analysis forward Potential Error Messages

  50. Preliminary results (web2C) Up to four times faster than SAS01

More Related