Alleviating False Alarm Problem of Static Buffer Overflow Analysis
Youil Kim <[email protected]>, 2008-12-12
Background
• Morris worm (1998)
  – Infected over 6,000 major Unix machines.
  – Buffer overflows in UNIX fingerd
• Code-Red virus (2001)
  – Infected over 359,000 computers in 14 hours.
  – Buffer overflows in Microsoft IIS
• Buffer overflows account for 1/3 of the severe remotely exploitable vulnerabilities.
Our Goal
• A Scalable and Precise Static Buffer Overflow Analyzer for Large C Programs
  – How can we catch both rabbits at once?
Our Approach
Figure (pipeline): C Code → Scalable Analysis → Buffer Overflow Alarms → Precise Analysis → Reduced Alarms
Our Approach
• Less precise analysis, first.
  – Unification-based points-to analysis
  – Interval analysis
• Precise analysis on small areas around potential alarms
  – Symbolic execution using an SMT solver
Current Development Status
• Scalable static buffer overflow analyzer
  – Analyzes five GNU tools in five minutes.
• Precise analysis using an SMT solver.
  – Reduces 72% of false alarms of the buffer overflow test cases from three open source applications (bind, sendmail, wu-ftpd).
Note: SMT Solver
• Satisfiability Modulo Theories
  – SMT generalizes boolean satisfiability by adding equality reasoning, arithmetic, and other useful theories.
• Z3 from Microsoft
  – Used in several program analysis, verification, and test case generation projects.
Note: SMT Formula
SMT Formula:
(x > 0) and ((x + y < 2) or (x + 2y - z >= 6)) and ((x + y = 2) or (x + 2y - z > 4))
SAT Formula (each arithmetic atom replaced by a boolean variable):
X0 and (X1 or X2) and (X3 or X4)
Raccoon, Our Base Analyzer
Raccoon Overview
Figure (pipeline): C Code → Analysis 1: Points-to Analysis → Analysis 2: Interval Analysis → Analysis 3: Buffer Analysis → Buffer Overflow Alarms → False Alarm Filter → Reduced Alarms
Buffer Analysis Example: p = {offset = [0, 1], length = [3, 3], size = [5, 5]} (p points at offset 0 or 1 into the buffer)
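The buffer abstraction shown above, as an added example that is not Raccoon's own code: a small Python model of the {offset, length, size} interval triple together with the in-bounds checks a buffer analysis needs for a byte write and for a string copy. The `Buffer` class, the predicate names and the `INF` stand-in for the slide's +oo/-oo are this example's assumptions; the sample states are constructed from the slide's p = {offset=[0,1], length=[3,3], size=[5,5]} and from the Size/Offset that Raccoon reports for rmt.c:311.

```python
from dataclasses import dataclass

INF = float("inf")  # stand-in for the slide's +oo / -oo (this example's convention)


@dataclass(frozen=True)
class Interval:
    lo: float
    hi: float

    def __add__(self, other: "Interval") -> "Interval":
        return Interval(self.lo + other.lo, self.hi + other.hi)


@dataclass(frozen=True)
class Buffer:
    """Hypothetical model of the slide's p = {offset, length, size} triple."""
    offset: Interval   # where p points, relative to the start of the buffer
    length: Interval   # length of the NUL-terminated string held in the buffer
    size: Interval     # allocated size of the buffer in bytes


def ptr_add(p: Buffer, k: Interval) -> Buffer:
    # p + k moves only the offset; the pointee's string length and size are unchanged
    return Buffer(p.offset + k, p.length, p.size)


def byte_write_is_safe(p: Buffer) -> bool:
    # `*p = c` is provably in bounds only when every possible offset lies in
    # [0, size - 1]; anything else is reported as an alarm (sound over-approximation)
    return p.offset.lo >= 0 and p.offset.hi < p.size.lo


def strcpy_is_safe(dst: Buffer, src: Buffer) -> bool:
    # strcpy(dst, src) writes src.length + 1 bytes (including the NUL) from dst.offset;
    # in this model src.length is the number of bytes copied before the NUL
    return dst.offset.lo >= 0 and dst.offset.hi + src.length.hi + 1 <= dst.size.lo


# Constructed sample: the slide's abstract state for p
P_SLIDE = Buffer(Interval(0, 1), Interval(3, 3), Interval(5, 5))
# Constructed samples: source strings of length exactly 3 and exactly 4
S3 = Buffer(Interval(0, 0), Interval(3, 3), Interval(8, 8))
S4 = Buffer(Interval(0, 0), Interval(4, 4), Interval(8, 8))
# Constructed sample: the state Raccoon reports at rmt.c:311, Size [64,64], Offset [-oo,62]
P_RMT311 = Buffer(Interval(-INF, 62), Interval(0, INF), Interval(64, 64))


def analyze_examples() -> dict:
    """Verdict per write statement: True = proved safe, False = alarm."""
    return {
        "*p = c": byte_write_is_safe(P_SLIDE),
        "*(p + 4) = c": byte_write_is_safe(ptr_add(P_SLIDE, Interval(4, 4))),
        "strcpy(p, s3)": strcpy_is_safe(P_SLIDE, S3),
        "strcpy(p, s4)": strcpy_is_safe(P_SLIDE, S4),
        "rmt.c:311 *(p) = c": byte_write_is_safe(P_RMT311),
    }


def alarm_rate(verdicts: dict) -> float:
    # the `% Alarms` column of the performance tables: alarms / writes
    return 100.0 * sum(1 for safe in verdicts.values() if not safe) / len(verdicts)


if __name__ == "__main__":
    v = analyze_examples()
    for stmt, safe in v.items():
        print(f"{stmt:22} {'safe' if safe else 'ALARM'}")
    print(f"% Alarms = {alarm_rate(v):.0f}")
```

The write at rmt.c:311 is flagged because the interval analysis has widened p's offset to [-oo, 62]: the abstraction cannot see that the digit loop runs at most a bounded number of times, which is exactly the imprecision the filter in the following slides removes.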
Raccoon’s Performance
| Software | SLOC | # CIL Lines | Time | # Alarms | # Writes | % Alarms |
|---|---|---|---|---|---|---|
| tar-1.13 | 9,279 | 19,829 | 104.64 | 282 | 450 | 63 |
| bison-1.875 | 11,854 | 29,903 | 83.01 | 548 | 1,316 | 42 |
| sed-4.08 | 3,344 | 7,464 | 4.52 | 136 | 222 | 61 |
| gzip-1.2.4a | 5,809 | 11,298 | 14.52 | 130 | 242 | 54 |
| grep-2.5.1 | 6,234 | 14,879 | 45.46 | 318 | 455 | 70 |
| Total | 36,520 | 83,373 | 252.15 | 1,414 | 2,685 | 53 |

Experiments on 2.33 GHz quad-core Xeon with 8 GB RAM
Statically proved 47% of writes are safe
Note: Airac5's Performance

| Software | # Lines | Time | # Alarms | # Accesses | % Alarms |
|---|---|---|---|---|---|
| tar-1.13 | 20,258 | 24,783.40 | 76 | 2,630 | 3 |
| bison-1.875 | 25,907 | 20,340.19 | 30 | 5,164 | 1 |
| sed-4.08 | 6,053 | 51,516.45 | 5 | 461 | 1 |
| gzip-1.2.4a | 7,327 | 18,401.30 | 50 | 799 | 6 |
| grep-2.5.1 | 9,297 | 33,325.10 | 24 | 187 | 13 |
| Total | 68,842 | 148,366.44 | 185 | 9,241 | 2 |

Experiments on Pentium4 2.33 GHz with 8 GB RAM
Fewer alarms, but takes 600 times longer to analyze
Filtering False Alarms of Buffer Overflow Analysis Using an SMT Solver
False Alarm Filter
Figure (pipeline): C Code → Analysis 1: Points-to Analysis → Analysis 2: Interval Analysis → Analysis 3: Buffer Analysis → Buffer Overflow Alarms → False Alarm Filter → Reduced Alarms
A Concrete Example
```text
$ raccoon2 rmt.cil.c
Buffer Overflow Detection:
rmt.c:138: *(string + counter)    Size : [64, 64]    Offset: [0, 64]
rmt.c:311: *(p)                   Size : [64, 64]    Offset: [-oo, 62]
Total 0 array write(s).
Total 0 array alarm(s).
Total 4 pointer write(s).
Total 2 pointer alarm(s).
```
Figure: p pointing into a 64-byte buffer
A Concrete Example
```c
302   count = lseek (tape, count, whence);
303   if (count < 0)
304     goto ioerror;
305
308   p = count_string + sizeof count_string;
309   *--p = '\0';
310   do
311     *--p = '0' + (int) (count % 10);
312   while ((count /= 10) != 0);
```
rmt.c in GNU tar 1.13
Abstract states from Raccoon, shown beside the code on the slide:
p = {offset=[63,63], size=[64,64]}, count = [0, +oo]
p = {offset=[-oo,63], size=[64,64]}, count = [0, +oo]
The Filtering Algorithm
Figure (flowchart): Choose an Alarm Statement → Extract a Program Snippet → Build an Initial Context → SMT Translation → Symbolic Execution. Symbolic execution is repeated per loop execution; unsatisfiable → "It's a false alarm."; satisfiable or unknown → "I don't know." Both outcomes lead back to choosing the next alarm statement; No alarm → Exit.
Extract a Program Snippet
• Extract a backward program slice with respect to the target alarm statement
  – Up to the safe point
  – Within the procedure boundary
  – Note: We use Raccoon results to imitate function calls.
A Program Snippet
```c
302   count = lseek (tape, count, whence);
303   if (count < 0)
304     goto ioerror;
305
308   p = count_string + sizeof count_string;
309   *--p = '\0';
310   do
311     *--p = '0' + (int) (count % 10);
312   while ((count /= 10) != 0);
```
Backward program slicing to the safely accessible point.
p = {offset=[63,63], size=[64,64]}, count = [0, +oo]
A Program Snippet in SSA Form
```c
while (1) {
  p_1 = p_0 - 1;
  (*p_1) = (char)(48 + (int)(count_0 % 10L));
  count_1 = count_0 / 10L;
  if (! (count_1 != 0L)) { break; }
}
```
Internal format is in static single assignment (SSA) form.
p = {offset=[63,63], size=[64,64]}, count = [0, +oo]
An Initial Context
```text
;; Initial Context Formula
(assert (p.offset_0 = 63))
(assert (p.size_0 = 64))
(assert (count_0 >= 0))
(assert (count_0 < 9223372036854775807))
```
Need initial context for live-in variables of the program snippet
Constructed from the results of interval analysis of Raccoon
Symbolic Execution of Loops
```text
let isFalseAlarm(ctxt, i) =
  if isSat(ctxt && l-path[i] && l-alarm[i]) then DONTKNOW
  else if isSat(ctxt && r-path[i] && r-alarm[i]) then DONTKNOW
  else if isSat(ctxt && r-path[i]) then isFalseAlarm(ctxt && r-path[i], i + 1)
  else YES
```
Figure: at each iteration (1st iteration, ...) the loop splits into l-path (leaving path) and r-path (remaining path).
Run It
```text
$ time ./rmt-ocaml
The loop is unrolled 18 times.
It is a false alarm.

real    0m0.034s
user    0m0.032s
sys     0m0.002s
$
```
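The loop-unrolling check from the "Symbolic Execution of Loops" slide, applied to the rmt.c snippet and its initial context, as an added example that is not the Raccoon2 code: instead of an SMT solver it decides each isSat query over the interval abstraction taken from the initial context, which is exact for this snippet because count is non-negative and p's offset is a constant, so a YES verdict is still sound while a DONTKNOW may be spurious. The class and function names, the 64-pass unroll bound and the second sample context with offset 10 are this example's assumptions; the number it reports counts loop-body passes, so it need not match the slide's unroll count.

```python
from dataclasses import dataclass

YES, DONTKNOW = "YES", "DONTKNOW"


@dataclass(frozen=True)
class Interval:
    lo: int
    hi: int

    def may_be_nonzero(self) -> bool:
        # count_i != 0 is satisfiable unless the interval is exactly [0, 0]
        return not (self.lo == 0 and self.hi == 0)


@dataclass(frozen=True)
class Context:
    offset: Interval  # p.offset_i: index of p into count_string
    size: int         # p.size_0: sizeof count_string, never reassigned
    count: Interval   # count_i: non-negative after the `count < 0` check on line 303


def rmt_initial_context() -> Context:
    # The slide's initial context: p.offset_0 = 63, p.size_0 = 64,
    # count_0 >= 0 and count_0 < 9223372036854775807.
    return Context(Interval(63, 63), 64, Interval(0, 9223372036854775806))


def loop_body(c: Context) -> Context:
    # One pass over lines 310-312: p_i = p_{i-1} - 1 and count_i = count_{i-1} / 10.
    # For a non-negative interval, floor-dividing both ends is exact.
    return Context(Interval(c.offset.lo - 1, c.offset.hi - 1), c.size,
                   Interval(c.count.lo // 10, c.count.hi // 10))


def alarm_may_fire(c: Context) -> bool:
    # r-alarm[i]: the write *p_i is out of bounds when p.offset_i < 0 or
    # p.size_0 <= p.offset_i. Over intervals this over-approximates, so
    # False means the write is provably safe.
    return c.offset.lo < 0 or c.offset.hi >= c.size


def remaining_path_feasible(c: Context, i: int) -> bool:
    # r-path[i]: the do-while always enters its first pass (the slide's `(true)`);
    # every later pass needs count_i != 0.
    return i == 0 or c.count.may_be_nonzero()


def is_false_alarm(ctxt: Context, i: int = 0, max_unroll: int = 64):
    """Returns (verdict, number of loop-body passes explored)."""
    # l-path[i] && l-alarm[i]: rmt.c has no write after the loop, so the
    # leaving-path alarm formula is `false` and that isSat check is trivially unsat.
    if i >= max_unroll:
        return DONTKNOW, i          # give up rather than unroll forever
    if not remaining_path_feasible(ctxt, i):
        return YES, i               # r-path[i] unsat: no further pass can write
    nxt = loop_body(ctxt)           # ctxt && r-path[i] && loop body of pass i+1
    if alarm_may_fire(nxt):
        return DONTKNOW, i + 1      # the write in pass i+1 may be out of bounds
    return is_false_alarm(nxt, i + 1, max_unroll)


if __name__ == "__main__":
    verdict, passes = is_false_alarm(rmt_initial_context())
    print(f"The loop is unrolled {passes} times. Verdict: {verdict}")
```

The key fact the interval analysis alone cannot exploit is that count_0 < 9223372036854775807 bounds the number of decimal digits, so after at most 19 divisions count_i is exactly [0, 0], the remaining path becomes infeasible and p never moves below offset 44 of the 64-byte buffer. Starting the same loop with p at offset 10 instead, the check hits offset -1 on the eleventh pass and returns DONTKNOW, which is the behaviour the algorithm prescribes for a possibly real overflow.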
Implementation
• Raccoon2 is implemented in OCaml.
• Yices OCaml API: C API + SWIG
  – Yices provides (incomplete) C API.
  – SWIG connects the C API with OCaml code.
• Currently, manual translation.
Experimental Results

| Bad Code | # Writes | # Alarms | # False Alarms | # Removed | Raccoon Time | SMT Time |
|---|---|---|---|---|---|---|
| BIND-1 | 44 | 29 | 29 | 29 | 0.05s | 54.95s |
| BIND-2 | 55 | 35 | 35 | 35 | 0.10s | 245.30s |
| BIND-3 | 11 | 1 | 1 | 1 | 0.01s | 5.52s |
| BIND-4 | 9 | 1 | 1 | 1 | 0.02s | 0.06s |
| SM-1 | 28 | 28 | 0 | - | 0.14s | - |
| SM-2 | 23 | 6 | 3 | 0 | 0.02s | 0.02s |
| SM-3 | 13 | 3 | 0 | - | 0.01s | X |
| SM-4 | 11 | 7 | 0 | - | 0.01s | ∞ |
| SM-5 | 18 | 6 | 3 | 0 | 0.04s | - |
| SM-6 | 1 | 1 | 0 | - | 0.01s | X |
| SM-7 | 46 | 46 | 45 | 20 | 0.05s | 0.88s + |
| FTP-1 | 24 | 2 | 1 | 0 | 0.01s | 0.02s |
| FTP-2 | 19 | 1 | 1 | 0 | 0.12s | - |
| FTP-3 | 9 | 2 | 2 | 0 | 0.02s | - |
Research Plan
Research Plan: Filtering Algorithm
• Automatize the false alarm filtering
  – Implement missing parts
  – Experiment with large GNU software
• Optimize the false alarm filtering algorithm
  – Exploit yices_inconsistent()
Research Plan: Raccoon
• Improve Raccoon analyzer
  – For example, structure field sensitivity
• Alarm grouping via abstract state refinements
  – Extend the basic idea to pointer accesses and C string library calls
  – Visualize the relationship between alarms
Alarm Grouping: A Motivating Example
```c
201   for (counter = 0; counter < SPARSES_IN_OLDGNU_HEADER; counter++)
202     {
203       /* Compare to 0, or use !(int)..., for Pyramid's dumb compiler. */
204       if (current_header->oldgnu_header.sp[counter].numbytes == 0)
205         break;
206
207       sparsearray[counter].offset =
208         OFF_FROM_OCT(current_header->oldgnu_header.sp[counter].offset);
209       sparsearray[counter].numbytes =
210         SIZE_FROM_OCT(current_header->oldgnu_header.sp[counter].numbytes);
211     }
```
compare.c in GNU tar 1.13
Thank You
Note: SMT Formulae (1/2)
```text
;; Loop Body Formula - 1st
(p.offset_1 = p.offset_0 - 1) and (count_1 = count_0 / 10)

;; Leaving Path Context Formula - 1st
(count_1 = 0) and false

;; Remaining Path Condition Formula - 1st
(true)

;; Remaining Path Alarm Condition Formula - 1st
(p.offset_1 <= 62) and ((p.offset_1 < 0) or (p.size_0 <= p.offset_1))
```
Note: SMT Formulae (2/2)
```text
;; Loop Body Formula - 2nd
(p.offset_2 = p.offset_1 - 1) and (count_2 = count_1 / 10)

;; Leaving Path Context Formula - 2nd
(count_2 = 0) and false

;; Remaining Path Condition Formula - 2nd
(not (count_2 = 0))

;; Remaining Path Alarm Condition Formula - 2nd
(p.offset_2 <= 62) and ((p.offset_2 < 0) or (p.size_0 <= p.offset_2))
```
Note: A Sequence of Loops
```c
517   p = buf;
519   strcpy(temp, "HEADER JUNK:");

523   while (*temp != '\0')
524     *p++ = *temp++;

534   comp_size = dn_comp(exp_dn, comp_dn, 200, ...);

539   for(i=0; i<comp_size; i++)
540     *p++ = *comp_dn++;

544   PUTSHORT(30, p); /* type = T_NXT = 30 */
545   p += 2;
```
nxt-ok.c from BIND-1 buffer overflow models
Note: Related Work
• Forward-backward analysis [ASTREE]
• Counter-Example Guided Abstraction Refinements [SLAM, BLAST]
• Statistical alarm ranking [Coverity, Airac]