Finding good bugs in very good code
Fraser Brown, Dawson Engler, Deian Stefan, Craig Disselkoen
Slides: iot.stanford.edu/retreat19/sitp19-bugs.pdf (Stanford)
We like finding bugs
0. Write checking tool
1. Take large codebase that isn't aggressively checked
2. Look for null pointer dereferences
3. Send bug reports
......
We want to find good bugs in very good code
This talk: security bugs in Chrome, Firefox, SQLite
Chrome and Firefox browsers run fuzzers
Testing with ~random inputs
- Chrome has 25,000 machines fuzzing 24/7
- As a result, Chrome testing hits ~75% line coverage of browser
- Firefox has an entire team devoted to fuzzing
- Firefox runs 7+ different fuzzers (2016)
Chrome and Firefox browsers run fuzzers *with sanitizers*
Look for bugs in code while it executes
- Chrome's 24/7 fuzzers use:
  - ASan: heap and stack buffer overflows, etc
  - MSan: uninitialized memory bugs
  - UBSan: undefined behavior bugs
Chrome and Firefox run static checkers
Check code without running it
- Chrome: Clang C++, unix, and core static checkers
- Firefox:
  - Automatic static checkers on every patch
  - Clang checkers
  - Coverity checkers
  - Infer checkers
Chrome and Firefox browsers have bug bounty programs
SQLite:
- Part of Chrome and Firefox
- 700x more test code than database code
- 100% branch test coverage
- Re-tests with sanitizers for three different compilers on:
  - 32- and 64-bit builds
  - Big- and little-endian architectures
Few bugs with our existing checking systems
New approach: Static analysis + symbolic execution
- Static analysis: check code without running it
- Symbolic execution: "run" the program over all possible paths and values

Symbolic checking:
- UC-KLEE
- Woodpecker
Combined static and symbolic:
- Chopper
- Dowser
- Deadline
- ... more!
New approach: Static analysis + symbolic execution
- Static analysis identifies many potential error sites ($)
  - Programmer-written static extension (avg. 175 LOC)
- Symbolic execution jumps directly to each candidate error site and executes it ($$$$$)
  - Programmer-written symbolic checkers (avg. 40 LOC)
New approach: Static analysis + symbolic execution

LLVM IR file(s):
  ; ModuleID = 'undef.bc'
  source_filename = "undef.c"
  target datalayout = "e-m:e-i64:64-f80:128-n8:16:32:64-S128"
  target triple = "x86_64-pc-linux-gnu"

Static extension (rules for uninitialized memory):
  Alloca x => Uninit x
  Store y x => Init x
  Load x => Error x
  ....

Suspicious path (marked by the static extension):
  Alloca x
  Store y z
  Load x

Symbolic checker (runs only the suspicious path, with shadow memory):
  V = Load shadow x
  If isSet V
  Then Bug
  Else No Bug

Result: Bug
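Added example, not code from the slides or from the authors' tool: the two stages above on a toy IR. The instruction forms (alloca, gep, store, load as tuples) and the function names are my own; the inputs at the bottom are constructed. Stage 1 applies the slide's name-based rules and so cannot tell whether "Store y z" writes to x through an alias; stage 2 interprets just the flagged path with a shadow bit per cell and resolves the actual address, which is what turns the slide's "suspicious path" into "Bug" or "No Bug".

```python
"""Two-stage uninitialized-read check on a toy IR (added example).

Stage 1 (static extension, cheap): forward pass over variable names only.
Stage 2 (path checker, expensive): interpret the flagged path with shadow memory.
"""

# Toy IR instruction forms (tuples; names are hypothetical, not LLVM's):
#   ('alloca', x)        x holds the address of a fresh, uninitialized cell
#   ('gep', z, x, k)     z = x + k   (pointer arithmetic; z may alias x)
#   ('store', v, p)      *p = v      (v is an int literal)
#   ('load', r, p)       r = *p


def static_extension(path):
    """Stage 1 ($): the slide's rules, applied to names with no alias reasoning.
    Alloca x => Uninit x; Store y x => Init x; Load x => Error x.
    Returns the indices of loads the rules call errors (candidate sites)."""
    uninit, init, candidates = set(), set(), []
    for i, ins in enumerate(path):
        op = ins[0]
        if op == "alloca":
            uninit.add(ins[1])
        elif op == "store":
            init.add(ins[2])          # by name: a store through an alias is missed
        elif op == "load":
            p = ins[2]
            if p in uninit and p not in init:
                candidates.append(i)
    return candidates


def path_checker(path, candidate):
    """Stage 2 ($$$$$): run the path up to the candidate load with one shadow
    bit per cell (True = never written). A real engine executes symbolically so
    unknown inputs are covered; this straight-line toy path has no
    data-dependent branches, so concrete interpretation gives the same answer.
    Returns True if the candidate load really reads uninitialized memory."""
    regs, mem, shadow, next_addr = {}, {}, {}, 0
    for i, ins in enumerate(path[: candidate + 1]):
        op = ins[0]
        if op == "alloca":
            regs[ins[1]] = next_addr
            mem[next_addr], shadow[next_addr] = 0, True
            next_addr += 1
        elif op == "gep":
            regs[ins[1]] = regs[ins[2]] + ins[3]
        elif op == "store":
            addr = regs[ins[2]]
            mem[addr], shadow[addr] = ins[1], False   # initialized via the address
        elif op == "load":
            addr = regs[ins[2]]
            if i == candidate:
                return shadow[addr]                   # V = Load shadow x; isSet V?
            regs[ins[1]] = mem[addr]
    raise ValueError("candidate index is not a load")


def check_uninit(path):
    """Whole pipeline: every stage-1 candidate is confirmed or rejected by stage 2.
    Returns {candidate_index: is_real_bug}."""
    return {c: path_checker(path, c) for c in static_extension(path)}


# Constructed input 1: the slide's 'Alloca x / Store y z / Load x' path where z is
# x under another name. Stage 1 flags the load; stage 2 rejects it.
FALSE_POSITIVE = [
    ("alloca", "x"),
    ("gep", "z", "x", 0),
    ("store", 42, "z"),
    ("load", "r", "x"),
]

# Constructed input 2: same shape, but the store really goes to another cell.
REAL_BUG = [
    ("alloca", "x"),
    ("alloca", "w"),
    ("store", 42, "w"),
    ("load", "r", "x"),
]

if __name__ == "__main__":
    print("false positive:", check_uninit(FALSE_POSITIVE))  # {3: False}
    print("real bug:      ", check_uninit(REAL_BUG))        # {3: True}
```

The split in cost is the point: stage 1 touches every instruction once and produces a short candidate list; stage 2 only ever runs the paths on that list.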
Heap out-of-bounds bug, CVE 2019-XXXX

  const int stride = input + 1;
  ...
  a = my_malloc( (sizeof(int)+12)*stride );   <- 32-bit multiplication: WRAPS TO SMALL (small allocation)
  if( a==0 ){ return -1; }
  ...
  memset(a, 0, sizeof(int)*(stride) );        <- 64-bit multiplication: STAYS BIG (very large out-of-bounds write)
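Added example, not the slide's or SQLite's code: the width mismatch that makes the bug above, reproduced as size arithmetic only (nothing is allocated or written), next to a hardened size computation. The assumption, mine and not stated on the slide, is that the allocation size is computed in 32-bit arithmetic, for instance because the allocator wrapper takes an int, while memset's length is a 64-bit size_t. The function names and the stride value are constructed for the example.

```c
/* Width mismatch behind a heap out-of-bounds write (added example).
 * Buggy path: 16*stride computed in 32 bits wraps, memset length computed
 * in 64 bits does not, so the write runs far past the small buffer.
 * Hardened path: multiply in size_t with an explicit overflow check and a
 * cap at what a 32-bit allocator parameter can carry. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ELEM_BYTES (sizeof(int) + 12)   /* 16 bytes per stride, as on the slide */

/* Size that reaches the allocator: 32-bit multiplication, wraps to small.
 * (Assumption: the allocator takes a 32-bit size.) */
uint32_t alloc_bytes_buggy(int stride)
{
    return (uint32_t)ELEM_BYTES * (uint32_t)stride;
}

/* Length passed to memset: 64-bit multiplication, stays big. */
size_t memset_bytes(int stride)
{
    return sizeof(int) * (size_t)stride;
}

/* True if memset would write past the buffer the allocator returned. */
bool buggy_path_overflows(int stride)
{
    return memset_bytes(stride) > (size_t)alloc_bytes_buggy(stride);
}

/* Hardened size computation: reject non-positive strides, check the product
 * before computing it, and refuse anything that would not survive an int
 * parameter. Returns false so the caller fails closed. */
bool alloc_bytes_checked(int stride, size_t *out)
{
    if (stride <= 0)
        return false;
    size_t n = (size_t)stride;
    if (n > SIZE_MAX / ELEM_BYTES)          /* ELEM_BYTES * n would wrap */
        return false;
    size_t bytes = ELEM_BYTES * n;
    if (bytes > (size_t)INT32_MAX)          /* too large for a 32-bit size parameter */
        return false;
    *out = bytes;
    return true;
}

/* Convenience wrapper: checked size, or 0 when the request is rejected. */
size_t checked_or_zero(int stride)
{
    size_t bytes = 0;
    return alloc_bytes_checked(stride, &bytes) ? bytes : 0;
}

int main(void)
{
    /* Constructed input: stride = 0x10000001 makes 16*stride = 2^32 + 16,
     * which is 16 after 32-bit wrap-around. */
    int stride = 0x10000001;
    printf("buggy: alloc %u bytes, memset %zu bytes, overflow=%d\n",
           (unsigned)alloc_bytes_buggy(stride), memset_bytes(stride),
           (int)buggy_path_overflows(stride));
    printf("hardened: accepted size %zu (0 = rejected)\n", checked_or_zero(stride));
    return 0;
}
```

The check has to happen before the multiplication, on the operands, and in the widest type the computation uses; checking the product after the fact is exactly the pattern that the wrapped 32-bit value slips through.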
Static extension (heap out-of-bounds)

  x = malloc (y);
  x[y - 1] = 0;

Dependency between y and y - 1 => mark suspicious path
Save sizeOf(x) = y
Save indexSize(x) = y - 1
Symbolic checker (heap out-of-bounds)

  x = malloc (y);
  x[y - 1] = 0;

y - 1 > y => report bug

Symbolic execution engine examines all possible values along the path: can y - 1 > y ?
![Page 78: Finding good bugs in very good code - Stanford Universityiot.stanford.edu/retreat19/sitp19-bugs.pdf · 0. Write checking tool 1. Take large codebase that isn’t aggressively checked](https://reader035.vdocument.in/reader035/viewer/2022070922/5fbad7327143bc64ea436dc4/html5/thumbnails/78.jpg)
“Constraints” express lines of code as logical formulas
a && b && c || d || e ....
SMT SOLVER! It returns a satisfying assignment:
a = true
b = true
c = true
d = false
e = true

a && not a && b && c || d || e ....
UNSAT
“Constraints” express lines of code as logical formulas
Suspicious path:
...
malloc (y)
x [y - 1]
Constraints (collected along the path):
x = 0xdeadbeef
tmp = y - 1
...
Bug constraints (asserted by the checker):
y - 1 > y
SMT Solver: SAT or UNSAT
Symbolic checker for heap out-of-bounds
x = malloc (y);
x[y - 1] = 0;

1. Symbolic engine translates line: x = malloc (y);
x = new concrete location (e.g., 0xdeadbeef)
2. Symbolic checker examines line: x = malloc (y);
NOOP

1. Symbolic engine translates line: x[y - 1] = 0;
- tmp = y - 1
- ptr = x + sizeof(x) * tmp
- mem[ptr] = 0
2. Symbolic checker examines line: x[y - 1] = 0;
know sizeOf(x) = y
know indexSize(x) = y - 1
assert y - 1 > y
3. Query SMT solver
SAT
y = 0
x = 0xdeadbeef
Results of the heap out-of-bounds checker: 22 bugs
- High-severity pattern in SQLite
  - Patched within 7hrs
  - Backported
  - Bounty
  - CVE
- 3 security audits
- 1 audit of Firefox checking tools
- 4 false positives
Three checkers
- Heap out-of-bounds
- Uninitialized memory
  int x; int y = x + 5;
- Simple stack out-of-bounds
  int x[5]; return x[6];
Challenges

Challenge: Unknown state
int foo (int * buff, int x) {
    int val = buff[x];
}

Solutions: Unknown state
1. Target specific errors instead of general correctness
- Programmer-written symbolic checkers (~40 LOC or less)
Ask bad questions, get bad answers
int foo (int * buff, int x) {
    int val = buff[x];
}

Target error; ignore all else
const int stride = input + 1;
...
a = my_malloc( (sizeof(int)+12)*stride );
if( a==0 ){ return -1;}
...
memset(a, 0, sizeof(int)*(stride) );

Solutions: Unknown state
2. All paths are internally consistent
Constraint solver rejects infeasible paths
if (p) ....
if (!p) ....
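The engine/checker split from the heap out-of-bounds walkthrough and the infeasible-path rejection just above, as an added example that is not the talk's tool or code: the names `HeapOobChecker`, `solve`, `check_malloc_index` and `path_feasible` are assumed, the SMT solver is replaced by exhaustive enumeration over 8-bit unsigned values, and the bug constraint is written as `index >= sizeOf(x)` (the slide's instance is `y - 1 > y`).

```python
from itertools import product

# Toy model of the slides' symbolic checker pipeline (added example, not the
# talk's tool): the engine turns each line into symbolic values and path
# constraints, the checker only records malloc sizes and asserts a bug
# constraint at each indexing operation, and a "solver" decides SAT/UNSAT.
# Assumption: the solver is exhaustive enumeration over 8-bit unsigned
# values, a stand-in for the SMT solver the talk uses.

BITS = 8
MASK = (1 << BITS) - 1

def var(name):                   # free symbolic input, e.g. y
    return lambda env: env[name]

def const(k):
    return lambda env: k & MASK

def sub(a, k):                   # unsigned subtraction with wraparound
    return lambda env: (a(env) - k) & MASK

def ge(a, b):                    # constraint a >= b
    return lambda env: a(env) >= b(env)

def truthy(a):                   # path constraint for `if (p)`
    return lambda env: a(env) != 0

def neg(c):                      # path constraint for `if (!p)`
    return lambda env: not c(env)

def solve(constraints, names):
    """Stand-in SMT solver: a satisfying model (dict) or None for UNSAT."""
    for vals in product(range(1 << BITS), repeat=len(names)):
        env = dict(zip(names, vals))
        if all(c(env) for c in constraints):
            return env
    return None

class HeapOobChecker:
    """Checker half of the engine/checker split (the ~40 LOC part)."""

    def __init__(self):
        self.size_of = {}        # sizeOf(x) = y, kept as a symbolic value

    def on_malloc(self, ptr, size):
        self.size_of[ptr] = size     # otherwise a NOOP, as on the slide

    def on_index(self, ptr, index, path, names):
        # Bug constraint: index >= sizeOf(x).  The slide writes the instance
        # as `y - 1 > y`; >= also catches the exact-size off-by-one.
        bug = ge(index, self.size_of[ptr])
        return solve(list(path) + [bug], names)

def check_malloc_index(path=()):
    """x = malloc(y); x[y - 1] = 0;  returns the bug model or None."""
    chk = HeapOobChecker()
    y = var("y")
    chk.on_malloc("x", y)                       # engine: x = fresh location
    return chk.on_index("x", sub(y, 1), path, ["y"])  # engine: tmp = y - 1

def path_feasible(constraints, names):
    """Engine side: `if (p) ... if (!p) ...` collects p and !p; UNSAT drops it."""
    return solve(list(constraints), names) is not None
```

With no path constraint the solver returns the slide's model `y = 0` (y - 1 wraps to 255); adding the path constraint `y >= 1` makes the same query UNSAT, which is the internal consistency the next slide relies on.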
Solutions: Unknown state
1. Target specific errors instead of general correctness
2. All paths are internally consistent
3. Tool is simple to support checker-specific tricks
- Programmer-written symbolic checkers (~40 LOC or less)
Results so far (3 months, 1 person):
- 3 checkers (2 out-of-bounds, 1 uninitialized memory)
- Every checker has found at least one bountied browser bug
- 2 CVEs
- High severity, exploitable Chrome pattern (~13 instances)
- 4 medium-severity bugs
- 4 low-severity bugs
- 12+ patches (+3 already patched, +5 mystery patches)
- 22+ patched functions
- 2 security audits
- 48 reported bugs, 38+ confirmed bugs, 18 false positives