Static Analysis for Bug Finding: Using Compilers to Identify Security Vulnerabilities, Slides of Compilers

These slides cover the use of compilers for bug finding, specifically for identifying security vulnerabilities. They cover the history of compiler-based bug finding tools, common classes of security vulnerabilities, and how buffer overruns work. The slides also discuss the importance of static analysis and give examples of vulnerabilities and attacks.

Typology: Slides

2012/2013

Uploaded on 04/29/2013

Uploaded by: aalok


Static Analysis for Bug Finding

1

Compilers Can be Used for Bug Finding

  • A trend of compiler research
  • Started in 1991 with Intrinsa
    • Bug finding tool called Prefix
    • Looks for NULL dereferences
    • Memory leaks (double-deletes, dangling pointers)
    • Concurrency bugs (race conditions)
    • etc.
  • Purchased by Microsoft
    • Became Prefix/Prefast
    • Used by MS internally on a regular basis

2

Common Classes of Security Vulnerabilities

  • Server-type software (C, C++)
  • Application software (Java, C#, PHP)

4

  • Buffer overruns
  • Format string violations
  • SQL injections
  • Cross-site scripting attacks
  • HTTP splitting attacks
  • Directory traversal attacks
  • Session hijacking attacks
  • etc.

Buffer Overruns

5

Example: Buffer Overrun in gzip

gzip.c:

  0589   if (to_stdout && !test && !list && (!decompress || ...
  0590       SET_BINARY_MODE(fileno(stdout));
  0591   }
  0592   while (optind < argc) {
  0593       treat_file(argv[optind++]);

7

gzip.c:

  0704 local void treat_file(iname)
  0705     char *iname;
  0706 {
       ...
  0716     if (get_istat(iname, &istat) != OK) return ;

gzip.c:

  0997 local int get_istat(iname, sbuf)
  0998     char *iname;
  0999     struct stat *sbuf;
  1000 {
       ...
  1009     strcpy(ifname, iname);

Need to have a model of strcpy

A Glimpse of What Analysis is Needed

  • Need it to represent flow of data in C:

    a = 2; *p = 3; …  is the value of a still 2?

  • Yes, if we can prove that p cannot point to a
  • Should we put a flow edge from 3 to a to represent potential flow?
    • If we don't
      • Analysis may miss bugs
    • If we do
      • Analysis may end up being too imprecise

8

Real-Life Hacking Stories

  • blogger.com cracked Aug. 2005
  • Firefox marketing site hacked Jul. 2005
  • MS UK defaced in hacking attack Jul. 2005
  • Hacker hits Duke system Jun. 2005
  • MSN site hacked in South Korea Jun. 2005
  • MSN site hacking went undetected for days Jun. 2005
  • Phishers manipulate SunTrust site to steal data Sep. 2004
  • Tower Records settles charges over hack attacks Apr. 2004
  • Western Union Web site hacked Sep. 2000

10

  • 75% of all security attacks today are at the application level*
  • 97% of 300+ audited sites were vulnerable to Web application attacks*
  • $300K average financial loss from unauthorized access or info theft**
  • Average $100K/hour of downtime lost**

  *Source: Gartner Research  **Source: Computer Security Institute survey

Simple Web App

  • Web form allows user to look up account details
  • Underneath: Java Web app serving requests

Injecting Malicious Data (1)

13

query = "SELECT Username, UserID, Password FROM Users WHERE Username = 'bob' AND Password = '********'"

Injecting Malicious Data (2)

14

query = "SELECT Username, UserID, Password FROM Users WHERE Username = 'bob'-- ' AND Password = ' '"

Summary of Attacks Techniques

1. Inject (taint sources)

  • Parameter manipulation
  • Hidden field manipulation
  • Header manipulation
  • Cookie poisoning
  • Second-level injection

2. Exploit (taint sinks)

  • SQL injections
  • Cross-site scripting
  • HTTP request splitting
  • HTTP request smuggling
  • Path traversal
  • Command injection

16

1. Header manipulation + 2. HTTP splitting = vulnerability
Input and output validation are at the core of the issue

Focusing on Input/Output Validation

  • SQL injection and cross-site scripting are most prevalent
  • Buffer overruns are losing their market share

17

[Chart: breakdown of reported vulnerabilities by class: SQL injection, cross-site scripting, buffer overrun, HTML injection, information disclosure, code execution, path traversal, format string, integer overflow, HTTP response splitting, other input validation]

Why Pointer Analysis?

  • Imagine manually auditing an application
  • Two statements somewhere in the program
  • Can these variables refer to the same object?
  • Question answered by pointer analysis...

19

  // get Web form parameter
  String param = request.getParameter(...);
  // execute query
  con.executeQuery(query);
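The source-to-sink question behind these slides (the taint sources and sinks listed under Summary of Attack Techniques, and the flow-edge dilemma of the a = 2; *p = 3 slide) as an added Python model, not code from the slides: a forward taint propagation over a toy straight-line IR whose precision depends on the may-point-to information handed to it. The IR, the points-to maps and both sample programs are constructed for this example.

```python
# Toy taint propagation over a constructed straight-line IR (not from the slides).
# ("source", v): v = request.getParameter(...)   ("sink", v): con.executeQuery(v)
# ("assign", dst, src): dst = src                ("store", ptr, src): *ptr = src
from typing import Dict, List, Set, Tuple

Stmt = Tuple[str, ...]

def taint_analysis(program: List[Stmt], points_to: Dict[str, Set[str]]) -> List[int]:
    """Indices of sink statements that tainted data reaches.

    points_to maps a pointer to the variables it MAY point to (the output of a
    pointer analysis); a store through it puts a flow edge to every may-target.
    """
    tainted: Set[str] = set()
    findings: List[int] = []
    for i, stmt in enumerate(program):
        op = stmt[0]
        if op == "source":
            tainted.add(stmt[1])
        elif op == "assign":  # direct write: strong update, old taint is gone
            dst, src = stmt[1], stmt[2]
            if src in tainted:
                tainted.add(dst)
            else:
                tainted.discard(dst)
        elif op == "store":  # indirect write: strong update only on a must-alias
            targets, src = points_to.get(stmt[1], set()), stmt[2]
            if src in tainted:
                tainted |= targets
            elif len(targets) == 1:
                tainted -= targets
        elif op == "sink":
            if stmt[1] in tainted:
                findings.append(i)
    return findings

# Constructed program mirroring the slides' Java snippet: param flows into query.
WEB_APP: List[Stmt] = [
    ("source", "param"),
    ("assign", "query", "param"),  # query = "SELECT ... " + param
    ("sink", "query"),             # con.executeQuery(query)
]

# Constructed program for the slides' question: a = 2; *p = 3; ... is a still 2?
ALIAS_PROG: List[Stmt] = [
    ("assign", "a", "two"),   # a = 2, an untainted constant
    ("source", "three"),      # value written through p is attacker-controlled
    ("store", "p", "three"),  # *p = 3
    ("sink", "a"),            # does tainted data reach this use of a?
]
```

Running ALIAS_PROG with a map in which p cannot point to a reports nothing, while a coarse map that lets p reach a makes the analysis report the flow it cannot rule out, which is the precision trade-off the slide describes.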

Pointers in Java?

  • Java references are pointers in disguise

20

[Figure: stack and heap layout showing Java references pointing at heap objects]