
Refining Buffer Overflow Detection via Demand-Driven Path-Sensitive Analysis


Presentation Transcript


  1. SoTeSty
  Refining Buffer Overflow Detection via Demand-Driven Path-Sensitive Analysis
  Wei Le and Mary Lou Soffa, University of Virginia
  sotesty.cs.virginia.edu

  2. Motivation
  • Buffer overflow: 20 years since the Morris Worm, still the most common exploit
  • Challenge: eliminate exploitable buffer overflows
    • Detect where a buffer overflow can occur
    • Determine its cause and remove it

  3. Problems of Static Approaches
  • Detection precision: false positives
  • Error reports do not provide much information for diagnosis
    • they report only an overflow point in the program
  • Not fully automatic: manual annotation is required

  4. Our Goals and Approaches
  • Goal: automatically identify paths on which a buffer overflow can occur and report the path segment that causes the overflow
  • Challenge: huge number of paths
  • Approach:
    • interprocedural path-sensitive analysis, for precision and to help diagnosis
    • demand-driven analysis, for scalability

  5. Five Types of Paths
  • Infeasible: no input can exercise the path
  • Safe: no input can overflow the buffer
  • Vulnerable: users can write any content to the buffer
  • Overflow-user-independent: the buffer content is statically determinable
  • Don’t-know: the buffer status cannot be judged statically

  6. An Example
  [Control-flow graph from wu-ftpd 2.6.2 realpath.c, with its paths labelled Safe, Infeasible and Overflow; resolved is a buffer of LEN bytes (drawn with LEN = 6) and wbuf is the string appended to it]
  1: branch (condition not shown): y → 2, n → 3
  2: rootd = 1
  3: rootd = 0
  4: strlen(wbuf) + rootd + 1 + strlen(resolved) > LEN ? y → 5, n → 6
  5: exit
  6: rootd == 0 ? y → 7, n → 8
  7: strcat(resolved, "/")
  8: strcat(resolved, wbuf)

  7. Demand-Driven Analysis
  [The same control-flow graph, annotated with the queries raised at the two strcat statements and propagated backwards; the path through node 2 that reaches node 7 is marked Infeasible]
  • Symbols: s = strlen(resolved) + strlen(wbuf), l = sizeof(resolved), f = wbuf (the flagged string)
  • Q0 at node 8, strcat(resolved, wbuf): (s < l, f)
  • Q1 at node 7, strcat(resolved, "/"): (s+1 < l, f)
  • After the length check at node 4: Q05 (LEN-1-rootd < l, f), Q15 (LEN-rootd < l, f)
  • At node 2 (rootd = 1): Q052 (LEN-1 < l, f)
  • At node 3 (rootd = 0): Q053 (LEN-1 < l, f), Q153 (LEN < l, f)
  • Solved at the declaration char resolved[LEN] ……

  8. The Demand-Driven Model
  • PVS (potentially vulnerable statement): strcpy(a, b)
  • Query: sizeof(a) > strlen(b), flag
  • Information for updating queries: char a[9]
  • Propagation rules: interprocedural, loop, join point, infeasible
  • Resolving the query: false, flag = user input
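As an added example (my own Python, not the authors' Phoenix-based tool), the backward query propagation of slides 6 to 8 run over the realpath control-flow graph: the query is raised at the strcat PVS, updated through the strcat of "/", the length check and the rootd assignments, and resolved at the declaration. The node numbers and LEN = 6 follow slide 6; representing a query as a linear expression over strlen(resolved), strlen(wbuf) and rootd is my assumption.

```python
"""Backward, demand-driven propagation of the overflow query over the
wu-ftpd realpath CFG of slide 6 (added example, not the authors' Phoenix tool).
Linear expressions are dicts symbol -> coefficient, 'c' being the constant:
R = strlen(resolved) and W = strlen(wbuf) at entry, rootd as in the source."""
LEN = 6   # sizeof(resolved) as drawn on slide 6 (constructed value)

def add(a, b, k=1):
    """Return the linear expression a + k*b."""
    out = dict(a)
    for sym, v in b.items():
        out[sym] = out.get(sym, 0) + k * v
        if out[sym] == 0:
            del out[sym]
    return out

def subst(e, sym, val):
    """Substitute the integer constant val for symbol sym."""
    e = dict(e)
    coef = e.pop(sym, 0)
    return add(e, {'c': coef * val})

def propagate(path):
    """path: slide-6 node numbers in execution order, ending at the PVS (8).
    Q0 'lhs < l' (l = sizeof(resolved)) is raised at node 8 and walked back:
    statements substitute into it, branches bound it or record a condition,
    and at the entry the constant query is resolved. Returns the path type."""
    q = {'R': 1, 'W': 1}                 # Q0: strlen(resolved)+strlen(wbuf) < l
    conds = []                           # (symbol, value, must_be_equal)
    for i in range(len(path) - 1, -1, -1):
        n = path[i]
        nxt = path[i + 1] if i + 1 < len(path) else None
        if n == 7:                       # strcat(resolved, "/") adds one byte
            q = add(q, {'c': 1})         # Q1: s + 1 < l
        elif n == 6:                     # edge to 7 means rootd == 0 held
            conds.append(('rootd', 0, nxt == 7))
        elif n == 4 and nxt == 6:        # fell through the length check, so
            # R + W <= LEN - rootd - 1: replace R + W by that bound (Q05/Q15)
            q = add(add(q, {'R': 1, 'W': 1}, -1), {'c': LEN - 1, 'rootd': -1})
        elif n in (2, 3):                # rootd = 1 at node 2, rootd = 0 at 3
            val = 1 if n == 2 else 0
            if any(s == 'rootd' and (val == v) != must for s, v, must in conds):
                return 'infeasible'      # branch outcome contradicts assignment
            q = subst(q, 'rootd', val)
    assert set(q) <= {'c'}, q            # at entry only the constant remains
    return 'safe' if q.get('c', 0) < LEN else 'overflow'   # l resolves to LEN
```

The path through node 3 and node 7 resolves to LEN < LEN, the slide's Q153, and is reported as an overflow; with wbuf as the flagged string that is the Vulnerable type of slide 5.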

  9. Approach
  [Flowchart: the Program, Feasibility Detection (yielding Infeasible Paths), the PVS, Node Information and Overflow Properties feed the query engine: Raise Query → Propagate Query → Update Query → Resolve Query; Yes → Propagate Results → Label Paths, No → the query keeps propagating]

  10. Experiments
  • Purpose
    • existence of the 5 types of paths
    • benefit of demand-driven analysis
  • Implementation: Microsoft Phoenix APIs [phoenix]
  • Benchmarks
    • 9 programs, size 0.4-97.3K LOC
    • from BugBench [06lu] and the Buffer Overflow Benchmark [03Zitser]

  11. Experimental Results
  [Results table not preserved in the transcript]

  12. Experimental Results
  • All defined types of paths exist
  • Problematic paths manifest certain complexity
  • Memory usage: 9-65 MB
  • Time cost: 0.24-102.6 s

  13-16. User Scenario
  [Figure built up over four slides: from the program Entry to a PVS, the paths reaching the PVS are labelled Overflow User Independent or Vulnerable, and the Root Cause segment is marked on the path]

  17. Related Work
  • Static detection for buffer overflow: ARCHER [03xie], BOON [00wagner], ESPx [06hackett], Prefast [ms], Prefix [00bush], Splint [96evans]
  • Path-sensitive analysis for defects: ARCHER [03xie], ESPx [06hackett], ESP [02das], IPSSA [03livshits], MOPS [02check], Prefix [00bush]
  • Demand-driven approach
    • a general framework [96Duesterwald]
    • applications: dataflow computation [96Duesterwald], infeasible path detection [97bodik], memory leak [06Orlovich], postmortem analysis [04Manevich]

  18. Conclusions
  • A categorization of five types of paths for buffer overflow
  • An interprocedural, demand-driven, path-sensitive diagnosis tool for identifying the type of paths through a potential overflow
  • Experimental results that demonstrate the path types exist in real programs

  19. Thank you and Questions?
