1 / 17

A Finite State Machine Methodology for Analyzing Security Vulnerabilities

This research paper presents a methodology using Finite State Machines to analyze and model security vulnerabilities, including heap overflow and signed integer overflow. It provides insights and observations from vulnerability analysis and summarizes the FSM models for different vulnerabilities.

mohawk
Download Presentation

A Finite State Machine Methodology for Analyzing Security Vulnerabilities

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. A Finite State Machine Methodology for Analyzing Security Vulnerabilities S. Chen, Z. Kalbarczyk, J. Xu, R. K. Iyer Center for Reliable and High-Performance Computing Coordinated Science Laboratory University of Illinois at Urbana-Champaign

  2. Overview • Used the Bugtraq database and application source code to analyze reported vulnerabilities. • Developed finite state machine (FSM) models to depict the vulnerabilities and associated exploits. • Only three primitive FSMs (pFSM) are required to describe at least 22% (out of 6000) of Bugtraq vulnerabilities. • Discovered a new remotely exploitable heap overflow vulnerability, which is now published in Bugtraq.

  3. Observations from Vulnerability Analysis • Exploiting a vulnerability involves multiple vulnerable operationson several objects. • Exploits must pass through multiple elementaryactivities, each providing an opportunity for performing a security check. • For each elementary activity, the vulnerability data and corresponding code inspections allow us to define a predicate, which if violated, naturally results in a security vulnerability.

  4. SPEC Check State Reject State Accept State Primitive FSM • We define Primitive FSM (pFSM) to depict an elementary activity, which specifies a predicate (SPEC) that should be guaranteed in order to ensure security. IMPL_REJECT SPEC_REJECT IMPL_ACCEPT SPEC_ACCEPT

  5. Op 1: Write an integer to an array location Elementary activity 1 Elementary activity 2 A function pointer can be overwritten Op 2: Manipulate the function pointer Elementary activity 3 Sendmail Debugging Function Signed Integer Overflow (Bugtraq #3163) Attacker’s malicious code is executed

  6. Elementary Activity 1 of Sendmail Vulnerability Elementary Activity 1: get user input Get strings str_x and str_i, convert them to integers x and i a ? (integer represented by str_x) > 231 pFSM Get str_x and str_i 1 (integer represented by str_x)  231 Convert str_x and str_i to integers x and i

  7. Elementary Activity 2 of Sendmail Vulnerability Elementary Activity 2: assign debug level x >100 x<0 or x>100 Convert str_x and str_i to integers x and i pFSM2 x 100 0x 100 tTvect[x]=i A function pointer (psetuid) is corrupted

  8. Elementary Activity 3 of Sendmail Vulnerability Elementary Activity 3: manipulation of function pointer psetuid A function pointer (psetuid) is corrupted ? psetuid is changed Load psetuid to the memory pFSM 3 starting sendmail program Execute the code referred by psetuid psetuid is unchanged Execute maliciouscode

  9. Summarizing the FSM Model of the Sendmail Vulnerability Operation 1: Write integer i to tTvect[x] ? ( integer represented by str_x)> 231 x > 100 pFSM1 get text strings str_x and str_i x < 0 or x > 100 ( integer represented by str_x) 231 convert str_i and str_x to integer i and x x  100 pFSM2 0  x  100 tTvect[x]=i Function pointer is corrupted Operation 2: Manipulate the function pointer ? addr_setuid changed Load the function pointer pFSM3 addr_setuid unchanged Execute code referred by addr_setuid Execute MCode

  10. NULL HTTPD Heap Overflow Vulnerabilities (Bugtraq #5774, #6255) Op 1: Read user input from a socket into a heap buffer contentLen<0 Size(PostData)<length(input) pFSM1 get (contentLen, input) pFSM2 Copy input from the socket Calloc PostData[1024+contentLen] contentLen>=0 length(input) <= Size(PostData) Buffer overflow Op 2: Allocate and free the buffer B->fd=AB->bk=C B->fd=&addr_free-(offset of field bk)B->bk=Mcode Calloc is called -¨- pFSM3 When buf is freed, execute B->fd->bk = B->bk B->fd and B->bk unchanged A function pointer is corrupted Op 3: Manipulate the function pointer - Load addr_free to the memory during program initialization addr_free changed- pFSM4 addr_free unchanged - -¨- Execute addr_free when function free is called Attacker’s malicious code is executed

  11. Operation 1 of NULL HTTPD: Read postdata from socket to an allocated buffer PostData 0: Get contentLen //Can be negative 1: PostData = calloc(contentLen +1024, sizeof(char));x=0; rc=0; 2: pPostData= PostData; 3: do { 4: rc=recv(sock, pPostData, 1024, 0); 5: if (rc==-1) { 6: closeconnect(sid,1); 7: return; 8: } 9: pPostData+=rc; 10: x+=rc; 11: }while ((rc==1024) || (x<contentLen)); contentLen<0 pFSM1 get (contentLen, input) contentLen is an integer, input: string to be read from a socket contentLen>=0 Calloc PostData[1024+contentLen] ? length(input)>Size(PostData) pFSM2 Copy input from the socket to PostData by recv() call length(input) <= Size(PostData)

  12. Modeled Vulnerabilities • Signed Integer Overflow • Heap Overflow • Stack Overflow • Format String Vulnerabilities • File Race Conditions • Some Input Validation Vulnerabilities

  13. Common pFSM Types • Object Type Check. to verify whether the input object is of the type that the operation is defined on. • Content and Attribute Check. to verify whether the contents and the attributes of the object meet the security guarantee. • Reference Consistency Check. to verify whether the binding between an object and its reference is preserved from the time when the object is checked to the time when the operation is applied on the object.

  14. Common pFSM Types (cont.)

  15. Conclusions and Future Directions • Conclusions • Extracted common characteristics of security vulnerabilities • Based on the characteristics, developed an FSM methodology to model vulnerabilities. • Only three pFSM types were required. Force rigorous reasoning. Indicate opportunities of security check. • Future Directions • Automatically specify certain predicates in the FSMs • Runtime checks or formal proofs of the predicates.

  16. Backup

  17. Specify and Check Security Predicates in Source Code • void foo (int contentLen, int sock, int sid) { /* Precondition: contentLen>0 && sock>0 */ • /* assert:: contentLen>0*/ • dbuf = calloc(contentLen +1024, sizeof(char)); • dbpos =0; dbsize =0; • if (dbuf==NULL) return; • pDbuf= dbuf; • do { • /* assert: sock>0 && size(pDuf)>=1024 */ • dbsize=recv(sock, pDbuf, 1024, 0); • if (dbsize== -1) { • return; • } • /* assert: 0<=dbsize<=1024 && dbuf<=pDbuf<=dbuf+contentLen*/ • pDbuf += dbsize; • /* assert: 0<=dbpos<=contentLen */ • dbpos += dbsize; • } while ((dbsize ==1024) && (dbpos <contentLen)); • } • Insert predicates (automatically or by annotations) • Runtime check or formally prove these predicates

More Related