Advanced Computer Architecture Lab University of Michigan Efficient Dynamic Detection of Efficient Dynamic Detection of Input-Related Security Faults Input-Related Security Faults Eric Larson Dissertation Defense University of Michigan April 29, 2004
41
Embed
Efficient Dynamic Detection of Input-Related Security Faults
Efficient Dynamic Detection of Input-Related Security Faults. Eric Larson Dissertation Defense University of Michigan April 29, 2004. Security Faults. Keeping computer data and accesses secure is a tough problem Software errors cost companies millions of dollars - PowerPoint PPT Presentation
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Advanced Computer Architecture LabUniversity of Michigan
1
Efficient Dynamic Detection of Efficient Dynamic Detection of Input-Related Security FaultsInput-Related Security Faults
Eric LarsonDissertation DefenseUniversity of Michigan
April 29, 2004
Advanced Computer Architecture LabUniversity of Michigan
2
Security FaultsSecurity Faults• Keeping computer data and accesses secure is a tough
problem• Software errors cost companies millions of dollars• Different types of errors can lead to exploits:
• Even with a well-designed security protocol, a program can be compromised if it contains bugs!
Advanced Computer Architecture LabUniversity of Michigan
3
Input-Related Software FaultsInput-Related Software Faults• Common implementation error is to improperly bound input data
– checks are not present in many cases– when checks are present, they can be wrong– especially important for network data
• Common security exploit: buffer overflow– array references– string library functions in C
• Widespread problem:– 2/3 of CERT security advisories in 2003 were due to buffer overflows– buffer overflow bugs have recently been found in Windows and Linux
Advanced Computer Architecture LabUniversity of Michigan
4
Remainderof the stack
foo
Example Buffer Overflow AttackExample Buffer Overflow Attack• Attacking the program involves two steps:
bar
1. Write malicious code onto the stack.
bad code2. Redirect control to execute the malicious data.
Advanced Computer Architecture LabUniversity of Michigan
5
Overwriting the Return AddressOverwriting the Return Address
void bar() { char buffer[100]; gets(buffer); printf(“String is %s”, buffer);}
Return address
temporary value 1
temporary value 2
buf[99]
buf[98]
buf[0]
Stack grows to lower addresses
Data grows to higher addresses
Advanced Computer Architecture LabUniversity of Michigan
6
Overwriting the Return AddressOverwriting the Return Address
void bar() { char buffer[100]; gets(buffer); printf(“String is %s”, buffer);}
0xbadc0de
0xbadc0de
0xbadc0de
buf[99]
buf[98]
buf[0]
Stack grows to lower addresses
Data grows to higher addresses
The location of the return address is not always known, so overwriteeverything!
Advanced Computer Architecture LabUniversity of Michigan
7
Outline of TalkOutline of Talk• Background and Related Work (Ch. 2)• Detecting Input-Related Software Faults (Ch. 3)• MUSE: Instrumentation Infrastructure (Ch. 4)• Implementation and Results (Ch. 5)• Reducing Performance Overhead (Ch. 6)• Conclusions (Ch. 7)
Advanced Computer Architecture LabUniversity of Michigan
8
When Should I Look for Software Bugs?When Should I Look for Software Bugs?• Compile-time (static) bug detection
+ no dependence on input+ can prove that a dangerous operation is safe in some cases– often computationally infeasible (too many states or paths)– scope is limited: either high false alarm rate or low bug finding rate– hard to analyze heap data
• Run-time (dynamic) bug detection+ can analyze all variables (including those on the heap)+ execution is on a real path fewer false alarms– error may not manifest as an error in the output– depends on program input– impacts performance of program
Our approach is dynamic, addressing its deficiencies by borrowing ideas from
static bug detection
Advanced Computer Architecture LabUniversity of Michigan
9
Contributions of this ThesisContributions of this Thesis• Dynamically Detecting Input-Related Software Faults
– Relaxes dependence on input• MUSE: Instrumentation Infrastructure
– Developed for rapid prototyping of bug detection tools for this and future research
• Improved Shadow State Management– Tighter integration with the compiler, improves performance
Advanced Computer Architecture LabUniversity of Michigan
10
Selected Related WorkSelected Related Work• Jones & Kelly: dynamic approach to catching memory access
errors, tracks all valid objects in memory using a table • Tainted Perl: prevents unsafe actions from unvalidated input• STOBO: uses allocation sizes rather than string sizes• CCured: type system used to catch memory access errors,
instrumentation is added when static analysis fails• BOON: derives and solves a system of integer range constraints
statically to find buffer overruns • CSSV: model checking system to find buffer overflows in C,
keeps track of potential string lengths and null termination • MetaCompilation: checks for uses of unbounded input, does not
verify if the checks are correct
Advanced Computer Architecture LabUniversity of Michigan
11
Detection of Input-Related Software FaultsDetection of Input-Related Software Faults• Program instrumentation tracks data derived from input
– possible range of integer variables– maximum size and termination of strings
• Dangerous operations are checked over entire range of possible values
• Found 17 bugs in 9 programs, including 2 known high security faults in OpenSSH
Relaxes constraint that the user provides an input that exposes the bug
Advanced Computer Architecture LabUniversity of Michigan
12
Detecting Array Buffer OverflowsDetecting Array Buffer Overflows• Interval constraint variables are introduced when
external inputs are read– Holds the lower and upper bounds for each input value– Initial values encompass the entire range– Control points narrow the bounds– Arithmetic operations adjust the bounds
• Potentially dangerous operations are checked:– Array indexing– Controlling a loop or memory allocation size– Arithmetic operations (overflow)
Advanced Computer Architecture LabUniversity of Michigan
– can also be used to created profilers, coverage tools, and debugging aids
• Implemented in GCC at the abstract syntax tree (AST) level• Simplification phase breaks up complex C statements
– removes C side effects and other nuances– allows matching in the middle of a complex expression
• Specification consists of pattern-function pairs– patterns match against statements, expressions, and special events– on a match, call is made to corresponding external function
Advanced Computer Architecture LabUniversity of Michigan
22
Testing ProcessTesting Process
SourceCode
Instrumentationspecification
InstrumentedExecutable
Errorreports
Compile(GCC w/MUSE)
Run test suite
Debug andfix errors
Advanced Computer Architecture LabUniversity of Michigan
Instrumentation sites reduced after ... Integers that are …
Advanced Computer Architecture LabUniversity of Michigan
34
Approaches to Shadow State ManagementApproaches to Shadow State Management• Shadow state table (Example: Jones & Kelly):
– Slow to maintain and access– Does not modify the variables within the program
• Fat variables (Example: Safe C):– Fast to access, shadow state is contained within the variable – Variables no longer fit in within a register– All variables of a particular type must be instrumented– Must account for functions that were not compiled using fat
variables
Advanced Computer Architecture LabUniversity of Michigan
35
Referencing Local Shadow State by NameReferencing Local Shadow State by Name• Compiler creates separate variable to store shadowed
state for local variables– Quick to access, lookup to table not necessary– Original variable is not modified in any form– Only created for local variables that need shadowed state
• Still need shadow state table for:– heap variables– aliased local variables (used in the “address-of (&)” operator)
Advanced Computer Architecture LabUniversity of Michigan
36
Results: Shadow State by Name Results: Shadow State by Name (Performance)(Performance)
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
anagram ft ks yacr2 betaftpd ghttpd openssh thttpd AVG.
Pe
rfo
rma
nce
Imp
rove
me
nt
Shadow State by Name
Useless Instrumentation Removal
Both Optimizations
Advanced Computer Architecture LabUniversity of Michigan
37
Results: Shadow State by Name Results: Shadow State by Name (Integer Shadow State Table Accesses)(Integer Shadow State Table Accesses)
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
anagram ft ks yacr2 betaftpd ghttpd openssh thttpd AVG.
Inte
ge
r T
ab
le A
cce
sse
s R
ed
uct
ion
%
Shadow State by Name
Useless Instrumentation Removal
Both Optimizations
Advanced Computer Architecture LabUniversity of Michigan