1 Property 3: standard file descriptors vulnerability attack.c at.c Standard File Descriptors...
-
date post
19-Dec-2015 -
Category
Documents
-
view
217 -
download
0
Transcript of 1 Property 3: standard file descriptors vulnerability attack.c at.c Standard File Descriptors...
1
Property 3: standard file descriptorsvulnerability
attack.c
at.c
Standard File Descriptors0:stdin 1:stdout 2:stderr
close(1); close(2);execl(“at”, …);
open(LOCK, O_WRONLY);
…
fd=open(atfile,O_CREAT);
…perror(user_str);
tty tty tty
tty <closed> <closed>tty <closed> <closed>
tty LOCK <closed>
tty LOCK atfile
Program: at (at-3.1.8-33)
2
Model Checking Millions of Lines of C Code
Hao ChenDrew Dean, David Wagner
Ben Schwarz, Geoff Morrison, Jacob West, Jeremy Lin
3
Problem statement
• Demonstrate the impact of MOPS for improving software security
• MOPS: MOdel checking Programs for Security
4
Achievements
• Showed that MOPS is scalable– Checked 700 packages in RedHat Linux 9
(85% packages, 30 million LOC)
• Showed that MOPS is usable– Most checks were done by students who were
neither tool nor package developers
• Showed that MOPS is useful– Founds dozens of bugs and counting
5
Outline
• Overview of MOPS• What have we done?
– Checked 700 packages on RedHat Linux 9– Checked EROS kernel
• How did we do it?• Conclusion• Demo
6
MOPS (MOdel checking Programs for Security properties)
• A static analysis tool that checks source programs for temporal safety properties
• Main features– Pushdown model checking– Inter-procedural analysis– Control flow centric
7
MOPS: MOdel checking Programsfor Security properties
Parser ModelChecker
Program
SecurityProperty
(FSA)
CFG Program OK
Error Traces
MOPS
8
Property 1: race conditionVictim
absent=stat(tmpfile,&s);
Adversary
if(absent){ fp=fopen(tmpfile,“w”);
Create tmpfile
9
FSA model for race condition
Check(f) Use(f)
Check(f): stat(f), lstat(f), access(f), readlink(f), statfs(f)Use(f): chmod(f), chroot(f), creat(f), execv(f), execve(f), execl(f), …
10
Race condition: bug 1
exists = lstat(to, &s) == 0;if (!exists || !S_ISLNK(s.st_mode) && s.st_nlink == 1)) { ret = rename(from, to); if (ret == 0) { if (exits) { chmod(to, s.st_mode & 0777); …
Program: ar (binutils-2.13.90.0.18-9)
11
Race condition: bug 2
we_own_log = 1;…if (stat(_PATH_LOG, &s1) != 0) …if ((stat(_PATH_LOG, &s2) != 0 || …) we_own_log = 0;…if (we_own_log){ unlink(_PATH_LOG);}
Program: minilogd (initscripts-7.14-1)
12
Package Program Reported bugs Real bugsbinutils ar 2 1coreutils chown 3 2coreutils chmod 2 1coreutils cp 2 1dos2unix dos2unix 4 2ftpcopy ftpcopy 8 3gaim gaim 2 3joe joe 1 1jpilot jpilot 2 1initscripts minilogd 1 1inn fastrm 1 1isdn4k-utils isdnlog 4 1lrzsz lsz 4 1LPRng checkpc 8 1make make 1 1mc mc 5 1Total 50 22
Race condition bugs
13
Property 2: drop privilege before making unsafe system calls
int main()
{
// ruid≠0, euid=0
do_something_with_privilege();
drop_privilege();
execl(“/bin/sh”, “sh”, NULL);
}
void drop_privilege()
{
struct passwd *passwd;
if ((passwd = getpwuid(getuid())) == NULL)
return;
fprintf(log, “User %s”, passwd->pw_name);
seteuid(getuid());
}
euid=0 euid≠0
seteuid(0)
seteuid(!0)
execl()
unsafe
14
A bug on dropping privilege
// ruid≠0, euid=suid=0seteuid(getuid());setuid(getuid());…execlp(askpass, askpass, msg, (char *) 0);
Progarm: ssh (openssh-3.5p1-6)
15
Problem: unportable semantics of setuid(getuid())
R≠0,E=S=0 R=E≠0,S=0
R=E=S≠0
R≠0,E=S=0 R=E≠0,S=0
R=E=S≠0
OpenBSD Linux
16
Vulnerability in ssh
R≠0, E=S=0
OpenSSH 3.5 on Linux
R=E≠0, S=0
R=E≠0, S=0
seteuid(getuid())
setuid(getuid())
R≠0, E=S=0
OpenSSH 3.5 on OpenBSD
R=E≠0, S=0
R=E=S≠0
seteuid(getuid())
setuid(getuid())
R≠0, E=S=0
OpenSSH 2.5.2 on Linux
R=E=S≠0
setuid(getuid())
safe safeunsafe!
Lessons:•Unportable API causes vulnerability•Programmer’s confusion causes vulnerability
17
Experiment on RedHat Linux 9
• Programs– Tried all 839 packages on RedHat Linux 9
(30M LOC)– Succeed on 85% packages– Failed on 15% packages
• Mainly due to parsing failures: C++, non-standard C
• Performance– Machine: 1.5GHz Pentium 4, 1G MB memory – Took about 40 hours to check one property on all
packages
18
Experience with EROS kernel• EROS
– Extremely Reliable Operating System [SSF95]
– 60,000 lines of code in the kernel
• Checked 5 properties (design invariants) – Verified 4 properties– Discovered 1 bug
• Provided preliminary evidence that – EROS’s design by invariants approach is effective
in reducing bugs
19
Commit() or Yield()
Init
sys_call(){ … Commit(); … ptr = malloc(); …}
malloc(){ … while (!buffer_available) Yield();}
Committed
Yielded Error
Lesson: static checking is good at catchingsurprising interaction among components
Commit()
Yield() Yield()Syscallreturn
20
Research challenge
• How to scale MOPS to large programs?– Solution: compact CFGs– Impact: reduce CFG sizes often by more than 100
times
• How to consolidate similar error traces?– Goal: report one error trace for each bug– Intuition
• Divide all error traces into categories
• One category represents one unique bug
• Report the shortest path from each category
21
Engineering challenge: integrating MOPS into software
build processes• 1st attempt: manually edit Makefiles
– Too complicated; does not survive autoconf
• 2nd attempt: setenv GCC_EXEC_PREFIX to run MOPS instead of gcc– Build processes generate & run code
• 3rd attempt: build CFG & machine code– Dangling CFGs; links to object files broken
• 4th attempt: Put CFGs into ELF files– Solves all identified problems!