Slide transcript (posted 19-Dec-2015)

Slide 1: Property 3: standard file descriptors vulnerability

Standard file descriptors: 0 = stdin, 1 = stdout, 2 = stderr

Interleaving of attack.c and at.c; the columns show what descriptors 0, 1 and 2 refer to after each step:

  step                                      fd 0   fd 1       fd 2
  (start)                                   tty    tty        tty
  attack.c: close(1); close(2);             tty    <closed>   <closed>
  attack.c: execl("at", …);                 tty    <closed>   <closed>
  at.c:     open(LOCK, O_WRONLY);           tty    LOCK       <closed>
  at.c:     fd = open(atfile, O_CREAT);     tty    LOCK       atfile
  at.c:     … perror(user_str);             writes to fd 2, which is now atfile

Program: at (at-3.1.8-33)
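Added example, not code from the slides, from at, or from the MOPS project: a C program that replays the interleaving above inside a child process and shows the defensive fix the victim side needs. The names ensure_std_fds and perror_leaks_into_jobfile are ours; /dev/null stands in for LOCK, the write end of a pipe stands in for atfile (dup() hands out descriptors by the same lowest-free-number rule as open()), and the attacker's close-then-exec is simulated by closing 1 and 2 in the child before the victim's opens run. The hardening is the usual idiom of reopening any closed standard descriptor on /dev/null before the program does anything else, so no later open() can land on 0, 1 or 2.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Defensive fix (name is ours): make sure fds 0, 1 and 2 are open before
 * doing anything else. Any descriptor the parent closed is pointed at
 * /dev/null, so a later open() can never be handed a standard number.
 * Returns 0 on success, -1 on error. */
int ensure_std_fds(void)
{
    for (int fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) == -1 && errno == EBADF) {
            int nullfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
            if (nullfd == -1)
                return -1;
            /* open() returns the lowest free fd, so nullfd == fd here;
             * the dup2 only matters if something else grabbed it first */
            if (nullfd != fd) {
                if (dup2(nullfd, fd) == -1)
                    return -1;
                close(nullfd);
            }
        }
    }
    return 0;
}

/* Replays the slide's interleaving in a child. Returns 1 if the perror()
 * text reached the "job file" (the pipe), 0 if it did not, -1 on error.
 * harden=1 runs ensure_std_fds() first, as a fixed at would. */
int perror_leaks_into_jobfile(int harden)
{
    int pfd[2];
    char buf[256];
    ssize_t n;
    int status;
    pid_t pid;

    if (pipe(pfd) == -1)
        return -1;
    pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        close(pfd[0]);
        /* attack.c: close(1); close(2); execl("at", ...); */
        close(1);
        close(2);
        if (harden && ensure_std_fds() == -1)
            _exit(2);
        /* at.c: open(LOCK, O_WRONLY) gets the lowest free fd: 1 when unhardened */
        int lock = open("/dev/null", O_WRONLY);
        /* at.c: fd = open(atfile, O_CREAT) gets the next one: 2 when unhardened */
        int jobfile = dup(pfd[1]);
        close(pfd[1]);
        if (lock == -1 || jobfile == -1)
            _exit(2);
        /* at.c: perror(user_str) writes to whatever fd 2 is now */
        errno = EACCES;
        perror("ATTACKER-CONTROLLED");
        close(jobfile);
        _exit(0);
    }
    close(pfd[1]);
    n = read(pfd[0], buf, sizeof buf - 1);   /* EOF once the child exits */
    close(pfd[0]);
    waitpid(pid, &status, 0);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return strstr(buf, "ATTACKER-CONTROLLED") != NULL;
}

int main(void)
{
    printf("unhardened: perror text in job file? %d\n", perror_leaks_into_jobfile(0));
    printf("hardened:   perror text in job file? %d\n", perror_leaks_into_jobfile(1));
    return 0;
}
```

Unhardened, the user-controlled message lands in the job file; with ensure_std_fds() run first, the victim's two opens get descriptors 3 and above and perror() goes to /dev/null.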

Slide 2: Model Checking Millions of Lines of C Code

Hao Chen, Drew Dean, David Wagner

Ben Schwarz, Geoff Morrison, Jacob West, Jeremy Lin

Slide 3: Problem statement

• Demonstrate the impact of MOPS for improving software security
• MOPS: MOdel checking Programs for Security

Slide 4: Achievements

• Showed that MOPS is scalable
  – Checked 700 packages in RedHat Linux 9 (85% of packages, 30 million LOC)
• Showed that MOPS is usable
  – Most checks were done by students who were neither tool nor package developers
• Showed that MOPS is useful
  – Found dozens of bugs and counting

Slide 5: Outline

• Overview of MOPS
• What have we done?
  – Checked 700 packages on RedHat Linux 9
  – Checked EROS kernel
• How did we do it?
• Conclusion
• Demo

Slide 6: MOPS (MOdel checking Programs for Security properties)

• A static analysis tool that checks source programs for temporal safety properties
• Main features
  – Pushdown model checking
  – Inter-procedural analysis
  – Control flow centric

Slide 7: MOPS: MOdel checking Programs for Security properties

[Architecture diagram: Program -> Parser -> CFG -> Model Checker; the Security Property (an FSA) is the model checker's second input; the output is either "Program OK" or Error Traces]

Slide 8: Property 1: race condition

  Victim                                Adversary
  absent = stat(tmpfile, &s);
                                        Create tmpfile
  if (absent) {
      fp = fopen(tmpfile, "w");

Slide 9: FSA model for race condition

[FSA with the transitions Check(f) followed by Use(f); reaching the final state means the same file f was checked and then used]

Check(f): stat(f), lstat(f), access(f), readlink(f), statfs(f)
Use(f): chmod(f), chroot(f), creat(f), execv(f), execve(f), execl(f), …

Slide 10: Race condition: bug 1

  exists = lstat(to, &s) == 0;
  if (!exists || (!S_ISLNK(s.st_mode) && s.st_nlink == 1)) {
      ret = rename(from, to);
      if (ret == 0) {
          if (exists) {
              chmod(to, s.st_mode & 0777);
  …

Program: ar (binutils-2.13.90.0.18-9)

Slide 11: Race condition: bug 2

  we_own_log = 1;
  …
  if (stat(_PATH_LOG, &s1) != 0)
      …
  if ((stat(_PATH_LOG, &s2) != 0 || …)
      we_own_log = 0;
  …
  if (we_own_log) {
      unlink(_PATH_LOG);
  }

Program: minilogd (initscripts-7.14-1)

Slide 12: Race condition bugs

  Package        Program    Reported bugs   Real bugs
  binutils       ar         2               1
  coreutils      chown      3               2
  coreutils      chmod      2               1
  coreutils      cp         2               1
  dos2unix       dos2unix   4               2
  ftpcopy        ftpcopy    8               3
  gaim           gaim       2               3
  joe            joe        1               1
  jpilot         jpilot     2               1
  initscripts    minilogd   1               1
  inn            fastrm     1               1
  isdn4k-utils   isdnlog    4               1
  lrzsz          lsz        4               1
  LPRng          checkpc    8               1
  make           make       1               1
  mc             mc         5               1
  Total                     50              22

Slide 13: Property 2: drop privilege before making unsafe system calls

  int main()
  {
      // ruid≠0, euid=0
      do_something_with_privilege();
      drop_privilege();
      execl("/bin/sh", "sh", NULL);
  }

  void drop_privilege()
  {
      struct passwd *passwd;
      if ((passwd = getpwuid(getuid())) == NULL)
          return;
      fprintf(log, "User %s", passwd->pw_name);
      seteuid(getuid());
  }

FSA for the property: two states, euid=0 and euid≠0. seteuid(0) moves to euid=0, seteuid(!0) moves to euid≠0, and an execl() taken while in state euid=0 is unsafe.

Why the code above is flagged: if getpwuid() fails, drop_privilege() returns before its seteuid(getuid()), so main() reaches execl("/bin/sh", …) with euid still 0 and the shell runs with root privilege.
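Added example covering Property 1 (slides 8 and 9) and Property 2 (this slide): a miniature, in C, of what the model checker does with these FSAs. It is ours, not code from MOPS. Each property is an automaton driven by the sequence of calls on one execution path, and the checker returns the index of the call that reaches the error state. The Call struct, the function names and the traces are constructed for the example; the Check/Use lists are the ones on slide 9 (that slide's Use list is cut off, so only the calls it shows are modelled), and the privilege automaton is the one drawn on this slide.

```c
#include <stdio.h>
#include <string.h>

/* One call on an execution path: the function name and the argument the
 * property tracks (a file for property 1, the new uid for property 2). */
typedef struct {
    const char *fn;
    const char *arg;
} Call;

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

static int name_in(const char *fn, const char *const *names, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(fn, names[i]) == 0)
            return 1;
    return 0;
}

/* Check(f) and Use(f) as listed on slide 9 (the slide's Use list is cut off). */
static const char *const check_calls[] = {"stat", "lstat", "access", "readlink", "statfs"};
static const char *const use_calls[]   = {"chmod", "chroot", "creat", "execv", "execve", "execl"};

/* Property 1: Check(f) moves the automaton to a "checked f" state and a
 * later Use(f) of the same f moves it to the error state. Returns the
 * index of the offending Use(f), or -1 if the path is clean. */
int race_violation(const Call *trace, size_t n)
{
    const char *checked[64];
    size_t nchecked = 0;

    for (size_t i = 0; i < n; i++) {
        if (name_in(trace[i].fn, check_calls, COUNT(check_calls))) {
            if (nchecked < COUNT(checked))
                checked[nchecked++] = trace[i].arg;
        } else if (name_in(trace[i].fn, use_calls, COUNT(use_calls))) {
            for (size_t j = 0; j < nchecked; j++)
                if (strcmp(checked[j], trace[i].arg) == 0)
                    return (int)i;
        }
    }
    return -1;
}

/* Property 2: states euid=0 and euid!=0. seteuid(0) -> euid=0,
 * seteuid(x != 0) -> euid!=0, execl() while euid=0 -> unsafe. Returns the
 * index of the unsafe execl(), or -1. start_euid0 is the initial state
 * (1 for a setuid-root program, as on slide 13). */
int privilege_violation(const Call *trace, size_t n, int start_euid0)
{
    int euid0 = start_euid0;

    for (size_t i = 0; i < n; i++) {
        if (strcmp(trace[i].fn, "seteuid") == 0)
            euid0 = strcmp(trace[i].arg, "0") == 0;
        else if (strcmp(trace[i].fn, "execl") == 0 && euid0)
            return (int)i;
    }
    return -1;
}

/* Constructed traces, not extracted from the real programs. */

/* The ar bug of slide 10: lstat(to) ... chmod(to). */
int check_ar_path(void)
{
    static const Call path[] = {{"lstat", "to"}, {"rename", "to"}, {"chmod", "to"}};
    return race_violation(path, COUNT(path));
}

/* The two paths through slide 13's main()/drop_privilege(). getuid() is
 * nonzero there (ruid != 0), so seteuid(getuid()) leaves the euid=0 state. */
int check_drop_privilege_path(int getpwuid_fails)
{
    static const Call ok[] = {
        {"getpwuid", ""}, {"fprintf", ""}, {"seteuid", "getuid()"}, {"execl", "/bin/sh"}};
    static const Call early_return[] = {{"getpwuid", ""}, {"execl", "/bin/sh"}};

    if (getpwuid_fails)
        return privilege_violation(early_return, COUNT(early_return), 1);
    return privilege_violation(ok, COUNT(ok), 1);
}

int main(void)
{
    printf("ar path: race at call %d\n", check_ar_path());
    printf("drop_privilege, getpwuid ok: unsafe call %d\n", check_drop_privilege_path(0));
    printf("drop_privilege, getpwuid fails: unsafe call %d\n", check_drop_privilege_path(1));
    return 0;
}
```

The real tool walks every path of the program's CFG with a pushdown automaton instead of being handed one linear trace; the state it carries along each path is the same as here.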

Slide 14: A bug on dropping privilege

  // ruid≠0, euid=suid=0
  seteuid(getuid());
  setuid(getuid());
  …
  execlp(askpass, askpass, msg, (char *) 0);

Program: ssh (openssh-3.5p1-6)

Slide 15: Problem: unportable semantics of setuid(getuid())

Two state diagrams over (R, E, S) = (real, effective, saved) uid, one per OS, each with the same three states:

  OpenBSD:  R≠0,E=S=0   R=E≠0,S=0   R=E=S≠0
  Linux:    R≠0,E=S=0   R=E≠0,S=0   R=E=S≠0

[State diagram: the transitions between these states differ between the two kernels]

Slide 16: Vulnerability in ssh

OpenSSH 3.5 on Linux:
  R≠0, E=S=0  --seteuid(getuid())-->  R=E≠0, S=0  --setuid(getuid())-->  R=E≠0, S=0    unsafe!

OpenSSH 3.5 on OpenBSD:
  R≠0, E=S=0  --seteuid(getuid())-->  R=E≠0, S=0  --setuid(getuid())-->  R=E=S≠0      safe

OpenSSH 2.5.2 on Linux:
  R≠0, E=S=0  --setuid(getuid())-->  R=E=S≠0      safe

Lessons:
• Unportable API causes vulnerability
• Programmer’s confusion causes vulnerability
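Added example, ours and not the authors' code: a C model of the setuid/seteuid rules behind the diagrams above, used to replay the three sequences and to show why the Linux 3.5 case is unsafe. The rules are a simplification and an assumption of this example: seteuid(x) changes only the effective uid; Linux setuid(x) sets real, effective and saved uid only when the effective uid is 0 and otherwise only the effective uid; OpenBSD setuid(x) sets all three also when x equals the real uid. The type and function names are ours.

```c
#include <stdio.h>

typedef unsigned int Uid;
typedef struct { Uid r, e, s; } Uids;           /* real, effective, saved uid */
typedef enum { OS_LINUX, OS_OPENBSD } Os;

/* seteuid(x): modelled the same on both kernels: permitted if the caller is
 * root or x is one of its real/effective/saved uids; changes only the
 * effective uid. Returns 0 or -1 like the real call. */
int model_seteuid(Uids *u, Uid x)
{
    if (u->e == 0 || x == u->r || x == u->e || x == u->s) {
        u->e = x;
        return 0;
    }
    return -1;
}

/* setuid(x): where the kernels differ (simplified, an assumption here):
 *  Linux   - euid 0: set real, effective and saved uid to x;
 *            otherwise only the effective uid, and only if x is real or saved.
 *  OpenBSD - euid 0 OR x == real uid: set all three;
 *            otherwise only the effective uid, and only if x is saved. */
int model_setuid(Os os, Uids *u, Uid x)
{
    if (u->e == 0 || (os == OS_OPENBSD && x == u->r)) {
        u->r = u->e = u->s = x;
        return 0;
    }
    if (x == u->r || x == u->s) {
        u->e = x;
        return 0;
    }
    return -1;
}

/* Root is gone for good only when no uid is 0. */
int privilege_dropped(Uids u)
{
    return u.r != 0 && u.e != 0 && u.s != 0;
}

/* The attacker's test: does seteuid(0) still succeed afterwards? */
int can_regain_root(Uids u)
{
    return model_seteuid(&u, 0) == 0;
}

/* OpenSSH 3.5 sequence: seteuid(getuid()); setuid(getuid()); from R!=0, E=S=0. */
Uids run_openssh_35(Os os, Uid user)
{
    Uids u = { user, 0, 0 };
    model_seteuid(&u, user);
    model_setuid(os, &u, user);
    return u;
}

/* OpenSSH 2.5.2 sequence: setuid(getuid()) alone. */
Uids run_openssh_252(Os os, Uid user)
{
    Uids u = { user, 0, 0 };
    model_setuid(os, &u, user);
    return u;
}

static void show(const char *label, Uids u)
{
    printf("%-24s R=%u E=%u S=%u  %s\n", label, u.r, u.e, u.s,
           can_regain_root(u) ? "unsafe! seteuid(0) still works" : "safe");
}

int main(void)
{
    show("OpenSSH 3.5 on Linux", run_openssh_35(OS_LINUX, 1000));
    show("OpenSSH 3.5 on OpenBSD", run_openssh_35(OS_OPENBSD, 1000));
    show("OpenSSH 2.5.2 on Linux", run_openssh_252(OS_LINUX, 1000));
    return 0;
}
```

The seteuid(getuid()) call is what breaks the Linux case: once the effective uid is no longer 0, Linux's setuid() touches only the effective uid, leaving the saved uid 0 for a later seteuid(0) to reclaim.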

Slide 17: Experiment on RedHat Linux 9

• Programs
  – Tried all 839 packages on RedHat Linux 9 (30M LOC)
  – Succeeded on 85% of packages
  – Failed on 15% of packages, mainly due to parsing failures: C++, non-standard C
• Performance
  – Machine: 1.5GHz Pentium 4, 1 GB memory
  – Took about 40 hours to check one property on all packages

Slide 18: Experience with EROS kernel

• EROS
  – Extremely Reliable Operating System [SSF95]
  – 60,000 lines of code in the kernel
• Checked 5 properties (design invariants)
  – Verified 4 properties
  – Discovered 1 bug
• Provided preliminary evidence that
  – EROS’s design by invariants approach is effective in reducing bugs

Slide 19: Commit() or Yield()

  sys_call() {
      …
      Commit();
      …
      ptr = malloc();
      …
  }

  malloc() {
      …
      while (!buffer_available)
          Yield();
  }

[FSA: states Init, Committed, Yielded, Error; transitions labelled Commit(), Yield(), Yield() and Syscall return; a Yield() after Commit() leads to Error]

Lesson: static checking is good at catching surprising interaction among components

Slide 20: Research challenge

• How to scale MOPS to large programs?
  – Solution: compact CFGs
  – Impact: reduces CFG sizes, often by more than 100 times
• How to consolidate similar error traces?
  – Goal: report one error trace for each bug
  – Intuition
    • Divide all error traces into categories
    • One category represents one unique bug
    • Report the shortest path from each category

Slide 21: Engineering challenge: integrating MOPS into software build processes

• 1st attempt: manually edit Makefiles
  – Too complicated; does not survive autoconf
• 2nd attempt: setenv GCC_EXEC_PREFIX to run MOPS instead of gcc
  – Build processes generate & run code
• 3rd attempt: build CFG & machine code
  – Dangling CFGs; links to object files broken
• 4th attempt: put CFGs into ELF files
  – Solves all identified problems!

Slide 22: Lessons: how to have impact

• Make the tool useful and usable
  – Can check large programs efficiently
  – Can be used easily by ordinary programmers
• Check lots of code
  – More code to check, more bugs to find
• Explore the full potential of your tool