Model Checking an Entire Linux Distribution for Security Violations
Work by Benjamin Schwarz, Hao Chen, David Wagner, Geoff Morrison, Jacob West, Jeremy Lin and Wei Tu
Jacob West, Security Research Group, Fortify Software
ACSAC 2005
Outline
Introduction
MOPS Background
Analyzing Red Hat 9
  Tool performance
  Human performance
  Security properties
Vulnerability Examples
  TOCTTOU
  Standard File Descriptors
  Temporary Files
  strncpy()
Results
Introduction
Over 50% of security vulnerabilities caused by coding errors
  Automated detection possible
Rapidly expanding field
  Academic and commercial
  Feasible at large scale
MOPS (MOdel checking Programs for Security properties)
Static analysis for security
  C programs
  Enforce temporal safety rules
Analyzing Red Hat 9: Overview
Tool performance
  Analysis of large code base feasible
  Compaction improves performance
  Reasonable resource requirements
Human performance
  Integration with existing build processes
  False positives
  Easy-to-review error traces
  Grouped error traces
Security properties
  Temporal safety properties
  Employable by other tools
  Iteratively refined for low false positives
Analyzing Red Hat 9: Tool Performance
Red Hat 9: 839 packages, 60 million TLOC
  732 packages (87%) analyzed
  107 failures caused by parse errors
    73 packages contained C++ code
    34 packages used unsupported C99 constructs
Compaction improves performance
  Only consider relevant operations
Reasonable resource requirements
  TOCTTOU takes about 10 hours on a P4 1.5 GHz / 1 GB
Analyzing Red Hat 9: Human Performance
Integration with existing build processes
  Integrated with rpmbuild, make
  Interposed on gcc
  Analyze multiple packages easily
False positives
  Relatively low, permits human review
Easy-to-review error traces
  Navigate code quickly to verify error traces
Grouped error traces
  Understand multiple traces through representative samples
Analyzing Red Hat 9: Security Properties
Temporal safety properties
  Security properties expressed as Finite State Automata (FSA)
  Pattern variables, e.g. foo(x); bar(x); where x is the same
Iteratively refined to reduce false positives
Employable by other tools
Properties include
  TOCTTOU: time-of-check-to-time-of-use race conditions
  Standard File Descriptors: vulnerable uses of stdin, stdout and stderr
  Temporary Files: insecure creation of temporary files
  strncpy(): dangerous uses of strncpy()
Security Properties: TOCTTOU
Time-of-check to time-of-use race conditions occur when a program checks the access permission of an object and, if the check succeeds, makes a privileged system call on the object.
Example:
  if (access(pathname, R_OK) == 0)
      fd = open(pathname, O_RDONLY);
Security Properties: TOCTTOU
Checks: access(), stat(), etc.
Uses: creat(), open(), unlink(), etc.
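As an added illustration (not MOPS code and not from the paper), the TOCTTOU property above written as a finite state automaton with one pattern variable x and run over a constructed, single-path trace of (function, pathname) calls. MOPS checks this kind of FSA against every path of a program's control-flow graph; this block only walks one linear trace, and its check/use sets are the ones named on this and the following slide.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One call in a constructed trace: the function name and its pathname argument. */
struct call { const char *fn; const char *path; };

/* "Check" and "use" sets from the slides (lstat/rename/chmod/chown appear in the ar example). */
static const char *checks[] = { "access", "stat", "lstat", NULL };
static const char *uses[]   = { "open", "creat", "unlink", "rename", "chmod", "chown", NULL };

static int in_set(const char *const *set, const char *fn) {
    for (; *set; set++)
        if (strcmp(*set, fn) == 0) return 1;
    return 0;
}

/* FSA states: 0 = start, 1 = checked(x), with x the pathname bound by the
 * most recent check. A use of the same pathname in state 1 is the error
 * transition. Returns the number of violations; *first_use receives the index
 * of the first offending call, or -1 if there is none. */
int tocttou_violations(const struct call *trace, size_t n, long *first_use) {
    int state = 0, violations = 0;
    const char *x = NULL;
    if (first_use) *first_use = -1;
    for (size_t i = 0; i < n; i++) {
        if (in_set(checks, trace[i].fn)) {
            state = 1;                         /* check(x): bind the pattern variable */
            x = trace[i].path;
        } else if (state == 1 && in_set(uses, trace[i].fn)
                   && strcmp(trace[i].path, x) == 0) {
            violations++;                      /* use(x) after check(x): error state */
            if (first_use && *first_use < 0) *first_use = (long)i;
        }
    }
    return violations;
}

int main(void) {
    /* Constructed trace of the access()/open() example from the previous slide. */
    const struct call trace[] = { { "access", "/tmp/cfg" }, { "open", "/tmp/cfg" } };
    long at;
    int v = tocttou_violations(trace, 2, &at);
    printf("%d TOCTTOU violation(s), first at call %ld\n", v, at);
    return 0;
}
```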
Vulnerability Example: TOCTTOU – binutils :: ar
  exists = lstat (to, &s) == 0;
  /* Use rename only if TO is not a symbolic link and has only one hard link. */
  if (! exists || (!S_ISLNK (s.st_mode) && s.st_nlink == 1))
    {
      ret = rename (from, to);
      if (ret == 0)
        {
          if (exists)
            {
              chmod (to, s.st_mode & 0777);
              if (chown (to, s.st_uid, s.st_gid) >= 0)
                {
                  chmod (to, s.st_mode & 07777);
                }
              ...
Security Properties: Standard File Descriptors
Since the kernel does not require that stdin, stdout and stderr point to terminal devices, an attacker may cause a victim program to open one of them on a sensitive file.
Example
  /* victim.c */
  fd = open("/etc/passwd", O_RDWR);
  if (!process_ok(argv[0]))
      perror(argv[0]);

  /* attack.c */
  int main(void) {
      close(2);
      execl("victim", "foo:<pw>:0:1:Super-User-2:...", NULL);
  }
Security Properties: Standard File Descriptors
States correspond to the status of the three standard file descriptors and transitions occur on a "safe" open (/dev/null and /dev/tty).
[FSA diagram: states for the three standard file descriptors, transitions labelled open(…)]
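The mitigation that keeps a program in the "safe" states of this FSA, as an added example (not from the paper or from any of the packages it names): before anything else is opened, every closed descriptor among 0, 1 and 2 is pointed at /dev/null, so a later open() cannot land on stdin, stdout or stderr and then be written to by printf() or perror().

```c
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if fd was closed and has now been reopened on /dev/null,
 * 0 if it was already open, -1 on failure. */
int ensure_fd_open(int fd) {
    struct stat st;
    if (fstat(fd, &st) == 0)
        return 0;                              /* already open: nothing to do */
    if (errno != EBADF)
        return -1;
    int nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
    if (nfd < 0)
        return -1;
    if (nfd != fd) {                           /* lowest free fd was not the one wanted */
        if (dup2(nfd, fd) < 0) { close(nfd); return -1; }
        close(nfd);
    }
    return 1;
}

/* Call first thing in main(), before any other open(). Returns 0 on success. */
int sanitize_std_fds(void) {
    for (int fd = 0; fd <= 2; fd++)
        if (ensure_fd_open(fd) < 0)
            return -1;
    return 0;
}

/* Check helper: does fd refer to the /dev/null character device? */
int fd_is_devnull(int fd) {
    struct stat a, b;
    if (fstat(fd, &a) < 0 || stat("/dev/null", &b) < 0)
        return 0;
    return S_ISCHR(a.st_mode) && a.st_rdev == b.st_rdev;
}

int main(void) {
    return sanitize_std_fds() == 0 ? 0 : 1;
}
```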
Vulnerability Example: Standard File Descriptors - gnuchess
  void BookBuilder(short depth, ...)
  {
      FILE *wfp, *rfp;
      if (depth == -1 && score == -1) {
          if ((rfp = fopen(BOOKRUN, "r+b")) != NULL) {
              printf("Opened existing book!\n");
          } else {
              printf("Created new book!\n");
              wfp = fopen(BOOKRUN, "w+b");
              fclose(wfp);
              if ((rfp = fopen(BOOKRUN, "r+b")) == NULL) {
                  printf("Could not create %s file\n", BOOKRUN);
                  return;
              }
              ...
Security Properties: Temporary Files
Because many of the functions in the C standard library that create temporary files are insecure, an adversary that is able to predict the filename can gain control of the file by pre-creating it.
Example
  fd = mkstemp(action_file_name);
  ...
  unlink(action_file_name);
Security Properties: Temporary Files
tmpnam(), tempnam(), mktemp() and tmpfile() are always unsafe
mkstemp() is safe if the generated filename is not used
Vulnerability Example: Temporary Files - yacc
  static void open_files() {
      ...
      fd = mkstemp(action_file_name);
      if (fd < 0 || (action_file = fdopen(fd, "w")) == NULL) {
          ...
          open_error(action_file_name);
      }
  }
  void open_error(char *filename) {
      warnx("f - cannot open \"%s\"", filename);
      done(2);
  }
  void done(int k) {
      ...
      if (action_file_name[0])
          unlink(action_file_name);
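The safe mkstemp() discipline from the previous slide, as an added example (not yacc's code): the generated name is never used again, the file is unlinked immediately while the descriptor stays open, and all I/O goes through the descriptor. In yacc above, done() later called unlink() on the name, which by then could refer to a file someone else had put in its place. The directory argument is assumed writable.

```c
#define _XOPEN_SOURCE 700           /* for mkstemp() and fdopen() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Creates an anonymous temporary file under dir and returns a FILE*
 * opened for read/write, or NULL on error. The name is discarded. */
FILE *secure_tmpfile(const char *dir) {
    char tmpl[256];
    if (snprintf(tmpl, sizeof tmpl, "%s/tmp.XXXXXX", dir) >= (int)sizeof tmpl)
        return NULL;
    int fd = mkstemp(tmpl);              /* created with O_EXCL and mode 0600 */
    if (fd < 0)
        return NULL;
    /* Remove the name now: nobody can race on it any more, and the file
     * disappears by itself when the last descriptor is closed. */
    if (unlink(tmpl) < 0) { close(fd); return NULL; }
    FILE *fp = fdopen(fd, "w+");
    if (!fp) close(fd);
    return fp;
}

/* Round trip through the descriptor only: write text, rewind, read it back.
 * Returns 1 if the data read matches, 0 otherwise. */
int tmpfile_roundtrip(const char *dir, const char *text) {
    FILE *fp = secure_tmpfile(dir);
    if (!fp) return 0;
    char buf[128] = "";
    int ok = fputs(text, fp) >= 0 && fflush(fp) == 0
          && fseek(fp, 0, SEEK_SET) == 0
          && fgets(buf, sizeof buf, fp) != NULL
          && strcmp(buf, text) == 0;
    fclose(fp);                          /* last close: the file is gone */
    return ok;
}

int main(void) {
    return tmpfile_roundtrip("/tmp", "action file contents\n") ? 0 : 1;
}
```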
Security Properties: strncpy()
First, strncpy() encourages off-by-one errors if the programmer is not careful to compute the value of n precisely. Second, because the function does not automatically null-terminate the string in all cases, it is a common mistake for a program to create unterminated strings during its execution.
Example
  buf[sizeof(buf)-1] = '\0';
  strncpy(buf, ..., sizeof(buf));
Vulnerability Example: strncpy() - xloadimage
  newopt->info.dump.type = argv[++a];
  ...
  dumpImage(dispimage, dump->info.dump.type, dump->info.dump.file, verbose);

  void dumpImage(Image *image, char *type, char *filename, int verbose)
  {
      int a;
      char typename[32];
      char *optptr;

      optptr = index(type, ',');
      if (optptr) {
          strncpy(typename, type, optptr - type);
          typename[optptr - type] = '\0';
          ...
  }
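A bounded copy that always terminates its destination, with the xloadimage call site rewritten on top of it, as an added example (not xloadimage's code). The original copied optptr - type bytes into typename[32] without comparing that length to the buffer, and strncpy() itself adds no terminator when the source is at least n bytes long; the helper here returns whether truncation happened so the caller can reject an over-long type instead of silently using a prefix.

```c
#include <stddef.h>
#include <string.h>

/* Copies at most len bytes of src (stopping early at src's terminator) into
 * dst of size dstsz and always NUL-terminates dst.
 * Returns 0 if everything fitted, 1 if the copy was truncated, -1 if dstsz == 0. */
int copy_prefix(char *dst, size_t dstsz, const char *src, size_t len) {
    if (dstsz == 0) return -1;
    size_t n = 0;
    while (n < len && src[n] != '\0')       /* bytes actually available in src */
        n++;
    int truncated = n > dstsz - 1;
    if (truncated) n = dstsz - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';                           /* terminator written after the copy */
    return truncated;
}

/* Hardened version of dumpImage()'s prefix extraction: the part of type before
 * the first ',' (or all of type) goes into typename[32]. Returns copy_prefix()'s
 * result, so 1 means the type name did not fit. */
int extract_typename(const char *type, char typename[32]) {
    const char *optptr = strchr(type, ',');
    size_t len = optptr ? (size_t)(optptr - type) : strlen(type);
    return copy_prefix(typename, 32, type, len);
}
```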
Results
1358 strncpy() warnings; 53 audited; 11 real bugs*
200 human hours found 108 real bugs in 50 million lines of code
Order of magnitude larger in scale than previous academic work
Static analysis will be a feasible and integral part of building systems

Property                    Reported Warnings   % FP   Real Bugs
TOCTTOU                                   790    95%          41
Standard File Descriptors                  56    61%          22
Insecure Temporary Files                  108    69%          34
Total                                     954    90%          97
strncpy()                             53/1358    79%     11/258*
Projected Total                          2312    85%         355