1 / 18

Language-Based Security

Language-Based Security. Outline. CQUAL CCured Valgrind Memcheck, Addrcheck Helgrind Applying on PttBBS. CQUAL. By Jeffrey Foster, Manuel Fähndrich, Alexander Aiken and others Extending the type system of C with extra user-defined type qualifiers . Sample usage

alicedickinson
Télécharger la présentation

Language-Based Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Language-Based Security

  2. Outline • CQUAL • CCured • Valgrind • Memcheck, Addrcheck • Helgrind • Applying on PttBBS

  3. CQUAL • By Jeffrey Foster, Manuel Fähndrich, Alexander Aiken and others • Extending the type system of C with extra user-defined type qualifiers. • Sample usage • User-space/kernel-space trust errors • Deadlock detection • Format-string vulnerability detection • Y2K bug detection • const Inference

  4. CQUAL (cont.) • Three components • Core, inference algorithm • Lattice • Prelude • Assign qualifiers on variables • When it is used as function parameters • Via change_type • Unless using change_type, the variable carries the qualifier forever • Propagate qualifiers • Assignment • Non-constness

  5. CQUAL prelude & lattice int printf(const char $untainted * format, ...); $tainted char * getenv(const char *name); char $tainted $_1 * fgets(char $tainted $_1* s, int size, FILE *stream); char $_1_2 * strcpy(char $_1_2 * s1, const char $_1 * s2); partial order { $untainted [level = value, color = "pam-color-untainted", sign = neg] $tainted [level = value, color = "pam-color-tainted", sign = pos] $untainted < $tainted }

  6. CQUAL read/write lattice partial order [flow-sensitive] { $readwrite_unchecked < $read_unchecked $readwrite_unchecked < $write_unchecked $read_unchecked < $open_unchecked $write_unchecked < $open_unchecked $closed < $readwrite_unchecked $readwrite < $read $readwrite < $write $read < $open $write < $open $open < $open_unchecked $read < $read_unchecked $write < $write_unchecked $readwrite < $readwrite_unchecked }

  7. CCured • By George Necula, Scott McPeak, Westley Weimer, Matthew Harren, Jeremy Condit and others • implemented on top of the CIL (C Intermediate Language) framework • Source-to-source translator for C • Add runtime information for pointers • SAVE • SEQ, FSEQ • WILD

  8. CCured (cont.) • SAFE pointer • The same as standard pointer • No pointer arithmetic • SEQ, FSEQ • Upper and base for boundary checking • Three/two word wide • WILD pointer • Cast between incompatible pointers • Wrapping libraries • ptrof, check_string, ensure_length, mkptr, mkptr_size, mkptr_string

  9. CCured pointers x: int *WILD; *x => assert(x.b = null); assert(x.b ? x.p ? x.b+len(x.b) 1); *(x.p) x: τ*WILD *WILD; *x => assert(x.b = null); assert(x.b ? x.p ? x.b+len(x.b) 2); assert(tag(x.b,x.p+1) == 1); *(x.p)

  10. CCured pointers (cont.) struct hostent{ char * h_name; /* String */ char ** h_aliases; /*Array of strings */ short h_addrtype; };

  11. CCured wrapper #pragma ccuredwrapper("strchr_wrapper", for("strchr")) __inline static char*strchr_wrapper(char* str, int chr) { __check_string(str); char*result = strchr(__ptrof(str), chr); return __mkptr(result,str); } #pragma ccuredwrapper("open_wrapper", for("open")); #pragma ccuredvararg("open_wrapper", sizeof(int)) __inline static int open_wrapper(char* file, int oflag, ...) { __check_string(file); if(oflag & O_CREAT){ int mode; va_list argptr; va_start(argptr, oflag); mode = va_arg(argptr, int); va_end(argptr); return open(__ptrof(file), oflag, mode); } else return open(__ptrof(file), oflag); }

  12. CCured wrapper (cont.) static void* __qsort_base; static int (*__qsort_compare)(void*, void*); static int __qsort_compare_wrapper(void* SAFE left, void* SAFE right){ void* wideleft = __mkptr(left, qsort_base); void* wideright = __mkptr(right, qsort_base); return __qsort_compare(wideleft, wideright); } #pragma ccuredwrapper("qsort_wrapper", for("qsort")); inline static void qsort_wrapper(void* base, size_t nmemb, size_t size, int (*compare)(void* left, void* right)){ __cleartags(base, nmemb * size); __qsort_base = base; __qsort_compare = compare; qsort(__ptrof(base), nmemb, size, __qsort_compare_wrapper); __qsort_base=0; }

  13. Valgrind • By Julian Seward and others • A program supervision framework • Initial before all others and run the client code in a simulated CPU • Translate x86 machine code into UCode • Manipulate by skins • Translate back to x86 instructions • Skins • Memcheck, Addrcheck • Helgrind • Cachegrind and others

  14. Valgrind: Memcheck • Shadow each byte of memory used with nine bits • One A (addressability) bit • Eight V (validity) bits • Check A bit for every memory access • Check V bits if the following operations deponend on it • Branching • System call • Memory addressing

  15. Valgrind: Memcheck (cont.) • Replacing library functions • malloc/new/new[] • free/delete/delete[] • Hook system calls • mmap, mremap, munmap, mprotect,brk • read, write

  16. Valgrind: Other Skins • Addrcheck: similar to Memcheck but hold A bit only • Helgrind: data-race detector using the Eraser algorithm (not work with v3.1) • Cachegrind: cache profiler • Massif: heap profiler • Lacky: simple profiler

  17. Applying on PttBBS • CQUAL • Successfully applied • Many false alert because of “general buffer” admin.c:1168 type of actual argument 1 doesn't match type of formal genbuf[]: $kernel $nonconst $noninit $tainted $untainted const prelude.cq:38 $tainted <= *fgets_ret@1168 admin.c:1168 <= genbuf[] admin.c:1334 <= *fmt stuff.c:889 <= *vsnprintf_arg3 prelude.cq:54 <= $untainted

  18. Applying on PttBBS (cont.) • CCured • Script failed • Valgrind • Have been used for a long time • Detect many memory related problems • Memory leak • Buffer overflow • Use after free

More Related