david evans http://www.cs.virginia.edu/evans these slides:...

Download David Evans http://www.cs.virginia.edu/evans These slides: http://www.cs.virginia.edu/evans/talks/cs340-s04.ppt Introduction to Static Analysis

Post on 04-Jan-2016

220 views

Category:

Documents

6 download

Embed Size (px)

TRANSCRIPT

  • David Evanshttp://www.cs.virginia.edu/evansThese slides: http://www.cs.virginia.edu/evans/talks/cs340-s04.pptIntroduction to Static Analysis

    Static Analysis

  • How do you decide if a system is dependable?

    Static Analysis

  • Validation: Dictionary Definitionvalidate To declare or make legally valid. To mark with an indication of official sanction. To establish the soundness of; corroborate. Can we do any of these with software?

    Static Analysis

  • Suns Java License5. LIMITATION OF LIABILITY. TO THE EXTENT NOT PROHIBITED BY LAW, IN NO EVENT WILL SUN OR ITS LICENSORS BE LIABLE FOR ANY LOST REVENUE, PROFIT OR DATA, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER CAUSED REGARDLESS OF THE THEORY OF LIABILITY, ARISING OUT OF OR RELATED TO THE USE OF OR INABILITY TO USE SOFTWARE, EVEN IF SUN HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

    Static Analysis

  • Javas License2. RESTRICTIONS. Unless enforcement is prohibited by applicable law, you may not modify, decompile, or reverse engineer Software. You acknowledge that Software is not designed, licensed or intended for use in the design, construction, operation or maintenance of any nuclear facility. Sun disclaims any express or implied warranty of fitness for such uses.

    Static Analysis

  • Software ValidationProcess designed to increase our confidence that a program works as intendedFor complex programs, cannot often make guaranteesThis is why typical software licenses dont make any claims about their program working

    Static Analysis

  • Increasing ConfidenceTestingRun the program on set of inputs and check the resultsVerificationArgue formally or informally that the program always works as intendedAnalysisPoor programmers verification: examine the source code to increase confidence that it works as intended

    Static Analysis

  • TestingIf all the test cases produce the correct results, you know that a particular execution of the program on each of the test cases produced the correct resultConcluding that this means the program is correct is like concluding there are no fish in the river because you didnt catch one!What makes a good test case?

    Static Analysis

  • AnalysisMake claims about all possible paths by examining the program code directly, not executing itUse formal semantics of programming language to know what things meanUse formal specifications of procedures to know that they do

    Static Analysis

  • Example Software PropertiesDoes what the customer wantsDoes what the programmer intendsDoesnt do anything dangerousAlways eventually haltsNever dereferences nullAlways opens a file before writing to itNever prints 3

    Static Analysis

  • Hopelessness of AnalysisIt is impossible to correctly decide if any interesting property is true for an arbitrary program!

    Static Analysis

  • Halting ProblemCan we write a program that takes any program as input and returns true if that program always halts, and returns false if it sometimes doesnt halt.bool alwaysHalts (Program p) { // returns true iff p will halt}

    Static Analysis

  • Informal ProofSuppose we could write alwaysHalts.Proof by contradiction:bool contradictHalts () { if (alwaysHalts (contradictHalts)) { while (true) ; // loop forever } else { return false; }}What is alwaysHalts (contradictHalts) ?

    Static Analysis

  • Hopelessness of AnalysisBut this means, we cant write a program that decides any other interesting property either:

    bool dereferencesNull (Program p) // EFFECTS: Returns true if p ever dereferences null, // false otherwise.

    bool alwaysHalts (Program p) { return (derefencesNull (new Program (p (); *NULL;)));}

    Static Analysis

  • Give Up and go to the Beach?

    Static Analysis

  • CompromisesOnly work for some programsAccept unsoundness and incompletenessFalse positives: sometimes an analysis tool will report warnings for a program, when the program is actually okay (incompleteness cant prove a property that is true)False negatives: sometimes an analysis tool will report no warnings for a program, even when the program violates properties it checks (unsoundness proves a property that is not true)

    Static Analysis

  • Properties to AnalyzeGeneric PropertiesDangerous CodeC: memory leaks, dereferencing null, type mismatches, undefined behavior, etc.Concurrency: race conditions, deadlocksDont need a specification (but it may help across procedure boundaries)Application-Specific PropertiesNeed some way of describing the properties we want

    Static Analysis

  • SplintAnnotation-assisted lightweight analysis tool for C

    Static Analysis

  • A Gross OversimplificationEffort RequiredLowUnfathomableFormal VerifiersBugs DetectednoneallCompilers

    Splint

    Static Analysis

  • (Almost) Everyone Likes TypesEasy to UnderstandEasy to UseQuickly Detect Many Programming ErrorsUseful Documentationeven though they are lots of work!1/4 of text of typical C program is for types

    Static Analysis

  • Limitations of Standard Types

    Type of reference never changesState changes along program pathsLanguage defines checking rulesSystem or programmer defines checking rulesOne type per referenceMany attributes per reference

    Static Analysis

  • Limitations of Standard TypesAttributes

    Type of reference never changesState changes along program pathsLanguage defines checking rulesSystem or programmer defines checking rulesOne type per referenceMany attributes per reference

    Static Analysis

  • ApproachProgrammers add annotations (formal specifications)Simple and preciseDescribe programmers intent:Types, memory management, data hiding, aliasing, modification, null-ity, buffer sizes, security, etc.Splint detects inconsistencies between annotations and codeSimple (fast!) dataflow analyses

    Static Analysis

  • Sample Annotation: onlyReference (return value) owns storageNo other persistent (non-local) references to itImplies obligation to transfer ownershipTransfer ownership by:Assigning it to an external only referenceReturn it as an only resultPass it as an only parameter: e.g., extern void free (only void *);extern only char *gptr;extern only out null void *malloc (int);

    Static Analysis

  • Example1int dummy (void) {2 int *ip= (int *) malloc (sizeof (int));3 *ip = 3;4 return *ip;5 }extern only null void *malloc (int); in librarySplint output:dummy.c:3:4: Dereference of possibly null pointer ip: *ip dummy.c:2:13: Storage ip may become nulldummy.c:4:14: Fresh storage ip not released before returndummy.c:2:43: Fresh storage ip allocated

    Static Analysis

  • Security FlawsReported flaws in Common Vulnerabilities and Exposures Database, Jan-Sep 2001.[Evans & Larochelle, IEEE Software, Jan 2002.]

    190 VulnerabilitiesOnly 4 having to do with crypto108 of them could have been detected with simple static analyses!

    Static Analysis

    Chart2

    37

    11

    11

    19

    20

    30

    31

    31

    Malformed Input16%

    Pathnames10%

    Sheet1

    CVE-2001-0379accessVulnerability in the newgrp program included with HP9000 servers running HP-UX 11.11 allows a local attacker to obtain higher access rights.ATSTAKE:A043001-1,BID:2671,XF:bugzilla-gobalpl-gain-information(6489)

    CVE-2001-0383accessbanners.php in PHP-Nuke 4.4 and earlier allows remote attackers to modify banner ad URLs by directly calling the Change operation, which does not require authentication.ISS:20010509 Remote Buffer Overflow Vulnerability in IRIX Embedded Support Partner Infrastructure,SGI:20010501-01-P,XF:irix-espd-bo(6502)

    CVE-2001-0405accessip_conntrack_ftp in the IPTables firewall for Linux 2.4 allows remote attackers to bypass access restrictions for an FTP server via a PORT command that lists an arbitrary IP address and port number, which is added to the RELATED table and allowed by the fBUGTRAQ:20010515 NSFOCUS SA2001-02 : Microsoft IIS CGI Filename Decode Error Vulnerability,MS:MS01-026,CERT:CA-2001-12,XF:iis-url-decoding(6534),BID:2708

    CVE-2001-0408accessvim (aka gvim) processes VIM control codes that are embedded in a file, which could allow attackers to execute arbitrary commands when another user opens a file containing malicious VIM control codes.MS:MS01-026,XF:iis-ftp-wildcard-dos(6535)

    CVE-2001-0412accessCisco Content Services (CSS) switch products 11800 and earlier, aka Arrowpoint, allows local users to gain privileges by entering debug mode.MS:MS01-026,XF:iis-ftp-domain-authentication(6545),BID:2719

    CVE-2001-0434accessThe LogDataListToFile ActiveX function used in (1) Knowledge Center and (2) Back web components of Compaq Presario computers allows remote attackers to modify arbitrary files and cause a denial of service.MS:MS01-026,XF:iis-crosssitescripting-patch-dos(6858)

    CVE-2001-0455accessCisco Aironet 340 Series wireless bridge before 8.55 does not properly disable access to the web interface, which allows remote attackers to modify its configuration.MS:MS01-027,CIAC:L-087,XF:ie-crl-certificate-spoofing(6555),BID:2735

    CVE-2001-0456accesspostinst installation script for Proftpd in Debian 2.2 does not properly change the "run as uid/gid root" configuration when the user enables anonymous access, which causes the server to run at a higher privilege than intended.MS:MS01-027,CIAC:L-087,XF:ie-html-url-spoofing(6556),BID:2737

    CVE-2001-0482accessConfiguration error in Argus PitBull LX allows root users to bypass specified access control restrictions and cause a denial of service or execute arbitrary commands by modifying kernel variables such as M

Recommended

View more >