Detecting Format String Vulnerabilities with Type Qualifier

Umesh Shankar, Kunal Talwar,

Jeffrey S. Foster, David Wanger

University of California at Berkeley

Format String Bugs

I/O functions in C use format strings

printf(“%s”, buf) print buf as string

But you can also do

printf(buf);

Format String Bugs

Attacker may set the content in the bufferbuf = <data-from-network>

printf(buf);

Set buf = “%s%s%s%s%s” to crash program Set buf = “…%n…” to write to memory

may yield exploits to gain root access

Format String Bugs

Application Found by Impact years

-------------------------------------------------------------------------------

wu-ftpd 2.* security.is remote root > 6

Linux rpc.statd security.is remote root > 4

IRIX telnetd LSD remote root > 8

Apache + PHP3 security.is remote user > 2

NLS / locale CORE SDI local root ?

screen Jouko Pynnonen local root > 5

BSD chpass TESO local root ?

OpenBSD fstat ktwo local root ?

Traditional Techniques

Testing – how to ensure coverage? Manual code review – bugs too subtle

while (fgets(buf, sizeof buf, f)){

lreply(200, buf);

}

void lreply(int n, char* fmt,…){

vsnprintf(buf, sizeof buf, ftm, ap);

}

Re-implement – not possible for legacy system

Using Type Qualifiers

Add qualifier annotations

int printf(untainted char *fmt, …);

tainted int getchar();

int main(int argc, tainted char *argv[]);

tainted = may be controlled by the attacker

untainted = must not be controlled by the attacker

The Basic Idea

void f(tainted int);

untainted int a;

tainted int b;

f(a); // OK

f(b); // OK

void g(untainted int)

untainted int a;

tainted int b;

g(a); // OK

g(b); // Error

Subtyping

void f(tainted int);

untainted int a;

f(a);

void g(untainted int)

tainted int b;

g(b);f accepts both tainted and untainted data.

g only accepts untainted data.

untainted < tainted

Type System

Type system will prove judgments of the form

Γ ├ e :

“In type environment Γ, expression e has type ”

Type Rules

├ e1: 1 2 ├ e2: 1

├ e1 e2: 2

“In type environment , if expression e1 has type from 1

to 2 and e2 has type 1, then application of e2 to e1 has

type 2”

Partial Order

A partial order is a relation that satisfies the following three properties:

1. reflexivity: a a

2. antisymmetry: If a b and b a then a = b

3. transitivity: If a b, b c, then a c

Lattice

A lattice is a partial order where any two

elements x and y have a least upper bound,

x y, and a greatest lower bound, x y.

a

b c

d

tainted

untainted

Qualifier Subtyping Rule

Q1 Q2

Q1 int Q2 int

untainted tainted

untainted int tainted int

int can replaced by any C primitive data type: char, double ….

How about pointer?

Pointer Qualifier Subtyping Rule

Q1 Q2 T1 T2

Q1 ptr(T1) Q2 ptr(T2) Wrong!

tainted char *t; // T2 = tainted char

untainted char *u; // T1 = untainted char

t = u; // allowed by the wrong rule

*t = <tainted data>; // t is alias of u

Pointer Aliasing

We have multiple names for the same memory location But they have different types And we can write into memory at different types

tainted untaintedt u

Pointer Qualifier Subtyping Rule

The right rule

Q1 Q2 T1 = T2

Q1 ptr(T1) Q2 ptr(T2)

Type Qualifier Inference

Recall the format string vulnerabilities We have legacy C program that had no information

about qualifiers We add qualifier annotation for the standard library

functions Then we check whether there were any contradiction

This requires type qualifier inference

Qualifier Inference

A small number of annotations at key places in the program

Generate a fresh qualifier variable at every position for a type

Analyze and generate sub-typing constraints Check if the constraints have a valid solution

Qualifier Inference Example

tainted char *getenv (const char *name)

int printf(untaintd const char *fmt, …)

char *s, *t

s = getenv(“LD_LIBRARY_PATH”);

t = s;

printf(t);

getenv_ret_p = tainted

printf_arg0_p = untainted

getenv_ret s

getenv_ret_p s_p

s t

s_p t_p

t printf_arg0

t printf_arg0_p

tainted = getenv_ret_p s_p t_p printf_arg0_p = untainted

tainted untainted Error!

Type Rules So Far

Primitive types

Q1 Q2

Q1 int Q2 int

Pointer Q1 Q2 T1 = T2

Q1 ptr(T1) Q2 ptr(T2)

Qualifier Inference Extension 1

Leaf Polymorphismchar id (char x) { return x }

…

tainted char t;

untainted char u;

char a, b;

a = id (t);

b = id (u);

x is tainted, id_ret is tainted

b is tainted

However id() is just a identity function. It preserves the qualifiers.

Polymorphism

Add in a qualifier variable to id() function

char id ( char x)

Instantiate the to the correct qualifier for each function call

a = id (t) tainted char id (tainted char x)

b = id (u) untainted char id (untainted char x)

Polymorphism - Subtyping

Use naming trick to specify subtyping relation for polymorphism

$_1_2 char* strcat($_1_2 char*, $_1 const char*)

{1} {1, 2} $_1 $_1_2

Qualifier Inference Extension 2

Explicit Type Casts Type cast should preserve the qualifier

void *y;

char *x = (char*) y; // if y is tainted, x should be tainted

Preserve by collapsing qualifierschar **s, **t;

void *v = (void *) s; s_p = s_p_p = v_p

t = (char **)v; v_p = t_p = t_p_p

If either *s or **s is tainted, then *v is tainted and *t and **t is tainted

Cast Type Qualifier

Allow qualifier castvoid *y;

char *x = (untainted char*) y;

Qualifier Inference Extension 3

Variable Argument Functions Annotate the varargs specifier …

int printf(untainted char*, untainted …);

Use naming trick to specify the subtyping relation

int sprintf($_1_2 char*, untainted char *, $_2 …);

Qualifier Inference Extension 4

Constf(const char *x);

char *unclean, *clean;

unclean = getenv(“PATH”); // returns tainted

f(unclean);

f(clean);

unclean is tainted

clean is tainted

Pointer Rule

Q1 Q2 T1 = T2

Q1 ptr(T1) Q2 ptr(T2)

Pointer Rule for Const

Const make sure the input data is not modified

If the pointer has a const qualifier, the pointer rule becomes

Q1 Q2 T1 < T2

Q1 ptr(T1) Q2 ptr(T2)

Evaluation

Conclusion

Qualifier is a generic static analysis technique User-Space/Kernel-Space Trust Errors Deadlock Detection

Has low false positive and negative rates

Demo of Cqual