APISan: Sanitizing API Usages through Semantic Cross-checking · 2019-12-18
Insu Yun, Changwoo Min, Xujie Si, Yeongjin Jang, Taesoo Kim, Mayur Naik
Georgia Institute of Technology

APIs in today's software are plentiful yet complex
• Example: OpenSSL
  - 3841 APIs in [v1.0.2h]
  - 3718 in [v1.0.1t] -> 3841 in [v1.0.2h] (+123 APIs)
  - OpenSSH uses 158 APIs of OpenSSL

Complex APIs result in programmers' mistakes
• Problems in documentation
  - Incomplete: e.g., low details in hostname verification
  - Long: e.g., 43K lines in OpenSSL documentation
  - Lack: e.g., internal APIs
• Lack of automatic tool support
  - e.g., missing formal specification and precise semantics

Problem: API misuse can cause security problems
→ MITM
→ Code execution
→ Privilege escalation

Today's practices to help programmers
• Formal methods
  - Problem: lack of specification
• Model checking
  - Problem: manual, lack of semantic context
• Symbolic execution
  - Problem: fails to scale to large software

Promising approach: finding bugs by using existing code
• "Bugs as deviant behavior" [OSDI01]
  - Syntactic template: e.g., check NULL on malloc()
• "Juxta" [SOSP15]
  - Inferring correct semantics from multiple implementations
  - File system specific bug finding tool
Research goal: can we apply this method to any kind of software without manual effort?

Our idea: comparing API usages in various implementations
• Example: finding OpenSSL API misuses
[Figure: APISan separates API usages collected from curl, nginx, nmap, hexchat, … into majority uses (likely correct) and deviant uses (likely bug)]

Our approach is very promising
• Effective in finding API misuses
  - 76 new bugs
• Scales to large, complex software
  - Linux kernel, OpenSSL, PHP, Python, etc.
  - Debian packages

Technical Challenges
• API uses are too different from impl. to impl.
• Subtle semantics of the correct API uses
• Large, complex code using APIs

Example: OpenSSL API uses
• SSL_get_verify_result()
  - Get result of peer certificate verification
  - no peer certificate → always returns X509_V_OK

    if (SSL_get_verify_result() == X509_V_OK) {…}

    if (SSL_get_verify_result() == X509_V_OK &&
        SSL_get_peer_certificate() != NULL) {…}

Example: a correct implementation using OpenSSL API
curl:
    cert = SSL_get_peer_certificate(handle);
    if (!cert) {…}
    err = SSL_get_verify_result(handle);
    if (err == X509_V_OK) {…}
Correct: semantically the same as the correct usage
    if (SSL_get_verify_result() == X509_V_OK &&
        SSL_get_peer_certificate() != NULL) {…}

Example: providing various implementations using OpenSSL
curl (correct):
    cert = SSL_get_peer_certificate(handle);
    if (!cert) {…}
    err = SSL_get_verify_result(handle);
    if (err == X509_V_OK) {…}
nginx (correct):
    if (SSL_get_verify_result(conn) != X509_V_OK)
        return NGX_OK;
    cert = SSL_get_peer_certificate(conn);
    if (cert) {…}
nmap (correct):
    cert = SSL_get_peer_certificate(ssl);
    if (cert == NULL)
        return 0;
    if (SSL_get_verify_result(ssl) != X509_V_OK) {…}
hexchat (incorrect):
    err = SSL_get_verify_result(ssl);
    switch (err) {
    case X509_V_OK:
        cert = SSL_get_peer_certificate(ssl);
        // if (cert) is missing
        …
    }
Can we distinguish between correct implementations and buggy implementations?

Challenge 1: API usages are different from each other

Challenge 2: subtle semantics of the correct API usages

Challenge 3: Large, complex code using APIs
• On average, more than 100K LoC
  - curl: 110K LoC
  - nginx: 127K LoC
  - nmap: 169K LoC
  - hexchat: 61K LoC
• Linux: > 1M LoC

curl:
    cert = SSL_get_peer_certificate(handle);
    if (!cert) {…}
    ...
    len = BIO_get_mem_data(mem, (char **)&ptr);
    infof(data, "start date:%.*s\n", len, ptr);
    rc = BIO_reset(mem);
    …
    err = SSL_get_verify_result(handle);
    if (err == X509_V_OK) {…}
curl (simplified):
    cert = SSL_get_peer_certificate(handle);
    if (!cert) {…}
    err = SSL_get_verify_result(handle);
    if (err == X509_V_OK) {…}

Overview of APISan
[Figure: source code → relaxed symbolic execution → symbolic execution database (APIs, arguments, constraints) → 4 checkers (return value checker, argument checker, causality checker, condition checker) → minority uses → ranked minority uses. Legend: minor, but not bug; minor and bug.]

Symbolic execution can be relaxed in finding API contexts
• Symbolic execution is not scalable
  - Path explosion
  - SMT is expensive, naturally NP-complete
• Methods to relax symbolic execution
  - Limiting inter-procedural analysis
  - Removing back edges
  - Range-based

Method 1: Limiting inter-procedural analysis
• How APIs are used: O
• How APIs are implemented: X

    cert = SSL_get_peer_certificate(handle);
    if (!cert) {…}
    err = SSL_get_verify_result(handle);
    if (err != X509_V_OK) {…}

Method 2: Removing back edges
• API contexts can be captured within loops
  - e.g., malloc() and free() are matched inside a loop

    for (…) {
        cert = SSL_get_peer_certificate(handle);
        if (!cert) {…}
        err = SSL_get_verify_result(handle);
        if (err != X509_V_OK) {…}
    }

Method 3: Range-based
• Most arguments & return values are integers
• Clang uses range-based symbolic execution

    cert != NULL ∧ err == X509_V_OK

    cert = {[-MAX, -1], [1, MAX]}
    err = {[X509_V_OK, X509_V_OK]}

Building per-path symbolic abstractions
• Path-sensitive, context-sensitive
• Record symbolic abstractions
  - API calls
  - Symbolic expression of arguments
  - Constraints

Examples: Building per-path symbolic abstractions from source code
Source code:
    cert = SSL_get_peer_certificate(handle);
    if (!cert) {…}
    err = SSL_get_verify_result(handle);
    if (err == X509_V_OK) {…}
Symbolic abstractions:
    Call        SSL_get_peer_certificate(handle)
    Constraint  SSL_get_peer_certificate(handle) = {[-MAX, -1], [1, MAX]}
    Call        SSL_get_verify_result(handle)
    Constraint  SSL_get_verify_result(handle) = {[X509_V_OK, X509_V_OK]}

[Figure: source code → Symbolic Abstractions #1, Symbolic Abstractions #2, Symbolic Abstractions #3, …]

Four semantic contexts have security implications
• Orthogonal, essential, security-related contexts
  - Return value
  - Arguments
  - Causality
  - Condition

Context 1: Return value
• Return computation result or execution status
• NULL dereference
• Privilege escalation
  - e.g., Windows, CVE-2014-4113

    ptr = malloc(size);
    if (!ptr) {…}

Context 2: Arguments
• Inputs for calling APIs and their relationship
• Format string bug
• Memory corruption

    printf(buf);

    ptr = malloc(size1);
    memcpy(ptr, src, size2);

Context 3: Causality
• Causal relationship between APIs
• Deadlock
• Memory leak

    lock();
    unlock();

    malloc();
    free();

Context 4: Condition
• Implicit pre- and postcondition for calling APIs
• MITM

    if (SSL_get_verify_result() == X509_V_OK &&
        SSL_get_peer_certificate() != NULL)

Extract contexts from symbolic abstractions
• Symbolic abstractions contain {APIs, Arguments, Constraints}
• Return value ← Constraints
• Arguments ← Arguments
• Causality ← APIs
• Condition ← Constraints + APIs

Example: extract condition contexts from symbolic abstractions
curl:
    Call        SSL_get_peer_certificate(handle)
    Constraint  SSL_get_peer_certificate(handle) = {[-MAX, -1], [1, MAX]}
    Call        SSL_get_verify_result(handle)
    Constraint  SSL_get_verify_result(handle) = {[X509_V_OK, X509_V_OK]}
Event: any constraint or call. Line: line numbers when event is called.
Event | Line
SSL_get_verify_result = {[X509_V_OK, X509_V_OK]} | {curl}
Constraint | Line
SSL_get_peer_certificate = {[-MAX, -1], [1, MAX]} | {curl}
… | …

nginx:
    Call        SSL_get_verify_result(conn)
    Constraint  SSL_get_verify_result(handle) == {[X509_V_OK, X509_V_OK]}
    Call        SSL_get_peer_certificate(conn)
    Constraint  SSL_get_peer_certificate(conn) != {[-MAX, -1], [1, MAX]}
Event | Line
SSL_get_verify_result = {[X509_V_OK, X509_V_OK]} | {curl, nginx}
Constraint | Line
SSL_get_peer_certificate = {[-MAX, -1], [1, MAX]} | {curl, nginx}
… | …

nmap:
    Call        SSL_get_peer_certificate(ssl)
    Constraint  SSL_get_peer_certificate(ssl) = {[-MAX, -1], [1, MAX]}
    Call        SSL_get_verify_result(ssl)
    Constraint  SSL_get_verify_result(ssl) = {[X509_V_OK, X509_V_OK]}
Event | Line
SSL_get_verify_result = {[X509_V_OK, X509_V_OK]} | {curl, nginx, nmap}
Constraint | Line
SSL_get_peer_certificate = {[-MAX, -1], [1, MAX]} | {curl, nginx, nmap}
… | …

hexchat:
    Call        SSL_get_verify_result(ssl)
    Constraint  SSL_get_verify_result(ssl) = {[X509_V_OK, X509_V_OK]}
    Call        SSL_get_peer_certificate(ssl)
Event | Line
SSL_get_verify_result = {[X509_V_OK, X509_V_OK]} | {curl, nginx, nmap, hexchat}
Constraint | Line
SSL_get_peer_certificate = {[-MAX, -1], [1, MAX]} | {curl, nginx, nmap}
… | …

Example: find majority & minority usages from contexts
Event | Line
SSL_get_verify_result = {[X509_V_OK, X509_V_OK]} | {curl, nginx, nmap, hexchat, …}
Constraint | Line
SSL_get_peer_certificate = {[-MAX, -1], [1, MAX]} | {curl, nginx, nmap, …}
… | …
Majority uses (likely correct) = {curl, nginx, nmap, …}
Deviant uses (likely bug) = total_event - majority_use = {hexchat, …}
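
The cross-check on the preceding slides, written out as an added example (not APISan's own code): every call or constraint record is indexed by the applications whose path contains it, and a context shared by most but not all users of an event is reported together with the deviant users. The record format, the `MAX` bound, the `min_ratio` threshold and the per-application traces are constructed for this example.

```python
from collections import defaultdict

MAX = 2**63 - 1                       # assumed bound of the integer range domain
X509_V_OK = 0                         # numeric value of X509_V_OK in OpenSSL
NONZERO = ((-MAX, -1), (1, MAX))      # range form of "!= NULL"
OK_ONLY = ((X509_V_OK, X509_V_OK),)   # range form of "== X509_V_OK"

PEER = "SSL_get_peer_certificate"
VERIFY = "SSL_get_verify_result"

# Constructed sample: one "certificate accepted" path per application,
# mirroring the symbolic abstractions shown on the slides.
TRACES = {
    "curl":    [("call", PEER), ("constraint", PEER, NONZERO),
                ("call", VERIFY), ("constraint", VERIFY, OK_ONLY)],
    "nginx":   [("call", VERIFY), ("constraint", VERIFY, OK_ONLY),
                ("call", PEER), ("constraint", PEER, NONZERO)],
    "nmap":    [("call", PEER), ("constraint", PEER, NONZERO),
                ("call", VERIFY), ("constraint", VERIFY, OK_ONLY)],
    "hexchat": [("call", VERIFY), ("constraint", VERIFY, OK_ONLY),
                ("call", PEER)],      # certificate is never constrained
}


def build_index(traces):
    """Map each record (call or constraint) to the locations whose path has it."""
    index = defaultdict(set)
    for location, path in traces.items():
        for record in path:
            index[record].add(location)
    return index


def cross_check(traces, event, min_ratio=0.5):
    """Report contexts that most, but not all, users of `event` share.

    Order of records on a path is ignored, so curl's and nginx's different
    call orders land in the same bucket. Reports are ranked by majority ratio.
    """
    index = build_index(traces)
    total = index.get(event, set())            # every location with the event
    reports = []
    for context, locations in index.items():
        if context == event:
            continue
        majority = locations & total           # event and context together
        deviant = total - majority             # event without the context
        if not deviant or len(majority) / len(total) <= min_ratio:
            continue                           # unanimous, or not a majority
        reports.append({
            "context": context,
            "majority": majority,
            "deviant": deviant,
            "score": len(majority) / len(total),
        })
    reports.sort(key=lambda r: r["score"], reverse=True)
    return reports


if __name__ == "__main__":
    for report in cross_check(TRACES, ("constraint", VERIFY, OK_ONLY)):
        print(report["context"][1], sorted(report["deviant"]), report["score"])
```
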

False positives can happen in majority analysis
• Lack of inter-procedural analysis
  - e.g., check a return value of malloc() inside a function
• Correlation ≠ Causation
  - e.g., fprintf() is used for printing debug messages when open() fails
• Correct minor uses
  - e.g., strcmp() == 0, strcmp() > 0

Ranking can mitigate false positives
• The more a majority pattern is repeated, the more bug-likely
  - e.g., 999 majority, 1 minority > 10 majority, 1 minority
• General information
  - e.g., most allocation functions have "alloc" in their names and are required to check their return values
• Domain specific knowledge
  - e.g., SSL APIs start with a string "SSL"

Our approach is formalized as a general framework

Implementation of APISan
• 9K LoC in total
  - Symbolic database generation: 6K LoC of C/C++ (Clang 3.6)
  - APISan library: 2K LoC of Python
• Checkers: 1K LoC of Python
  - Return value checker: 131 LoC
  - Argument checker: 251 LoC
  - …

Evaluation questions
• How effective is APISan in finding new bugs?
• How easy is it to use and to extend?
• How effective is APISan's ranking system?

APISan is effective in finding bugs
• Found 76 new bugs in large, complex software
  - Linux kernel, OpenSSL, PHP, Python, and Debian packages
• Security implication
  - e.g., CVE-2016-5636: Python zipimporter heap overflow (Code execution in Google App Engine)

APISan is easy to use without any manual annotation
• To generate symbolic context database
    $ apisan make    # use existing build command
• Run a checker
    $ apisan --checker=cpair    # cpair: causality checker
• Run a checker (inter-application)
    $ apisan --checker=cpair --db=app1,app2

APISan is easy to extend
• e.g., Integer overflow check
• Integer overflow sensitive APIs
  - Have security implications when integer overflow happens
  - e.g., memory allocation functions
• Integer overflow ← Arguments + Constraints
  - If arguments contain binary operators → check integer overflow within given constraints

Check integer overflow with APISan
• Collect all integer overflows
• Ranking strategy
  - More integer overflow prevented by constraints → APIs are likely integer overflow sensitive
  - Incorrect constraints > Missing constraints; missing constraints can be caused by limited analysis
• Found 6 integer overflows (167 LoC)
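
The integer overflow check and its ranking strategy, as an added example (not APISan's checker): arguments that contain a binary operator are evaluated over the path's range constraints, call sites that can exceed the integer bound are reported, and reports are ordered with incorrect constraints ahead of missing ones, then by how often the API's other call sites prevent the overflow. The API names `alloc_buf` and `log_msg`, the 32-bit unsigned bound, the expression format and the call sites are assumptions constructed for this example.

```python
from collections import Counter

UINT_MAX = 2**32 - 1   # assumption: size arguments are 32-bit unsigned

# Constructed call sites. "arg" is an int, a variable name, or (op, lhs, rhs);
# "ranges" holds the path's constraints on variables as (lo, hi).
# alloc_buf and log_msg are hypothetical API names.
SITES = [
    {"api": "alloc_buf", "where": "a.c:10", "arg": ("*", "n", 16),
     "ranges": {"n": (0, 1024)}},
    {"api": "alloc_buf", "where": "b.c:22", "arg": ("*", "n", 16),
     "ranges": {"n": (0, 4096)}},
    {"api": "alloc_buf", "where": "c.c:31", "arg": ("*", "count", 8),
     "ranges": {"count": (0, UINT_MAX)}},      # check exists but is too weak
    {"api": "alloc_buf", "where": "d.c:7", "arg": ("+", "len", 1),
     "ranges": {}},                            # no check at all
    {"api": "log_msg", "where": "e.c:5", "arg": ("+", "len", 1),
     "ranges": {}},
]


def interval(expr, ranges):
    """Return (lo, hi, all_constrained) for a non-negative argument expression."""
    if isinstance(expr, int):
        return expr, expr, True
    if isinstance(expr, str):
        if expr in ranges:
            lo, hi = ranges[expr]
            return lo, hi, True
        return 0, UINT_MAX, False              # unconstrained variable
    op, lhs, rhs = expr
    llo, lhi, lc = interval(lhs, ranges)
    rlo, rhi, rc = interval(rhs, ranges)
    if op == "+":
        return llo + rlo, lhi + rhi, lc and rc
    if op == "*":                              # valid for non-negative operands
        return llo * rlo, lhi * rhi, lc and rc
    raise ValueError(f"unsupported operator: {op}")


def classify(site):
    """Decide whether the site's constraints keep the argument within UINT_MAX."""
    if not isinstance(site["arg"], tuple):
        return "no-binary-operator"
    _, hi, constrained = interval(site["arg"], site["ranges"])
    if hi <= UINT_MAX:
        return "prevented"
    return "incorrect-constraint" if constrained else "missing-constraint"


def rank_reports(sites):
    """Rank possible overflows: incorrect constraints first, then by how
    often other call sites of the same API prevent the overflow."""
    verdicts = [(site, classify(site)) for site in sites]
    total = Counter(s["api"] for s, v in verdicts if v != "no-binary-operator")
    prevented = Counter(s["api"] for s, v in verdicts if v == "prevented")
    order = {"incorrect-constraint": 0, "missing-constraint": 1}
    reports = [
        {"where": s["where"], "api": s["api"], "kind": v,
         "sensitivity": prevented[s["api"]] / total[s["api"]]}
        for s, v in verdicts if v in order
    ]
    reports.sort(key=lambda r: (order[r["kind"]], -r["sensitivity"]))
    return reports


if __name__ == "__main__":
    for report in rank_reports(SITES):
        print(report["where"], report["api"], report["kind"], report["sensitivity"])
```
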

APISan's ranking system is effective
• Linux Kernel with Return Value Checker
• Total 2,776 reports
• Audited 445 reports
• Found 54 bugs
[Figure annotations: 30 bugs in 20 APIs; 24 bugs in 3 APIs; 15 bugs in 1 API]

Limitation
• No soundness & no completeness
• High false positive rate: > 80%
• Too slow to analyze frequently
  - 32-core Xeon server with 256GB RAM
  - For Linux kernel, generating database: 8 hours; each checker: 6 hours
• Does not fully resolve path explosion
  - stopped in functions which have path explosion

Conclusion
• APISan: an automatic way for finding API misuse
  - Effective: Finding 76 new bugs
  - Scalable: Tested with Linux kernel, Debian packages, etc.
• APISan *WILL* be released as open source
  - https://github.com/sslab-gatech

Thank you!
Questions?