CSSV – C String Static Verifier
Transcript of CSSV – C String Static Verifier
![Page 1: CSSV – C String Static Verifier](https://reader035.fdocuments.us/reader035/viewer/2022081505/56815a7a550346895dc7e3f4/html5/thumbnails/1.jpg)
CSSV – C String Static Verifier
Nurit Dor, Michael Rodeh, Mooly Sagiv, Greta Yorsh
Tel-Aviv University
http://www.cs.tau.ac.il/~nurr
![Page 2: CSSV – C String Static Verifier](https://reader035.fdocuments.us/reader035/viewer/2022081505/56815a7a550346895dc7e3f4/html5/thumbnails/2.jpg)
The Problem: Detecting String Manipulation Errors
• An important problem
  – Common errors
  – Cause security vulnerabilities
• A challenging problem
  – Use of pointers
  – Use of pointer arithmetic
  – Error point vs. failure point
![Page 3: CSSV – C String Static Verifier](https://reader035.fdocuments.us/reader035/viewer/2022081505/56815a7a550346895dc7e3f4/html5/thumbnails/3.jpg)
Example – unsafe call to strcpy()
#include <string.h>

void simple(void) {
    char s[20];
    char *p;
    char t[10];
    strcpy(s, "Hello");
    p = s + 5;
    strcpy(p, " world!");   /* s now holds "Hello world!" (12 chars plus '\0') */
    strcpy(t, s);           /* unsafe: 13 bytes are written into the 10-byte t */
}
![Page 4: CSSV – C String Static Verifier](https://reader035.fdocuments.us/reader035/viewer/2022081505/56815a7a550346895dc7e3f4/html5/thumbnails/4.jpg)
Complicated Example
/* from web2c [fixwrites.c] */
#define BUFSIZ 1024
char buf[BUFSIZ];

char *insert_long(char *cp) {
    char temp[BUFSIZ];
    …
    for (i = 0; &buf[i] < cp; ++i)
        temp[i] = buf[i];
    strcpy(&temp[i], "(long)");
    strcpy(&temp[i+6], cp);
    …
[Figure: cp points into buf; temp receives the prefix of buf up to cp, then "(long)", then the rest of buf from cp onward]
![Page 7: CSSV – C String Static Verifier](https://reader035.fdocuments.us/reader035/viewer/2022081505/56815a7a550346895dc7e3f4/html5/thumbnails/7.jpg)
Real Example
void RTC_Si_SkipLine(const INT32 NbLine, char ** const PtrEndText) {
    INT32 indice;
    for (indice = 0; indice < NbLine; indice++) {
        **PtrEndText = '\n';
        (*PtrEndText)++;
    }
    **PtrEndText = '\0';
    return;
}
[Figure: the loop writes NbLine newlines and then the terminator, i.e. NbLine + 1 bytes through *PtrEndText]
![Page 8: CSSV – C String Static Verifier](https://reader035.fdocuments.us/reader035/viewer/2022081505/56815a7a550346895dc7e3f4/html5/thumbnails/8.jpg)
Vulnerable String Manipulation
• Pointers to buffers: char *p = buffer; … while( ) p++;
• Standard string manipulation functions: strcpy(), strcat(), …
• NULL termination: strncpy(), …
![Page 9: CSSV – C String Static Verifier](https://reader035.fdocuments.us/reader035/viewer/2022081505/56815a7a550346895dc7e3f4/html5/thumbnails/9.jpg)
Are String Violations Common?
• FUZZ study (1995)
  – Random test programs on various systems
  – 9 different UNIX systems
  – 18% – 23% hang or crash
  – 80% are string related errors
• CERT advisory
  – 50% of attacks are abuses of buffer overflows
![Page 10: CSSV – C String Static Verifier](https://reader035.fdocuments.us/reader035/viewer/2022081505/56815a7a550346895dc7e3f4/html5/thumbnails/10.jpg)
Current Methods
• Runtime
  – Safe-C [PLDI’94]
  – Purify
  – Bound-checking …
• Static + Runtime
  – CCured [POPL’02]
![Page 11: CSSV – C String Static Verifier](https://reader035.fdocuments.us/reader035/viewer/2022081505/56815a7a550346895dc7e3f4/html5/thumbnails/11.jpg)
Current Methods
• Static
  – Wagner et al. [NDSS’00]
  – LCLint’s extension [USENIX’01]
  – Dor, Rodeh and Sagiv [SAS’01]
![Page 12: CSSV – C String Static Verifier](https://reader035.fdocuments.us/reader035/viewer/2022081505/56815a7a550346895dc7e3f4/html5/thumbnails/12.jpg)
Goals
• Static detection of string errors
  – References beyond array limit
  – Unsafe pointer arithmetic
  – Missing null terminator
  – Additional properties:
    • References beyond null
    • Specified using preconditions
• Sound
  – Never miss errors
  – Few false alarms
IS IT POSSIBLE?
![Page 13: CSSV – C String Static Verifier](https://reader035.fdocuments.us/reader035/viewer/2022081505/56815a7a550346895dc7e3f4/html5/thumbnails/13.jpg)
Challenges in Static Analysis
• Soundness
• Precision
  – Combine integer and pointer analysis: *(p+i) = '\0'; strcpy(q, p);
• Scalability to handle real applications
  – Complexity of chaotic iterations
  – Handles full C
![Page 14: CSSV – C String Static Verifier](https://reader035.fdocuments.us/reader035/viewer/2022081505/56815a7a550346895dc7e3f4/html5/thumbnails/14.jpg)
CSSV Solution
• Use a powerful static domain
  – Exponential abstract interpretation
• Use pre- and post-conditions to specify procedure requirements on strings
  – No interprocedural analysis
  – Modular analysis
• Automatic generation of procedure specification
![Page 15: CSSV – C String Static Verifier](https://reader035.fdocuments.us/reader035/viewer/2022081505/56815a7a550346895dc7e3f4/html5/thumbnails/15.jpg)
CSSV
[Figure: CSSV architecture. The C files and a procedure name go to Pointer Analysis, which yields the procedure's pointer info; C2IP combines it with the Pre/Mod/Post specification (or one generated by AWP) to produce an integer program; Integer Analysis of that program reports potential error messages]
![Page 16: CSSV – C String Static Verifier](https://reader035.fdocuments.us/reader035/viewer/2022081505/56815a7a550346895dc7e3f4/html5/thumbnails/16.jpg)
Advantages of Specifications
• Allows modular analysis
  – Not all the code is available
  – Enables more precise analyses
• User control of the verification
  – Detect errors at the point of the logical error
  – Improve the precision of the analysis
  – Check additional properties
• Beyond ANSI-C
![Page 17: CSSV – C String Static Verifier](https://reader035.fdocuments.us/reader035/viewer/2022081505/56815a7a550346895dc7e3f4/html5/thumbnails/17.jpg)
Specification and Soundness
• Preconditions are handled conservatively
• All errors are detected
  – Inside a procedure’s body
  OR
  – At call statements to the procedure
![Page 18: CSSV – C String Static Verifier](https://reader035.fdocuments.us/reader035/viewer/2022081505/56815a7a550346895dc7e3f4/html5/thumbnails/18.jpg)
Specification – strcpy
char* strcpy(char* dst, char *src)
requires ( string(src) ∧ alloc(dst) > len(src) )
mod dst.strlen, dst.is_nullt
ensures ( len(dst) == pre@len(src) ∧ return == pre@dst )
![Page 19: CSSV – C String Static Verifier](https://reader035.fdocuments.us/reader035/viewer/2022081505/56815a7a550346895dc7e3f4/html5/thumbnails/19.jpg)
Specification – insert_long()
/* insert_long.c */
#include "insert_long.h"
char buf[BUFSIZ];
char * insert_long (char *cp) {
    char temp[BUFSIZ];
    int i;
    for (i=0; &buf[i] < cp; ++i) {
        temp[i] = buf[i];
    }
    strcpy (&temp[i], "(long)");
    strcpy (&temp[i + 6], cp);
    strcpy (buf, temp);
    return cp + 6;
}

char * insert_long(char *cp)
requires ( string(cp) ∧ buf ≤ cp < buf + BUFSIZ )
mod cp.strlen
ensures ( cp.strlen == pre[cp.strlen + 6] ∧ return_value == cp + 6 )
![Page 20: CSSV – C String Static Verifier](https://reader035.fdocuments.us/reader035/viewer/2022081505/56815a7a550346895dc7e3f4/html5/thumbnails/20.jpg)
Difficulties with Specifications
• Legacy code
• Complexity of software
• Need to know context
![Page 22: CSSV – C String Static Verifier](https://reader035.fdocuments.us/reader035/viewer/2022081505/56815a7a550346895dc7e3f4/html5/thumbnails/22.jpg)
CSSV – Pointer Analysis
• Models the string objects
• Pre-computes points-to information
• Determines which objects may be updated through a pointer
char s[20];
char *p;
…
p = s + 5;
strcpy(p, " world!");
![Page 23: CSSV – C String Static Verifier](https://reader035.fdocuments.us/reader035/viewer/2022081505/56815a7a550346895dc7e3f4/html5/thumbnails/23.jpg)
Integrating Pointer Information?
foo(char *p, char *q) {
    char local[100];
    …
    p = local;
    *q = 0;
    …
}
main() {
    char s[10], t[20], r[30];
    char *temp;
    foo(s, t);
    foo(s, r);
    …
    temp = s;
    …
}
[Figure: points-to graph after both calls: p → {s, local}, q → {t, r}, temp → s]
![Page 24: CSSV – C String Static Verifier](https://reader035.fdocuments.us/reader035/viewer/2022081505/56815a7a550346895dc7e3f4/html5/thumbnails/24.jpg)
Projection for foo()
foo(char *p, char *q) {
    char local[100];
    …
    p = local;
    …
}
[Figure: projected points-to graph for foo(): p → {param#1, local}, q → {param#2}]
![Page 26: CSSV – C String Static Verifier](https://reader035.fdocuments.us/reader035/viewer/2022081505/56815a7a550346895dc7e3f4/html5/thumbnails/26.jpg)
C2IP – C to Integer Program
• Generate an integer program
  – Integer variables only
  – No function calls
  – Non-deterministic
• Goal: a string error in the C program shows up as a violated assert in the IP
![Page 27: CSSV – C String Static Verifier](https://reader035.fdocuments.us/reader035/viewer/2022081505/56815a7a550346895dc7e3f4/html5/thumbnails/27.jpg)
C2IP – C to Integer Program
• Inline specification
• Based on points-to information
  – Generate constraint variables
  – Generate assert statements
  – Generate update statements
![Page 28: CSSV – C String Static Verifier](https://reader035.fdocuments.us/reader035/viewer/2022081505/56815a7a550346895dc7e3f4/html5/thumbnails/28.jpg)
C2IP - Constraint Variable
• For every pointer p: p.offset
[Figure: p points two cells into array s, so p.offset = 2]
![Page 29: CSSV – C String Static Verifier](https://reader035.fdocuments.us/reader035/viewer/2022081505/56815a7a550346895dc7e3f4/html5/thumbnails/29.jpg)
C2IP - Constraint Variable
• For every abstract location aloc: aloc.is_nullt, aloc.len, aloc.msize
[Figure: abstract location aloc5 for array s; aloc5.len is the index of its first '\0' and aloc5.msize its allocated size]
![Page 30: CSSV – C String Static Verifier](https://reader035.fdocuments.us/reader035/viewer/2022081505/56815a7a550346895dc7e3f4/html5/thumbnails/30.jpg)
C2IP – insert_long()
C source:
char buf[BUFSIZ];
char * insert_long (char *cp) {
    char temp[BUFSIZ];
    int i;
    require string(cp);
    for (i=0; &buf[i] < cp; ++i) { temp[i] = cp[i]; }
    …

Generated integer program:
int buf.offset = 0; int sbuf.msize = BUFSIZ; int sbuf.len; int sbuf.is_nullt;
int cp.offset;
int temp.offset = 0; int stemp.msize = BUFSIZ; int stemp.len; int stemp.is_nullt;
int i;
assume(sbuf.is_nullt ∧ 0 ≤ cp.offset ≤ sbuf.len < sbuf.alloc);
for (i=0; i < cp.offset; ++i) {
    assert(0 ≤ i < stemp.msize ∧ (stemp.is_nullt ⇒ i ≤ stemp.len));
    assert(-i ≤ cp.offset < -i + sbuf.len);
    if (sbuf.is_nullt ∧ sbuf.len == i) { stemp.len = i; stemp.is_nullt = true; } else …
}
C2IP
![Page 31: CSSV – C String Static Verifier](https://reader035.fdocuments.us/reader035/viewer/2022081505/56815a7a550346895dc7e3f4/html5/thumbnails/31.jpg)
C2IP – insert_long() (continued)
strcpy(&temp[i], "(long)");
becomes
assert(0 ≤ i < stemp.msize - 6);
assume(stemp.len == i + 6);
…
![Page 32: CSSV – C String Static Verifier](https://reader035.fdocuments.us/reader035/viewer/2022081505/56815a7a550346895dc7e3f4/html5/thumbnails/32.jpg)
C2IP - Update statements
p = s + 5;   →   p.offset = s.offset + 5;
![Page 33: CSSV – C String Static Verifier](https://reader035.fdocuments.us/reader035/viewer/2022081505/56815a7a550346895dc7e3f4/html5/thumbnails/33.jpg)
C2IP - Use points-to information
*p = 0;   →
if (…) {
    aloc1.len = p.offset;
    aloc1.is_nullt = true;
} else {
    aloc5.len = p.offset;
    aloc5.is_nullt = true;
}
[Figure: p may point to aloc1 or aloc5, hence the non-deterministic branch]
![Page 34: CSSV – C String Static Verifier](https://reader035.fdocuments.us/reader035/viewer/2022081505/56815a7a550346895dc7e3f4/html5/thumbnails/34.jpg)
Handling structures
• Pointer analysis handles structures
• C2IP handles pointer arithmetic
• Generate constraint variables per field
![Page 36: CSSV – C String Static Verifier](https://reader035.fdocuments.us/reader035/viewer/2022081505/56815a7a550346895dc7e3f4/html5/thumbnails/36.jpg)
Integer Analysis
• Interval analysis is not enough: assert(-i ≤ cp.offset < -i + sbuf.len);
• Use a powerful abstract domain
• Polyhedra (Cousot & Halbwachs, 78): statically analyzes program variable relations and detects constraints a1*var1 + a2*var2 + … + an*varn ≤ b
![Page 37: CSSV – C String Static Verifier](https://reader035.fdocuments.us/reader035/viewer/2022081505/56815a7a550346895dc7e3f4/html5/thumbnails/37.jpg)
Linear Relation Analysis
Statically analyzes program variable relations and detects constraints:
a1*var1 + a2*var2 + … + an*varn ≤ b   (a polyhedron)
[Figure: the polyhedron y ≥ 1 ∧ x + y ≥ 3 ∧ −x + y ≤ 1 drawn in the (x, y) plane; its generator form has vertices V = <(1,2), (2,1)> and rays R = <(1,0), (1,1)>]
![Page 38: CSSV – C String Static Verifier](https://reader035.fdocuments.us/reader035/viewer/2022081505/56815a7a550346895dc7e3f4/html5/thumbnails/38.jpg)
Integer Analysis – insert_long()
State reached before the first strcpy:
buf.offset = 0, temp.offset = 0, 0 ≤ cp.offset = i ≤ sbuf.len < sbuf.msize, sbuf.msize = 1024, stemp.msize = 1024
assert(0 ≤ i < stemp.msize - 6);   // strcpy(&temp[i], "(long)");
Potential violation when cp.offset ≥ 1018
[Figure: cp points into buf at offset i = cp.offset ≥ 1018, so "(long)" runs past the end of temp]
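As an added example (not code from the slides or from the CSSV tool), the following Python models the constraint variables of the C2IP slides and the inlined strcpy() specification of slide 18, then runs the integer-program view of insert_long() for concrete values of sbuf.len and cp.offset. The ALoc/Ptr classes and the reading of len() and alloc() relative to a pointer's offset are assumptions of this model.

```python
from dataclasses import dataclass

class StringError(Exception):
    """Raised where a CSSV-style assert of the integer program is violated."""

@dataclass
class ALoc:
    """Abstract location with its C2IP constraint variables aloc.msize/len/is_nullt."""
    name: str
    msize: int              # allocated size in bytes
    len: int = 0            # index of the first '\0', meaningful only if is_nullt
    is_nullt: bool = False

@dataclass
class Ptr:
    """A pointer is abstracted to its target location plus p.offset (assumed model)."""
    loc: ALoc
    offset: int = 0

def ip_strcpy(dst: Ptr, src: Ptr) -> Ptr:
    """Inlined strcpy() spec: requires string(src) and alloc(dst) > len(src);
    ensures len(dst) == pre@len(src). len/alloc are taken from the pointer's offset."""
    if not (src.loc.is_nullt and src.offset <= src.loc.len):
        raise StringError(f"strcpy: {src.loc.name}+{src.offset} is not a string")
    src_len, alloc_dst = src.loc.len - src.offset, dst.loc.msize - dst.offset
    if not alloc_dst > src_len:
        raise StringError(f"strcpy: alloc({dst.loc.name})={alloc_dst} <= len(src)={src_len}")
    dst.loc.len, dst.loc.is_nullt = dst.offset + src_len, True   # ensures clause
    return dst

BUFSIZ = 1024

def ip_insert_long(sbuf_len: int, cp_offset: int) -> int:
    """Integer-program view of insert_long(): only sbuf.len and cp.offset matter.
    Returns the resulting sbuf.len, or raises StringError where CSSV reports an error."""
    if not (0 <= cp_offset <= sbuf_len < BUFSIZ):      # the assumed precondition
        raise StringError("precondition string(cp), buf <= cp < buf+BUFSIZ violated")
    buf, temp = ALoc("buf", BUFSIZ, sbuf_len, True), ALoc("temp", BUFSIZ)
    i = cp_offset                      # after the prefix loop temp[i] = buf[i], i == cp.offset
    literal = ALoc('"(long)"', 7, 6, True)              # a 6-char string literal
    ip_strcpy(Ptr(temp, i), Ptr(literal))               # alloc(temp+i) > 6  <=> i < 1018
    ip_strcpy(Ptr(temp, i + 6), Ptr(buf, cp_offset))    # <=> sbuf.len < 1018
    ip_strcpy(Ptr(buf), Ptr(temp))                      # temp now holds sbuf.len + 6 chars
    return buf.len

def violates(sbuf_len: int, cp_offset: int) -> bool:
    """True when the integer program of insert_long() hits a violated assert."""
    try:
        ip_insert_long(sbuf_len, cp_offset)
        return False
    except StringError:
        return True
```

violates(1020, 1018) reproduces the cp.offset ≥ 1018 bound of the slide, while violates(1018, 0) shows the separate bound on sbuf.len imposed by the second strcpy.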
![Page 40: CSSV – C String Static Verifier](https://reader035.fdocuments.us/reader035/viewer/2022081505/56815a7a550346895dc7e3f4/html5/thumbnails/40.jpg)
CSSV
[Figure: the same architecture with the AWP path highlighted. For a leaf procedure, C2IP with side-effect analysis produces the Mod set and the integer program; AWP runs backward over the integer program to generate the Pre; the forward Integer Analysis then produces the Post and the potential error messages]
![Page 42: CSSV – C String Static Verifier](https://reader035.fdocuments.us/reader035/viewer/2022081505/56815a7a550346895dc7e3f4/html5/thumbnails/42.jpg)
AWP
• Approximate the Weakest Precondition
• Backward integer analysis
• Generates a precondition
![Page 43: CSSV – C String Static Verifier](https://reader035.fdocuments.us/reader035/viewer/2022081505/56815a7a550346895dc7e3f4/html5/thumbnails/43.jpg)
AWP – insert_long()
• Generate the following precondition:
  sbuf.is_nullt ∧ sbuf.len < sbuf.alloc ∧ 0 ≤ cp.offset ≤ sbuf.len ∧ …
![Page 44: CSSV – C String Static Verifier](https://reader035.fdocuments.us/reader035/viewer/2022081505/56815a7a550346895dc7e3f4/html5/thumbnails/44.jpg)
AWP – insert_long()
• Generate the following precondition:
  string(cp) ∧ sbuf.len cp.offset + 1017
• Not the weakest precondition, which is: string(cp) ∧ sbuf.len ≤ 1017
![Page 45: CSSV – C String Static Verifier](https://reader035.fdocuments.us/reader035/viewer/2022081505/56815a7a550346895dc7e3f4/html5/thumbnails/45.jpg)
Implementation
• Using:
  – ASToolKit [Microsoft]
  – GOLF [Microsoft – Das Manuvir]
  – New Polka [IMAG - Bertrand Jeannet]
• Main steps:
  – Simplifier
  – Pointer analysis
  – C2IP
  – Integer Analysis
![Page 46: CSSV – C String Static Verifier](https://reader035.fdocuments.us/reader035/viewer/2022081505/56815a7a550346895dc7e3f4/html5/thumbnails/46.jpg)
Implementation – step 1
[Figure: the C files, the Pre/Mod/Post specification and the procedure name enter the Simplifier, which inlines the annotation into C' and lowers it to Core C]
![Page 47: CSSV – C String Static Verifier](https://reader035.fdocuments.us/reader035/viewer/2022081505/56815a7a550346895dc7e3f4/html5/thumbnails/47.jpg)
Core C
• Simplifies the analysis implementation
• A limited form of C expressions
  – Adds temporaries
  – At most one operator per statement
  – Converts value computation into location computation
  – No loss of precision
![Page 48: CSSV – C String Static Verifier](https://reader035.fdocuments.us/reader035/viewer/2022081505/56815a7a550346895dc7e3f4/html5/thumbnails/48.jpg)
Implementation – step 2
[Figure: Core C and the procedure name go to the GOLF pointer analysis, producing global pointer info; GFC determines the visible variables, and the procedure's pointer projection yields the procedure's pointer info]
![Page 49: CSSV – C String Static Verifier](https://reader035.fdocuments.us/reader035/viewer/2022081505/56815a7a550346895dc7e3f4/html5/thumbnails/49.jpg)
Implementation – steps 3, 4
[Figure: Core C, the GFC result and the modular pointer info go through C2IP to an integer program; the forward Integer Analysis (given the Pre) yields potential error messages, and the backward one generates the Pre]
![Page 50: CSSV – C String Static Verifier](https://reader035.fdocuments.us/reader035/viewer/2022081505/56815a7a550346895dc7e3f4/html5/thumbnails/50.jpg)
Preliminary results (web2C)

| Proc | line | coreC line | time (sec) | space (Mb) | errors | FA |
|---|---|---|---|---|---|---|
| insert_long | 14 | 64 | 2.0 | 13 | 2 | 0 |
| fprintf_pascal_string | 10 | 25 | 0.1 | 0.3 | 2 | 0 |
| space_terminate | 9 | 23 | 0.1 | 0.2 | 0 | 0 |
| external_file_name | 14 | 28 | 0.2 | 1.7 | 2 | 0 |
| join | 15 | 53 | 0.6 | 5.2 | 2 | 1 |
| remove_newline | 25 | 105 | 0.6 | 4.6 | 0 | 0 |
| null_terminate | 9 | 23 | 0.1 | 0.2 | 2 | 0 |

Up to four times faster than SAS01
![Page 51: CSSV – C String Static Verifier](https://reader035.fdocuments.us/reader035/viewer/2022081505/56815a7a550346895dc7e3f4/html5/thumbnails/51.jpg)
Preliminary results (EADS/RTC_Si)

| Proc | line | coreC line | time (sec) | space (Mb) | errors | FA |
|---|---|---|---|---|---|---|
| FiltrerCarNonImp | 19 | 34 | 1.6 | 0.5 | 0 | 0 |
| SkipLine | 12 | 42 | 0.8 | 1.9 | 0 | 0 |
| StoreIntInBuffer | 37 | 134 | 7.9 | 21 | 0 | 0 |
![Page 52: CSSV – C String Static Verifier](https://reader035.fdocuments.us/reader035/viewer/2022081505/56815a7a550346895dc7e3f4/html5/thumbnails/52.jpg)
Status
• Implemented
  – Simplifier
  – GFC
  – Procedure’s pointer analysis
  – C2IP excluding structures
  – AWP excluding side effect
• TBD
  – Structures
  – Inline specification
  – Side effect analysis
  – More applications
![Page 53: CSSV – C String Static Verifier](https://reader035.fdocuments.us/reader035/viewer/2022081505/56815a7a550346895dc7e3f4/html5/thumbnails/53.jpg)
Conclusion
• Static checking for string errors is feasible!
  – Can show the absence of string errors in complicated string manipulation procedures
• Identified rare bugs
• Techniques used
  – Modular analysis (assume/guarantee)
  – Pointer analysis
  – Integer analysis
• Open questions
  – Can this be fully automated?
  – Extension to handle dynamic allocations (ITVLA)