Rule-based static analysis of network protocol implementations
Octavian Udrea, Cristian Lumezanu, and Jeffrey S. Foster
Usenix Security Symposium 2006
Speaker: Chang Huan Wu
2008/10/29
Outline
Introduction
Rule-Based Protocol Specification
Analysis of Protocol Source Code
Experiment Results
Conclusions
Introduction - Motivation
Network protocols must be reliable and secure
– Most work focuses on abstract protocols
– Implementation can introduce vulnerabilities
Goal: Check that implementations match specifications
Introduction - Architecture
Rule-Based Protocol Specification
A simple protocol

int main(void) {
    int sock, val = 1, recval;
    send(sock, &val, sizeof(int));          /* first message: n = 1 */
    while (1) {
        recv(sock, &recval, sizeof(int));
        if (recval == val)
            val += 2;                       /* adds 2; the specification below says n + 1 */
        send(sock, &val, sizeof(int));      /* reply, or resend when recval != val */
    }
}

1. Start by sending n = 1
2. If n is received, send n + 1
3. Otherwise resend n
Rule-Based Protocol Specification
Developed rules from a specification document, such as an RFC or IETF standard
Ex. (2) means “if recv in, and in equals n, then we have to send out, which is in’s value plus 1, and we change current state by setting n := out”
n: ghost variable, representing protocol state
Analysis of Protocol Source Code
Construct a control-flow graph (CFG) from the program source code
Each statement forms a node, and there is an edge from s1 to s2 if statement s1 occurs immediately before statement s2
Analysis – Rule 1 (1/3)
Ø (empty hypothesis)
=> send(_, out, _)
   out[0..3] = 1
   n := 1
Fact: {} (matches the empty hypothesis)
Analysis – Rule 1 (2/3)
Ø (empty hypothesis)
=> send(_, out, _)
   out[0..3] = 1
   n := 1
Fact: {val = 1}
Analysis – Rule 1 (3/3)
Ø (empty hypothesis)
=> send(_, out, _)
   out[0..3] = 1
   n := 1
Fact: {val = 1, out = &val}
Show: Fact → (out[0..3] = 1)
Action: n := 1
Analysis – Rule 3 (1/3)
recv(_, in, _)
in[0..3] ≠ n
=> send(_, out, _)
   out[0..3] = n
Fact: {val = 1, n = 1, in = &recval, in[0..3] ≠ n}
Analysis – Rule 3 (2/3)
recv(_, in, _)
in[0..3] ≠ n
=> send(_, out, _)
   out[0..3] = n
Fact: {val = 1, n = 1, in = &recval, in[0..3] ≠ n, recval ≠ val}
Analysis – Rule 3 (3/3)
recv(_, in, _)
in[0..3] ≠ n
=> send(_, out, _)
   out[0..3] = n
Fact: {val = 1, n = 1, in = &recval, in[0..3] ≠ n, recval ≠ val, out = &val}
Show: Fact → (out[0..3] = n)
Analysis – Rule 2 (1/4)
recv(_, in, _)
in[0..3] = n
=> send(_, out, _)
   out[0..3] = n
Fact: {val = 1, n = 1, in = &recval, in[0..3] = n}
Analysis – Rule 2 (2/4)
recv(_, in, _)
in[0..3] = n
=> send(_, out, _)
   out[0..3] = n
Fact: {val = 1, n = 1, in = &recval, in[0..3] = n, recval = val}
Analysis – Rule 2 (3/4)
recv(_, in, _)
in[0..3] = n
=> send(_, out, _)
   out[0..3] = n
Fact: {val = 3, n = 1, in = &recval, in[0..3] = n, recval = val}
Analysis – Rule 2 (4/4)
recv(_, in, _)
in[0..3] = n
=> send(_, out, _)
   out[0..3] = n
Fact: {val = 3, n = 1, in = &recval, in[0..3] = n, recval = val, out = &val}
Show: Fact → (out[0..3] = in[0..3] +1) Fail!!!
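The walk-through above can be replayed mechanically. The sketch below is an added example, not code from the slides or from the tool: it propagates the facts `val` and the ghost variable `n` through one loop iteration per rule hypothesis and compares each `send` with the rule's conclusion. Assumptions: `paths`, `check_program`, `step` and `limit` are hypothetical names, Rule 2's conclusion is taken as out = in + 1 (as in the "Ex. (2)" explanation and the Show line), and plain constant propagation stands in for proving the implication Fact → conclusion.

```python
# Added illustration, not the tool's code. paths() and check_program() are
# hypothetical names; `step` is what the program adds to val (2 on the slide).

def paths(val, n, hyp, step):
    """One loop iteration under a rule hypothesis about the received value:
    'eq' means in[0..3] = n, 'ne' means in[0..3] != n.
    Yields (facts, out) for every feasible branch of `if (recval == val)`."""
    if hyp == "eq":
        branches = [n == val]          # recval = n, so the test is decided
    else:
        # recval != n: the test can only succeed when val differs from n
        branches = [False] + ([True] if val != n else [])
    for taken in branches:
        new_val = val + step if taken else val
        yield {"val": new_val, "n": n, "recval == val": taken}, new_val


def check_program(step, limit=4):
    """Return rule violations as (rule, facts, out, expected) tuples."""
    violations = []
    val = 1
    if val != 1:                       # Rule 1: the first send must carry 1
        violations.append((1, {"val": val}, val, 1))
    seen, work = set(), [(val, 1)]     # Rule 1 action: ghost n := 1
    while work:
        val, n = work.pop()
        if (val, n) in seen or val > limit:
            continue                   # already analysed, or past the bound
        seen.add((val, n))
        # Rule 2 expects out = in + 1 (with in = n); Rule 3 expects out = n
        for hyp, rule, expected in (("eq", 2, n + 1), ("ne", 3, n)):
            for facts, out in paths(val, n, hyp, step):
                if out != expected:
                    violations.append((rule, facts, out, expected))
                else:                  # Rule 2 action: n := out
                    work.append((out, out if rule == 2 else n))
    return violations


if __name__ == "__main__":
    for step in (2, 1):
        print("val +=", step, "->", check_program(step) or "all rules hold")
```

With `step=2` the single violation carries the same facts as slide 17 (val = 3, n = 1, recval = val); with `step=1` every explored state satisfies all three rules.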
Experiment Results (1/3)
Evaluated Pistachio by analyzing the LSH implementation of SSH2 and the RCP implementation from Cygwin’s package
Chose these systems because of their extensive bug databases and the number of different versions available
Experiment Results (2/3)
96 rules for SSH2
58 rules for RCP
Experiment Results (3/3)
Add some rules that are strongly recommended but not required by the specification
9 new for LSH, 7 new for RCP
Sample compatibility bug
Spec: reply to every version
In LSH version 0.2.9
Sample functionality bug
Spec: can’t use “none” method
In LSH version 0.1.3
Sample buffer overflow
strcpy() is not safe
In LSH version 0.9.1
Conclusion
Defined a rule-based method for the specification of network protocols which closely mimics protocol descriptions in RFC or similar documents
Shown how static analysis techniques can be employed in checking protocol implementations against the rule-based specification
Comments
It is important that network protocols be reliable and secure
Can only handle rule violations
False-positive rate is kind of high