Refining Buffer Overflow Detection via Demand-Driven Path-Sensitive Analysis (PowerPoint presentation transcript)

1
Refining Buffer Overflow Detection via
Demand-Driven Path-Sensitive Analysis
  • Wei Le and Mary Lou Soffa
  • University of Virginia

sotesty.cs.virginia.edu
2
Motivation
  • Buffer overflow: 20 years since the Morris Worm,
    still the most common exploit
  • Challenge: eliminate exploitable buffer
    overflows
    • Detect where a buffer overflow can occur
    • Determine its cause and remove it

3
Problems of Static Approaches
  • Detection precision: false positives
  • Error reports do not provide much
    information for diagnosis
    • only an overflow point in the program is reported
  • Not fully automatic: manual annotation required

4
Our Goals and Approaches
  • Goal: automatically identify paths on which a
    buffer overflow can occur and report the path
    segment that causes the overflow
  • Challenge: a huge number of paths
  • Approach
    • interprocedural path-sensitive analysis for
      precision and to help diagnosis
    • demand-driven analysis for scalability

5
Five Types of Paths
  • Infeasible: no input can exercise the path
  • Safe: no input can overflow the buffer
  • Vulnerable: users can write any content to the
    buffer
  • Overflow-user-independent: the buffer content
    is statically determinable
  • Don't-know: the buffer status cannot be judged
    statically

6
An Example
(Figure: control flow graph of a fragment of wu-ftpd 2.6.2 realpath.c; its paths are coloured Safe, Infeasible and Overflow. Recovered node labels:)
  1: wbuf, resolved
  2: rootd = 1
  3: rootd = 0
  4: '\0' test (label only partly recovered)
  5: strlen(wbuf) + rootd + 1 + strlen(resolved) > LEN ?  y: exit  n: continue
  6: rootd == 0 ?  y: node 7  n: node 8
  7: strcat(resolved, "/")
  8: strcat(resolved, wbuf)
  The slide also carries the label "LEN 6" near node 5.

7
Demand-Driven Analysis
(Figure: the same graph annotated with the queries propagated backwards from the PVS at node 8. A query is a pair (condition, flag) with s = strlen(resolved) + strlen(wbuf), l = sizeof(resolved) and f = wbuf. Recovered labels:)
  Node 8: Q1 = (s + 1 < l, f)
  Node 6: Q0 and Q1 arrive along its two edges (y / n)
  Node 5: Q0_5 = (LEN - 1 - rootd < l, f); Q1_5 = (LEN - rootd < l, f)
  Node 3: Q0_5_3 = (LEN - 1 < l, f); Q1_5_3 = (LEN < l, f)
  Node 2: Q0_5_2 = (LEN - 1 < l, f); an Infeasible label sits next to nodes 2/3
  Node 1: char resolved[LEN] resolves l; the queries are marked Solved

8
The Demand-Driven Model
  • PVS (potentially vulnerable statement):
    strcpy(a, b)
  • Query: (sizeof(a) > strlen(b), flag)
  • Information for updating queries: char a[9]
  • Propagation rules
    • interprocedural, loop, join point, infeasible
  • Resolving the query: false, flag = user input

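The query propagation of slides 6 to 8, as an added worked example (constructed here; not the authors' Phoenix-based tool): a toy linear-expression model of the realpath.c fragment in which the safety query raised at the strcat() PVS is walked backwards along one path at a time, updated by strcat, the exit check and the rootd assignments, and resolved at the declaration, yielding the path types of slide 5. The CFG encoding, the treatment of wbuf as user input (the query flag) and the "1" constant symbol are assumptions of this model.

```python
"""Toy demand-driven, path-sensitive query propagation (constructed example, not the authors' tool)
for the slides' wu-ftpd 2.6.2 realpath.c fragment: the query raised at the strcat() PVS walks one
path backwards and is resolved at char resolved[LEN]. Expressions: {symbol: coeff}, "1" = constant."""
def add(a, b, k=1):  # a + k*b, dropping zero coefficients
    out = dict(a)
    for s, c in b.items():
        out[s] = out.get(s, 0) + k * c
    return {s: c for s, c in out.items() if c}

USER_INPUT = {"len(wbuf)"}  # assumption: wbuf carries user data, which sets the query flag
# Constructed CFG (slide node 4 omitted: it does not touch the query). Kinds: decl char buf[size];
# assign var = const; branch (var, value, taken): var == value holds if taken, else var != value;
# bound expr <= 0 holds on the fall-through edge of an exit check; strcat(dst, strlen(src)).
NODES = {
    "1": ("decl", "resolved", {"LEN": 1}),
    "2": ("assign", "rootd", 1),
    "3": ("assign", "rootd", 0),
    "5": ("bound", {"len(wbuf)": 1, "rootd": 1, "1": 1, "len(resolved)": 1, "LEN": -1}),
    "6y": ("branch", "rootd", 0, True),
    "6n": ("branch", "rootd", 0, False),
    "7": ("strcat", "resolved", {"1": 1}),          # strcat(resolved, "/")
    "8": ("strcat", "resolved", {"len(wbuf)": 1}),  # strcat(resolved, wbuf): the PVS
}

def classify(path):
    """Label one path ending at the PVS with one of the slides' five path types."""
    _, dst, src = NODES[path[-1]]
    # Query: slack = sizeof(dst) - (strlen(dst) + strlen(src) + 1) must stay >= 0 to be safe
    slack = add({"sizeof(%s)" % dst: 1, "len(%s)" % dst: -1, "1": -1}, src, -1)
    flag, predicates = any(s in USER_INPUT for s in src), []
    for node in reversed(path[:-1]):
        stmt = NODES[node]
        if stmt[0] == "strcat":  # before the call strlen(dst) was shorter by strlen(src)
            slack = add(slack, stmt[2], slack.get("len(%s)" % stmt[1], 0))
        elif stmt[0] == "branch":  # remembered until the assignment that decides it
            predicates.append(stmt[1:])
        elif stmt[0] == "bound":  # expr <= 0: add k*expr to cancel the strlen terms (worst case)
            k = {-slack.get(s, 0) / stmt[1][s] for s in stmt[1] if s.startswith("len(")}
            if len(k) == 1 and min(k) > 0:
                slack = add(slack, stmt[1], k.pop())
        elif stmt[0] == "assign":  # constant substitution; a contradicted predicate kills the path
            if any(v == stmt[1] and (stmt[2] == pv) != taken for v, pv, taken in predicates):
                return "Infeasible"
            predicates = [p for p in predicates if p[0] != stmt[1]]
            slack = add(slack, {"1": stmt[2]}, slack.pop(stmt[1], 0))
        else:  # decl: sizeof(buf) becomes the declared size
            slack = add(slack, stmt[2], slack.pop("sizeof(%s)" % stmt[1], 0))
    if predicates or set(slack) - {"1"}:
        return "Don't-know"
    return "Safe" if slack.get("1", 0) >= 0 else "Vulnerable" if flag else "Overflow-user-independent"
```

The rootd == 0 path through node 7 resolves to a constant slack of -1 (the one-byte overflow of the "/" + wbuf + NUL write), while the rootd == 1 path resolves to +1 and is Safe; the two remaining node 2/3 combinations contradict the node 6 predicate and are Infeasible.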
9
Approach
(Figure: flowchart of the approach. Boxes: Program, Feasibility Detection, Infeasible Paths, Node Information, PVS, Overflow Properties, Raise Query, Propagate Query, Update Query, Resolve Query, Propagate Results, Label Paths; one decision node has Yes/No edges.)

10
Experiments
  • Purpose
    • Existence of the 5 types of paths
    • Benefit of demand-driven analysis
  • Implementation: Microsoft Phoenix APIs [phoenix]
  • Benchmarks
    • 9 programs, 0.4-97.3K LOC
    • BugBench [06lu] and the Buffer Overflow
      Benchmark [03Zitser]

11
Experimental Results
12
Experimental Results
  • All defined types of paths exist
  • Problematic paths exhibit a certain complexity
  • Memory usage: 9-65 MB
  • Time cost: 0.24-102.6 s

13
User Scenario
(Figure, built up over slides 13 to 16: a path from Entry to the PVS; its segments are labelled Overflow User Independent and Vulnerable, and the final slide marks the Root Cause.)

Related Work
  • Static detection of buffer overflow
    • ARCHER [03xie], BOON [00wagner], ESPx [06hackett],
      Prefast [ms], Prefix [00bush], Splint [96evans]
  • Path-sensitive analysis for defects
    • ARCHER [03xie], ESPx [06hackett], ESP [02das],
      IPSSA [03livshits], MOPS [02chen], Prefix [00bush]
  • Demand-driven approach
    • A general framework [96Duesterwald]
    • Applications: dataflow computation [96Duesterwald],
      infeasible path detection [97bodik], memory
      leak [06Orlovich], postmortem analysis [04Manevich]

18
Conclusions
  • A categorization of five types of paths for
    buffer overflow
  • An interprocedural demand-driven path-sensitive
    diagnosis tool for identifying the type of paths
    through a potential overflow
  • Experimental results that demonstrate that the
    path types exist in real programs

19
Thank you and Questions?