Model Checking One Million Lines of C Code

1
Model Checking One Million Lines of C Code

• Written By
• Hao Chen, Drew Dean, and David Wagner
• Presented by Khanh Nguyen

2
MOPS (MOdel checking Programs for Security
properties)

• A static analysis tool that checks source
  programs for temporal safety properties.e.g. a
  setuid-root program must drop privilege before
  making risky system calls.

3
The MOPS process
Safety Property
FSA
Program satisfies safety property
C Program
CFG
Model Checker
Parser
Error Traces
FSA finite state automaton CFG control flow
graph
Treat the model checker as a black box for this
talk
4
Limitations

• MOPS is only sound when programs are
• Single threaded
• Memory safe (no buffer overflows)
• Portable (no inline assembly code)
• Free from aliasing on properties
• Current implementation does not support
• Function pointers
• Signal handlers
• Long jumps
• Run-time libraries (dlopen)

5
Programs
6
Experiments

• Security Properties
• Drop Privileges Properly
• Create Chroot Jails Securely
• Avoid Race conditions when accessing the file
  system
• Avoid Attacks on Standard File Descriptor
• Create Temporary Files Securely

7
Drop Privileges Properly

• Property A process should drop privilege from
  all its user IDs before calling execl, popen,
  system, or any of their relatives.

execl()
error
priv
setuid(getuid())
unpriv
8
Create Chroot Jails Securely
Property After calling chroot, a process should
immediately call chdir("/") to change its working
directory to the root of the sub-filesystem.
chroot
Error
other
other
chdir(/)
../../etc/passwd
9
Avoid Race conditions when accessing the file
system

• Property A program should not pass the same file
  name to two system calls on any path
• This prevents race conditions that can occur if
  an attacker changes a file between the stat and
  open call

10
Avoid Attacks on Standard File Descriptor

• Property Do not open a file in writing mode to
  stdout or stderr, no matter which file
  descriptors are open when the process starts

11
Create Temporary Files Securely

• Property A program should (1) never call mktemp,
  tmpnam, tempnam, or tmpfile (2) never reuse the
  parameter x in mkstemp(x) and (3) call
  umask(077) before mkstemp

12
Results
13
Conclusion

• Can check many properties
• Can check diverse, widely-deployed programs
• Can be used easily by non-tool developers
• Can generate comprehensible error reports
• MOPS is not complete but strives to eliminate as
  many error traces as possible

14
Questions?