Title: Static Detection of Buffer Overflow in C using LCLint

1 Static Detection of Buffer Overflow in C using LCLint
CS655 Group 3
2 Motivation
RSA hacked
ATN hacked
One of the most common attacks is the buffer-overflow attack.
3 The C language allows pointer arithmetic and array accesses without bounds checking, which makes it possible to write data past the end of a buffer and overwrite other values. Malicious users exploit this to make programs run arbitrary code: the classical buffer-overflow attack.

Buffer overflow examples:

    strcpy (char *arg1, char *arg2)   /* overflow if bufSize(arg1) < stringLen(arg2) */
    gets (char *s)                    /* overflow if length of stdin > sizeof(s) */
4 Two important reasons for buffer overflow to happen

1. Non-nullterminated strings are used where nullterminated ones are expected:

    char *strcpy (char *dst, const char *src)

2. The storage buffer is smaller than the amount of data to be stored:

    strncpy (char *dst, const char *src, size_t n)   /* buffer overflow happens if bufSize(dst) < n */
5 Related work on memory error detection

Dynamic approach: detects problems at run time, can only find problems that occur in the given test case, and is infeasible for applications constrained by space or time (real-time systems). Examples: StackGuard, GCC BOUNDS, Purify.

Static approach: analyzes source code to find potential problems, and can detect problems that are unlikely to occur in a test-case execution. Example: LCLint.

LCLint allows programmer-assisted annotation:

    /*@null@*/ char *x;   /* x is possibly null */
6 Our solution: modify LCLint to detect buffer overflows statically by introducing a series of annotations.

    nullterminated   /*@nullterminated@*/ char *x;
    bufSize          /*@bufSize(10)@*/ char x[10];
    stringLen        /*@stringLen(11)@*/ char *x = "Hello world";
7 Formal semantics for the annotations

Nullterminated (NT): 4 rules developed. Example:

    3a.   A ⊢ x : NT
          -----------------
          A ⊢ return x  ok

    3b.   A ⊢ f_returnValue : NT,   A ⊢ x : NT
          -------------------------------------
          A ⊢ return x  ok

bufSize and stringLen: 12 rules developed.
8 LCLint structure (where it changes to support nullterminated)

    Lexical Analyzer
    Syntax checking (parser)
    Semantic analysis
    Complete Analysis
9 Implementation strategies for nullterminated

Modify the parser and introduce the checking for the nullterminated semantics in the analyzer. Associate the following information with each buffer:

    typedef enum { NT, POSSIBLY_NT, NOT_NT } bufstate;

    struct bbufstate {
        bufstate state;   /* state of the buffer: NT, possibly NT, not NT */
        int size;         /* size of the buffer allocated */
        int len;          /* len of the buffer, VALID ONLY if state is NT */
    };

The state of the buffer changes according to the inferences made by the analyzer or the user-provided annotations. Both the caller and the callee of a function call need to honor the error-checking requirements.
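As an added illustration (not LCLint's or the project's code), the following toy checker models the buffer state of slide 9 and applies the two overflow conditions of slide 4 to strcpy and strncpy; the struct fields, error codes and helper names are this example's own assumptions.

```c
#include <string.h>

/* Abstract buffer state: the three values of the nullterminated lattice. */
typedef enum { NOT_NT, POSSIBLY_NT, NT } ntstate;

typedef struct {
    ntstate state;  /* nullterminated state of the buffer */
    int size;       /* bytes allocated (what bufSize records) */
    int len;        /* string length (what stringLen records); only meaningful when state == NT */
} bufstate;

enum { CHECK_OK = 0, ERR_NOT_NT = 1, ERR_OVERFLOW = 2 };

/* malloc(n): the size is known, but nothing guarantees a terminator. */
static bufstate buf_malloc(int n) { bufstate b = { POSSIBLY_NT, n, -1 }; return b; }

/* A string literal is nullterminated with a known length. */
static bufstate buf_literal(const char *s) {
    bufstate b = { NT, (int)strlen(s) + 1, (int)strlen(s) };
    return b;
}

/* strcpy(dst, src): src must be NT (reason 1 on slide 4) and dst must hold
   stringLen(src) + 1 bytes, terminator included (reason 2). On success dst
   becomes NT with the same length. */
static int check_strcpy(bufstate *dst, const bufstate *src) {
    if (src->state != NT) return ERR_NOT_NT;
    if (dst->size <= src->len) return ERR_OVERFLOW;
    dst->state = NT;
    dst->len = src->len;
    return CHECK_OK;
}

/* strncpy(dst, src, n): overflow if bufSize(dst) < n. The result is NT only
   when the source plus its terminator fits in n bytes; otherwise strncpy
   leaves dst unterminated, which the state records as POSSIBLY_NT. */
static int check_strncpy(bufstate *dst, const bufstate *src, int n) {
    if (dst->size < n) return ERR_OVERFLOW;
    if (src->state == NT && src->len < n) {
        dst->state = NT;
        dst->len = src->len;
    } else {
        dst->state = POSSIBLY_NT;
    }
    return CHECK_OK;
}
```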
10 Evaluation

Evaluation was done manually, meaning that the modified LCLint will be able to detect the buffer overflows once bufSize and stringLen are implemented. Using these two annotations we can already trace the problems down by hand.
11 Example output

Case 1: Non-nullterminated storage passed as nullterminated.

Code:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    int temp (/*@nullterminated@*/ int *tptr)
    {
        char x[34 * sizeof (int)];   /* size of x not recoverable from the slide; assumed */
        strcpy (x, (char *) tptr);   /* requires tptr to be nullterminated */
        /* ... */
        return 0;
    }

    int main ()
    {
        int *c, *d;
        c = malloc (34 * sizeof (int));   /* allocated, never nullterminated */
        temp (c);                         /* passed as a nullterminated parameter */
        d = c;
        return 0;
    }

Selected LCLint messages:

    NULLTERMINATED ERROR
    test2.c: (in function main)
    test2.c:156: Possibly non-nullterminated storage c passed as nullterminated param: temp (c)
        A possibly non-nullterminated string/memory is used/referenced as a nullterminated one.
        (-nullterminated will suppress message)
    SYMBOL REFERENCED IS NOT NULLTERMINATED!
12 wu-ftpd: a convoluted, insecure real-world program

        /* / at start of path, set the start of the mapped_path to / */
        if( path[0] == '/' ){
            mapped_path[0] = '/';
            mapped_path[1] = '\0';
            path++;
        }
        while( (sl = strchr( path, '/' )) ){
            char *dir, *last;
            dir = path;
            *sl = '\0';
            path = sl + 1;
            if( *dir )
                do_elem( dir );
            if( *path == '\0' )
                break;
        }
        if( *path )
            do_elem( path );

        if( (ret = chdir( mapped_path )) < 0 ){
            strcpy( mapped_path, old_mapped_path );
        }
        return ret;
    }

    /* From now on use the mapping version */
    #define chdir(d)     mapping_chdir(d)
    #define getwd(d)     mapping_getwd(d)
    #define getcwd(d,u)  mapping_getwd(d)
    #endif /* MAPPING_CHDIR */

    char mapped_path[MAXPATHLEN] = "/";
    /* Make these globals rather than local to mapping_chdir to avoid stack overflow */
    char pathspace[MAXPATHLEN];
    char old_mapped_path[MAXPATHLEN];

    void do_elem(char *dir)
    {
        /* . */
        if( dir[0] == '.' && dir[1] == '\0' ){
            /* ignore it */
            return;
        }

        /* append the dir part with a leading / unless at root */
        if( !(mapped_path[0] == '/' && mapped_path[1] == '\0') )
            strcat( mapped_path, "/" );
        strcat( mapped_path, dir );
    }

    int
    mapping_chdir(char *orig_path)
13 A Real World Example

    int mapping_chdir( char *orig_path )
    {
        /* ... */
        char *path;
        path = &pathspace[0];
        strcpy(path, orig_path );
        /* .. */
        if( *path )
            do_elem( path );
        /* ... */
    }

14 A Real World Example (cont.)

    /*@nullterminated@*/ char cdpath[MAXPATHLEN + 1];
    /* ... */
    snprintf(cdpath, sizeof cdpath, "%s/%s", ARG0, path);
    if (chdir(cdpath) >= 0) { /* ... */ }

    void do_elem( /* stringLen < MAXPATHLEN */ /*@nullterminated@*/ char *dir)
    {
        if( !(mapped_path[0] == '/' && mapped_path[1] == '\0') )
            strcat( mapped_path, "/" );
        strcat( mapped_path, dir );
    }
15 Conclusions and future work

We have formally defined the semantics of three important annotations, nullterminated, bufSize and stringLen, and have implemented and evaluated the nullterminated annotation as a proof of concept.

Future work: implementation of the bufSize and stringLen annotations and evaluation of their correctness. Annotations for handling possible buffer overflow errors in printf- and scanf-type functions could be added. Annotations that detect buffer overflow errors in variable argument lists could be added.
16 Acknowledgement

Prof. Evans

Yanlin Huang\0 Avneesh Saxena\0 Seejo Sebastine\0 David Larochelle (possibly not nullterminated!)

THANK YOU