Detecting C Program Vulnerabilities - PowerPoint PPT Presentation

Slides: 10
Provided by: Alle1150
1
Detecting C Program Vulnerabilities
Tomsk State University
Anton Ermakov, Natalia Kushik
Presented by Olga Kondratyeva
2
Program vulnerabilities
  • A vulnerability is a property of a program that
    allows a user to violate the confidentiality,
    integrity, and/or availability of the software

Detection methods
  • Static methods: the source code of a program is
    analyzed without running the program
  • Dynamic methods: require running the program
3
Source codes for detecting program vulnerabilities
  • We experimented with student implementations of
    array algorithms for various purposes:
    - C implementation of average value calculation
      (contains a type overflow vulnerability)
    - C implementation of the bubble sort (contains
      an array overflow vulnerability)
    - C implementation of the insertion sort
      (contains an array overflow vulnerability)

4
Source codes for detecting program vulnerabilities
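Average value calculating

```c
#include <stdio.h>
#include <stdlib.h>

int main() {
    unsigned short n = 0, a[10];
    printf("Input size of array, please");
    scanf("%d", &n);            /* n is never checked against the size of a[10] */
    for (int i = 0; i < n; i++) {
        printf("%d. ", i);
        scanf("%d", &a[i]);     /* writes past a[9] when n > 10 */
    }
    unsigned short sred = 0;
    for (int i = 0; i < n; i++)
        sred += a[i];           /* the sum can exceed the range of unsigned short */
    sred /= n;
    printf("Middle=%d", sred);
    system("pause");
    return sred;
}
```

The bubble sort

```cpp
#include <iostream>
#include <cstdlib>
using namespace std;

int main() {
    unsigned short j = 0, i = 0, n, a[10];
    cout << "Vvedite celoe chislo";   // "Enter an integer" (transliterated Russian)
    cin >> n;                         // n is never checked against the size of a[10]
    for (i = 0; i < n; i++) {
        cout << i << " ";
        cin >> a[i];
    }
    unsigned short temp;
    bool t = true;
    while (t == true) {               // repeat passes until no swap happens
        t = false;
        for (j = 0; j < n - 1; j++)
            if (a[j] > a[j + 1]) {
                temp = a[j];
                a[j] = a[j + 1];
                a[j + 1] = temp;
                t = true;
            }
    }
    for (i = 0; i < n; i++)
        cout << i << "" << a[i] << endl;
    system("pause");
    return 1;
}
```

The insertion sort

```cpp
#include <iostream>
#include <cstdlib>
using namespace std;

int main() {
    unsigned short length, key, arr[10];
    int i = 0, j = 0, tmp = 0;
    cout << "Vvedite celoe chislo";   // "Enter an integer" (transliterated Russian)
    cin >> length;                    // length is never checked against the size of arr[10]
    for (i = 0; i < length; i++) {
        cout << i << " ";
        cin >> arr[i];
    }
    for (i = 0; i < length; i++) {
        tmp = arr[i];
        // shift larger items one position right, then insert tmp
        for (j = i - 1; j >= 0 && arr[j] > tmp; j--)
            arr[j + 1] = arr[j];
        arr[j + 1] = tmp;
    }
    for (i = 0; i < length; i++)
        cout << i << "" << arr[i] << endl;
    system("pause");
    return 1;
}
```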
5
Static code analyzers (1)
| Analyzer | Properties | Vulnerabilities being detected |
|---|---|---|
| ITS4 (Cigital company, USA, 1992) | Relies on a database of potentially dangerous C functions | ITS4 reported scanf() as a function with a high risk of a buffer overflow vulnerability |
| Flawfinder (David A. Wheeler, 2004) | Relies on a list of potentially dangerous C instructions | The Flawfinder report contains only one dangerous function, system() |
| Graudit (Grep Utility) | Returns a colored report in which some dangerous instructions are highlighted in blue | Graudit highlighted the functions scanf() and printf() and the stream input/output operators cin and cout |
6
Static code analyzers (2)
| Analyzer | Properties | Vulnerabilities being detected |
|---|---|---|
| CppCheck 1.46 (Daniel Marjamäki and Cppcheck team, 2007-2010) | Memory leakage vulnerabilities | No errors found |
| AEGIS (SPbSPU, Digitek Labs, since 2008) | Memory leakage, incorrect pointers, incorrect array indexes, uninitialized variables, the use of potentially dangerous functions, etc. | For the average value calculating program, AEGIS detected an incorrect array index. For the array sort programs, AEGIS mentioned only that there is a call of an unsafe function, system() |
7
SPIN based approach for detecting vulnerabilities (1)
  • SPIN is a well-known model checker
  • Vulnerability is described as a property to be
    verified
  • If the program is vulnerable, i.e., possesses a
    bad feature, then SPIN produces a
    counterexample
  • The property is specified as a corresponding
    assertion

8
SPIN based approach for detecting vulnerabilities (2)
  • Type overflow vulnerability has been detected in
    average value calculating program (counterexample
    produced by SPIN has the value 10005 for each
    array item value)
  • Array overflow vulnerability has been detected
    in both sorting programs (counterexample produced
    by SPIN has the value 11 for array dimension as
    well as for each array item value)
  • Type overflow vulnerability has been detected in
    both sorting programs (counterexamples produced
    by SPIN have values 70035 and 80040 for array
    item values)

For some kinds of C code vulnerabilities, static
analysis can be insufficient, and the SPIN based
approach to vulnerability detection seems to be
promising
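The two properties discussed for the average-value program, written as explicit checks in C and driven by a small bounded search over inputs. This is an added example, not the authors' SPIN model or code from the presentation. The names check_average and search, the 16-bit limit and the "every item has the same value" input family are assumptions; the item values 10005 and 11 are the ones quoted on slide 8.

```c
#include <stdio.h>

#define CAPACITY 10          /* the student programs declare a[10] */
#define USHORT_LIMIT 65535UL /* assumption: 16-bit unsigned short */

enum verdict { SAFE, ARRAY_OVERFLOW, TYPE_OVERFLOW };
struct counterexample { unsigned n; enum verdict v; };

/* Replay the summing loop of the average-value program on one input,
 * checking both properties before the unsafe step would take effect. */
enum verdict check_average(unsigned n, const unsigned short *items)
{
    unsigned long sum = 0;   /* wide shadow of `unsigned short sred` */
    for (unsigned i = 0; i < n; i++) {
        if (i >= CAPACITY)           /* property 1: index stays inside a[10] */
            return ARRAY_OVERFLOW;
        sum += items[i];
        if (sum > USHORT_LIMIT)      /* property 2: sum fits in sred */
            return TYPE_OVERFLOW;
    }
    return SAFE;
}

/* Bounded search: smallest array size n in 1..CAPACITY+1 that violates a
 * property when every item equals `value` (constructed input family). */
struct counterexample search(unsigned short value)
{
    unsigned short items[CAPACITY];
    for (unsigned k = 0; k < CAPACITY; k++)
        items[k] = value;
    for (unsigned n = 1; n <= CAPACITY + 1; n++) {
        enum verdict v = check_average(n, items);
        if (v != SAFE)
            return (struct counterexample){ n, v };
    }
    return (struct counterexample){ 0, SAFE };
}

int main(void)
{
    static const char *name[] = { "safe", "array overflow", "type overflow" };
    unsigned short inputs[] = { 10005, 11 };  /* item values quoted on slide 8 */
    for (unsigned k = 0; k < 2; k++) {
        struct counterexample c = search(inputs[k]);
        printf("items=%u: n=%u -> %s\n", (unsigned)inputs[k], c.n, name[c.v]);
    }
    return 0;
}
```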
9
Thank you for your attention!