Model Checking One Million Lines of C Code检查C代码一百万行模型.ppt

Model Checking One Million Lines of C Code Hao Chen, UC Berkeley Drew Dean, SRI International David Wagner, UC Berkeley MOPS (MOdel checking Programs for Security properties) A static analysis tool that checks source programs for temporal safety properties.e.g. a setuid-root program must drop privilege before making risky system calls. Analysis Pushdown model checking Inter-procedural Control flow centric The MOPS process Is software model checking readyfor prime time? Can model checking be used by open source developers to find security vulnerabilities? Criteria for a successful tool It is useful Can check many properties Can check diverse, widely-deployed programs Requires moderate computational resources It is usable Can be used easily by non-tool developers Can generate comprehensible error reports Outline Experiment Programs: 8 widely-deployed programs, with over 1 million LOC Properties: 5 security-related properties Findings More than a dozen vulnerabilities and weaknesses Usability improvements Conclusion Programs Security properties Drop privilege completely when needed Avoid stderr vulnerability Avoid race condition (TOCTTOU) Create chroot-jail safely chdir(“/”) must follow chroot() immediately Create temporary files safely Use only the safe function mkstemp() Never reuse filename in mkstemp(filename) Property: drop privilege completely Setuid-root programs should drop root privilege completely before executing an untrusted program via system(), popen(), execvp() and friends, or when the program intends to do so Otherwise, the remaining privilege may be exploited by the untrusted program that is executed malicious code injected via buffer overrun attacks Vulnerability: fail to drop privilege completely What is wrong? Potential Vulnerability Weaknesses ssh: fails to drop privilege before executing a user program ssh-keysign: fails to drop privilege before doing complex cryptographic operations A buffer overrun would allow the attacker to regain root p