Property 3: standard file descriptors vulnerability

Description: MOPS (MOdel checking Programs for Security properties), a static analysis tool that checks source programs for temporal safety properties. PowerPoint presentation, provided by hch56.

Transcript and Presenter's Notes

1
Property 3: standard file descriptors vulnerability
Standard file descriptors: 0 = stdin, 1 = stdout, 2 = stderr

attack.c:
  fd 0: tty    fd 1: tty         fd 2: tty
  close(1); close(2);
  fd 0: tty    fd 1: <closed>    fd 2: <closed>
  execl("at", ...)

at.c (inherits the descriptor table left by attack.c):
  fd 0: tty    fd 1: <closed>    fd 2: <closed>
  open(LOCK, O_WRONLY)     ->  fd 0: tty    fd 1: LOCK    fd 2: <closed>
  fdopen(atfile, O_CREAT)  ->  fd 0: tty    fd 1: LOCK    fd 2: atfile
  perror(user_str)             (writes to fd 2, which is now atfile)

Program: at (at-3.1.8-33)
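The usual defence against this class of bug is for a setuid program to verify, before it opens anything, that descriptors 0, 1 and 2 are open, and to point any closed one at /dev/null. The example below is added here and is not code from the slides or from the at program; it assumes a POSIX system with /dev/null available. The function names (fd_is_open, fd_is_devnull, sanitize_std_fds) are this example's own.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if descriptor fd is open, 0 if it is closed (fcntl fails with EBADF). */
int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1;
}

/* Returns 1 if fd currently refers to /dev/null (same device and inode). */
int fd_is_devnull(int fd)
{
    struct stat a, b;
    if (fstat(fd, &a) < 0 || stat("/dev/null", &b) < 0)
        return 0;
    return a.st_dev == b.st_dev && a.st_ino == b.st_ino;
}

/* Make sure descriptors 0, 1 and 2 are open before the program opens any
 * file of its own. open() returns the lowest free descriptor, which is
 * exactly why a closed fd 2 in the slide ends up holding atfile; walking
 * 0..2 in order and opening /dev/null into each hole fills every hole with
 * a harmless target first. Returns the number of descriptors repaired, or
 * -1 if /dev/null could not be opened (a setuid program should treat that
 * as fatal rather than continue). */
int sanitize_std_fds(void)
{
    int repaired = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (fd_is_open(fd))
            continue;
        int nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nfd < 0)
            return -1;
        if (nfd != fd) {   /* cannot happen once 0..fd-1 are open, but be safe */
            if (dup2(nfd, fd) < 0) {
                close(nfd);
                return -1;
            }
            close(nfd);
        }
        repaired++;
    }
    return repaired;
}

int main(void)
{
    int n = sanitize_std_fds();
    if (n < 0) {
        perror("sanitize_std_fds");
        return 1;
    }
    printf("repaired %d standard descriptor(s)\n", n);
    return 0;
}
```

Call sanitize_std_fds() as the very first thing in main(), before any library call that might open a file; once it has run, a later perror() or fprintf(stderr, ...) can only reach a tty, a pipe or /dev/null, never a file the program opened itself.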
2
Model Checking Millions of Lines of C Code
  • Hao Chen
  • Drew Dean, David Wagner
  • Ben Schwarz, Geoff Morrison, Jacob West, Jeremy
    Lin

3
Problem statement
  • Demonstrate the impact of MOPS for improving
    software security
  • MOPS: MOdel checking Programs for Security properties

4
Achievements
  • Showed that MOPS is scalable
    • Checked 700 packages in RedHat Linux 9 (85% of packages, 30 million LOC)
  • Showed that MOPS is usable
    • Most checks were done by students who were neither tool nor package developers
  • Showed that MOPS is useful
    • Found dozens of bugs and counting

5
Outline
  • Overview of MOPS
  • What have we done?
    • Checked 700 packages on RedHat Linux 9
    • Checked EROS kernel
  • How did we do it?
  • Conclusion
  • Demo

6
MOPS (MOdel checking Programs for Security properties)
  • A static analysis tool that checks source programs for temporal safety properties
  • Main features
    • Pushdown model checking
    • Inter-procedural analysis
    • Control-flow centric

7
MOPS: MOdel checking Programs for Security properties
Architecture (diagram): Program -> Parser -> CFG -> Model Checker.
The Security Property, given as an FSA, is the second input to the Model Checker.
Output: either "Program OK" or Error Traces.
8
Property 1: race condition
  Victim                                   Adversary
  absent = stat(tmpfile, &s);
                                           Create tmpfile
  if (absent) fp = fopen(tmpfile, "w");
9
FSA model for race condition
  start --Check(f)--> checked --Use(f)--> error
  Check(f): stat(f), lstat(f), access(f), readlink(f), statfs(f)
  Use(f):   chmod(f), chroot(f), creat(f), execv(f), execve(f), execl(f), ...
10
Race condition bug 1
  exists = lstat(to, &s) == 0;
  if (!exists || (!S_ISLNK(s.st_mode) && s.st_nlink == 1)) {
      ret = rename(from, to);
      if (ret == 0) {
          if (exists)
              chmod(to, s.st_mode & 0777);   /* lstat(to) earlier, chmod(to) here */
      }
  }

Program: ar (binutils-2.13.90.0.18-9)
11
Race condition bug 2
  we_own_log = 1;
  if (stat(_PATH_LOG, &s1) != 0) ...
  ...
  if ((stat(_PATH_LOG, &s2) != 0) ...)
      we_own_log = 0;
  if (we_own_log)
      unlink(_PATH_LOG);   /* stat(_PATH_LOG) earlier, unlink(_PATH_LOG) here */
Program: minilogd (initscripts-7.14-1)
12
Race condition bugs
13
Property 2: drop privilege before making unsafe system calls
  int main() {                            // ruid≠0, euid=0
      do_something_with_privilege();
      drop_privilege();
      execl("/bin/sh", "sh", NULL);
  }

  void drop_privilege() {
      struct passwd *passwd;
      if ((passwd = getpwuid(getuid())) == NULL)
          return;                         // returns without dropping privilege
      fprintf(log, "User %s", passwd->pw_name);
      seteuid(getuid());
  }

FSA: states euid=0 (start), euid≠0, unsafe
  euid=0  --seteuid(≠0)--> euid≠0
  euid≠0  --seteuid(0)-->  euid=0
  euid=0  --execl()-->     unsafe
14
A bug on dropping privilege
  // ruid≠0, euid=suid=0
  seteuid(getuid());
  setuid(getuid());
  execlp(askpass, askpass, msg, (char *) 0);
Program: ssh (openssh-3.5p1-6)
15
Problem: unportable semantics of setuid(getuid())
  Effect of setuid(getuid()) on (real R, effective E, saved S):
                     Linux                       OpenBSD
  R≠0, E=S=0   ->    R=E=S≠0                     R=E=S≠0
  R=E≠0, S=0   ->    R=E≠0, S=0 (unchanged)      R=E=S≠0
16
Vulnerability in ssh
  OpenSSH 2.5.2 on Linux:
    R≠0, E=S=0  --setuid(getuid())-->   R=E=S≠0                                      safe
  OpenSSH 3.5 on Linux:
    R≠0, E=S=0  --seteuid(getuid())-->  R=E≠0, S=0  --setuid(getuid())-->  R=E≠0, S=0   unsafe!
  OpenSSH 3.5 on OpenBSD:
    R≠0, E=S=0  --seteuid(getuid())-->  R=E≠0, S=0  --setuid(getuid())-->  R=E=S≠0      safe
  • Lessons
    • Unportable API causes vulnerability
    • Programmer confusion causes vulnerability
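
The two setuid semantics on slides 15 and 16 can be reproduced deterministically without root by simulating the (R, E, S) triple. The code below is an added example, not part of the slides or of OpenSSH; the functions sim_seteuid, sim_setuid, dropped_permanently, openssh_35_sequence, openssh_252_sequence and drop_root_checked are this example's own names, the starting uid 1000 is a constructed value, and the OpenBSD rule is the 4.4BSD one (setuid sets all three ids whenever the call is permitted). It also goes slightly beyond the slide: drop_root_checked shows the defensive pattern of dropping while euid is still 0 and then verifying that root cannot be regained.

```c
#include <stdio.h>

/* Process credentials as on slides 15 and 16: real, effective and saved uid. */
typedef struct { int r, e, s; } Uids;
typedef enum { OS_LINUX, OS_OPENBSD } Os;

/* seteuid(u): permitted when euid is 0 or u equals the real or saved uid;
 * only the effective uid changes. Same rule on both systems. */
int sim_seteuid(Uids *p, int u)
{
    if (p->e != 0 && u != p->r && u != p->s)
        return -1;
    p->e = u;
    return 0;
}

/* setuid(u), the unportable call of slide 15.
 * Linux:   with euid 0 all three ids become u; otherwise only the
 *          effective uid changes and a saved uid of 0 is kept.
 * OpenBSD: all three ids become u whenever the call is permitted,
 *          i.e. euid is 0 or u equals the real uid. */
int sim_setuid(Uids *p, int u, Os os)
{
    if (os == OS_LINUX) {
        if (p->e == 0) { p->r = p->e = p->s = u; return 0; }
        if (u != p->r && u != p->s) return -1;
        p->e = u;
        return 0;
    }
    if (p->e != 0 && u != p->r)
        return -1;
    p->r = p->e = p->s = u;
    return 0;
}

/* Root is gone for good only when no id is 0: with s == 0 a later
 * seteuid(0) still succeeds (the "unsafe!" column of slide 16). */
int dropped_permanently(const Uids *p)
{
    return p->r != 0 && p->e != 0 && p->s != 0;
}

/* The columns of slide 16, starting from r = 1000 (constructed), e = s = 0. */
int openssh_35_sequence(Os os)      /* seteuid(getuid()); setuid(getuid()); */
{
    Uids p = { 1000, 0, 0 };
    sim_seteuid(&p, p.r);
    sim_setuid(&p, p.r, os);
    return dropped_permanently(&p);
}

int openssh_252_sequence(Os os)     /* setuid(getuid()) alone, while euid is still 0 */
{
    Uids p = { 1000, 0, 0 };
    sim_setuid(&p, p.r, os);
    return dropped_permanently(&p);
}

/* Defensive pattern: drop with setuid(getuid()) and then verify that root
 * cannot be regained. Returns 0 when the drop is permanent and -1 when a
 * seteuid(0) would still succeed, so the caller can abort instead of
 * continuing with a recoverable root. */
int drop_root_checked(int r, int e, int s, Os os)
{
    Uids p = { r, e, s };
    if (sim_setuid(&p, p.r, os) != 0)
        return -1;
    if (sim_seteuid(&p, 0) == 0)   /* root could be regained: the drop failed */
        return -1;
    return 0;
}

int main(void)
{
    printf("OpenSSH 2.5.2 on Linux:  %s\n", openssh_252_sequence(OS_LINUX)  ? "safe" : "unsafe");
    printf("OpenSSH 3.5 on Linux:    %s\n", openssh_35_sequence(OS_LINUX)   ? "safe" : "unsafe");
    printf("OpenSSH 3.5 on OpenBSD:  %s\n", openssh_35_sequence(OS_OPENBSD) ? "safe" : "unsafe");
    return 0;
}
```

The verification step in drop_root_checked is what makes the sequence safe regardless of which semantics the platform implements: on a real system it corresponds to calling seteuid(0) after the drop and treating success as a fatal error.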

17
Experiment on RedHat Linux 9
  • Programs
    • Tried all 839 packages on RedHat Linux 9 (30M LOC)
    • Succeeded on 85% of packages
    • Failed on 15% of packages
      • Mainly due to parsing failures (C++, non-standard C)
  • Performance
    • Machine: 1.5GHz Pentium 4, 1 GB memory
    • Took about 40 hours to check one property on all packages

18
Experience with EROS kernel
  • EROS
    • Extremely Reliable Operating System [SSF95]
    • 60,000 lines of code in the kernel
  • Checked 5 properties (design invariants)
    • Verified 4 properties
    • Discovered 1 bug
  • Provided preliminary evidence that EROS's design-by-invariants approach is effective in reducing bugs

19
Commit() or Yield()
  sys_call() {
      Commit();
      ptr = malloc();
  }
  malloc() {
      while (!buffer_available)
          Yield();
  }

FSA: states Init (start), Committed, Yielded, Error
  Init       --Commit()-->        Committed
  Init       --Yield()-->         Yielded
  Committed  --Yield()-->         Error
  Committed  --Syscall return-->  Init

Lesson: static checking is good at catching surprising interaction among components
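All three properties on these slides (the Check(f)/Use(f) race FSA of slide 9, the drop-privilege-before-exec FSA of slide 13, and the Commit()/Yield() invariant above) are small finite automata run over program paths. The checker below is an added example written for this page, not MOPS code: it is a table-driven FSA that walks an abstracted trace of (call, argument) events, which is the shape of the error traces MOPS reports, and returns the event at which the error state is reached. Everything in it is this example's own naming; the traces are constructed from the slides (the ar bug, the early-return path of drop_privilege(), the sys_call()/malloc() interaction), and open/rename/unlink are added to slide 9's Use list as an assumption.

```c
#include <stdio.h>
#include <string.h>

/* One event of an abstracted program path: a call and one argument, as
 * they would be pattern-matched in the source (constructed for this example). */
typedef struct { const char *call; const char *arg; } Event;

/* Transition: in state `from`, a call named in the '|'-separated list `calls`
 * (with argument equal to `arg` when `arg` is non-NULL) moves to state `to`.
 * An event with no matching transition leaves the state unchanged. */
typedef struct { int from; const char *calls; const char *arg; int to; } Trans;

typedef struct {
    const char *name;
    const Trans *t;
    int nt, start, error;
    int same_arg;   /* 1: the call reaching `error` must name the same argument
                       as the call that left `start` (Check(f) then Use(f)) */
} Property;

static int name_in(const char *list, const char *call)
{
    size_t n = strlen(call);
    for (const char *p = list;;) {
        const char *q = strchr(p, '|');
        size_t len = q ? (size_t)(q - p) : strlen(p);
        if (len == n && memcmp(p, call, n) == 0)
            return 1;
        if (!q)
            return 0;
        p = q + 1;
    }
}

/* Runs the property's FSA over a trace. Returns the index of the event that
 * reaches the error state, or -1 if the trace satisfies the property. */
int check_trace(const Property *prop, const Event *ev, int nev)
{
    int state = prop->start;
    const char *tracked = NULL;     /* the f of Check(f), for same_arg properties */
    for (int i = 0; i < nev; i++) {
        for (int k = 0; k < prop->nt; k++) {
            const Trans *tr = &prop->t[k];
            if (tr->from != state || !name_in(tr->calls, ev[i].call))
                continue;
            if (tr->arg && strcmp(tr->arg, ev[i].arg) != 0)
                continue;
            /* Use(g) after Check(f) with g != f is not a violation */
            if (prop->same_arg && tr->to == prop->error &&
                (tracked == NULL || strcmp(tracked, ev[i].arg) != 0))
                continue;
            if (prop->same_arg && state == prop->start)
                tracked = ev[i].arg;
            state = tr->to;
            break;
        }
        if (state == prop->error)
            return i;
    }
    return -1;
}

/* Property 1 (slide 9): Check(f) followed by Use(f). */
enum { P1_INIT, P1_CHECKED, P1_ERR };
static const Trans race_t[] = {
    { P1_INIT,    "stat|lstat|access|readlink|statfs",                        NULL, P1_CHECKED },
    { P1_CHECKED, "chmod|chroot|creat|execv|execve|execl|open|rename|unlink", NULL, P1_ERR },
};
const Property race_prop = { "race condition", race_t, 2, P1_INIT, P1_ERR, 1 };

/* Property 2 (slide 13): no exec while euid == 0; uid arguments are abstracted to "0"/"nonzero". */
enum { P2_EUID0, P2_EUIDN, P2_ERR };
static const Trans priv_t[] = {
    { P2_EUID0, "seteuid|setuid", "nonzero", P2_EUIDN },
    { P2_EUIDN, "seteuid|setuid", "0",       P2_EUID0 },
    { P2_EUID0, "execl|execlp|execv|execve|system", NULL, P2_ERR },
};
const Property priv_prop = { "drop privilege before exec", priv_t, 3, P2_EUID0, P2_ERR, 0 };

/* Property 3 (slide 19): after Commit(), no Yield() until the system call returns. */
enum { P3_INIT, P3_COMMITTED, P3_YIELDED, P3_ERR };
static const Trans eros_t[] = {
    { P3_INIT,      "Commit", NULL, P3_COMMITTED },
    { P3_INIT,      "Yield",  NULL, P3_YIELDED },
    { P3_COMMITTED, "Yield",  NULL, P3_ERR },
    { P3_COMMITTED, "return", NULL, P3_INIT },
    { P3_YIELDED,   "return", NULL, P3_INIT },
};
const Property eros_prop = { "Commit() or Yield()", eros_t, 5, P3_INIT, P3_ERR, 0 };

/* Constructed traces taken from the slides. */
const Event ar_trace[]     = { {"lstat", "to"}, {"rename", "to"}, {"chmod", "to"} };
const Event race_ok[]      = { {"lstat", "to"}, {"open", "other"} };
const Event priv_skipped[] = { {"getpwuid", "uid"}, {"execl", "/bin/sh"} };
const Event priv_dropped[] = { {"getpwuid", "uid"}, {"seteuid", "nonzero"}, {"execl", "/bin/sh"} };
const Event eros_trace[]   = { {"Commit", ""}, {"Yield", ""} };
const Event eros_ok[]      = { {"Yield", ""}, {"return", ""}, {"Commit", ""}, {"return", ""} };

int main(void)
{
    printf("ar:   violation at event %d\n", check_trace(&race_prop, ar_trace, 3));
    printf("priv: violation at event %d\n", check_trace(&priv_prop, priv_skipped, 2));
    printf("eros: violation at event %d\n", check_trace(&eros_prop, eros_trace, 2));
    return 0;
}
```

The checker deliberately ignores events with no matching transition, which is what lets a property stated as a small FSA be applied to millions of lines: only the handful of calls named in the tables matter, and the rest of the program collapses to no-ops, the same observation behind the compact CFGs described on the next slide.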
20
Research challenge
  • How to scale MOPS to large programs?
    • Solution: compact CFGs
    • Impact: reduces CFG sizes, often by more than 100 times
  • How to consolidate similar error traces?
    • Goal: report one error trace for each bug
    • Intuition
      • Divide all error traces into categories
      • One category represents one unique bug
      • Report the shortest path from each category

21
Engineering challenge: integrating MOPS into software build processes
  • 1st attempt: manually edit Makefiles
    • Too complicated; does not survive autoconf
  • 2nd attempt: setenv GCC_EXEC_PREFIX to run MOPS instead of gcc
    • Build processes generate and run code
  • 3rd attempt: build CFG and machine code
    • Dangling CFGs: links to object files broken
  • 4th attempt: put CFGs into ELF files
    • Solves all identified problems!

22
Lessons: how to have impact
  • Make the tool useful and usable
    • Can check large programs efficiently
    • Can be used easily by ordinary programmers
  • Check lots of code
    • More code to check, more bugs to find
  • Explore the full potential of your tool