Model Checking One Million Lines of C Code - PowerPoint PPT Presentation

About This Presentation
Title:

Model Checking One Million Lines of C Code

Provided by: khanhn

Transcript and Presenter's Notes



1
Model Checking One Million Lines of C Code
  • Written By
  • Hao Chen, Drew Dean, and David Wagner
  • Presented by Khanh Nguyen

2
MOPS (MOdel checking Programs for Security properties)
  • A static analysis tool that checks source
    programs for temporal safety properties, e.g. a
    setuid-root program must drop privilege before
    making risky system calls.

3
The MOPS process
Diagram (labels recovered from the slide): the Safety
Property is expressed as an FSA; the C Program goes
through the Parser to produce a CFG; the Model Checker
takes the FSA and the CFG and reports either that the
Program satisfies the safety property or Error Traces.
FSA: finite state automaton. CFG: control flow graph.
Treat the model checker as a black box for this
talk.
4
Limitations
  • MOPS is only sound when programs are
    • Single threaded
    • Memory safe (no buffer overflows)
    • Portable (no inline assembly code)
    • Free from aliasing on properties
  • Current implementation does not support
    • Function pointers
    • Signal handlers
    • Long jumps
    • Run-time libraries (dlopen)

5
Programs
6
Experiments
  • Security Properties
    • Drop Privileges Properly
    • Create Chroot Jails Securely
    • Avoid Race conditions when accessing the file
      system
    • Avoid Attacks on Standard File Descriptor
    • Create Temporary Files Securely

7
Drop Privileges Properly
  • Property: a process should drop privilege from
    all its user IDs before calling execl, popen,
    system, or any of their relatives.

FSA (recovered from the slide): states priv, unpriv
and error; setuid(getuid()) takes priv to unpriv;
execl() in the priv state leads to error.
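The MOPS process on slide 3 and the drop-privileges FSA on this slide, as an added example that is not MOPS's own code: a safety property given as an FSA over security-relevant calls is checked against a program's CFG by exploring the product of CFG nodes and FSA states; the CFG, the node names and the shape of the tables are constructed for illustration.

```python
from collections import deque

# FSA for "drop privileges properly" as drawn on the slide: execl() in the
# privileged state reaches the error state, setuid(getuid()) moves to the
# unprivileged state. Any call not listed leaves the state unchanged, which
# is how operations irrelevant to the property are treated.
DROP_PRIV_FSA = {
    "start": "priv",
    "error": "error",
    "transitions": {
        ("priv", "setuid(getuid())"): "unpriv",
        ("priv", "execl()"): "error",
    },
}

# Constructed CFG of a small setuid-root program: node -> (operation label
# or None, successor nodes). Only the "drop" branch drops privilege.
CFG = {
    "entry": (None, ["if"]),
    "if": (None, ["drop", "skip"]),
    "drop": ("setuid(getuid())", ["exec"]),
    "skip": (None, ["exec"]),
    "exec": ("execl()", ["exit"]),
    "exit": (None, []),
}

def check(cfg, entry, fsa):
    """Breadth-first search over (CFG node, FSA state) pairs. Returns the
    shortest error trace as a list of nodes, or None if every path through
    the CFG satisfies the property."""
    start = (entry, fsa["start"])
    parent = {start: None}          # product state -> predecessor
    queue = deque([start])
    while queue:
        node, before = queue.popleft()
        label, succs = cfg[node]
        after = fsa["transitions"].get((before, label), before)
        if after == fsa["error"]:
            trace, cur = [], (node, before)
            while cur is not None:
                trace.append(cur[0])
                cur = parent[cur]
            return trace[::-1]
        for succ in succs:
            if (succ, after) not in parent:
                parent[(succ, after)] = (node, before)
                queue.append((succ, after))
    return None

if __name__ == "__main__":
    print(check(CFG, "entry", DROP_PRIV_FSA))   # ['entry', 'if', 'skip', 'exec']
```

The reported trace is the path on which execl() runs while still privileged; a CFG whose "skip" branch also calls setuid(getuid()) yields None.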
8
Create Chroot Jails Securely
Property: after calling chroot, a process should
immediately call chdir("/") to change its working
directory to the root of the sub-filesystem.

FSA (recovered from the slide): chroot moves the
process into a state in which chdir("/") is the only
acceptable next operation; any other call from that
state leads to Error. The path label ../../etc/passwd
illustrates the escape from the jail that the property
prevents.
9
Avoid Race conditions when accessing the file system
  • Property: a program should not pass the same file
    name to two system calls on any path
  • This prevents race conditions that can occur if
    an attacker changes a file between the stat and
    open calls

10
Avoid Attacks on Standard File Descriptor
  • Property: do not open a file in write mode onto
    stdout or stderr, no matter which file
    descriptors are open when the process starts

11
Create Temporary Files Securely
  • Property: a program should (1) never call mktemp,
    tmpnam, tempnam, or tmpfile, (2) never reuse the
    parameter x in mkstemp(x), and (3) call
    umask(077) before mkstemp

12
Results
13
Conclusion
  • Can check many properties
  • Can check diverse, widely-deployed programs
  • Can be used easily by non-tool developers
  • Can generate comprehensible error reports
  • MOPS is not complete but strives to eliminate as
    many error traces as possible

14
Questions?