Computer Security: Format String Vulnerabilities, Race Conditions, and Static Analysis

Last updated 3:33 AM on 3/19/26
43 Terms

1

format string vulnerabilities

The problem stems from the use of unchecked user input as the format string parameter in certain C functions that perform formatting, such as printf()

2

How to exploit format string vulnerabilities?

Exploit the possibility of a memory information leak: using %08x, as in the previous examples, prints more and more data from the stack until the entire stack is exhausted (memory information leak).

3

race condition

A software bug that occurs when the behavior of a program depends on the timing or sequence of events that are not under the control of the program.

4

How to judge whether a given event is a race condition or not

Concurrency Property - At least two control flows execute concurrently

Shared Object Property - The concurrent flows must access a common shared object (race object)

Change State Property - At least one control flow must alter the state of the race object

5

Concurrency Property

At least two control flows execute concurrently

6

Shared Object Property

The concurrent flows must access a common shared object (race object)

7

Change State Property

At least one control flow must alter the state of the race object

8

Security issues of race conditions

Denial of Service, TOCTOU

9

How to mitigate race conditions

Ensure race windows do not overlap by making them mutually exclusive (locks); use synchronization and atomic operations; avoid concurrency; use immutable objects (i.e. no shared objects).

10

TOCTOU

When a program checks the state of a resource at one point in time, and then uses that resource based on that state at a later point in time, without checking the state of the resource again.

11

TOCTOU

Time of check to Time of Use

12

What is static analysis

Done through manual review, or through automated tools, while the code is not running. McGraw Touchpoint 1: Code Review

13

What are the pros and cons of static analysis?

Pro: Support a wide variety of static checks that may not be covered by the compiler itself

Con: "Partial verification"

14

tools for static analysis

CPPCheck, UNO (Spinroot)

15

specification

a set of documented requirements/conditions to be satisfied by a material, design, product, service, or program

16

hoare logic

A formal system with a set of logical rules for reasoning rigorously about the correctness of computer programs

17

What is hoare triple?

A triple describes how the execution of a piece of code changes the state of the computation

18

assertion

a statement that a predicate (Boolean-valued function, i.e. a true-false expression) is expected to always be true at that point in the code

19

post condition

The post-condition of f() is an assertion that holds when f() returns

20

pre-condition

The pre-condition of f() is an assertion that must hold at the input to f() (on entry)

21

Partial Correctness

The program does not always terminate, but whenever it does terminate, its result is correct.

22

Total Correctness

The program always terminates and its result is correct.

23

symbolic execution

analyzing a program to determine what inputs cause each part of a program to execute

24

What is the difference between symbolic execution and normal execution?

Normal execution uses a concrete input value; symbolic execution uses a symbolic value that could take any value.

25

What is the difference between symbolic execution and dynamic analysis

Dynamic analysis tests concrete inputs that usually execute one branch; it proceeds input by input and simulates only one test run.

Symbolic execution tests symbolic inputs and executes all branches/paths, proceeding path by path; when we execute one path, we actually simulate many test runs, since we are considering all the inputs that can exercise the same path.

26

The tools for symbolic execution

KLEE

27

Empty statement axiom

{p} skip {p} - whatever holds true before skip also holds true afterwards

28

Assignment axiom

After the assignment, any predicate that was previously true for the right-hand side of the assignment now holds for the variable.

29

How to prove correctness of a program

Verify that, no matter how the function is called, if the precondition is met at the function's entrance, then the postcondition is guaranteed to hold upon the function's return.

30

UNO (SPIN) Stands for:

Uninitialized data, Nil-pointer dereferencing, Out-of-bound array indexing

31

CPPCheck

Automatic variable checking

Bounds checking for array overruns

Classes checking (e.g. unused functions, variable initialization and memory duplication)

Usage of deprecated / superseded functions

Exception safety checking, for example usage of memory allocation and destructor checks

Memory leaks, resource leaks, etc.

32

Mitigation for TOCTOU?

Check again upon use; the program should also use appropriate permissions and access controls to limit access to sensitive resources.

33

Race window

A code segment that accesses the race object in a way that opens a window of opportunity for a race condition.

34

Synchronization primitives

Used to ensure that a specific part of the program can't be executed by more than one thread at the same time.

35

Format Strings are used for

Converting simple C data types to a string representation

36

%d

decimal

37

%u

unsigned decimal

38

%x

hexadecimal (unsigned int)

39

%s

string (const (unsigned) char *)

40

%n

number of bytes written so far

41

"%s%s%s%s%s" for a format string

For each %s, printf() will fetch a number from the stack, treat this number as an address, and print out the memory contents pointed to by this address as a string; it may also crash if the memory address does not exist.

42

Writing to an arbitrary memory location

Read arbitrary memory location:

user_input = "\x08\x48\x01\x10%08x%08x%08x%08x%s"

What if the user_input is changed to:

user_input = "\x08\x48\x01\x10%08x%08x%08x%08x%n"

This allows writing arbitrary data to memory location 0x10014808.
