Towards Practical Reactive Security Audit Using Extended Static Checkers

This paper describes our experience of performing reactive security audit of known security vulnerabilities in core operating system and browser COM components, using an extended static checker HAVOCLITE. We describe the extensions made to the tool to be applicable on such large C++ components, along with our experience of using an extended static checker in the large. We argue that the use of such checkers as a configurable static analysis in the hands of security auditors can be an effective tool for finding variations of known vulnerabilities. The effort has led to finding and fixing around 70 previously unknown security vulnerabilities in over 10 millions lines operating system and browser code.

[1]  Hong Chen,et al.  Residue objects: a challenge to web browser security , 2010, EuroSys '10.

[2]  K. Rustan M. Leino,et al.  BoogiePL: A typed procedural language for checking object-oriented programs , 2005 .

[3]  K. Rustan M. Leino,et al.  The Spec# Programming System: An Overview , 2004, CASSIS.

[4]  K. Rustan M. Leino,et al.  Weakest-precondition of unstructured programs , 2005, PASTE '05.

[5]  Wolfram Schulte,et al.  VCC: Contract-based modular verification of concurrent C , 2009, 2009 31st International Conference on Software Engineering - Companion Volume.

[6]  Alexander Aiken,et al.  Verifying the Safety of User Pointer Dereferences , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[7]  Isil Dillig,et al.  An overview of the saturn project , 2007, PASTE '07.

[8]  Brian Chess,et al.  Improving computer security using extended static checking , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[9]  Greg Nelson,et al.  Extended static checking for Java , 2002, PLDI '02.

[10]  Koushik Sen,et al.  DART: directed automated random testing , 2005, PLDI '05.

[11]  David Brumley,et al.  AEG: Automatic Exploit Generation , 2011, NDSS.

[12]  K. Rustan M. Leino,et al.  Houdini, an Annotation Assistant for ESC/Java , 2001, FME.

[13]  Shuvendu K. Lahiri,et al.  Towards Scalable Modular Checking of User-Defined Properties , 2010, VSTTE.

[14]  Shuvendu K. Lahiri,et al.  Static and Precise Detection of Concurrency Errors in Systems Code Using SMT Solvers , 2009, CAV.

[15]  Dawson R. Engler,et al.  EXE: automatically generating inputs of death , 2006, CCS '06.

[16]  Shuvendu K. Lahiri,et al.  Unifying type checking and property checking for low-level code , 2009, POPL '09.

[17]  Zhe Yang,et al.  Modular checking for buffer overflows in the large , 2006, ICSE.

[18]  David Brumley,et al.  Unleashing Mayhem on Binary Code , 2012, 2012 IEEE Symposium on Security and Privacy.

[19]  Todd Millstein,et al.  Automatic predicate abstraction of C programs , 2001, PLDI '01.

[20]  David A. Wagner,et al.  Model Checking One Million Lines of C Code , 2004, NDSS.

[21]  Patrice Godefroid,et al.  SAGE: Whitebox Fuzzing for Security Testing , 2012, ACM Queue.