Automatic discovery of API-level exploits

We argue that finding vulnerabilities in software components is different from finding exploits against them. Exploits that compromise security often use several low-level details of the component, such as layouts of stack frames. Existing software analysis tools, while effective at identifying vulnerabilities, fail to model low-level details, and are hence unsuitable for exploit-finding. We study the issues involved in exploit-finding by considering application programming interface (API) level exploits. A software component is vulnerable to an API-level exploit if its security can be compromised by invoking a sequence of API operations allowed by the component. We present a framework to model low-level details of APIs, and develop an automatic technique based on bounded, infinite-state model checking to discover API-level exploits. We present two instantiations of this framework. We show that format-string exploits can be modeled as API-level exploits, and demonstrate our technique by finding exploits against vulnerabilities in widely-used software. We also use the framework to model a cryptographic-key management API (the IBM CCA) and demonstrate a tool that identifies a previously known exploit.
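To make the abstract's definition concrete, the following is an added example (not code from the paper or from the IBM CCA model it describes) of the bounded exhaustive search idea: a toy key-management API is modelled as a state machine, the caller's knowledge is tracked as the set of API outputs seen so far (a Dolev-Yao style assumption), and a breadth-first search enumerates every sequence of allowed API calls up to a bound, looking for one that violates the component's security property. The API, its operations and the property are all constructed for this example; the paper itself uses symbolic bounded model checking over infinite-state models rather than the explicit-state enumeration shown here. The example also shows the defender's side of the technique: the same search over the hardened API (key types made immutable) reports no exploit within the bound.

```python
"""Bounded search for API-level exploits over a constructed toy key-management API.

The component manages keys by handle. Each handle has a type:
  KEK  - may only wrap (export) other keys
  DATA - may only encrypt/decrypt caller-supplied data
Security property: the plaintext of a managed key must never be returned to the caller.
"""
from collections import deque
from dataclasses import dataclass
from itertools import product

KEK, DATA = "KEK", "DATA"


@dataclass(frozen=True)
class State:
    types: tuple       # ((handle, type), ...), sorted by handle
    known: frozenset   # terms the caller has obtained from API outputs


def initial_state():
    # Constructed initial configuration: one key-encrypting key and one data key.
    return State(types=(("kek1", KEK), ("secret", DATA)), known=frozenset())


def successors(state, allow_retype):
    """Yield (api_call, next_state) for every API call the caller may issue now."""
    ty = dict(state.types)
    handles = list(ty)
    # export(h, k): wrap key h under KEK k; the wrapped blob is returned to the caller.
    for h, k in product(handles, repeat=2):
        if ty[k] == KEK:
            yield (("export", h, k), State(state.types, state.known | {("wrap", h, k)}))
    # decrypt(k, blob): a DATA key decrypts any caller-supplied blob; if the blob was
    # produced by export under the same handle, the plaintext of the wrapped key leaks.
    for term in state.known:
        if term[0] == "wrap":
            _, h, k = term
            if ty[k] == DATA:
                yield (("decrypt", k, term), State(state.types, state.known | {("key", h)}))
    # retype(h, t): the weak API lets a caller change a key's type after the fact.
    if allow_retype:
        for h in handles:
            for t in (KEK, DATA):
                if ty[h] != t:
                    new_types = tuple(sorted((x, t if x == h else xt) for x, xt in state.types))
                    yield (("retype", h, t), State(new_types, state.known))


def violates(state):
    """Property violation: some managed key's plaintext is in the caller's knowledge."""
    return any(term[0] == "key" for term in state.known)


def find_exploit(bound, allow_retype):
    """Breadth-first bounded search over API call sequences.

    Returns the shortest call sequence (list of tuples) that reaches a violating
    state, or None if no such sequence of length <= bound exists.
    """
    start = initial_state()
    frontier = deque([(start, ())])
    seen = {start}
    while frontier:
        state, trace = frontier.popleft()
        if violates(state):
            return list(trace)
        if len(trace) == bound:
            continue
        for call, nxt in successors(state, allow_retype):
            if nxt not in seen:
                seen.add(nxt)
                frontier.append((nxt, trace + (call,)))
    return None


if __name__ == "__main__":
    for variant, retype in (("weak API (retype allowed)", True), ("hardened API", False)):
        trace = find_exploit(bound=5, allow_retype=retype)
        print(f"{variant}: {trace if trace else 'no exploit within bound'}")
```

Each step of the search is a legitimate API call, which is exactly what makes the result an API-level exploit rather than a memory-corruption one: the counterexample trace is the sequence of operations a policy engineer would then block, and rerunning the search after the fix is the regression check.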
