3. Background and Design Policy (Scalability vs False Negatives)
In designing a vulnerability checker, we face a difficult choice between precision and scalability. In particular, a security system design is forced to emphasize either false negatives or false positives. In today's large-scale computing era, we conclude that the false negative rate should be as close to 0 as possible.
As of January 2013, GitHub had grown to 3 million users and
4.9 million repositories (repositories are histories of code
shared on the site). [9] And by December of this year, the
company hit 10 million repositories.
http://slideplayer.us/slide/703331/
7. Proposed Method: A task decomposition based concurrent parser
● Parallelization approaches
■ Data partitioning
■ Task parallelism
● Algorithm
Divide and conquer using a master/worker scheme
This method uses task parallelism, on the assumptions that 1) the size and structure of the source code cannot be identified in advance, and 2) building the tables needed for data partitioning is costly.
/* requires <pthread.h>; result, master, worker[], targ[] and thread_num are
   declared elsewhere on the slides; master_func and worker_func have the
   pthread start-routine signature void *(*)(void *) */
pthread_mutex_init(&result.mutex, NULL);

/* generating threads */
pthread_create(&master, NULL, master_func, (void *)&targ[0]);
for (i = 1; i < thread_num; ++i)
    pthread_create(&worker[i], NULL, worker_func, (void *)&targ[i]);

/* waiting for threads to be finished (the master thread is not joined in this excerpt) */
for (i = 1; i < thread_num; ++i)
    pthread_join(worker[i], NULL);
8. Classification of Checking Methods
■ Syntax-directed (Syntax Directed Translation)
- This translator consists of a parser (or grammar) with embedded actions that immediately generate output.
Regular expressions, finite automata
ITS4: a static vulnerability scanner for C and C++ code, Computer Security Applications, ACSAC 2002
Chucky: exposing missing checks in source code for vulnerability discovery, CCS 2013
■ Rule-based (Rule Based Translation)
- Rule-based translators use the DSL of a particular rule engine to specify a set of “this goes to that” translation rules.
Transition rules, pushdown automata
Using programmer-written compiler extensions to catch security holes, SSP 2002
Checking system rules using system-specific, programmer-written compiler extensions, OSDI 2000
■ Model-driven (Model Driven Translation)
- From the input model, a translator can emit output directly, build up strings, build up templates (documents with “holes” in them where we can stick values), or build up specialized output objects.
Model checkers and execution systems
MOPS: an infrastructure for examining security properties of software, CCS 2002
Chucky: exposing missing checks in source code for vulnerability discovery, CCS 2013
12. Proposed Method 3
Architecture (block diagram):
■ Main Loop
■ Lexer: NFA (finite automaton), PDA (pushdown automaton)
■ Token Analyzer: detection and handling of identifiers (control statements, memory-operation instructions, etc.)
■ Block Handler: manages the nesting of block statements (loops, branches)
■ Saturator-1: lightweight code checker with document database
https://github.com/RuoAndo/Saturator-1
Iteration for each token
switch (charatyp[ch]) {
case Letter:
    /* identifier or keyword: accumulate letters and digits into tkn.text */
    for ( ; charatyp[ch] == Letter || charatyp[ch] == Digit; ch = nextCh())
        if (p < tkn.text + 16) *p++ = ch;   /* bound reconstructed from the garbled slide ("p < p 16"); tkn.text must also have room for the terminator */
    *p = '\0';
    if (strcmp(tkn.text, "for") == 0)       /* keyword matched; handling continues on the slide */
Document Database: holds the checker's state information (e.g. position in the program); the parser stores records into it and queries it.
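As an added example (not Saturator-1's own code and not from the slides), a small Python scanner that plays the roles of the Token Analyzer and Block Handler above and emits records of the same shape as the slide's document database entries (located / start_line, end_line / functionName / functionLine / filename). The sample C source and the function name are constructed; function detection is a file-scope heuristic, and for loops without braces are not recorded.

```python
import re
# Constructed sample C source (not Xen's libxl.c); exercises each record type.
SAMPLE_C = """\
int grow(char *buf, int n)
{
    char *tmp = realloc(buf, n);
    for (int i = 0; i < n; i++) {
        for (int j = 0; j < i; j++) {
            buf[j] = tmp[j];
        }
    }
}
"""

# One identifier or one punctuation char per token; stands in for the slide's charatyp[]/nextCh() scanner.
TOKEN = re.compile(r"[A-Za-z_][A-Za-z0-9_]*|\S")

def ctx(func, filename):                          # function context attached to every record
    name, line = func if func else (None, None)
    return {"functionName": name, "functionLine": line, "filename": filename}

def scan(source, filename):
    """One record per realloc call ("located") and per braced for block ("start_line"/"end_line")."""
    docs, depth, candidate, func, fors, pending_for, prev = [], 0, None, None, [], False, None
    for lineno, line in enumerate(source.splitlines(), 1):
        for tok in TOKEN.findall(line):
            if tok == "(" and depth == 0 and prev and prev[0].isidentifier():
                candidate = prev                  # "name(" at file scope: head of a definition
            elif tok == "{":
                if depth == 0 and candidate:
                    func = candidate              # entering a function body
                if pending_for:                   # Block Handler: open a for block
                    fors.append((lineno, depth))
                    pending_for = False
                depth += 1
            elif tok == "}":
                depth -= 1
                if fors and fors[-1][1] == depth: # the for block opened at this depth closes here
                    docs.append({"start_line": fors.pop()[0], "end_line": lineno, **ctx(func, filename)})
                if depth == 0:
                    func = None
            elif tok == "for":
                pending_for = True                # its body brace arrives later
            elif tok == "realloc":                # Token Analyzer: memory-operation call
                docs.append({"located": lineno, **ctx(func, filename)})
            prev = (tok, lineno)
    return docs

def counts(docs):                                 # (forloop, realloc) totals as in the evaluation table
    return sum("start_line" in d for d in docs), sum("located" in d for d in docs)
```

Line numbers are kept as integers here; the slide's stored documents hold them as strings.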
13. Evaluation Experiment: CVE-2013-4371
12
{ "_id" : ObjectId("53f9ec4764e21cef244d69fb"), "located" : "402", "functionName" : "libxl_list_cpupool", "functionLine" : "388", "filename" : "libxl.c" }
34
{ "_id" : ObjectId("53f9ec9464e21cef244d6a0e"), "start_line" : "398", "end_line" : "420", "functionName" : "libxl_list_cpupool", "functionLine" : "388", "filename" : "libxl.c" }
realloc
{ "_id" : ObjectId("53d291fe40c2acf65bbbf9f7"), "located" : "145", "functionName" : "xc_vcpu_setaffinity", "functionLine" : "116", "filename" : "xc_domain.c" }
Use-after-free vulnerability in the libxl_list_cpupool function in the libxl toolstack library in Xen 4.2.x and 4.3.x, when
running "under memory pressure," returns the original pointer when the realloc function fails, which allows local users
to cause a denial of service (heap corruption and crash) and possibly execute arbitrary code via unspecified vectors.
http://www.cvedetails.com/cve/CVE-2013-4371/
We compiled our system on Ubuntu 12 LTS with Linux kernel 3.2.0. The proposed system is hosted on an Intel Xeon E5645 with a 2.4 GHz clock.
                                             no parallelization (blue)           proposed method, task parallel (red)
version  forloop  realloc  functions   real        user       sys          real        user      sys
4.0.4    5438     76       1314        3m41.925s   0m9.213s   0m22.837s    0m17.817s   0m2.880s  0m0.328s
4.1.0    5579     80       1373        5m35.133s   0m9.381s   0m25.002s    0m18.597s   0m2.980s  0m0.448s
4.1.2    5547     76       1368        2m2.915s    0m9.301s   0m23.545s    0m18.432s   0m3.012s  0m0.396s
Blue: no parallelization. Red: proposed method (task parallelization). Times are as reported by time(1): real, user, sys.