Title: Testing Static Analysis Tools using Exploitable Buffer Overflows from Open Source Code Zitser, Lippmann
1. Testing Static Analysis Tools using Exploitable Buffer Overflows from Open Source Code (Zitser, Lippmann, Leek)
2. Motivation
- Real attacks in server software
  - Malicious code and DoS
- Why static analysis tools?
  - Dynamic approaches are expensive and incomplete
  - Safe languages rely on runtime checks
- Perform an unbiased evaluation
3. Tools Evaluated

| Tool      | Analysis strategy                                             | Commercial |
| --------- | ------------------------------------------------------------- | ---------- |
| ARCHER    | Bottom-up inter-procedural, flow-sensitive, symbolic triggers |            |
| BOON      | Inter-procedural, flow-insensitive, only strings              |            |
| PolySpace | Inter-procedural, flow-sensitive, abstract interpretation     | Y          |
| SPLINT    | Intra-procedural, lightweight analysis                        |            |
| UNO       | Inter-procedural, flow-sensitive, model checking              |            |
4. Test Cases
- BIND (4)
  - Most popular DNS server
- WU-FTPD (3)
  - Popular FTP daemon
- Sendmail (7)
  - Dominant mail transfer agent
- Total vulnerabilities: 14
5. Initial Experience (145K lines)
- Splint issued parse errors
- ARCHER quit with a divide-by-zero error
- PolySpace ran for 4 days and quit
6. New Testing Approach
- Create lower-scale models
- BAD vs. OK version
- Retrospective analysis
7. Results

| System    | P(detection) | P(false) | P(fd) |
| --------- | ------------ | -------- | ----- |
| PolySpace | 0.87         | 0.5      | 0.37  |
| Splint    | 0.57         | 0.43     | 0.30  |
| Boon      | 0.05         | 0.05     | -     |
| Archer    | 0.01         | 0        | -     |
| Uno       | 0            | 0        | -     |
8. Discussion
- Detection rate: 3 of 5 tools < 5%
- High rate of false alarms (1 in 12 46)
- Results only on marked lines
- Insensitive to corrections (< 40%)
- None was able to analyze Sendmail
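The scoring behind the Results table and the "insensitive to corrections" point, as an added illustration (not code from the study): each test case is a BAD model containing the overflow and an OK model with the fix, a tool is scored only on the marked line in each version, and a pair counts toward discrimination only when the tool warns on BAD and stays silent on OK. The pair names and verdicts below are constructed, not the paper's data.

```python
"""Scoring harness for BAD/OK static-analysis test pairs (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PairVerdict:
    """Tool output for one test case, recorded only on the marked line."""
    name: str
    warned_on_bad: bool   # tool flagged the marked line in the BAD model
    warned_on_ok: bool    # tool flagged the same line in the OK (fixed) model


def score(verdicts):
    """Return (P_detection, P_false, P_discrimination) for one tool.

    P_detection:      fraction of BAD models on which the tool warned
    P_false:          fraction of OK models on which the tool warned
    P_discrimination: fraction of pairs where it warned on BAD but not on OK,
                      i.e. where the tool actually noticed the correction
    """
    n = len(verdicts)
    if n == 0:
        raise ValueError("no test pairs")
    detected = sum(v.warned_on_bad for v in verdicts)
    false_alarms = sum(v.warned_on_ok for v in verdicts)
    discriminated = sum(v.warned_on_bad and not v.warned_on_ok for v in verdicts)
    return (detected / n, false_alarms / n, discriminated / n)


def always_warn(verdicts):
    """Verdicts of a hypothetical tool that flags every marked line."""
    return [PairVerdict(v.name, True, True) for v in verdicts]


# Constructed verdicts for an imaginary tool (names only echo the programs
# in the study; the values are made up for illustration).
SAMPLE = [
    PairVerdict("bind-1", True, True),       # detected, but also warns on fix
    PairVerdict("bind-2", True, False),      # detected and discriminated
    PairVerdict("wuftpd-1", False, False),   # missed
    PairVerdict("sendmail-1", True, False),  # detected and discriminated
]

if __name__ == "__main__":
    print("sample tool :", score(SAMPLE))          # (0.75, 0.25, 0.5)
    print("warn-always :", score(always_warn(SAMPLE)))  # (1.0, 1.0, 0.0)
```

The warn-always tool reaches perfect detection with zero discrimination, which is why detection rate alone overstates a tool's value.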
9. Conclusion
- Results are promising
- Errors were detected
- Improvement is needed because of:
  - False positives
  - Poor discrimination