Testing Static Analysis Tools using Exploitable Buffer Overflows from Open Source Code Zitser, Lippmann

1
Testing Static Analysis Tools using Exploitable Buffer Overflows from Open Source Code
Zitser, Lippmann & Leek
  • Presented by: José Troche

2
Motivation
  • Real attacks in server software
  • Malicious code and DoS
  • Why Static Analysis tools?
  • Dynamic approach is expensive & incomplete
  • Safe languages make runtime checks
  • Perform an unbiased evaluation

3
Tools Evaluated
| Tool | Analysis Strategy | Com |
|---|---|---|
| ARCHER | Bottom-up inter-procedural, flow-sensitive, symbolic triggers | |
| BOON | Inter-procedural, flow-insensitive, only strings | |
| PolySpace | Inter-procedural, flow-sensitive, abstract interpretation | Y |
| SPLINT | Intra-procedural, lightweight analysis | |
| UNO | Inter-procedural, flow-sensitive, model checking | |

4
Test Cases
  • BIND (4)
      • Most popular DNS server
  • WU-FTPD (3)
      • Popular FTP daemon
  • Sendmail (7)
      • Dominant mail transfer agent
  • Total vulnerabilities: 14

5
Initial experience (145K lines)
  • Splint issued parse errors
  • ARCHER quit with a Div/0 error
  • PolySpace ran 4 days and quit

6
New Testing Approach
  • Create lower scale models
  • BAD vs. OK version
  • Retrospective analysis
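
A BAD/OK model pair of the kind this slide describes, as an added example that is not taken from the presentation or from the 14 models in the study. The function names, the 16-byte buffer and the length-prefixed message format are constructed for illustration; the two versions differ only in the one-line patch, and the line a tool is expected to flag (BAD) or stay silent on (OK) is marked.

```c
#include <stdio.h>
#include <string.h>

#define NAMELEN 16  /* constructed buffer size, not from the study's models */

/* BAD version: trusts the length byte taken from the message.
 * Returns the label length, or -1 if the message is truncated. */
int model_bad(const unsigned char *msg, size_t msglen)
{
    char name[NAMELEN];
    size_t n;
    if (msglen < 1) return -1;
    n = msg[0];                        /* length byte from the input */
    if (n > msglen - 1) return -1;     /* source bound is checked ... */
    memcpy(name, msg + 1, n);          /* BAD: ... destination bound is not */
    name[n] = '\0';
    return (int)strlen(name);
}

/* OK version: identical except for the one-line patch. */
int model_ok(const unsigned char *msg, size_t msglen)
{
    char name[NAMELEN];
    size_t n;
    if (msglen < 1) return -1;
    n = msg[0];
    if (n > msglen - 1) return -1;
    if (n >= sizeof name) return -1;   /* patch: label plus NUL must fit */
    memcpy(name, msg + 1, n);          /* OK */
    name[n] = '\0';
    return (int)strlen(name);
}

/* Builds a constructed message (length byte + 'a' * len) and runs one model. */
int run_model(int (*model)(const unsigned char *, size_t), size_t len)
{
    unsigned char msg[256];
    if (len > 255) return -1;
    msg[0] = (unsigned char)len;
    memset(msg + 1, 'a', len);
    return model(msg, len + 1);
}

int main(void)
{
    printf("bad(3)=%d ok(3)=%d ok(20)=%d\n", run_model(model_bad, 3), run_model(model_ok, 3), run_model(model_ok, 20));
    return 0;
}
```

A warning on the marked line of the BAD version counts as a detection; a warning on the marked line of the OK version counts as a false alarm.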

7
Results
| System | P(detection) | P(false) | P(fd) |
|---|---|---|---|
| PolySpace | 0.87 | 0.5 | 0.37 |
| Splint | 0.57 | 0.43 | 0.30 |
| Boon | 0.05 | 0.05 | - |
| Archer | 0.01 | 0 | - |
| Uno | 0 | 0 | - |

8
Discussion
  • Detection Rate 3 of 5 < 5
  • High rate of false alarms (1 in 12 & 46)
  • Results only on marked lines
  • Insensitive to corrections (< 40)
  • None was able to analyze sendmail

9
Conclusion
  • Results are promising
  • Errors were detected
  • Need of improvement because of
      • False positives
      • Poor discrimination