search

Code one C Instrukcja Użytkownika Strona 2

  • Pobierz
  • Dodaj do moich podręczników
  • Drukuj
  • Strona
    / 15
  • Spis treści
  • BOOKMARKI
    • Oceniono. / 5. Na podstawie oceny klientów
Przeglądanie stron 1
We have found previously unknown weaknesses in five
out of the eight programs that we checked. Our experience
has demonstrated that model checking security properties
in large, real programs is practical and useful. Though our
experiments focus on MOPS, MOPS is just one example
of a whole class of model checking tools, and the lessons
we learned are likely to be generally applicable to other
model checking systems, as well.
2. Overview of MOPS
MOPS is a static (compile-time) analysis tool [6].
Given a program and a security property, MOPS checks
whether the program can violate the security property.
The security properties that MOPS checks are tempo-
ral safety properties, i.e., properties requiring that pro-
grams perform certain security-relevant operations in cer-
tain orders. For example, MOPS might be used to check
the following property: a setuid-root program had bet-
ter drop root privilege before executing an untrusted pro-
gram; otherwise, the untrusted program may execute with
root privilege and therefore compromise the system (see
Section 3.1.1. for details on this property). The MOPS
user describes a security property by a Finite State Au-
tomaton (FSA). Figure 1(a) shows a simplified FSA de-
scribing the above property
1
and Figure 1(b) shows a pro-
gram that violates this property.
MOPS checks if a program may violate a temporal
safety property using pushdown model checking. Model
checking technique exhaustively searches the control flow
graph of a program to check if any path may violate
a safety property. Pushdown model checking enables
searching inter-procedural paths in a context-sensitive
manner. If MOPS finds violations, it reports error traces,
program paths that cause such violations. In general,
model checking tends to be best at checking properties
that refer primarily to the control flow of the program; in
contrast, model checking is usually less well suited for
checking data-flow intensive properties.
2.1. Soundness
MOPS strives for soundness, precision, and scalabil-
ity. A sound tool will not overlook any violations of the
security property in the program
2
. A precise tool will
have very few false alarms. However, it is challenging
to achieve all three criteria at once. Since MOPS is de-
signed to be a practical tool for checking lots of security
1
The FSA depicted here considers only one call,
setuid(getuid()), for dropping root privilege and only one
call, execl(...), for executing an untrusted program. Other calls are
omitted for clarity.
2
A tool that proves whether a program satisfies a property is sound
if all the programs that it can prove to satisfy the property do in deed
satisfy the property.
priv error
setuid(getuid())
unpriv
execl()
(a) An FSA describing this property.
// The program has root privilege
if ((passwd = getpwuid(getuid())) != NULL)
{
fprintf(log, “drop priv for %s”, passwd->pw
name);
setuid(getuid()); // drop privilege
}
execl(“/bin/sh”, “/bin/sh”, NULL); // risky syscall
(b) A setuid-root program that violates this property. One path of
the program satisfies the property, but the other path violates it,
giving the user a shell with full privilege.
Figure 1. An FSA describing the property
that “A setuid-root program should drop root priv-
ilege before executing an untrusted program and
a program violating it.
properties on large programs, it tries to strike a balance
between soundness, precision, and scalability. To strive
for soundness, MOPS is path sensitive, i.e., it follows ev-
ery path in the program (including arbitrary number of
iterations of loops) except a few minor cases discussed
below. MOPS is also context sensitive, i.e., MOPS can
match each function return with its call site. To ensure
scalability, MOPS takes the approach of sacrificing on the
precision of its data-flow analysis rather than sacrificing
on scalability. Since data-flow analysis presents many dif-
ficulties for scalability, MOPS chooses to be data-flow in-
sensitive. In other words, MOPS ignores most data values
in the program and assumes that each variable may take
any value
3
. Therefore, MOPS assumes that both branches
of a conditional statement may be taken and that a loop
may execute anywhere from zero to infinite iterations.
As such, MOPS is mostly suitable for properties that are
control-flow centric.
MOPS is sound under the following assumptions:
The program is single-threaded. In other words,
3
MOPS implements limited data flow analysis so that it recognizes
the same variable x in different expressions such as x=open() and
close(x).
Przeglądanie stron 1
1 2 3 4 5 6 7 ... 14 15

Komentarze do niniejszej Instrukcji

Brak uwag
Powiązane produkty i podręczniki dla Wykrywacze dymu Code one C
Wykrywacze dymu Code one C Instrukcja Użytkownika   (4 strony)
  • Purmo Data Connect Innovative technology Seymour Duncan Wilson Benesch
  • Renault Odbiorniki samochodowe Optiquest Części komputerowe Intenso Odtwarzacze MP3 / MP4 ICC Światłowody Asus Czytniki kontroli dostępu
  • Samsung SM-T210 Nikon D1H Sony MHC-V77DW Panasonic AG-HSC1U Braun MR4050 CA
  • Alcatel ONE TOUCH 6012X Instrukcja Użytkownika Cannon Fitzroy Instrukcja Użytkownika Delta UNISAW 36-L352 Instrukcja Użytkownika Hp Insight Control Instrukcja Użytkownika Sony SS-MFS500H Instrukcja Użytkownika