Model Checking One Million Lines of C Code*
Hao Chen (UC Berkeley), Drew Dean (SRI International), David Wagner (UC Berkeley)
An option in the Apache web server httpd lets the server execute CGI programs as the program owner (e.g. using the owner's user ID and group ID). Since
We are unaware of any way to exploit this bug. Though it is possible for an attacker to corrupt the task file, the attacker has little control over the
• mops ld: a linker that takes a set of CFG files and merges them into a single CFG file, resolving cross references of external functions and variables.
in the future. Take OpenSSH, for example. In version 2.5.2p2, ssh drops all privileges permanently by calling setuid(getuid()). In the newer version 3.5
ties in C/C++ programs. It uses a global context-sensitive, control-flow-insensitive analysis in the first phase and an inter-procedural, context-sensitive
We have found previously unknown weaknesses in five out of the eight programs that we checked. Our experience has demonstrated that model checking securi
MOPS is unsuitable for checking concurrent programs.
• The program is memory safe, e.g., no buffer overruns.
• The program is portable. For instance,
calls are safe. So we check the following property, which is a good approximation of the desired behavior (see Figure 2):
Property 1 A process should d
[Figure: FSA whose states are labelled by whether the process's real, effective and saved user IDs are zero: ruid=0,euid!=0,suid=0; ruid=0,euid=0,suid=0; ruid!=0,euid!=0,suid!=0; ruid=0,euid!=0,suid!=0; ruid!=0,euid=0,suid=0; ruid=0,euid=0,suid!=0; ruid!=0,euid=0,suid!=0]
[Figure (a): An FSA describing Property 3, with transitions labelled stat(f), open(f), rename(f, *), ... and self-loops labelled "other"]

Code fragment shown beside the figure (truncated in the source):
    stat(logfile, &st); if (st.st_uid != getuid()) re
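As an added illustration of how a MOPS-style property is checked (example code written for this page, not the paper's or the MOPS tool's own code): the FSA for Property 3 above, read here as a rule that a file name checked with stat(f) must not then be used by open(f) or rename(f, *), run over a constructed linear trace of system calls. MOPS itself runs such an FSA over every path of the program's control-flow graph; the CHECK_CALLS and USE_CALLS sets and the trace contents are assumptions.

```python
from dataclasses import dataclass, field

# Assumed classification (not from the paper): calls that only inspect a name
CHECK_CALLS = {"stat", "lstat", "access"}
# ... and calls that act on a name; rename(f, *) uses its first argument
USE_CALLS = {"open", "rename", "chmod", "chown"}

@dataclass
class Property3FSA:
    """Start state, a 'checked' state per file name, and an error transition."""
    checked: dict = field(default_factory=dict)     # file name -> index of its check
    violations: list = field(default_factory=list)  # (check idx, use idx, name)

    def step(self, idx, call, args):
        f = args[0] if args else None
        if call in CHECK_CALLS:
            self.checked[f] = idx                   # start --stat(f)--> checked(f)
        elif call in USE_CALLS and f in self.checked:
            self.violations.append((self.checked[f], idx, f))  # checked(f) --open(f)--> error
        # anything else is an "other" self-loop and leaves the state unchanged

def check_trace(trace):
    """Run the FSA over a linear trace of (call, *args) tuples; return violations."""
    fsa = Property3FSA()
    for idx, (call, *args) in enumerate(trace):
        fsa.step(idx, call, args)
    return fsa.violations

# Constructed trace modelled on the fragment beside the figure: the program
# stat()s the log file, compares its owner to getuid(), then open()s the name.
VULNERABLE_TRACE = [("stat", "logfile"), ("getuid",), ("open", "logfile")]

# Constructed safe trace: open first, then inspect the descriptor with fstat,
# so the check and the use refer to the same object rather than the same name.
SAFE_TRACE = [("open", "logfile"), ("fstat", "fd"), ("getuid",)]

if __name__ == "__main__":
    print(check_trace(VULNERABLE_TRACE))  # [(0, 2, 'logfile')]
    print(check_trace(SAFE_TRACE))        # []
```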
Program            LOC    Description
Apache 2.0.40-21   229K   An HTTP server
At 3.1.8-33        6K     A program to queue jobs for later execution
BIND 9.2.1-16      279K   An implementat
Package   LOC    Programs   Time (m:s)   Error Traces (Real)   Error Traces (Total)
Apache    229K   2          :45          1                     4
At        6K     2          :05          0                     0
BIND      279K   1          :53          0                     1
OpenSSH   59K    3          :23          2                     8
Postfix   94K    3          :17          0
unique programming error. This improvement greatly reduced the number of error traces that we had to examine manually in Figure 7. To evaluate the usab