The Bugs and the Bees: Research in Programming Languages and Security
David Evans, University of Virginia, Department of Computer Science
evans@cs.virginia.edu, http://www.cs.virginia.edu/~evans
(PowerPoint slide deck, transcribed text)

  • The Bugs and the Bees
    Research in Programming Languages and Security
    David Evans
    evans@cs.virginia.edu
    http://www.cs.virginia.edu/~evans
    University of Virginia, Department of Computer Science

    David Evans - CS696

  • Computer Science
    "How to" knowledge:
      Ways of describing imperative processes (computations)
      Ways of reasoning about (predicting) what imperative processes will do
    Most interesting CS problems concern:
      Better ways of describing computations
      Ways of reasoning about what they do (and don't do)


  • My Research Projects
    The Bugs: Splint
      How can we detect code that describes unintended computations?
    The Bees: Programming the Swarm
      How can we program massively distributed collections of simple devices and reason about their behavior in hostile environments?


  • A Gross Oversimplification
    [Chart: horizontal axis "Effort Required", from Low to Unfathomable; vertical axis "Bugs Detected", from none to all; the two labelled points are Compilers and Formal Verifiers.]



  • (Almost) Everyone Likes Types
    Easy to understand
    Easy to use
    Quickly detect many programming errors
    Useful documentation
    ...even though they are lots of work!
      1/4 of the text of a typical C program is for types


  • Limitations of Standard Types

    Standard types                      Attributes
    Type of reference never changes     State changes along program paths
    Language defines checking rules     System or programmer defines checking rules
    One type per reference              Many attributes per reference



  • Approach
    Programmers add annotations (formal specifications)
      Simple and precise
      Describe the programmer's intent: types, memory management, data hiding, aliasing, modification, null-ity, buffer sizes, security, etc.
    Splint detects inconsistencies between annotations and code
      Simple (fast!) dataflow analyses


  • Security Flaws
    Reported flaws in the Common Vulnerabilities and Exposures database, Jan-Sep 2001. [Evans & Larochelle, IEEE Software, Jan 2002.]
    190 vulnerabilities
    Only 4 have to do with crypto
    108 of them could have been detected with simple static analyses!











    [Chart: breakdown of the 190 reported flaws by category; the only label recovered from the transcription is "Malformed Input 16%".]



  • Sample CVE entries from the Jan-Sep 2001 data set
    Each entry gives the CVE id, the category code used in the study (access, bo = buffer overflow, crypto, dos, files), the CVE description, and the reference identifiers as transcribed. The reference column in the transcribed list is offset from the descriptions it follows (for example, the newgrp HP-UX references appear under the TurboTax entry), so references are reproduced as found rather than as they pair with each description.

    CVE-2001-0379 [access] Vulnerability in the newgrp program included with HP9000 servers running HP-UX 11.11 allows a local attacker to obtain higher access rights.
        Refs: ATSTAKE:A043001-1, BID:2671, XF:bugzilla-gobalpl-gain-information(6489)

    CVE-2001-0383 [access] banners.php in PHP-Nuke 4.4 and earlier allows remote attackers to modify banner ad URLs by directly calling the Change operation, which does not require authentication.
        Refs: ISS:20010509 Remote Buffer Overflow Vulnerability in IRIX Embedded Support Partner Infrastructure, SGI:20010501-01-P, XF:irix-espd-bo(6502)

    CVE-2001-0405 [access] ip_conntrack_ftp in the IPTables firewall for Linux 2.4 allows remote attackers to bypass access restrictions for an FTP server via a PORT command that lists an arbitrary IP address and port number, which is added to the RELATED table and allowed by the f
        Refs: BUGTRAQ:20010515 NSFOCUS SA2001-02 : Microsoft IIS CGI Filename Decode Error Vulnerability, MS:MS01-026, CERT:CA-2001-12, XF:iis-url-decoding(6534), BID:2708

    CVE-2001-0408 [access] vim (aka gvim) processes VIM control codes that are embedded in a file, which could allow attackers to execute arbitrary commands when another user opens a file containing malicious VIM control codes.
        Refs: MS:MS01-026, XF:iis-ftp-wildcard-dos(6535)

    CVE-2001-0412 [access] Cisco Content Services (CSS) switch products 11800 and earlier, aka Arrowpoint, allows local users to gain privileges by entering debug mode.
        Refs: MS:MS01-026, XF:iis-ftp-domain-authentication(6545), BID:2719

    CVE-2001-0434 [access] The LogDataListToFile ActiveX function used in (1) Knowledge Center and (2) Back web components of Compaq Presario computers allows remote attackers to modify arbitrary files and cause a denial of service.
        Refs: MS:MS01-026, XF:iis-crosssitescripting-patch-dos(6858)

    CVE-2001-0455 [access] Cisco Aironet 340 Series wireless bridge before 8.55 does not properly disable access to the web interface, which allows remote attackers to modify its configuration.
        Refs: MS:MS01-027, CIAC:L-087, XF:ie-crl-certificate-spoofing(6555), BID:2735

    CVE-2001-0456 [access] postinst installation script for Proftpd in Debian 2.2 does not properly change the "run as uid/gid root" configuration when the user enables anonymous access, which causes the server to run at a higher privilege than intended.
        Refs: MS:MS01-027, CIAC:L-087, XF:ie-html-url-spoofing(6556), BID:2737

    CVE-2001-0482 [access] Configuration error in Argus PitBull LX allows root users to bypass specified access control restrictions and cause a denial of service or execute arbitrary commands by modifying kernel variables such as MaxFiles, MaxInodes, and ModProbePath in /proc/sys
        Refs: MS:MS01-030, CIAC:L-091, XF:exchange-owa-script-execution(6652)

    CVE-2001-0488 [access] pcltotiff in HP-UX 10.x has unnecessary set group id permissions, which allows local users to cause a denial of service.
        Refs: BUGTRAQ:20010625 NSFOCUS SA2001-03 : Microsoft FrontPage 2000 Server Extensions Buffer Overflow Vulnerability, MS:MS01-035, BID:2906, XF:frontpage-ext-rad-bo(6730)

    CVE-2001-0331 [bo] Buffer overflow in Embedded Support Partner (ESP) daemon (rpc.espd) in IRIX 6.5.8 and earlier allows remote attackers to execute arbitrary commands.
        Refs: MS:MS01-032, CIAC:L-095, XF:mssql-cached-connection-access(6684)

    CVE-2001-0341 [bo] Buffer overflow in Microsoft Visual Studio RAD Support sub-component of FrontPage Server Extensions allows remote attackers to execute arbitrary commands via a long registration request (URL) to fp30reg.dll.
        Refs: MS:MS01-031, BID:2843, XF:win2k-telnet-idle-sessions-dos(6667)

    CVE-2001-0353 [bo] Buffer overflow in the line printer daemon (in.lpd) for Solaris 8 and earlier allows local and remote attackers to gain root privileges via a "transfer job" routine.
        Refs: MS:MS01-031, XF:win2k-telnet-handle-leak-dos(6668)

    CVE-2001-0414 [bo] Buffer overflow in ntpd ntp daemon 4.0.99k and earlier (aka xntpd and xntp3) allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long readvar argument.
        Refs: MS:MS01-031, CIAC:L-092, BID:2847, XF:win2k-telnet-domain-authentication(6665)

    CVE-2001-0440 [bo] Buffer overflow in logging functions of licq before 1.0.3 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands.
        Refs: BINDVIEW:20010608 Range checking fault condition in Microsoft Windows 2000 Telnet server, MS:MS01-031, CIAC:L-092, XF:win2k-telnet-username-dos(6666)

    CVE-2001-0494 [bo] Buffer overflow in IPSwitch IMail SMTP server 6.06 and possibly prior versions allows remote attackers to execute arbitrary code via a long From: header.
        Refs: MS:MS01-031, CIAC:L-092, XF:win2k-telnet-system-call-dos(6669), BID:2846

    CVE-2001-0361 [crypto] Implementations of SSH version 1.5, including (1) OpenSSH up to version 2.3.0, (2) AppGate, and (3) ssh-1 up to version 1.2.31, in certain configurations, allow a remote attacker to decrypt and/or alter traffic via a "Bleichenbacher attack" on PKCS#1 vers
        Refs: ISS:20010619 Remote Buffer Overflow Vulnerability in Solaris Print Protocol Daemon, SUN:00206, CERT:CA-2001-15, XF:solaris-lpd-bo(6718), BID:2894

    CVE-2001-0351 [dos] Microsoft Windows 2000 telnet service allows a local user to make a certain system call that allows the user to terminate a Telnet session and cause a denial of service.
        Refs: BUGTRAQ:20010207 [CORE SDI ADVISORY] SSH1 session key recovery vulnerability, CIAC:L-047, FREEBSD:FreeBSD-SA-01:24, DEBIAN:DSA-027, CISCO:20010627 Multiple SSH Vulnerabilities, SUSE:SuSE-SA:2001:04, XF:ssh-session-key-recovery(6082), BID:2344

    CVE-2001-0429 [dos] Cisco Catalyst 5000 series switches 6.1(2) and earlier will forward an 802.1x frame on a Spanning Tree Protocol (STP) blocked port, which causes a network storm and a denial of service.
        Refs: BUGTRAQ:20010430 A Serious Security Vulnerability Found in BearShare (Directory Traversal), BID:2672, XF:bearshare-dot-download-files(6481)

    CVE-2001-0368 [files] Directory traversal vulnerability in BearShare 2.2.2 and earlier allows a remote attacker to read certain files via a URL containing a series of . characters, a variation of the .. (dot dot) attack.
        Refs: BUGTRAQ:20010328 Inframail Denial of Service Vulnerability, XF:inframail-post-dos(6297)

    CVE-2001-0462 [files] Directory traversal vulnerability in Perl web server 0.3 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the URL.
        Refs: CONFIRM:ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.8/common/024_readline.patch, XF:bsd-readline-permissions(6586)

    CVE-2001-0465 [files] TurboTax saves passwords in a temporary file when a user imports investment tax information from a financial institution, which could allow local users to obtain sensitive information.
        Refs: HP:HPSBUX0103-147, XF:hp-newgrp-additional-privileges(6282)

    CVE-2001-0467 [files] Directory traversal vulnerability in RobTex Viking Web server before 1.07-381 allows remote attackers to read arbitrary files via a \... (modified dot dot) in an HTTP URL request.
        Refs: BUGTRAQ:20010401 Php-nuke exploit..., CONFIRM:http://phpnuke.org/download.php?dcategory=Fixes, XF:php-nuke-url-redirect(6342), BID:2544

    CVE-2001-0495 [files] Directory traversal in DataWizard WebXQ server 1.204 allows remote attackers to view files outside of the web root via a .. (dot dot) attack.
        Refs: BUGTRAQ:20010412 HylaFAX vulnerability, BUGTRAQ:20010415 **SECURITY ADVISORY** - HylaFAX format string vulnerability, FREEBSD:FreeBSD-SA-01:34, SUSE:SuSE-SA:2001:15, MANDRAKE:MDKSA-2001:041, BID:2574, XF:hylafax-hfaxd-format-string(6377)