MOPS*: an Infrastructure for Examining Security Properties of Software†

Hao Chen, University of California at Berkeley, [email protected]
David Wagner, University of California at Berkeley, [email protected]

ABSTRACT

We describe a formal approach for finding bugs in security-relevant software and verifying their absence. The idea is as follows: we identify rules of safe programming practice, encode them as safety properties, and verify whether these properties are obeyed. Because manual verification is too expensive, we have built a program analysis tool to automate this process. Our program analysis models the program to be verified as a pushdown automaton, represents the security property as a finite state automaton, and uses model checking techniques to identify whether any state violating the desired security goal is reachable in the program. The major advantages of this approach are that it is sound in verifying the absence of certain classes of vulnerabilities, that it is fully interprocedural, and that it is efficient and scalable. Experience suggests that this approach will be useful in finding a wide range of security vulnerabilities in large programs efficiently.

Categories and Subject Descriptors
D.4.6 [Operating Systems]: Security and Protection—verification; D.2.4 [Software Engineering]: Software/Program Verification—formal methods, model checking

General Terms
Security, Languages, Verification

Keywords
security, model checking, verification, static analysis

* MOPS: MOdel Checking Programs for Security properties
† This research was supported in part by DARPA contract N66001-01-C-8040 and by an equipment grant from Intel.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. CCS'02, November 18–22, 2002, Washington, DC, USA. Copyright 2002 ACM 1-58113-612-9/02/0011 ... $5.00.

1. INTRODUCTION

Software vulnerabilities are an enormous cause of security incidents in computer systems. A system is only as secure as its weakest link, and often the software is the weakest link. We can attribute software vulnerabilities to several causes. Some bugs, like buffer overruns in C, reflect poorly designed language features and can be avoided by switching to a safer language, like Java. However, safer programming languages alone cannot prevent many other security bugs, especially those involving higher level semantics. As a typical example, OS system calls have implicit constraints on how they should be called; if coding errors cause a program to violate such constraints when interacting with the OS kernel, this may introduce vulnerabilities....
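The abstract and introduction describe the core mechanism: a rule of safe programming practice is encoded as a finite state automaton with an error state, the program is abstracted to its control flow plus the sequence of security-relevant operations it performs, and a reachability analysis decides whether any interprocedural path can drive the automaton into the error state. The following is an added illustration written for this page; it is not the MOPS tool's own code. Instead of building the pushdown automaton explicitly, it computes per-function summaries (entry state to reachable exit states) with a worklist fixpoint, which is one way to obtain the same context-sensitive call/return reachability for a finite property. The rule (`setup` before `use`, and again after `teardown`), the event names, and the two sample programs are constructed assumptions, not an API or a rule from the paper.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple


# A safety property as a finite state automaton: transitions are keyed by
# (state, event). Events not listed for a state leave it unchanged, and the
# error state is absorbing, so once a path violates the rule it stays violated.
class PropertyFSA:
    def __init__(self, init: str, error: str, trans: Dict[Tuple[str, str], str]):
        self.init, self.error, self.trans = init, error, trans

    def step(self, state: str, event: str) -> str:
        if state == self.error:
            return self.error
        return self.trans.get((state, event), state)


# Hypothetical rule (an assumption of this example, not taken from the paper):
# a resource must be `setup` before any `use`, and after `teardown` it must be
# `setup` again before the next `use`.
SETUP_BEFORE_USE = PropertyFSA(
    init="start", error="error",
    trans={("start", "setup"): "ready",
           ("start", "use"): "error",
           ("ready", "teardown"): "start"},
)

# Each function is a small control-flow graph: an entry node, an exit node, and
# edges labelled ("event", name) for an observable operation or ("call", func).
Program = Dict[str, dict]


def analyze(program: Program, prop: PropertyFSA, main: str = "main") -> List[Tuple[str, str, str, str]]:
    """Return every (function, entry_state, node, event) at which some execution
    path starting from `main` drives the property into its error state."""
    # summaries[f][s] = property states possible at f's exit when f is entered in state s
    summaries: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    demands = {(main, prop.init)}          # (function, entry state) contexts to analyze
    violations: Set[Tuple[str, str, str, str]] = set()
    changed = True
    while changed:                         # iterate to a fixpoint over all demanded contexts
        changed = False
        for func, entry_state in sorted(demands):
            fn = program[func]
            reach: Dict[str, Set[str]] = defaultdict(set)   # node -> property states reachable there
            reach[fn["entry"]].add(entry_state)
            work = [fn["entry"]]
            while work:
                node = work.pop()
                for target, (kind, name) in fn["edges"].get(node, []):
                    outs: Set[str] = set()
                    for state in reach[node]:
                        if kind == "event":
                            nxt = prop.step(state, name)
                            if nxt == prop.error and state != prop.error:
                                violations.add((func, entry_state, node, name))
                            outs.add(nxt)
                        else:  # call: consult the callee's summary, demanding it if new
                            if (name, state) not in demands:
                                demands.add((name, state))
                                changed = True
                            outs |= summaries[name][state]
                    new = outs - reach[target]
                    if new:
                        reach[target] |= new
                        work.append(target)
            exits = reach[fn["exit"]]
            if exits - summaries[func][entry_state]:
                summaries[func][entry_state] |= exits
                changed = True
    return sorted(violations)


# Constructed sample programs (assumptions of this example). `worker` is shared
# by two call sites; only the second one, which runs after `teardown`, violates
# the rule, so a context-insensitive analysis could not tell the two apart.
BUGGY_PROGRAM: Program = {
    "init":   {"entry": "i0", "exit": "i1",
               "edges": {"i0": [("i1", ("event", "setup"))]}},
    "worker": {"entry": "w0", "exit": "w1",
               "edges": {"w0": [("w1", ("event", "use"))]}},
    "main":   {"entry": "m0", "exit": "m4",
               "edges": {"m0": [("m1", ("call", "init"))],
                         "m1": [("m2", ("call", "worker"))],
                         "m2": [("m3", ("event", "teardown"))],
                         "m3": [("m4", ("call", "worker"))]}},
}

# Corrected variant: both worker calls precede `teardown`, and a branch that
# performs only an unrelated `log` event skips the first worker call entirely.
FIXED_PROGRAM: Program = {
    "init":   BUGGY_PROGRAM["init"],
    "worker": BUGGY_PROGRAM["worker"],
    "main":   {"entry": "m0", "exit": "m4",
               "edges": {"m0": [("m1", ("call", "init"))],
                         "m1": [("m2", ("call", "worker")), ("m3", ("event", "log"))],
                         "m2": [("m3", ("call", "worker"))],
                         "m3": [("m4", ("event", "teardown"))]}},
}

if __name__ == "__main__":
    print("buggy:", analyze(BUGGY_PROGRAM, SETUP_BEFORE_USE))
    print("fixed:", analyze(FIXED_PROGRAM, SETUP_BEFORE_USE))
```

The report names the function, the property state in which it was entered, the node and the offending event, which is the information a reviewer needs to see why the shared `worker` is fine from the first call site and unsafe from the second. Because every path is explored over a finite abstraction, an empty result is a proof that no path violates the rule under the model; the price, as the abstract notes, is that data values are not tracked, so branches that are infeasible at run time can still produce warnings.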