Model Checking One Million Lines of C Code

Written by: Hao Chen, Drew Dean, and David Wagner
Presented by: Khanh Nguyen
MOPS (MOdel checking Programs for Security properties)

A static analysis tool that checks source programs for temporal safety properties,
e.g. a setuid-root program must drop privilege before making risky system calls.
The MOPS process

Safety property -> FSA
C program -> Parser -> CFG
FSA + CFG -> Model checker -> either "Program satisfies safety property" or "Error traces"

FSA: finite state automaton
CFG: control flow graph

Treat the model checker as a black box for this talk.
Limitations

MOPS is only sound when programs are:
- Single threaded
- Memory safe (no buffer overflows)
- Portable (no inline assembly code)
- Free from aliasing on properties

Current implementation does not support:
- Function pointers
- Signal handlers
- Long jumps
- Run-time libraries (dlopen)
Programs

Program                 Lines of Code (LOC)
Apache HTTPD 2.0.40-21  229K
At 3.1.8-33             6K
BIND 9.2.1-16           279K
OpenSSH 3.5p1-6         59K
Postfix 1.1.11-11       94K
Samba 2.2.7a-7.9.0      254K
Sendmail 8.12.8-4       222K
VixieCron 3.0.1-74      4K
Total                   1147K
Experiments

Security properties:
- Drop Privileges Properly
- Create Chroot Jails Securely
- Avoid Race Conditions When Accessing the File System
- Avoid Attacks on Standard File Descriptors
- Create Temporary Files Securely
Drop Privileges Properly

Property: A process should drop privilege from all its user IDs before
calling execl, popen, system, or any of their relatives.

FSA: states priv (start), unpriv, error
- priv --setuid(getuid())--> unpriv
- priv --execl()--> error
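The process slide feeds the property FSA and the program CFG to a model checker that reports error traces. As an added illustration (not MOPS's own code), the following Python builds the product of a small constructed CFG and the drop-privileges FSA above, searches it breadth-first, and returns the path that reaches the error state; the CFG, its node names and the `FIXED_CFG` variant are assumptions made up for this example.

```python
from collections import deque

# FSA for "Drop Privileges Properly", transcribed from the slide. A call with no
# matching edge leaves the FSA state unchanged (e.g. execl() while unpriv is fine).
DROP_PRIV_FSA = {
    "start": "priv",
    "error": "error",
    "edges": {("priv", "setuid(getuid())"): "unpriv", ("priv", "execl()"): "error"},
}

# Constructed CFG of a hypothetical setuid-root program (not from the paper):
# node -> [(security-relevant call or None, successor)]. The "fallback"
# branch forgets to drop privilege before exec'ing.
CFG = {
    "entry": [(None, "check_arg")],
    "check_arg": [("setuid(getuid())", "run"), (None, "fallback")],
    "run": [("execl()", "exit")],
    "fallback": [("execl()", "exit")],
    "exit": [],
}
FIXED_CFG = dict(CFG, fallback=[("setuid(getuid())", "run")])  # same program, bug fixed


def model_check(cfg, fsa, entry="entry"):
    """BFS over the product of CFG nodes and FSA states. Returns the first path that
    reaches the error state as [(cfg_node, call), ...], or None if the property holds."""
    start = (entry, fsa["start"])
    parent = {start: None}  # product state -> (predecessor product state, call)
    queue = deque([start])
    while queue:
        node, state = queue.popleft()
        if state == fsa["error"]:
            return _trace(parent, (node, state))
        for call, succ in cfg[node]:
            nxt = (succ, fsa["edges"].get((state, call), state))
            if nxt not in parent:  # each product state is explored once, so this terminates
                parent[nxt] = ((node, state), call)
                queue.append(nxt)
    return None


def _trace(parent, end):
    """Walk parent links back to the entry state and return the steps in program order."""
    steps, cur = [], end
    while parent[cur] is not None:
        prev, call = parent[cur]
        steps.append((prev[0], call))
        cur = prev
    return steps[::-1]
```

Exploring each (node, state) pair once is what keeps the search finite on looping CFGs; the same `model_check` works unchanged for the other properties once their FSAs are written in the same table form.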
Create Chroot Jails Securely

Property: After calling chroot, a process should immediately call chdir("/")
to change its working directory to the root of the sub-filesystem.

FSA:
- (start) --chroot--> after chroot; other calls before chroot: no state change
- after chroot --chdir("/")--> ok
- after chroot --other--> Error (the working directory is still outside the jail,
  so a relative path such as ../../etc/passwd escapes it)
Avoid Race Conditions When Accessing the File System

Property: A program should not pass the same file name to two system calls
on any path. This prevents race conditions that can occur if an attacker
changes a file between the stat and open calls.
Avoid Attacks on Standard File Descriptors

Property: Do not open a file in writing mode to stdout or stderr, no matter
which file descriptors are open when the process starts.
Create Temporary Files Securely

Property: A program should (1) never call mktemp, tmpnam, tempnam, or tmpfile;
(2) never reuse the parameter x in mkstemp(x); and (3) call umask(077) before mkstemp.
Results

Program        Errors (All Properties)
               Real   Total
Apache HTTPD   2      6
At             1      7
BIND           0      4
OpenSSH        5      24
Postfix        0      6
Samba          2      8
Sendmail       0      11
VixieCron      3      4
Total          13     70
Conclusion

- Can check many properties
- Can check diverse, widely-deployed programs
- Can be used easily by non-tool developers
- Can generate comprehensible error reports
- MOPS is not complete but strives to eliminate as many error traces as possible

Questions?