Static Analysis of the VoteHere VHTi Reference Implementation Using Flawfinder and RATS Markus Dale December 2005.

Outline
• Results
• New and Significant
• Static Analysis and Limitations
• Previous Work
• Flawfinder/RATS
• VoteHere Sentinel and VHTi Reference Implementation
• Static Analysis Results
• Future Work
• References

Results
• Static analysis with Flawfinder and RATS found only 19 potential security problems in over 10,000 lines of source code.
• The security problems must be mitigated from within the system that uses the VHTi Reference Implementation API.
• Different static analysis tools have different trade-offs. Use as many tools as possible.
• False positives can consume a large amount of time.

New and Significant
• Applies the Flawfinder and RATS open source static analysis tools to the VoteHere VHTi Reference Implementation.
• Compares the performance of Flawfinder and RATS on the VHTi Reference Implementation.

Static Analysis
Compiled from the Michael/Lavenhar paper:
• Potentially insecure library functions
  – Database of vulnerabilities
• Type confusion between references and pointers
• Detection of memory allocation errors
  – Double free, write to freed memory, buffer overflow
• Temporal safety constraints (ordered steps)
• Data flow analysis – tainted variables
• Pointer aliasing analysis – two pointers to the same memory location

Limitations of Static Analysis
• Problem bounded by Rice’s Theorem:
  – “there exists no automatic method that decides with generality non-trivial questions on the black-box behavior of computer programs” (Wikipedia)
• False positives vs. false negatives trade-offs
• Local, module, or whole-program analysis

Previous Work
• Static analysis best practice on the DHS Build Security In site (also an overview of tools)
• Microsoft SLAM project: Static Driver Verifier uses the Specification Language for Interface Checking to encode temporal safety constraints (Ball/Rajamani)
• MOPS – Model Checking Programs for Security Properties (Chen/Wagner)

More Previous Work
• Flanagan et al., ESC/Java
  – Automated theorem prover: null references, array bounds errors, type cast errors, race conditions
• Livshits, DynaMine
  – Adds revision history information
• Blanchet et al., Static Analyzer for Large Safety-Critical Software
  – Refinements and parameterization

Flawfinder
• David Wheeler, author of the Secure Programming for Linux and Unix HOWTO; latest version 2004
• Uses lexical analysis and a database of risky functions for C/C++
• Buffer overflow risks
  – e.g., strcpy(), strcat(), gets(), sprintf(), scanf()
• Format string problems
  – [v][f]printf(), [v]snprintf(), and syslog()
• Time Of Check to Time Of Use (TOCTOU) race conditions
• Poor random number acquisition

Rough Auditing Tool for Security (RATS)
• Secure Software; latest version 2002
• Commercial offering: CodeAssure
• Lexical analysis and a database of risky functions for
  – C/C++
  – Perl, PHP, Python
• Buffer overflow problems
• TOCTOU race conditions
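Both tools, as the two slides above describe, work lexically: every function-call token in the source is looked up in a database of risky functions and reported with file, line and a risk level. The following is an added example, not Flawfinder's or RATS's code, written in C++ (the language of the VHTi code under analysis). It strips comments and string literals so that names inside them are not matched, looks each identifier( token up in a small constructed risk database (the entries, levels and messages are my own assumptions modelled on the categories the slides list, not the tools' real databases), downgrades printf-family calls whose format argument is a string literal, and prints hits in Flawfinder's file:line: [level] (category) style. The sample source is constructed and is not VHTi code.

```cpp
#include <cctype>
#include <iostream>
#include <map>
#include <regex>
#include <sstream>
#include <string>
#include <vector>

// Constructed risk database (assumption: modelled on the slide categories,
// not copied from Flawfinder or RATS). Level 0 = ignore .. 5 = highest.
struct RiskEntry { int level; std::string category; std::string message; };

static const std::map<std::string, RiskEntry>& riskDatabase() {
    static const std::map<std::string, RiskEntry> db = {
        {"gets",    {5, "buffer", "Does not check for buffer overflows"}},
        {"strcpy",  {4, "buffer", "Does not check for buffer overflows when copying to destination"}},
        {"strcat",  {4, "buffer", "Does not check for buffer overflows when concatenating to destination"}},
        {"sprintf", {4, "buffer", "Does not check for buffer overflows"}},
        {"memcpy",  {2, "buffer", "Does not check for buffer overflows when copying to destination"}},
        {"getenv",  {3, "buffer", "Environment variables are untrusted input of any length and content"}},
        {"printf",  {4, "format", "A format string influenced by an attacker can be exploited"}},
        {"rand",    {3, "random", "Not sufficiently random for security-related functions"}},
        {"access",  {4, "race",   "Time-of-check/time-of-use race between access() and the later use"}},
    };
    return db;
}

struct Finding { std::string file; int line; int level; std::string func, category, message; };

// Drop comments and the bodies of string/character literals from one line so names
// inside them are not matched. The opening quote is kept so the format-string check
// can still see that an argument is a literal. inBlock carries /* ... */ across lines.
std::string stripLine(const std::string& line, bool& inBlock) {
    std::string out;
    for (std::size_t i = 0; i < line.size(); ++i) {
        if (inBlock) {
            if (line.compare(i, 2, "*/") == 0) { inBlock = false; ++i; }
            continue;
        }
        if (line.compare(i, 2, "//") == 0) break;
        if (line.compare(i, 2, "/*") == 0) { inBlock = true; ++i; continue; }
        if (line[i] == '"' || line[i] == '\'') {
            const char quote = line[i];
            out += quote;
            for (++i; i < line.size() && line[i] != quote; ++i) {
                if (line[i] == '\\') ++i;   // skip an escaped character
            }
            continue;                        // the loop's ++i steps past the closing quote
        }
        out += line[i];
    }
    return out;
}

// Lexical scan: every "identifier(" token is looked up in the risk database and
// hits at or above minLevel are reported with file and line.
std::vector<Finding> scanSource(const std::string& file, const std::string& source, int minLevel) {
    static const std::regex call(R"(\b([A-Za-z_]\w*)\s*\()");
    std::vector<Finding> findings;
    std::istringstream in(source);
    std::string raw;
    bool inBlock = false;
    int lineNo = 0;
    while (std::getline(in, raw)) {
        ++lineNo;
        const std::string line = stripLine(raw, inBlock);
        for (std::sregex_iterator it(line.begin(), line.end(), call), end; it != end; ++it) {
            const std::string name = (*it)[1].str();
            const auto entry = riskDatabase().find(name);
            if (entry == riskDatabase().end()) continue;
            int level = entry->second.level;
            if (entry->second.category == "format") {
                // A string-literal format cannot be attacker controlled: downgrade to 0.
                std::size_t pos = static_cast<std::size_t>(it->position(0) + it->length(0));
                while (pos < line.size() && std::isspace(static_cast<unsigned char>(line[pos]))) ++pos;
                if (pos < line.size() && line[pos] == '"') level = 0;
            }
            if (level < minLevel) continue;
            findings.push_back({file, lineNo, level, name, entry->second.category, entry->second.message});
        }
    }
    return findings;
}

// Flawfinder-style report line: file:line: [level] (category) func: message
std::string formatFinding(const Finding& f) {
    return f.file + ":" + std::to_string(f.line) + ": [" + std::to_string(f.level) + "] (" +
           f.category + ") " + f.func + ": " + f.message;
}

// Constructed sample input; not VHTi code.
const char* const kSample =
    "// constructed sample, not VHTi code\n"
    "#include <cstring>\n"
    "void f(const char* in, char* fmt) {\n"
    "    char buf[16];\n"
    "    strcpy(buf, in);              /* unbounded copy */\n"
    "    /* strcat(buf, in); commented out, must not be flagged */\n"
    "    printf(\"%s\\n\", buf);       // literal format: downgraded to level 0\n"
    "    printf(fmt);                  // attacker-influenced format\n"
    "    const char* home = getenv(\"HOME\");\n"
    "    memcpy(buf, home, 16);\n"
    "}\n";

int main() {
    for (const Finding& f : scanSource("sample.cpp", kSample, 1)) std::cout << formatFinding(f) << '\n';
    return 0;
}
```

Raising minLevel is the knob the slides' false-positive discussion is about: at level 1 the scan reports strcpy, printf(fmt), getenv and memcpy, at level 3 the level-2 memcpy hit disappears, and the commented-out strcat and the literal-format printf are never reported. Being purely lexical, the scan cannot tell whether the memcpy destination is actually large enough, which is why the VHTi findings still needed manual review.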

VoteHere Sentinel
• Add-on to the Diebold AccuVote-TS to independently verify election results
• Based on Neff’s e-voting secure shuffle, implemented as the VHTi Reference Implementation
• Reference Implementation freely downloadable

VHTi Reference Implementation Docs
• API Developer’s Guide
  – How to build, third-party libs, usage, security concerns, DTDs for XML data structures
• Known Issues doc
  – Results from reviews
• VHTi Threat Analysis doc
  – Attack tree and mitigation techniques

VHTi Reference Implementation

RATS: getenv warning
./util/result.cpp:625: High: getenv
./util/vh_cout.cpp:123: High: getenv
Environment variables are highly untrustable input. They may be of any length, and contain any data. Do not make any assumptions regarding content or length. If at all possible avoid using them, and if it is necessary, sanitize them and truncate them to a reasonable length.

Flawfinder: Warning about memcpy
./pki/crypt.cpp:244: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination. Make sure destination can always hold the source data.

Memcpy Mitigation
    if (sizeof (iv) != initialization_vector.size ()) {
        ...
        throw VHUtil::Exception (...)
    }
    memcpy (iv, initialization_vector.data (), initialization_vector.size ());
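The memcpy check above and the RATS getenv advice two slides earlier, carried through as an added C++ example that is not VHTi code. LengthMismatch stands in for VHUtil::Exception (an assumption; the real type is not shown), loadIv performs the same length comparison before the copy using std::array::size() in place of sizeof on a raw array, and sanitizeEnvValue applies the RATS guidance by bounding the bytes read from an environment variable and dropping control characters; readEnvBounded wires it to getenv. The IV size and sample values are constructed.

```cpp
#include <array>
#include <cstddef>
#include <cstdlib>
#include <cstring>
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

// Stand-in for VHUtil::Exception (assumption; the VHTi type is not on the slide).
struct LengthMismatch : std::runtime_error {
    using std::runtime_error::runtime_error;
};

constexpr std::size_t kIvSize = 16;   // constructed block size for the example

// Hardened copy: the fixed-size destination is compared with the source length
// before memcpy runs, so an over-long vector cannot overrun iv (the Flawfinder
// warning) and a short one cannot leave it partly uninitialised. Throwing before
// the copy leaves the destination untouched.
void loadIv(std::array<unsigned char, kIvSize>& iv,
            const std::vector<unsigned char>& initialization_vector) {
    if (iv.size() != initialization_vector.size()) {
        throw LengthMismatch("initialization vector must be exactly " +
                             std::to_string(kIvSize) + " bytes, got " +
                             std::to_string(initialization_vector.size()));
    }
    std::memcpy(iv.data(), initialization_vector.data(), initialization_vector.size());
}

// Returns true when a vector of n bytes is rejected and the destination is unchanged.
bool loadIvRejects(std::size_t n) {
    std::array<unsigned char, kIvSize> iv{};
    iv.fill(0xEE);
    try {
        loadIv(iv, std::vector<unsigned char>(n, 0x01));
    } catch (const LengthMismatch&) {
        return iv[0] == 0xEE && iv[kIvSize - 1] == 0xEE;
    }
    return false;
}

// Environment variable handling per the RATS advice: assume nothing about length
// or content. At most maxLen bytes are read (stopping at the terminator) and
// control characters are dropped. An unset variable (null pointer) yields "".
std::string sanitizeEnvValue(const char* raw, std::size_t maxLen) {
    std::string value;
    if (raw == nullptr) return value;
    for (std::size_t i = 0; i < maxLen && raw[i] != '\0'; ++i) {
        const unsigned char c = static_cast<unsigned char>(raw[i]);
        if (c < 0x20 || c == 0x7f) continue;   // control characters are dropped
        value.push_back(static_cast<char>(c));
    }
    return value;
}

std::string readEnvBounded(const char* name, std::size_t maxLen) {
    return sanitizeEnvValue(std::getenv(name), maxLen);
}

int main() {
    std::array<unsigned char, kIvSize> iv{};
    std::vector<unsigned char> good(kIvSize, 0xAB);       // constructed 16-byte IV
    loadIv(iv, good);
    std::cout << "loaded " << iv.size() << " IV bytes\n";
    try {
        loadIv(iv, std::vector<unsigned char>(kIvSize + 4, 0x01));
    } catch (const LengthMismatch& e) {
        std::cout << "rejected: " << e.what() << '\n';
    }
    std::cout << "HOME (bounded to 64 bytes): " << readEnvBounded("HOME", 64) << '\n';
    return 0;
}
```

The length check is what turns the level-2 memcpy hit into a non-finding: the destination can always hold the source because any other size is rejected before the copy. The same pattern, a bound decided by the receiver rather than trusted from the input, is what the RATS message asks for with environment variables.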

Results from Static Analysis
• Flawfinder: 64 total / 9 actual (~7:1)
• RATS: 41 total / 14 actual (~3:1)
• Overlapping problems found: 4
• Unique problems: 19
• Statically declared arrays
  – 36 unique declarations
  – Flawfinder: 32; RATS: 20

Findings
• The 19 potential problems are not problems by themselves
  – Defensive programming
  – Library code – greatest reusability
  – Mitigation techniques and correct usage of the API must be implemented in the system that uses it

Future Work
• Use a commercial static analysis tool such as Klocwork K7, Ounce Labs Prexis or Secure Software CodeAssure
• Analyze the complete source code of the VoteHere Sentinel system

Selected References
• Chess, B. & McGraw, G. (2004), ‘Static analysis for security’, IEEE Security & Privacy Magazine 2(6), 76–79.
• Flanagan, C.; Leino, K.R.M.; Lillibridge, M.; Nelson, G.; Saxe, J.B. & Stata, R. (2002), ‘Extended static checking for Java’, in PLDI ’02: Proceedings of the ACM SIGPLAN 2002 Conference on Programming Language Design and Implementation, ACM Press, New York, NY, USA, pp. 234–245.
• Martin, M.; Livshits, B. & Lam, M.S. (2005), ‘Finding application errors and security flaws using PQL: a program query language’, in OOPSLA ’05: Proceedings of the 20th Annual ACM SIGPLAN Conference on Object-Oriented Programming Systems, Languages and Applications, ACM Press, New York, NY, USA, pp

More Selected References
• Neff, C.A. (2001), ‘A verifiable secret shuffle and its application to e-voting’, in CCS ’01: Proceedings of the 8th ACM Conference on Computer and Communications Security, ACM Press, New York, NY, USA, pp. 116–125.
• RABA (2004), ‘Trusted Agent Report Diebold AccuVote-TS Voting System’.
• Michael, C. & Lavenhar, S.R. (2005), ‘Source Code Analysis Tools – Overview’, cert.gov/portal/article/tools/code_analysis/overview.xml, published via the U.S. Department of Homeland Security Build Security In website.