Static Analysis
James Walden, Northern Kentucky University
CSC 666: Secure Software Engineering

Topics
1. Why Static Analysis?
2. False Positives and Negatives
3. Static Analysis Internals
4. Using the Tools

What is Static Analysis?

Static = without program execution.
- In the broadest sense this covers every verification technique except testing, including manual code review.
- In practice the term refers to compiler-like tools that examine code automatically.

Examples:
- Static type checking
- Vulnerability detection tools
- Formal methods

Why Static Analysis?
1. Code reviews require substantial expertise in secure programming.
2. Human readers are fallible and will miss mistakes.
3. Code reviews are slow, and unreviewed legacy code will take a long time to review.

Verification Techniques (chart plotting assurance against cost for penetration testing, security testing, static analysis, code review and formal verification)

False Negatives and Positives

False positives
- The tool reports a bug that is not there.
- Complex control or data flow can confuse the tool into reporting a path that can never execute.

False negatives
- The tool fails to discover a bug that is there.
- Caused by code complexity the tool cannot follow, or by the absence of a rule for that class of bug.

False Negatives and Positives (diagram: the set of real mistakes and the set of conditions the tool's check heuristics flag overlap only partly; mistakes outside the overlap are false negatives, flagged conditions outside it are false positives)

Static Analysis Approaches
1. Standard compiler warnings and type checking.
2. Lexing source checkers that look for dangerous names such as strcpy() and gets().
3. Parsing source code checkers.
4. Parsing checkers with annotations.
5. Formal proof-based program verification.

Static Analysis Internals
- Parser
- Model Builder
- Analysis Engine

Parser
- Converts the programming language into an abstract syntax tree (AST).
- The tool must have a parser for each language it supports.

(Figure: abstract syntax tree)
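The difference between approaches 2 and 3 in the list above, and why the parser step matters, is easiest to see on a small program. The following is an added illustration, not code from the slides or from any of the tools named on this page: a lexing-style checker that searches the text for dangerous names, beside a checker that builds an AST with Python's ast module and resolves import aliases before deciding what is being called. The program it analyzes is constructed for the example, and the dangerous-call list and the `sh` alias are assumptions of the example rather than anything the slides mention.

```python
# Lexing versus parsing checkers on the same constructed sample. Added example,
# not from the slides or from the tools they list. The lexing checker works the
# way grep-style tools do: it looks for dangerous names in the source text. The
# parsing checker builds an AST and resolves what is actually being called.
import ast
import re

# Dangerous calls to look for, by fully qualified name (an assumption of the example).
DANGEROUS = {"os.system", "eval", "exec"}

# Constructed sample under analysis. It is parsed, never executed.
SAMPLE = """\
import os
from os import system as sh

def run(cmd):
    # Never call os.system here; it hands cmd to a shell.
    return cmd

def log(msg):
    print("system(" + msg + ")")

def helper(user_dir):
    rc = os.system("ls " + user_dir)
    sh("du -sh " + user_dir)
    return rc
"""


def lexing_checker(source, names=("system", "eval", "exec")):
    """Approach 2: flag every line where a bad name is followed by '('.

    Returns the flagged line numbers. It works on text, so it cannot tell a
    string literal from a call, and it cannot know that `sh` is os.system.
    """
    pattern = re.compile(r"\b(" + "|".join(map(re.escape, names)) + r")\s*\(")
    return [lineno for lineno, line in enumerate(source.splitlines(), 1)
            if pattern.search(line)]


class CallFinder(ast.NodeVisitor):
    """Approach 3: walk the AST and resolve each call target through the imports."""

    def __init__(self):
        self.aliases = {}   # local name -> fully qualified name
        self.hits = []      # (lineno, qualified name) of each dangerous call

    def visit_Import(self, node):
        for alias in node.names:
            self.aliases[alias.asname or alias.name] = alias.name
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        for alias in node.names:
            self.aliases[alias.asname or alias.name] = f"{node.module}.{alias.name}"
        self.generic_visit(node)

    def qualify(self, node):
        """Turn the callee expression into a dotted name, following aliases."""
        if isinstance(node, ast.Name):
            return self.aliases.get(node.id, node.id)
        if isinstance(node, ast.Attribute):
            base = self.qualify(node.value)
            return None if base is None else f"{base}.{node.attr}"
        return None   # computed callee such as table[i](...): not resolved

    def visit_Call(self, node):
        name = self.qualify(node.func)
        if name in DANGEROUS:
            self.hits.append((node.lineno, name))
        self.generic_visit(node)


def parsing_checker(source):
    """Return (lineno, qualified name) for every dangerous call in source."""
    finder = CallFinder()
    finder.visit(ast.parse(source))
    return finder.hits


if __name__ == "__main__":
    # Lexing: line 9 is a false positive (a string literal) and line 13 is a
    # false negative (the alias sh). Parsing: exactly lines 12 and 13.
    print("lexing :", lexing_checker(SAMPLE))
    print("parsing:", parsing_checker(SAMPLE))
```

Run as-is, the lexing checker reports lines 9 and 12: one false positive, because `"system("` is a string literal, and one false negative, because it cannot see that `sh` on line 13 is os.system. The AST checker reports lines 12 and 13. Flawfinder-class tools do skip comments and string literals, but without a parse they still cannot follow an alias; that is the gap the parser step closes.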

Control Flow Graph (figure; its nodes are the statements nConsec = 0, the branch if (a > b), s1 = getHexChar(a), s2 = getHexChar(b), and return nConsec)

Data Flow with SSA

Source code:

    if (bytesRead < 8) {
        tail = (byte) bytesRead;
    }

SSA form (every assignment creates a new version of the variable, so each version has exactly one definition; the φ function at the join point selects whichever version reached it):

    if (bytesRead_1 < 8) {
        tail_2 = (byte) bytesRead_1;
    }
    tail_3 = φ(tail_1, tail_2);

Taint Propagation
Track the flow of data from source to sink.
- Source: where data comes into the program.
- Sink: a function that consumes the data.

A vulnerability is reported if
- the data comes from an untrusted source,
- the data is consumed by a dangerous sink, and
- no function between source and sink makes the data safe.

A sanitizer is specific to a sink: HTML-escaping makes data safe for an HTML page but not for an SQL query, so the rules record which sinks each validation function protects.

Tainting SQL Injection Example

```php
<?php
// Deliberately vulnerable example: untrusted input flows into the query unchanged.
// (The mysql_* functions shown here were removed in PHP 7; the slide predates that.)
$link = mysql_connect($DB_HOST, $DB_USERNAME, $DB_PASSWORD)
    or die("Couldn't connect: " . mysql_error());
mysql_select_db($DB_DATABASE);
// Source: request parameters are attacker-controlled.
$username = $_GET['username'];
$password = $_GET['password'];
// No sanitizer: the tainted values are concatenated straight into the SQL string.
$query = "select count(*) from users where username = '$username' and password = '$password'";
// Sink: the tainted query reaches the database.
$result = mysql_query($query);
```

Local vs. Global Analysis
- Local analysis: analysis of an individual function, a.k.a. intraprocedural analysis. Cheap, but it cannot see a source in one function feeding a sink in another.
- Global analysis: follows control and data flow between functions, a.k.a. interprocedural analysis. Finds those cross-function paths, at a higher cost in time and memory.

Rules
The security knowledge base for the tool:
- Identify data sources.
- Identify data sinks.
- Model the behavior of validation functions.
- Check for dangerous configurations.
- Check control flow (e.g. every lock acquired is released).

Customize for the process and project:
- Check that the coding style is obeyed.
- Check for custom functions and standards.
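Putting the last four slides together (taint propagation, the SQL injection example, local analysis, and rules), here is an added example, not from the slides or from any tool they name: a small intraprocedural taint tracker built on Python's ast module. Sources, sinks and sanitizers are a data structure so they can be extended per project. The web handlers it analyzes are constructed for the example; `request.args.get` is assumed to be the untrusted source (a Flask-style request object), `execute` is matched by method name as a stand-in for the type information a real tool would have, and `sanitize` is a hypothetical project validator that the tool has no rule for until one is added.

```python
# Toy intraprocedural taint tracker over a Python AST. Added example, not from the
# slides or any listed tool. Rules are plain data, as on the Rules slide; analysis is
# local to one straight-line function body (no branch merging, no interprocedural flow).
import ast

# Security knowledge base. Call targets match by dotted name; a sink key without a dot
# matches any method of that name (a stand-in for real type information about `cur`).
RULES = {
    "sources": {"request.args.get", "request.form.get"},
    "sinks": {"execute": 0, "os.system": 0},  # name -> dangerous argument index
    "sanitizers": {"int"},
}

# Constructed sample under analysis; it is parsed, never executed.
SAMPLE = """\
from flask import request

def login(conn):
    username = request.args.get("username")
    password = request.args.get("password")
    query = ("select count(*) from users where username = '" + username
             + "' and password = '" + password + "'")
    cur = conn.cursor()
    cur.execute(query)
    return cur.fetchone()

def login_parameterized(conn):
    username = request.args.get("username")
    cur = conn.cursor()
    cur.execute("select 1 from users where username = ?", (username,))
    return cur.fetchone()

def lookup(conn):
    user_id = int(request.args.get("id"))
    name = sanitize(request.args.get("name"))
    cur = conn.cursor()
    cur.execute("select * from users where id = %d" % user_id)
    cur.execute("select * from users where name = '" + name + "'")
    return cur.fetchall()
"""

def qualified_name(node):
    """Dotted name of a call target such as request.args.get; None if computed."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = qualified_name(node.value)
        return None if base is None else f"{base}.{node.attr}"
    return None

def sink_index(name, rules):
    """Dangerous argument index if name is a sink, else None."""
    for sink, index in rules["sinks"].items():
        if name == sink or ("." not in sink and name.endswith("." + sink)):
            return index
    return None

def analyze_function(fn, rules):
    """Local taint analysis of one function; returns (lineno, sink) findings."""
    tainted = set()  # local names currently holding source data

    def is_tainted(expr):
        if isinstance(expr, ast.Name):
            return expr.id in tainted
        if isinstance(expr, ast.Call):
            name = qualified_name(expr.func)
            if name in rules["sources"]:
                return True  # fresh attacker-controlled data
            if name in rules["sanitizers"]:
                return False  # modelled as making the data safe
            # Unknown call: assume taint passes through (conservative; the usual
            # origin of false positives until the rules are updated).
            return any(is_tainted(arg) for arg in expr.args)
        if isinstance(expr, ast.BinOp):  # "..." + user, "%s" % user
            return is_tainted(expr.left) or is_tainted(expr.right)
        return False  # constants and anything not modelled above

    findings = []
    for stmt in fn.body:
        # Check every call in this statement against the sink rules...
        for call in (n for n in ast.walk(stmt) if isinstance(n, ast.Call)):
            name = qualified_name(call.func)
            index = sink_index(name, rules) if name else None
            if index is not None and index < len(call.args) and is_tainted(call.args[index]):
                findings.append((call.lineno, name))
        # ...then propagate taint through plain assignments, in program order.
        if isinstance(stmt, ast.Assign):
            value_tainted = is_tainted(stmt.value)
            for target in stmt.targets:
                if isinstance(target, ast.Name):
                    (tainted.add if value_tainted else tainted.discard)(target.id)
    return findings

def scan(source, rules=RULES):
    """Run the local analysis over every top-level function in a module."""
    return [f for node in ast.parse(source).body
            if isinstance(node, ast.FunctionDef) for f in analyze_function(node, rules)]

if __name__ == "__main__":
    print("default rules:", scan(SAMPLE))  # lines 9 and 23 of SAMPLE
    custom = {**RULES, "sanitizers": RULES["sanitizers"] | {"sanitize"}}  # update rules
    print("with sanitize():", scan(SAMPLE, custom))  # line 9 only
```

The first handler concatenates both request parameters into the query string, the same pattern as the PHP example above, and is reported. The parameterized version is not: the first argument to execute() is a constant, and the tainted value travels in the parameter tuple, where the driver treats it as data. In lookup(), int() is modelled as a sanitizer, so the first query passes; the second is reported until the project's own sanitize() is added to the rules, after which the report disappears. That is the rule update that closes the review loop on the later slides. Two limits are deliberate and worth recognising in real tools as well: the analysis stops at function boundaries, so a source in one function and a sink in another is invisible to it (which is what global analysis adds), and an unknown call is assumed to pass taint through, so every project validator not yet in the rules produces a false positive.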

Static Analysis Tools
Simple search (lexing) tools
- Flawfinder
- ITS4
- RATS

Parsing tools
- Fortify Source Code Analyzer
- Coverity Prevent
- Klocwork K7 Suite
- FindBugs
- splint

Using the Tools

Who runs the tools?
- Developers
- Security team

When do you run the tool?
- While code is being written (IDE integration)
- Before code check-in
- After each build
- After major milestones

What do you do with the results?
- Support the code review process.
- Support security metrics.
- Decide whether the project is ready to be released.

Code Reviews (cycle diagram): Review Code → Run Tool → Review Results → Fix Bugs → Update Rules

Static Analysis Metrics
- Vulnerability density (vulnerabilities per KLOC)
- Vulnerabilities by severity: critical, high, medium, low
- Vulnerability types: injection, XSS, race conditions, etc.
- Vulnerability dwell: how long a bug remains in the code after detection.
- Audit coverage: percentage of the code covered by reviews.

Evolution of a Single Project (chart)