Covering CWE with Programming Languages and Tools

Presentation on theme: "Covering CWE with Programming Languages and Tools"— Presentation transcript:

2 Covering CWE with Programming Languages and Tools
Robert Tice, Technical Account Manager

3 What is a CWE?
Formal list of software weakness types:
- Common language
- Standard measuring stick for software security tools
- Baseline for weakness identification, mitigation, and prevention

4 Prevention vs Mitigation
Prevention: entirely absent from the application.
Mitigation: reduced risk, but the weakness may still exist.

5 Universal vs Application Specific
Universal: all software should be free of these vulnerabilities, e.g. buffer overflow. We will talk about these.
Application Specific: dependent on the application, e.g. SQL injection.

6 CWEs Prevented by Ada
These relate to specific features of other languages.
CWE Identifiers                      Note
467, 484                             Only affects C and C++
500                                  Only affects C++ and Java
520, 526                             Only affects .NET languages
8, 9, 487, 555, 574                  Only affects Java
103, 104, 107, 108, 109, 110, 608    Only affects Struts framework

7 CWEs Prevented by Ada
These relate to general problems and constructs of other languages.
CWE Identifiers                          Note
588                                      Unsafe pointer usage
95                                       Unvalidated code in dynamic "eval" context
481, 482                                 Confusion between assignment and comparison
170                                      Improper null termination of strings
228, 229, 233, 237, 240 (and variants)   Parameters missing/extra/confused

8 CWEs Mitigated by Ada (runtime checks)
CWE    Description
120*   Buffer Overflow
123    Write-what-where condition
124    Buffer Underwrite
125    Out-of-bounds read
126    Buffer Over-read
127    Buffer Under-read
128    Wrap-around error
129    Improper validation of array index
130    Improper handling of length parameter
131*   Incorrect calculation of buffer size
136    Type errors
190*   Integer overflow or wrap-around
191    Integer underflow or wrap-around
193    Off-by-one error
194    Unexpected sign extension
197    Numeric truncation error
252    Unchecked return value
253    Incorrect check of function return value
369    Divide-by-zero
476    Null pointer dereference
562    Return of stack variable address
682    Incorrect calculation
786    Access before start of buffer
787    Out-of-bounds write
788    Access after end of buffer
805    Buffer access with incorrect length
824    Uninitialized pointer
* 2011 CWE/SANS Top 25 Most Dangerous Software Errors (

9 CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

C:
    void foo(int* arr, int length) {
        for(int i = 0; i < length; i++) {
            arr[i]++;
        }
    }

    void bar() {
        int myArray[10];
        // init the array
        for(int i = 0; i < 10; i++)
            myArray[i] = 0;
        // or memset(&myArray[0], 0, 10 * sizeof(myArray[0]));
        foo(&myArray[0], 30);   // length 30 for a 10-element array: writes past the end
    }

Ada, with an explicit length parameter:
    type My_Array_Type is array (Natural range <>) of Integer;

    procedure Foo (Arr : in out My_Array_Type; Len : Natural) is
    begin
       for I in 1 .. Len loop
          Arr (I) := Arr (I) + 1;
       end loop;
    end Foo;

    procedure Bar is
       My_Array : My_Array_Type ( ) := (others => 0);   -- index range not captured in the transcript
    begin
       Foo (Arr => My_Array, Len => 30);
    end Bar;

Ada, iterating over the array's own range:
    type My_Array_Type is array (Natural range <>) of Integer;

    procedure Foo (Arr : in out My_Array_Type) is
    begin
       for I in Arr'Range loop
          Arr (I) := Arr (I) + 1;
       end loop;
    end Foo;

    procedure Bar is
       My_Array : My_Array_Type ( ) := (others => 0);   -- index range not captured in the transcript
    begin
       -- no accidental length computation
       -- no accidental buffer overflow because of a typo
       Foo (Arr => My_Array);
    end Bar;

Buffer overflow! In the first Ada version the index check catches it at run time:
    raised CONSTRAINT_ERROR : buffer_overflow.adb:7 index check failed

10 CWE-190: Integer Overflow or Wraparound

C:
    #include <stdint.h>

    volatile uint32_t myRegister;

    int waitForFlag() {
        int counter = 0;
        while(myRegister == 0) {
            counter++;   // wraps silently once counter reaches INT_MAX
        }
        return counter;
    }

Ada:
    My_Register : Integer;
    pragma Volatile (My_Register);

    function Wait_For_Flag return Integer is
       Counter : Integer := 0;
    begin
       while My_Register = 0 loop
          Counter := Counter + 1;
       end loop;
       return Counter;
    end Wait_For_Flag;

Integer overflow! In Ada the overflow check catches it at run time:
    raised CONSTRAINT_ERROR : integer_overflow.adb:9 overflow check failed
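As an added example that is not part of the slides, here are the C counterparts of the two Ada runtime checks above (index check for CWE-120, overflow check for CWE-190), written as explicit checks whose result the caller must handle. The `sim_register` type and `read_register` helper are constructed stand-ins for the volatile hardware register so the code runs offline.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* CWE-120 counterpart of the Ada index check: increment len elements of
 * arr, but only when the request fits. cap is the real capacity, which
 * the Ada version gets from Arr'Range. Writes nothing and returns false
 * if len > cap, the condition CodePeer states as "Len <= Arr'Last". */
bool foo_checked(int *arr, size_t cap, size_t len)
{
    if (arr == NULL || len > cap) {
        return false;           /* would write past the end of arr */
    }
    for (size_t i = 0; i < len; i++) {
        arr[i]++;
    }
    return true;
}

/* Constructed stand-in for the volatile hardware register, so the
 * example runs offline: reads as 0 for zero_reads polls, then as 1. */
typedef struct {
    uint64_t zero_reads;
    uint64_t reads_so_far;
} sim_register;

static uint32_t read_register(sim_register *r)
{
    r->reads_so_far++;
    return r->reads_so_far > r->zero_reads ? 1u : 0u;
}

/* CWE-190 counterpart of the Ada overflow check: count polls until the
 * register is set, but return -1 instead of wrapping the 32-bit counter.
 * counter_start lets a caller begin near INT32_MAX so the limit can be
 * reached without two billion polls. */
int64_t wait_for_flag_checked(sim_register *reg, int32_t counter_start)
{
    int32_t counter = counter_start;
    while (read_register(reg) == 0) {
        int32_t next;
        if (__builtin_add_overflow(counter, 1, &next)) {
            return -1;          /* Ada raises CONSTRAINT_ERROR here */
        }
        counter = next;
    }
    return counter;
}
```

`__builtin_add_overflow` is the GCC/Clang builtin; on other compilers the same check is `counter == INT32_MAX` before the increment.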

11 Static Mitigation CWE-120: Classic Buffer Overflow
    procedure Main is
       type My_Array_Type is array (Natural range <>) of Integer;

       procedure Foo (Arr : in out My_Array_Type; Len : Natural) is
       begin
          for I in 1 .. Len loop
             Arr (I) := Arr (I) + 1;
          end loop;
       end Foo;

       procedure Bar is
          My_Array : My_Array_Type ( ) := (others => 0);   -- index range not captured in the transcript
       begin
          Foo (Arr => My_Array, Len => 30);
       end Bar;
    begin
       Bar;
    end Main;

CodePeer Results:
    buffer_overflow.adb:18:7: high: precondition (array index check [CWE 120]) failure on call to main.foo: requires Len = 0 or Len <= Arr'Last

12 Static Mitigation CWE-190: Integer Overflow
    procedure Main is
       My_Register : Integer := 0;
       pragma Volatile (My_Register);

       function Wait_For_Flag return Integer is
          Counter : Integer := 0;
       begin
          while My_Register = 0 loop
             Counter := Counter + 1;
          end loop;
          return Counter;
       end Wait_For_Flag;

       Ret : Integer;
    begin
       Ret := Wait_For_Flag;
    end Main;

CodePeer Results:
    integer_overflow.adb:10:32: low: overflow check [CWE 190] might fail: requires Counter <= Integer_32'Last-1

13 CWEs Mitigated with CodePeer
CWEs mitigated by Ada (the runtime-check list on slide 8): 120*, 123, 124, 125, 126, 127, 128, 129, 130, 131*, 136, 190*, 191, 193, 194, 197, 252, 253, 369, 476, 562, 682, 786, 787, 788, 805, 824
… plus these!
CWE    Description
137    Representation errors
362    Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
366    Race Condition within a Thread
457    Use of Uninitialized Variable
561    Dead Code
563    Assignment to Variable without Use
570    Expression is always false
571    Expression is always true
820    Missing synchronization
821    Incorrect synchronization
835    Loop with unreachable exit

14 Static Mitigation CWE-457: Use of Uninitialized Variable
    with Ada.Text_IO; use Ada.Text_IO;

    procedure Main is
       Global : Integer;

       procedure Init_Global is
       begin
          Global := 0;
       end Init_Global;
    begin
       Init_Global;
       Global := Global + 5;
       Put_Line (Global'Img);
    end Main;

CodePeer Results:
    uninit_var.adb:17:15: high: validity check [CWE 457]: Global is uninitialized here

15 How many CWE violations will CodePeer find?
    with Ada.Text_IO; use Ada.Text_IO;

    procedure Main is
       Flag    : Boolean := False;
       Counter : Integer;
    begin
       loop
          if Flag then
             Put_Line ("Exiting...");
             exit;
          else
             Counter := Counter + 1;
             Put_Line ("Loop #" & Counter'Img);
          end if;
       end loop;
    end Main;

CodePeer Results:
    unreachable_exit.adb:11:12: medium warning: loop does not complete normally [CWE 835]
    unreachable_exit.adb:11:12: low warning: test always false [CWE 570] because Flag = false
    unreachable_exit.adb:12:13: medium warning: dead code [CWE 561] because Flag = false
    unreachable_exit.adb:15:24: low: validity check [CWE 457]: Counter might be uninitialized
    unreachable_exit.adb:15:32: low: overflow check [CWE 190] might fail: requires Counter <= Integer_32'Last-1

16 CWEs Mitigated with SPARK Pro
CWEs mitigated by Ada (slide 8): 120*, 123, 124, 125, 126, 127, 128, 129, 130, 131*, 136, 190*, 191, 193, 194, 197, 252, 253, 369, 476, 562, 682, 786, 787, 788, 805, 824
CWEs mitigated with CodePeer (slide 13): 137, 362, 366, 457, 561, 563, 570, 571, 820, 821, 835
… plus these!
CWE    Description
188    Reliance on data layout
466    Return of pointer value outside expected range
468    Incorrect pointer scaling
469    Use of pointer subtraction to determine size
822    Untrusted pointer access
823    Out-of-range pointer offset
825    Expired pointer dereference

17 Restricting to Prevent
    pragma Restrictions (Restriction_Identifier)

Restriction Identifier      CWEs Prevented
No_Allocators               122, 244, 415, 416, 467, 590, 761
No_Tasking                  362, 364, 366, 432, 479, 543, 558, 567, 572, 585, 662, 663, 820, 821, 828, 831, 833
No_Recursion                674
No_Exceptions               248, 396, 397, 460, 584, 600
No_Exception_Handlers       396, 584
No_Finalization             568, 583, 586
No_Streams                  499
No_Unchecked_Conversion     197, 588, 704, 843
No_Wide_Characters          135, 176
No_Dependence               676*
* 2011 CWE/SANS Top 25 Most Dangerous Software Errors (

18 Reduce risk! Use Ada, SPARK, & CodePeer
MITRE-recognized CWE-compatible products!
