Presentation is loading. Please wait.

Presentation is loading. Please wait.

Static Analysis for Security

Published bySamantha Peterson Modified over 11 years ago

Similar presentations

Presentation on theme: "Static Analysis for Security"— Presentation transcript:

1 Static Analysis for Security
POSTECH Laboratory for UNIX Security (PLUS) Kwang Yul Seo

2 Static Analysis for Security
Detecting security problems through source code (or binary) Identifying many common coding problems automatically

3 Dynamic vs Static Static tools examine the text of a program statically, without attempting to execute it Source code Binary E.g., Java Bytecode Dynamic Poor testability: due to hard-to-reach states, unusual circumstances

4 Manual vs Automatic Manual Automatic Time cosuming Auditor dependent
Fast Easy to use

5 Pitfalls Aim for good, not perfect Require human evaluation
Check a fixed set of patterns, or rules in the code Require human evaluation Priority, supression Undecideable Rice’s theorem: every non-trivial problem-> halting problem False negatives <-> False positives

6 Example of Static Analysis: grep
Grep can be a static analysis tool for security $ grep gets * Cannot differntiate comments, declarations, defintions… (1) gets(&buf); (2) /* never ever call gets */ (3) int begetsNextChild = 0; Lexical analysis is required!

7 Lexical Analysis Tools
ITS4 FlawFinder( RATS( Matt Bishop & Mike Dilger’s TOCTOU(time-of-check time-of-use) check tool Preprocess and tokenize the source files, and then match the result token stream against a library of vulnerable constructs

8 Lexical Analysis Tool: Pitfalls
No semantic checks! Many false positives Must borrow compiler technologies E.g., AST (Abstract Syntax Tree) Data-flow analysis

9 Analysis Scopes Local analysis Module-level analysis
One function at a time Module-level analysis One class/or compilation unit Global(interprocedural) analysis Entire program More context is better, but computation grows so fast!

10 Tool Tradeoffs Sound vs unsound Flexible(General) vs special-purpose
General tools are able to read definitions of bugs and apply them

11 Example: Boon Integer range analysis However, Bool is imprcise
Catch bugs indexing an array outside its bounds in C However, Bool is imprcise Ignores statement order Can’t model interprocedural dependencies Ignores pointer aliasing

12 Example: CQual Inspired by Perl’s taint mode
Detects format string vulnerabilities in C programs Use type qualifiers to perform a taint analysis Annotate a few variables as tainted/untainted Use type inference rules to propagate the qualifiers The system can check format string bugs by type checking

13 Example: xg++ Use template-driven compiler extension to find kernel vulnerabilities in Linux/OpenBSD Looks for locations where kernel uses data from untrusted source without checking it first E.g., A user can cause the kernel to allocate memory and not free it A user can cause the kernel to deadlock

14 Example: Eau Claire Use a theorem-prover to create a general specification-checking framework for C programs Find common security bugs Buffer overflows File access race conditions Format string bugs Developers can use specifications to verify that a function implementations behave as expected

15 Example: MOPS Model-checking approach to look for violations of temporal safety properties Developer can model their own safety properties Privilege management errors Incorrect construction of chroot jails File access race conditions Ill-conceived temporary file schemes

16 Example: Splint Extends lint concept into security realm
By adding annotations, find Abstraction violations Unannounced modifications to global variables Possible use-before-initialization Reason about minimum and maximum array bounds accesses if it is provided with function pre and post conditions

17 Example: Other tools ESP, a large-scale property verification approach
Model checkers such as SLAM and BLAST Use predicate abstraction to examine program safety properties FindBugs, a lightweight checker with a good reputation for unearthing common errors in Java programs

18 Further Requirements Easy to use even for non-security people
Easy to apply regularly

19 Revised Software Development Life Cycle

20 References Static Analysis for Security by Gary McGraw

Download ppt "Static Analysis for Security"

Similar presentations

Symbol Table.

Symbol Table.
Fachbereich Informatik SVS – Sicherheit in Verteilten Systemen Universität Hamburg Preventing Buffer Overflows (and more) An overview of scientific approaches.

Fachbereich Informatik SVS – Sicherheit in Verteilten Systemen Universität Hamburg Preventing Buffer Overflows (and more) An overview of scientific approaches.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
1 Mooly Sagiv and Greta Yorsh School of Computer Science Tel-Aviv University Modern Compiler Design.

1 Mooly Sagiv and Greta Yorsh School of Computer Science Tel-Aviv University Modern Compiler Design.
CS7100 (Prasad)L16-7AG1 Attribute Grammars Attribute Grammar is a Framework for specifying semantics and enables Modular specification.

CS7100 (Prasad)L16-7AG1 Attribute Grammars Attribute Grammar is a Framework for specifying semantics and enables Modular specification.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Background for “KISS: Keep It Simple and Sequential” cs264 Ras Bodik spring 2005.

Background for “KISS: Keep It Simple and Sequential” cs264 Ras Bodik spring 2005.
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
Automated creation of verification models for C-programs Yury Yusupov Saint-Petersburg State Polytechnic University The Second Spring Young Researchers.

Automated creation of verification models for C-programs Yury Yusupov Saint-Petersburg State Polytechnic University The Second Spring Young Researchers.
Static Analysis of the VoteHere VHTi Reference Implementation Using Flawfinder and RATS Markus Dale December 2005.

Static Analysis of the VoteHere VHTi Reference Implementation Using Flawfinder and RATS Markus Dale December 2005.
TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.

TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.
CIS 101: Computer Programming and Problem Solving Lecture 8 Usman Roshan Department of Computer Science NJIT.

CIS 101: Computer Programming and Problem Solving Lecture 8 Usman Roshan Department of Computer Science NJIT.
ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.

ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.
Reasons to study concepts of PL

Reasons to study concepts of PL
Checking System Rules Using System-Specific, Programmer- Written Compiler Extensions Dawson Engler, Benjamin Chelf, Andy Chow, Seth Hallem Computer Systems.

Checking System Rules Using System-Specific, Programmer- Written Compiler Extensions Dawson Engler, Benjamin Chelf, Andy Chow, Seth Hallem Computer Systems.
Houdini: An Annotation Assistant for ESC/Java Cormac Flanagan and K. Rustan M. Leino Compaq Systems Research Center.

Houdini: An Annotation Assistant for ESC/Java Cormac Flanagan and K. Rustan M. Leino Compaq Systems Research Center.
Chapter 3 Program translation1 Chapt. 3 Language Translation Syntax and Semantics Translation phases Formal translation models.

Chapter 3 Program translation1 Chapt. 3 Language Translation Syntax and Semantics Translation phases Formal translation models.
1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.

1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.
Static Analysis for Security Amir Bazine Per Rehnberg.

Static Analysis for Security Amir Bazine Per Rehnberg.
Language Evaluation Criteria

Language Evaluation Criteria

Similar presentations

Ads by Google