Presentation is loading. Please wait.

Presentation is loading. Please wait.

The OWASP Foundation OWASP OWASP Conference 2008 Application Security – The code analysis way Maty Siman CTO Checkmarx.

Published byNancy Byram Modified over 10 years ago

Similar presentations

Presentation on theme: "The OWASP Foundation OWASP OWASP Conference 2008 Application Security – The code analysis way Maty Siman CTO Checkmarx."— Presentation transcript:

1 The OWASP Foundation OWASP http://www.owasp.org OWASP Conference 2008 Application Security – The code analysis way Maty Siman CTO Checkmarx

2 OWASP Agenda  Algorithms and code

3 OWASP Data Flow Graph  Represents the flow of data through code.  Each LOC has its own vertex.  Edge represents direct influence of data in the source vertex on the data in the destination vertex (therefore, assignment statements are source vertexes)

4 OWASP Data Flow Graph (cont.) void main() { int j = 0; int i = 0; while (i < 10){ if (i == 3){ j=j*2; } j = j + i; i = i + 1; } printf ("%d\n", j); printf ("%d,n", i); }

5 OWASP Interprocedure Data Flow Graph Void foo() { int a = calc(1); ++a; int b = calc(2) ++b; } Int calc(int i) { retrurn i*2; }

6 OWASP Interprocedure Data Flow Graph Void foo() { int a = calc(1); ++a; int b = calc(2) ++b; } Int calc(int i) { retrurn i*2; }

7 OWASP Tainted value propagation Can be used for many vulnerabilities: SQL Injection XSS Stored XSS Second Order SQL Injection Log forgery Some types of race condition LDAP Injection Command injection Directory traversal … Input Data influencing on XXXX And not sanitized by YYYY

8 OWASP But … Parameters Data members Static variables Events Global Generics And many many many many many more issues Resolve - Code most compile? Direct Access to the engine?

9 OWASP And again - SQL Injection Parameterized queries SqlConnection con = (acquire connection) con.Open(); SqlCommand cmd = new SqlCommand ("SELECT * FROM users WHERE name = @userName", con) cmd.Parameters.Add("@userName", userName); SqlDataReader rdr = cmd.ExecuteReader()

10 OWASP more SQL Injection What about: data=input() if (isValid(data)) { SqlCommand cmd = new SqlCommand ("SELECT * FROM users WHERE age = “ + data, con) }

11 OWASP Control Dependence Graph  Enhances CFG.  Each LOC has its own vertex  Edge B is directed by edge A iff the execution if B depends on the execution of A

12 OWASP Control Dependence Graph (cont.) void main() { int j = 0; int i = 0; while (i < 10){ if (i == 3){ j=j*2; } j = j + i; i = i + 1; } printf ("%d\n", j); printf ("%d,n", i); }

13 OWASP What is the benefit of super-imposing graphs? bool b = true; if (b) { ExecuteCommand(x); }

14 OWASP Slicing  Finding a relevant subset of the application void main() { int sum = 0; int i = 1; while (i < 11) { sum = sum + i; i = i + 1; } printf (“%d\n”, sum); printf (“%d\n”, i); }

15 OWASP Slicing  Finding a relevant subset of the application void main() { int sum = 0; int i = 1; while (i < 11) { sum = sum + i; i = i + 1; } printf (“%d\n”, sum); printf (“%d\n”, i); }

16 OWASP CDG Start Sum = 0 i = 1 While (i<11)Printf(sum)Printf(i) ++iSum +=i

17 OWASP DFG Sum = 0 i = 1 While (i<11)Printf(sum)Printf(i) ++iSum +=i

18 OWASP (DFG+CDG)’ Sum = 0 i = 1 While (i<11)Printf(sum)Printf(i) ++iSum +=i

19 OWASP (DFG+CDG)’ Sum = 0 i = 1 While (i<11)Printf(sum)Printf(i) ++iSum +=i

20 OWASP Some security string FixSql(string s) { string res = ""; if (...) res =... return res; } void Execute(string s) { ExecuteReader(s); } void foo() { string s1,s2,s3; s1 = Input(); s2 = Input(); s3 = FixSql(s1); Execute(s3); Execute(s2); Execute(s1); s1 = s3; s2 = s1; Execute(s1); }

21 OWASP Some security string FixSql(string s) { string res = ""; if (...) res =... return res; } void Execute(string s) { ExecuteReader(s); } void foo() { string s1,s2,s3; s1 = Input(); s2 = Input(); s3 = FixSql(s1); Execute(s3); Execute(s2); Execute(s1); s1 = s3; s2 = s1; Execute(s1); } Backward slicing

22 OWASP Some security string FixSql(string s) { string res = ""; if (...) res =... return res; } void Execute(string s) { ExecuteReader(s); } void foo() { string s1,s2,s3; s1 = Input(); s2 = Input(); s3 = FixSql(s1); Execute(s3); Execute(s2); Execute(s1); s1 = s3; s2 = s1; Execute(s1); } Backward slicing

23 OWASP Some security string FixSql(string s) { string res = ""; if (...) res =... return res; } void Execute(string s) { ExecuteReader(s); } void foo() { string s1,s2,s3; s1 = Input(); s2 = Input(); s3 = FixSql(s1); Execute(s3); Execute(s2); Execute(s1); s1 = s3; s2 = s1; Execute(s1); } Forward slicing

24 OWASP Some security string FixSql(string s) { string res = ""; if (...) res =... return res; } void Execute(string s) { ExecuteReader(s); } void foo() { string s1,s2,s3; s1 = Input(); s2 = Input(); s3 s3 = FixSql(s1);Execute(s3); Execute(s2); Execute(s1); s1 = s3; s2 = s1; Execute(s1); } Forward slicing

25 OWASP Some security string FixSql(string s) { string res = ""; if (...) res =... return res; } void Execute(string s) { ExecuteReader(s); } void foo() { string s1,s2,s3; s1 = Input(); s2 = Input(); s3 s3 = FixSql(s1);Execute(s3); Execute(s2); Execute(s1); s1 = s3; s2 = s1; Execute(s1); } Chopping on “Execute”

26 OWASP Some security string FixSql(string s) { string res = ""; if (...) res =... return res; } void Execute(string s) { ExecuteReader(s); } void foo() { string s1,s2,s3; s1 = Input(); s2 = Input(); s3 = FixSql(s1);Execute(s3); Execute(s2); Execute(s1); s1 = s3; s2 = s1;Execute(s1); } Chopping on “Execute”

27 OWASP 27 Thank you Maty Siman maty@checkmarx.com OWASP September 2008 Q&A

Download ppt "The OWASP Foundation OWASP OWASP Conference 2008 Application Security – The code analysis way Maty Siman CTO Checkmarx."

Similar presentations

Preventing Web Application Injections with Complementary Character Coding Raymond Mui Phyllis Frankl Polytechnic Institute of NYU Presented at ESORICS.

Preventing Web Application Injections with Complementary Character Coding Raymond Mui Phyllis Frankl Polytechnic Institute of NYU Presented at ESORICS.
1 Storage Duration and Scope –Local and global variables Storage classes –automatic, static, external, register Todays Material.

1 Storage Duration and Scope –Local and global variables Storage classes –automatic, static, external, register Todays Material.
DATAFLOW TESTING DONE BY A.PRIYA, 08CSEE17, II- M.s.c [C.S].

DATAFLOW TESTING DONE BY A.PRIYA, 08CSEE17, II- M.s.c [C.S].
Infosec 2012 | 25/4/12 Application Performance Monitoring Ofer MAOR CTO Infosec 2012.

Infosec 2012 | 25/4/12 Application Performance Monitoring Ofer MAOR CTO Infosec 2012.
Overview Structural Testing Introduction – General Concepts

Overview Structural Testing Introduction – General Concepts
A Survey of Program Slicing Techniques A Survey of Program Slicing Techniques Sections 3.1,3.6 Swathy Shankar 1000808953.

A Survey of Program Slicing Techniques A Survey of Program Slicing Techniques Sections 3.1,3.6 Swathy Shankar
Program Slicing – Based Techniques

Program Slicing – Based Techniques
Flow insensitive pointer analysis: fixed S1: l := new Cons p := l S2: t := new Cons *p := t p := t l p S1 l p tS2 l p S1 t S2 l t S1 p S2 l t S1 p S2 l.

Flow insensitive pointer analysis: fixed S1: l := new Cons p := l S2: t := new Cons *p := t p := t l p S1 l p tS2 l p S1 t S2 l t S1 p S2 l t S1 p S2 l.
 Program Slicing 1001024238 Long Li. Program Slicing ? It is an important way to help developers and maintainers to understand and analyze the structure.

 Program Slicing Long Li. Program Slicing ? It is an important way to help developers and maintainers to understand and analyze the structure.
Program Slicing; Andreas Linder eXtreme Programming lab course 2004.

Program Slicing; Andreas Linder eXtreme Programming lab course 2004.
1 Program Slicing Purvi Patel. 2 Contents Introduction What is program slicing? Principle of dependences Variants of program slicing Slicing classifications.

1 Program Slicing Purvi Patel. 2 Contents Introduction What is program slicing? Principle of dependences Variants of program slicing Slicing classifications.
CS590F Software Reliability What is a slice? S: …. = f (v)  Slice of v at S is the set of statements involved in computing v’s value at S. [Mark Weiser,

CS590F Software Reliability What is a slice? S: …. = f (v)  Slice of v at S is the set of statements involved in computing v’s value at S. [Mark Weiser,
The Application of Graph Criteria: Source Code  It is usually defined with the control flow graph (CFG)  Node coverage is used to execute every statement.

The Application of Graph Criteria: Source Code  It is usually defined with the control flow graph (CFG)  Node coverage is used to execute every statement.
1 Integrating Influence Mechanisms into Impact Analysis for Increased Precision Ben Breech Lori Pollock Mike Tegtmeyer University of Delaware Army Research.

1 Integrating Influence Mechanisms into Impact Analysis for Increased Precision Ben Breech Lori Pollock Mike Tegtmeyer University of Delaware Army Research.
(Page 554 – 564) Ping Perez CS 147 Summer 2001 Alternative Parallel Architectures  Dataflow  Systolic arrays  Neural networks.

(Page 554 – 564) Ping Perez CS 147 Summer 2001 Alternative Parallel Architectures  Dataflow  Systolic arrays  Neural networks.
In C# program Before you can start using the ODBC class definitions, you will need to include the right module. using System.Data.Odbc; // ODBC definitions.

In C# program Before you can start using the ODBC class definitions, you will need to include the right module. using System.Data.Odbc; // ODBC definitions.
The OWASP Foundation Injection Flaws.

The OWASP Foundation Injection Flaws.
Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities Nenad Jovanovic, Christopher Kruegel, Engin Kirda Secure Systems Lab Vienna.

Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities Nenad Jovanovic, Christopher Kruegel, Engin Kirda Secure Systems Lab Vienna.
ADO.NET A2 Teacher Up skilling LECTURE 3. What’s to come today? ADO.NET What is ADO.NET? ADO.NET Objects SqlConnection SqlCommand SqlDataReader DataSet.

ADO.NET A2 Teacher Up skilling LECTURE 3. What’s to come today? ADO.NET What is ADO.NET? ADO.NET Objects SqlConnection SqlCommand SqlDataReader DataSet.
1 A Static Analysis Approach for Automatically Generating Test Cases for Web Applications Presented by: Beverly Leung Fahim Rahman.

1 A Static Analysis Approach for Automatically Generating Test Cases for Web Applications Presented by: Beverly Leung Fahim Rahman.

Similar presentations

Ads by Google