
1 Copyright © Coverity, Inc. 2006. All Rights Reserved. This publication, in whole or in part, may not be reproduced, stored in a computerized, or other retrieval system or transmitted in any form, or by any means whatsoever without the prior written permission of Coverity, Inc.

Methods of increasing source code security automatically
Ben Chelf, CTO

2 Coverity Confidential: Do not distribute

10,000 foot view

Inputs: PHP code, C code, Java code, C++ code
  -> MAGIC STATIC ANALYSIS BOX ->
Output: security vulnerabilities

Inside the box: dataflow analysis, pointer alias analysis, abstract interpretation, model checking, flow-sensitive and flow-insensitive analysis, context-sensitive and context-insensitive analysis, interprocedural and intraprocedural analysis, constraint solving

3 What to look for?

    {
        strcpy(dest, src);
    }

4 What to look for?

    {
        char src[100];
        char dest[50];
        strcpy(dest, src);
    }

5 What to look for?

    {
        char src[50];
        char dest[50];
        strcpy(dest, src);
    }

6 What to look for?

    {
        char src[50];
        char dest[50];
        src[sizeof(dest) - 1] = 0;
        strcpy(dest, src);
    }
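Slides 3 to 6 make the point that the same strcpy() call is undecidable, a definite overflow, a possible overflow or safe depending on facts established earlier in the function. The following toy checker, added here as an illustration and not part of the talk or of any Coverity product, walks those four bodies in program order and tracks two facts per buffer (declared size, and a proven upper bound on strlen() once a NUL has been stored). It only understands the three statement forms the slides use; the regexes, verdict names and the SLIDES table are assumptions of this example. Visiting statements in order is what makes it flow-sensitive: the same truncation placed after the copy does not rescue it.

```python
import re

# The tiny C subset that appears on slides 3-6, one regex per statement
# form.  Statements are matched after the trailing ';' has been removed.
DECL = re.compile(r"^char\s+(\w+)\[(\d+)\]$")
TRUNC = re.compile(r"^(\w+)\[sizeof\((\w+)\)\s*-\s*1\]\s*=\s*0$")
STRCPY = re.compile(r"^strcpy\((\w+),\s*(\w+)\)$")

# Verdicts for a strcpy(dest, src) call (names chosen for this example).
UNKNOWN = "unknown"             # buffer sizes are not visible in this function
OVERFLOW = "overflow"           # src can hold more than dest
POSSIBLE = "possible overflow"  # fits only if src is NUL-terminated, not proven
SAFE = "safe"                   # strlen(src) is proven to fit in dest


def check_strcpy(body):
    """Flow-sensitive, intraprocedural check of each strcpy() in a C body.

    Statements are visited in program order and per-buffer facts are
    updated as they are seen:
      size     declared size of the char array in bytes
      max_len  proven upper bound on strlen(), or None if the contents are
               unknown (the array may not even be NUL-terminated)
    Returns one verdict per strcpy() call, in order.  Statement forms the
    subset does not cover are ignored; that is what makes this a toy.
    """
    facts = {}
    verdicts = []
    for stmt in body.replace("{", "").replace("}", "").split(";"):
        stmt = stmt.strip()
        if not stmt:
            continue
        if m := DECL.match(stmt):
            facts[m.group(1)] = {"size": int(m.group(2)), "max_len": None}
        elif m := TRUNC.match(stmt):
            buf, other = m.groups()
            if buf in facts and other in facts:
                idx = facts[other]["size"] - 1
                # Storing a NUL at buf[idx] proves strlen(buf) <= idx, but
                # only if the store itself lands inside buf.
                if idx < facts[buf]["size"]:
                    facts[buf]["max_len"] = idx
        elif m := STRCPY.match(stmt):
            verdicts.append(_judge(facts, *m.groups()))
    return verdicts


def _judge(facts, dest, src):
    if dest not in facts or src not in facts:
        return UNKNOWN
    room = facts[dest]["size"] - 1          # bytes dest can take before its NUL
    bound = facts[src]["max_len"]
    if bound is not None:
        return SAFE if bound <= room else OVERFLOW
    # No termination guarantee: strlen(src) may run past sizeof(src).
    if facts[src]["size"] - 1 > room:
        return OVERFLOW
    return POSSIBLE


# The four bodies from slides 3-6, as written on the slides.
SLIDES = {
    3: "{ strcpy(dest, src); }",
    4: "{ char src[100]; char dest[50]; strcpy(dest, src); }",
    5: "{ char src[50]; char dest[50]; strcpy(dest, src); }",
    6: "{ char src[50]; char dest[50]; src[sizeof(dest) - 1] = 0; strcpy(dest, src); }",
}

if __name__ == "__main__":
    for n, body in SLIDES.items():
        print(f"slide {n}: {check_strcpy(body)}")
```

The interesting verdict is slide 5: equal sizes are not enough, because nothing proves src holds a NUL, so a real checker has to either find the terminating store (slide 6) or report a possible overflow. A truncation store whose index is itself out of bounds proves nothing and the verdict stays "possible overflow".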

7 The Promise of Static Analysis Tools

Software development process: Design -> Code -> Integrate -> QA -> Release
Static analysis -> bugs, security vulnerabilities

BENEFITS
- Detects problems early in SDLC
- No test cases required
- Points to specific LOC
- Systematic

8-15 Research techniques (not exhaustive)

- Shankar, Talwar, Foster, Wagner (2001)
- Ashcraft, Engler (2002)
- Yang, Kremenek, Xie, Engler (2003)
- Huang, Yu, Hang, Tsai, Lee (2004)
- Livshits and Lam (2005)
- Xie and Aiken (2006)
- Jovanovic, Kruegel, Kirda (2006)
- ...many others

16 Making it work in the real world

Inputs: PHP code, C code, Java code, C++ code

- Build systems
- Parsing code
- Analysis time
- Configuration for the code
- Noise versus false positives
- What to report
- Reviewing the results

17 Evil Tetris

    /*
     * Set times to 0 except for
     * high score on each level.
     */
    for (i = MINLEVEL; i < NLEVELS; i++)
        levelfound[i] = 0;
    for (i = 0, sp = scores; i < nscores; i++, sp++) {
        if (levelfound[sp->hs_level])
            sp->hs_time = 0;
        else {
            sp->hs_time = 1;
            levelfound[sp->hs_level] = 1;
        }
    }

Note the second loop: sp->hs_level, taken from each scores entry, is used directly as an index into levelfound[] without being checked against MINLEVEL and NLEVELS, while the first loop only initializes that range.
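The Tetris loop is the classic shape a taint checker looks for: a value that came from outside the program reaches an array index before any range check. The example below is added here to show that analysis and is not code from the talk or from Coverity. It works on a tiny straight-line IR rather than on C text, so the statement tuples, the MINLEVEL and NLEVELS values, the ARRAYS table and the treatment of the high-score record as untrusted are all assumptions of this example. It tracks, per variable and per path, whether the value is still unbounded, and it also rejects checks whose bounds do not fit the array, so an off-by-one guard is reported rather than trusted.

```python
# Toy taint checker for the "Evil Tetris" pattern: an untrusted value used
# as an array index before it has been range-checked.  The input is a tiny
# straight-line IR rather than C source; each tuple is one statement.
#   ("untrusted", var)              var receives a value from outside the program
#   ("assign", dst, src)            dst = src; taint and any proven interval follow
#   ("range_check", var, lo, hi)    execution continues only if lo <= var < hi
#   ("index", array, var)           array[var] is read or written


def find_bad_indexes(stmts, arrays):
    """Flow-sensitive taint analysis over a straight-line IR.

    `arrays` maps array name -> element count.  For each variable that has
    received untrusted data we track the interval proven for it on this
    path: None means attacker-controlled and unbounded.  Returns a list of
    (statement number, array, variable, reason) for every index whose
    variable is either unchecked or checked against bounds that do not
    fit the array.
    """
    interval = {}       # var -> (lo, hi) or None; absent = never untrusted
    findings = []
    for n, stmt in enumerate(stmts):
        op = stmt[0]
        if op == "untrusted":
            interval[stmt[1]] = None
        elif op == "assign":
            _, dst, src = stmt
            if src in interval:
                interval[dst] = interval[src]
            else:
                interval.pop(dst, None)     # overwritten with trusted data
        elif op == "range_check":
            _, var, lo, hi = stmt
            if var in interval:
                old = interval[var]
                if old is None:
                    interval[var] = (lo, hi)
                else:                       # a second check only narrows
                    interval[var] = (max(old[0], lo), min(old[1], hi))
        elif op == "index":
            _, array, var = stmt
            if var not in interval:
                continue
            rng = interval[var]
            if rng is None:
                findings.append((n, array, var, "unchecked"))
            elif rng[0] < 0 or rng[1] > arrays[array]:
                findings.append((n, array, var, "check too weak"))
        else:
            raise ValueError(f"unknown statement {stmt!r}")
    return findings


# Constants assumed for this example (the real tetris.h values are not on
# the slide): levels run MINLEVEL..NLEVELS-1 and levelfound has NLEVELS slots.
MINLEVEL, NLEVELS = 1, 10
ARRAYS = {"levelfound": NLEVELS}

# Body of the slide's second loop, in the IR.  The high-score record is
# treated as untrusted input; that assumption is what makes this a bug.
EVIL_TETRIS = [
    ("untrusted", "sp->hs_level"),
    ("index", "levelfound", "sp->hs_level"),   # if (levelfound[sp->hs_level])
    ("index", "levelfound", "sp->hs_level"),   # levelfound[sp->hs_level] = 1
]

# The same body with a range check inserted before the first use.
FIXED_TETRIS = [EVIL_TETRIS[0],
                ("range_check", "sp->hs_level", MINLEVEL, NLEVELS)] + EVIL_TETRIS[1:]

# An off-by-one guard that still admits hs_level == NLEVELS.
OFF_BY_ONE_TETRIS = [EVIL_TETRIS[0],
                     ("range_check", "sp->hs_level", MINLEVEL, NLEVELS + 1)] + EVIL_TETRIS[1:]

if __name__ == "__main__":
    for name, body in [("evil", EVIL_TETRIS), ("fixed", FIXED_TETRIS),
                       ("off by one", OFF_BY_ONE_TETRIS)]:
        print(name, find_bad_indexes(body, ARRAYS))
```

Two things carry over to real tools: the check has to precede the use on the path being analysed (a guard placed between the two indexes still leaves the first one reported), and a checker that knows the array bound can tell a correct guard from an off-by-one one, which pure taint tracking cannot.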

18 Do you use X?

    if (getuid() != 0 &&
        geteuid == 0) {
        ErrorF("only root");
        exit(1);
    }

"Since without the parentheses, the code is simply checking to see if the geteuid function in libc was loaded somewhere other than address 0 (which is pretty much guaranteed to be true), it was reporting it was safe to allow risky options for all users, and thus a security hole was born."
- Alan Coopersmith, Sun developer

