Presentation is loading. Please wait.

Presentation is loading. Please wait.

Omer Tripp November 9 th, 2009 Static Analysis for Security A Case Study in the Automation of Code Auditing.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Omer Tripp November 9 th, 2009 Static Analysis for Security A Case Study in the Automation of Code Auditing."— Presentation transcript:

1 Omer Tripp November 9 th, 2009 Static Analysis for Security A Case Study in the Automation of Code Auditing

2 Agenda Motivation Solution space Security violations Taint analysis Demo Conclusion

3 Average number of bugs per KLOC is 15 [1] Developers find 6 defects per hour in code reviews [2] Some Statistics

4 There are 30 MLOC in e-Bay’s codebase –~45K bugs –~7.5K hours to find There are 50 MLOC in Windows Server 2003 –~75K bugs –~12.5K hours for find Some Math

5 Heavy-weight static-analysis techniques process ~1K LOC per second Light-weight static-analysis techniques process ~5K LOC per second Human reviewers can only (effectively) digest 300 LOC per hour = 0.2 LOC per second [3] Some More Statistics

6 Manual auditing is problematic: –Too costly! –Doesn’t fit into SDLC –Results influenced by subjective considerations Sometimes it’s also impossible: –3 rd -party component packaged as binary –Human auditing leaks IP –No in-house experts Bottom Line

7 Wide range of applications, including: –Run-time errors (e.g., NPE, unhandled exceptions, etc…) –Security analysis –Performance analysis –Liveness properties –Synchronization problems –Quality issues –Refactoring –… What Can Automation Do?

8 Static-analysis Tools

9 Dynamic-analysis Tools

10 Integrity –Untrusted inputs flowing into security- sensitive areas Confidentiality –Private information flowing into public areas DoS –Overwhelming the system –Causing crashes Software Security

11 Cross-site Scripting SQL injection (SQLi) Exemplary Integrity Violations

12 Error leakage Insufficient anonymity Exemplary Confidentiality Violations

13 Classic DoS/DDoS Through an integrity problem Denial of Service

14 Code Examples public partial class Customize : System.Web.UI.Page { … protected void Page_Load(object sender, System.EventArgs e) { protected void Page_Load(object sender, System.EventArgs e) { … string langParam = Request.QueryString["lang"]; string langParam = Request.QueryString["lang"]; … if (langParam != "") { lang = langParam; } if (langParam != "") { lang = langParam; } … langLabel.Text = lang; langLabel.Text = lang; … } … } public partial class Transfer : System.Web.UI.Page { … protected void Page_Load(object sender, System.EventArgs e) { protected void Page_Load(object sender, System.EventArgs e) { … string thisUser = Request.Cookies["amUserId"].Value; string thisUser = Request.Cookies["amUserId"].Value; GetAccounts(thisUser); GetAccounts(thisUser); … } … } … private void GetAccounts(string userId) { private void GetAccounts(string userId) { … string query ="SELECT accountid, acct_type From accounts string query ="SELECT accountid, acct_type From accounts WHERE userid = " + userId; WHERE userid = " + userId; … myAccount = new OleDbDataAdapter(query, myConnection); myAccount = new OleDbDataAdapter(query, myConnection); … } … } XSS SQLi

15 The problem of finding flows from unchecked/poorly checked inputs to security-sensitive operations Can be solved as graph-reachability problem Captures vast majority of integrity/confidentiality problems Taint Analysis

16 Build index of all relevant entities (type hierarchy, methods, etc…) Represent the program as a call graph Track control and data flow on top of the call graph Solve a reachability problem on top of the propagation graph (modulo some enhancements) Bird’s-eye View

17 Run the following algorithm: –Use statements defining untrusted inputs as slicing criterion –Find the set S of all statements that are (control-) and data-flow dependent on the slicing criterion –For each s in S such that s is a security- sensitive operation, report all flows from statements in the slicing criterion to s Taint Analysis Based on Program Slicing [4,5]

18 Taint Analysis Based on a Storeless Abstraction X x = req.getParameter(); Y y = new Y(); y.f = x; Z z = y.f; resp.getWriter().write(z); { x } { x } { x, y.f } { x, y.f, z }

19 Challenges The infamous precision-scalability tradeoff External resources –Configuration files –Framework-specific configurations Beyond graph reachability… SDLC-induced use cases

20 Precision versus Scalability Modular analysis Demand-driven strategies

21 External Resources Synthetic models Sometimes ignorance is a bliss…

22 Beyond Graph Reachability PQL [6] String analysis [7]

23 SDLC-induced Use Cases Incremental analysis Parallelization on multi-core build servers

24 DEMO

25 The Remaining 8 Yards Instead of killing n birds with 1 stone, use n stones to kill 1 bird (like humans) How do we catch up with changes in technology? How to tailor the analysis to the needs of different users? Useful heuristics often resilient to formal definition

26 S. McConnell. [1] S. McConnell. Code Complete: A Practical Handbook of Software Construction W. S. Humphrey. [2]W. S. Humphrey. Acquiring Quality Software in CrossTalk,18-12 [3]Code Review at Cisco Systems O. Tripp et al.. [4]O. Tripp et al.. TAJ: Effective Taint Analysis of Web Applications C. Hammer and G. Snelting. [5]C. Hammer and G. Snelting. Flow-sensitive, Context-sensitive, and Object- sensitive Information-flow Control Based on Program Dependence Graphs [6]B. Livshits and M. Lam. Finding Application Errors and Security Flaws Using PQL: a Program Query Language M. Christodorescu et al.. [7]M. Christodorescu et al..String Analysis for X86 Binaries References

Download ppt "Omer Tripp November 9 th, 2009 Static Analysis for Security A Case Study in the Automation of Code Auditing."

Similar presentations

Runtime Prevention & Recovery Protect existing applications Advantages: Prevents vulnerabilities from doing harm Safe mode for Web application execution.

Runtime Prevention & Recovery Protect existing applications Advantages: Prevents vulnerabilities from doing harm Safe mode for Web application execution.
Type-based Taint Analysis for Java Web Applications Wei Huang, Yao Dong and Ana Milanova Rensselaer Polytechnic Institute 1.

Type-based Taint Analysis for Java Web Applications Wei Huang, Yao Dong and Ana Milanova Rensselaer Polytechnic Institute 1.
The OWASP Foundation OWASP OWASP Conference 2008 Application Security – The code analysis way Maty Siman CTO Checkmarx.

The OWASP Foundation OWASP OWASP Conference 2008 Application Security – The code analysis way Maty Siman CTO Checkmarx.
Introduction to JAVA Vijayan Sugumaran School of Business Administration Oakland University Rochester, MI 48309.

Introduction to JAVA Vijayan Sugumaran School of Business Administration Oakland University Rochester, MI
Metrics for Process and Projects

Metrics for Process and Projects
Cloud Computing Part #3 Zigmunds Buliņš, Mg. sc. ing 1.

Cloud Computing Part #3 Zigmunds Buliņš, Mg. sc. ing 1.
Learning Objectives Explain similarities and differences among algorithms, programs, and heuristic solutions List the five essential properties of an algorithm.

Learning Objectives Explain similarities and differences among algorithms, programs, and heuristic solutions List the five essential properties of an algorithm.
Static code check – Klocwork

Static code check – Klocwork
Finding Security Errors in Java Applications Using Lightweight Static Analysis Benjamin Livshits Computer Science Lab Stanford University.

Finding Security Errors in Java Applications Using Lightweight Static Analysis Benjamin Livshits Computer Science Lab Stanford University.
Building Enterprise Applications Using Visual Studio ®.NET Enterprise Architect.

Building Enterprise Applications Using Visual Studio ®.NET Enterprise Architect.
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
SOFTWARE SECURITY JORINA VAN MALSEN 1 FLAX: Systematic Discovery of Client-Side Validation Vulnerabilities in Rich Web Applications.

SOFTWARE SECURITY JORINA VAN MALSEN 1 FLAX: Systematic Discovery of Client-Side Validation Vulnerabilities in Rich Web Applications.
Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Gary Wassermann Zhendong Su.

Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Gary Wassermann Zhendong Su.
ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.

ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.
1 Enforcing Confidentiality in Low-level Programs Andrew Myers Cornell University.

1 Enforcing Confidentiality in Low-level Programs Andrew Myers Cornell University.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Houdini: An Annotation Assistant for ESC/Java Cormac Flanagan and K. Rustan M. Leino Compaq Systems Research Center.

Houdini: An Annotation Assistant for ESC/Java Cormac Flanagan and K. Rustan M. Leino Compaq Systems Research Center.
Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?

Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?
Validating High-Level Synthesis Sudipta Kundu, Sorin Lerner, Rajesh Gupta Department of Computer Science and Engineering, University of California, San.

Validating High-Level Synthesis Sudipta Kundu, Sorin Lerner, Rajesh Gupta Department of Computer Science and Engineering, University of California, San.
Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.

Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.

Similar presentations

Ads by Google