Presentation is loading. Please wait.

Presentation is loading. Please wait.

Static Analysis for Security Amir Bazine Per Rehnberg.

Published bySheryl Floyd Modified over 9 years ago

Similar presentations

Presentation on theme: "Static Analysis for Security Amir Bazine Per Rehnberg."— Presentation transcript:

1 Static Analysis for Security Amir Bazine Per Rehnberg

2 Content Background Static Analysis tools Our resarch and tests Test results Conclusion

3 Background Increase of reported vulnerabilities Dynamic analysis not enough Developed new static analysis tools –Ease the auditing process

4 !!!

5 Static analys tools How they work –Brake the code into stream of tokens –Compare with database What they prevent –TOCTTOU, Overflows, bad randomizations, format string attacks, file descriptor leakage… Sort risks Problems

6 Some analysis tools ITS4 RATS Flawfinder Splint –Enhanced lint –Lightweight static analysis –Annotations

7 Splint Example char *strcpy (char *s1, char *s2) /*@requires maxSet(s1) >= maxRead(s2) @*/ /*@ensures maxRead(s1) == maxRead (s2) @*/

8 Survey Our survey was about finding out how static analysis tools works and what they can do.

9 Buffer overflow example 13 void add_alias(char *ip, char *hostname, char *alias) { 14 char formatbuffer[256]; 15 FILE *file; 16 17 sprintf(formatbuffer, "%s\t%s\t%s\n", ip, hostname, alias); 18 19 file = fopen(HOSTFILE, "a"); 20 if (file == NULL) { 21 perror("fopen"); 22 exit(EXIT_FAILURE); 23 } 24 25 fprintf(file, formatbuffer); 26 if (fclose(file) != 0) { 27 perror("close"); 28 exit(EXIT_FAILURE); 29 } 30}

10 flawfinder Examining vuln_lab2.c vuln_lab2.c:17: [4] (buffer) sprintf: Does not check for buffer overflows. Use snprintf or vsnprintf. vuln_lab2.c:25: [4] (format) fprintf: If format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. vuln_lab2.c:14: [2] (buffer) char: Statically-sized arrays can be overflowed. Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. ITS4 vuln_lab2.c:25:(Urgent) fprintf Non-constant format strings can often be attacked. Use a constant format string. ---------------- vuln_lab2.c:17:(Very Risky) sprintf This function is high risk for buffer overflows Use snprintf if available, or precision specifiers, if available. Splint vuln_lab2.c: (in function add_alias) vuln_lab2.c:17:3: Buffer overflow possible with sprintf. Recommend using snprintf instead: sprintf Use of function that may lead to buffer overflow. (Use – bufferoverflow high to inhibit warning) RATS Analyzing vuln_lab2.c vuln_lab2.c:14: High: fixed size local buffer Extra care should be taken to ensure that character arrays that are allocated on the stack are used safely. They are prime targets for buffer overflow attacks. vuln_lab2.c:17: High: sprintf Check to be sure that the format string passed as argument 2 to this function call does not come from an untrusted source that could have added formatting characters that the code is not prepared to handle. Additionally, the format string could contain `%s' without precision that could result in a buffer overflow. vuln_lab2.c:25: High: fprintf Check to be sure that the non-constant format string passed as argument 2 to this function call does not come from an untrusted source that could have added formatting characters that the code is not prepared to handle. Result

11 Format string example 5int main(int argc,char **argv) { 6char buf[256]; 7snprintf(buf,sizeof buf,argv[1]); 8}

12 Splint Finished checking --- no warnings ITS4 fs1.c:7:(Urgent) snprintf Non-constant format strings can often be attacked. Use a constant format string. RATS fs1.c:6: High: fixed size local buffer Extra care should be taken to ensure that character arrays that are allocated on the stack are used safely. They are prime targets for buffer overflow attacks. flawfinder fs1.c:7: [4] (format) snprintf: If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0- terminate. Use a constant for the format specification. fs1.c:6: [2] (buffer) char: Statically-sized arrays can be overflowed. Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. Result

13 Integer overflow example 1int my_string_copy(char *dest, const char *src, int len) 2{ 3 if (len > MAX_LENGTH) 4 return -1; 5 6 memcpy(dest, src, len); 7 8 return len; 9}

14 Result ITS4 -- no warnings RATS -- no warnings Flawfinder my_func.c:6: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination. Make sure destination can always hold the source data. Splint my_func.c:6:21: Function memcpy expects arg 3 to be size_t gets int: len To allow arbitrary integral types to match long unsigned

15 Limitations of the tools Predefined vulnerability database Can’t handle pre-processing statements Generates much false positivies Doesn’t do any deeper analysis

16 Conclusions These tools gives you a starting point for performing manual security audits You have to do a deeper manual audit by our self They are simple and one can achieve they same result with common source navigation tools

17 Our recommendations Check the warnings that your compiler gives you! Use static/dynamic tools to check your source code for flaws Do manual security audits!

18 Questions?

Download ppt "Static Analysis for Security Amir Bazine Per Rehnberg."

Similar presentations

Static Analysis for Security

Static Analysis for Security
Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Introduction to C Programming

Introduction to C Programming
A C++ Crash Course Part II UW Association for Computing Machinery Questions & Feedback.

A C++ Crash Course Part II UW Association for Computing Machinery Questions & Feedback.
Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.

Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.
C Characters & Strings Character Review Character Handling Library Initialization String Conversion Functions String Handling Library Standard Input/Output.

C Characters & Strings Character Review Character Handling Library Initialization String Conversion Functions String Handling Library Standard Input/Output.
1 Chapter 10 Strings and Pointers. 2 Introduction  String Constant  Example: printf(“Hello”); “Hello” : a string constant oA string constant is a series.

1 Chapter 10 Strings and Pointers. 2 Introduction  String Constant  Example: printf(“Hello”); “Hello” : a string constant oA string constant is a series.
Character String Manipulation. Overview Character string functions sscanf() function sprintf() function.

Character String Manipulation. Overview Character string functions sscanf() function sprintf() function.
Character String Manipulation. Overview Character string functions sscanf() function snprintf() function.

Character String Manipulation. Overview Character string functions sscanf() function snprintf() function.
Lecture 20 Arrays and Strings

Lecture 20 Arrays and Strings
What is a pointer? First of all, it is a variable, just like other variables you studied So it has type, storage etc. Difference: it can only store the.

What is a pointer? First of all, it is a variable, just like other variables you studied So it has type, storage etc. Difference: it can only store the.
The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko.

The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko.
Strings CS240 Dick Steflik. What is a string A null terminated array of characters: char thisIsAString[10]; 0 1 2 3 4 5 6 7 8 9 \0 The “\0” (null character)

Strings CS240 Dick Steflik. What is a string A null terminated array of characters: char thisIsAString[10]; \0 The “\0” (null character)
Current Assignments Homework 5 will be available tomorrow and is due on Sunday. Arrays and Pointers Project 2 due tonight by midnight. Exam 2 on Monday.

Current Assignments Homework 5 will be available tomorrow and is due on Sunday. Arrays and Pointers Project 2 due tonight by midnight. Exam 2 on Monday.
CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson

CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.

Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.
6/10/2015C++ for Java Programmers1 Pointers and References Timothy Budd.

6/10/2015C++ for Java Programmers1 Pointers and References Timothy Budd.
Stack buffer overflow http://en.wikipedia.org/wiki/Stack_buffer_overflow.

Stack buffer overflow

Similar presentations

Ads by Google