Static Analysis Techniques For Testing Application Security - Houston Tech Fest 
Tags: security, static analysis, net, dynamic analysis, pmd, application security, software security
Published:  December 07, 2009
Notes:
 
Slide 1: Static Analysis Techniques for Testing Application Security
Houston TechFest, January 24, 2009
Dan Cornell – dan@denimgroup.com

Slide 2: Agenda
• What is Application Security?
• What is Static Analysis?
  – Static versus Dynamic
  – Overview
• Different Approaches
• Examples of Static Analysis Tools
  – FindBugs (Java)
  – PMD (Java)
  – FxCop (.NET)
  – XSSDetect (.NET)
• Process Implications
• Questions

Slide 3: What is Application Security?
• Ensuring that applications behave as expected under the entire range of possible inputs
• Really a subset of software correctness/QA, however…
• More typically focused on what an application is NOT supposed to do rather than what it IS supposed to do

Slide 4: Software Implementation – Perfect World
(Diagram: Actual Functionality coincides with Intended Functionality.)

Slide 5: Software Implementation – Real World
(Venn diagram of Actual Functionality versus Intended Functionality, with regions labelled Built Features, Bugs, and Unintended and Undocumented Functionality.)

Slide 6: How Not To Do It
Q: What are you all doing to address application security concerns in your organization?
A: We bought "XYZ Scanner".
Q: Okay… Are you actually using it?
A: We ran some scans.
Q: And how did that go?
A: Oh, we found some stuff…
Q: How did you address those issues?
A: I think we sent the report to the developers. Not sure what they did with them. I guess I ought to check in on that…

Slide 7: What is Static Analysis?
• Analyzing software artifacts in order to gain information about the software
  – Source code
  – Binaries
  – Configuration files
• Analyzing software "at rest"
• Also called "white box testing" and "source code review"
• PLEASE NOTE: Unless otherwise discussed, Static Analysis will refer to Static Analysis performed by an automated tool

Slide 8: Dynamic Analysis
• Examining running software to see how it behaves under different stimuli
  – Analyzing request and response patterns
  – Checking remotely-detectable configuration settings

Slide 9: Which to Use?
• Static Analysis
  – Advantages
  – Disadvantages
• Dynamic Analysis
  – Advantages
  – Disadvantages
• Actually Making a Decision

Slide 10: Static Analysis Advantages
• Have access to the actual instructions the software will be executing
  – No need to guess or interpret behavior
  – Full access to all of the software's possible behaviors

Slide 11: Static Analysis Disadvantages
• Requires access to source code or at least binary code
  – Typically need access to enough software artifacts to execute a build
• Typically requires proficiency running software builds
• Will not find issues related to operational deployment environments

Slide 12: Dynamic Analysis Advantages
• Only requires a running system to perform a test
• No requirement to have access to source code or binary code
• No need to understand how to write software or execute builds
  – Tools tend to be more "fire and forget"
• Tests a specific, operational deployment
  – Can find infrastructure, configuration and patch errors that Static Analysis tools will miss

Slide 13: Dynamic Analysis Disadvantages
• Limited scope of what can be found
  – Application must be footprinted to find the test area
  – That can cause areas to be missed
  – You can only test what you have found
• No access to the actual instructions being executed
  – The tool is exercising the application
  – Pattern matching on requests and responses

Slide 14: Dynamic, Static and Manual Testing
(Diagram only.)

Slide 15: Actually Making a Decision
• No access to source or binaries? Dynamic
• Not a software developer, don't understand software builds? Dynamic
• Performing a "pen test" or other test of an operational environment? Dynamic
• None of the previous problems? Static
• Really want to do the job right? Both (and then some…)

Slide 16: Actually Making a Decision
• In our experience:
• Information Security practitioners are more comfortable with the Dynamic Analysis tools
  – Analog to scanners such as Nessus or ISS
• Software Development practitioners are comfortable with both Static and Dynamic Analysis tools, but can get the most value out of Static Analysis tools
  – More complete view of the software
  – Integration with IDEs is a plus
• Understand that there are things that tools can find, and things tools can't find. Running a tool doesn't make you "secure"

Slide 17: Overview
• General Approach
• Source or Binary?

Slide 18: General Approach
(Diagram only.)

Slide 19: Source or Binary?
• Access to source typically provides more information to the analysis tool than only having access to the binaries
• Advantages of binaries:
  – More commonly available
  – Cover binaries that are generated dynamically (based on a database schema, etc.) and have no source to analyze

Slide 20: Source or Binary – C/C++
• "Vanilla" C can be reasonably easy to decompile, but…
• C++ and C compiled with compiler optimizations can be challenging to decompile sensibly

Slide 21: Source or Binary – Java or .NET
• These environments are pretty easy to decompile
  – "Source" recovery is typically pretty easy
• Most .NET tools actually use binaries and disassemble them into IL
  – Thus they only need one parser to process IL rather than one for every .NET language

Slide 22: Different Approaches
• Increasing the scope of analysis increases the capability of the tool to find potential errors
• As scope increases, tools must either effectively prioritize analysis options or risk having excessive runtimes

Slide 23: Scope and Capability
(Chart: scope of analysis, from Line through Function, Module and Program to System, plotted against capability of the tool; capability rises with scope.)

Slide 24: Line Focus
• Like using "grep" to identify banned or suspect function calls
• This was the approach taken by early tools
• Good way to make a quick pass for potential vulnerabilities
  – Good for targeting manual review
• Challenging to use on large codebases
• The more "signatures" that are included, the higher the noise-to-signal ratio will be
  – Just looking for specific functions

Slide 25: Line Focus Example
• Rule: gets() is BAD
• Input: my_str = gets();
• Result: Flag this line for review
• Pretty basic, but better than nothing

Slide 26: Line Focus: C/C++
• Known "bad" APIs:
  – strcpy()
  – gets()
  – scanf()
  – sprintf()

Slide 27: Line Focus: Java
• SQL injection
  – [Connection].createStatement()
• XSS
  – <%=
• More general parameter tampering:
  – [HttpServletRequest].getParameter()
  – [HttpServletRequest].getParameterValues()
  – [HttpServletRequest].getCookies()
  – [HttpServletRequest].getHeader()

Slide 28: Line Focus: .NET
• SQL Injection:
  – SqlCommand
• XSS
  – <%=
• More general parameter tampering
  – Request[
  – Request.Cookies[
  – Request.Headers[

Slide 29: Two (Crappy) Scripts I Wrote
• dotnetcheck.sh and javacheck.sh
• Implement the checks I mentioned above
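As an added illustration (not the speaker's dotnetcheck.sh or javacheck.sh, which are not reproduced on this page), here is a line-focused checker in Python that encodes the C and Java signatures from slides 26 and 27 and runs them over two constructed snippets. The rule messages, the comment-skipping heuristic and both sample inputs are assumptions of this example.

```python
import re
from typing import List, NamedTuple

# Line-focused checks in the spirit of slides 26-28: one regex per suspect API,
# no parsing, no context. The rule set is an assumption for this example.
RULES = {
    "c": [
        (re.compile(r"\bgets\s*\("), "gets(): unbounded read"),
        (re.compile(r"\bstrcpy\s*\("), "strcpy(): no length check"),
        (re.compile(r"\bsprintf\s*\("), "sprintf(): unbounded write"),
        (re.compile(r"\bscanf\s*\("), "scanf(): %s without a width is unbounded"),
    ],
    "java": [
        (re.compile(r"\.createStatement\s*\("), "createStatement(): possible SQL injection"),
        (re.compile(r"<%="), "JSP expression: possible XSS"),
        (re.compile(r"\.getParameter(Values)?\s*\("), "untrusted request parameter"),
        (re.compile(r"\.getCookies\s*\("), "untrusted cookie"),
        (re.compile(r"\.getHeader\s*\("), "untrusted header"),
    ],
}


class Finding(NamedTuple):
    lineno: int
    message: str
    text: str


def scan(source: str, lang: str) -> List[Finding]:
    """Flag every line that contains a listed signature. Lines that are only a
    comment are skipped; everything else is reported whether or not the call is
    actually reachable from untrusted input (the noise slide 24 warns about)."""
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith(("//", "/*", "*")):
            continue
        for pattern, message in RULES[lang]:
            if pattern.search(line):
                findings.append(Finding(lineno, message, stripped))
    return findings


# Constructed sample inputs for this example (not real project code).
C_SAMPLE = """\
#include <stdio.h>
#include <string.h>
int main(void) {
    char buf[64];
    gets(buf);
    strcpy(buf, "hello");
    fgets(buf, sizeof buf, stdin);   /* bounded: not flagged */
    return 0;
}
"""

JAVA_SAMPLE = """\
String user = req.getParameter("username");
Statement stmt = con.createStatement();
stmt.executeUpdate("INSERT INTO log VALUES ('" + user + "')");
Statement audit = con.createStatement();
audit.execute("DELETE FROM log WHERE ts < NOW() - 30");
PreparedStatement ps = con.prepareStatement("SELECT 1 FROM t WHERE name = ?");
"""

if __name__ == "__main__":
    for lang, sample in (("c", C_SAMPLE), ("java", JAVA_SAMPLE)):
        for f in scan(sample, lang):
            print(f"{lang}:{f.lineno}: {f.message}: {f.text}")
```

The output is a worklist for manual review, not a list of bugs: the second createStatement() in the Java sample runs a constant query and is flagged anyway, while the prepareStatement() line is silently accepted even though nothing checks how its parameters are bound. That is exactly the trade-off of the line-focused approach: every added signature widens the net and raises the noise at the same time.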
Slide 30: Function and Module Focus
• At this point the tool needs to be acting as a compiler
  – Parse into tokens, determine lexical structure
• This allows for much more sophisticated analysis
  – State machines
  – Control flow
  – Data flow

Slide 31: Function and Module Focus Example
• Rule: Memory should only be freed once
• Input:
    void f() {
        my_mem = malloc(256);
        free(my_mem);
        free(my_mem);
    }
• Result:
  – my_mem is marked as allocated
  – my_mem is marked as freed
  – Flag the second call to free(my_mem) as an issue
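An added example, not from the talk: a toy function-scope checker in Python for the rule on slide 31. It recognises statements with regular expressions (an assumption of this example; a real tool works from the compiler's token stream or AST) and runs each pointer through the allocated/freed state machine, so beyond the double free it also reports a use after free and correctly accepts free() of a pointer that was reset to NULL.

```python
import re
from typing import Dict, List, Tuple

# Statement recognisers. Hypothetical simplification: one statement per line,
# straight-line code, no branches or loops.
ALLOC = re.compile(r"(\w+)\s*=\s*(?:malloc|calloc|realloc|strdup)\s*\(")
FREE = re.compile(r"\bfree\s*\(\s*(\w+)\s*\)")
NULLIFY = re.compile(r"(\w+)\s*=\s*NULL\b")


def check_function(body: str) -> List[Tuple[int, str]]:
    """Walk one function body line by line, tracking each pointer's state.

    A pointer becomes 'allocated' at an allocation and 'freed' at free();
    assigning NULL drops it from tracking (free(NULL) is legal in C), and a new
    allocation puts it back to 'allocated'. Returns (line number, message)."""
    state: Dict[str, str] = {}
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(body.splitlines(), 1):
        if (m := ALLOC.search(line)):
            state[m.group(1)] = "allocated"
            continue
        if (m := NULLIFY.search(line)):
            state.pop(m.group(1), None)
            continue
        if (m := FREE.search(line)):
            name = m.group(1)
            if state.get(name) == "freed":
                findings.append((lineno, f"double free of {name}"))
            else:
                state[name] = "freed"
            continue
        # Any other reference to a freed pointer is a use after free.
        for name, st in state.items():
            if st == "freed" and re.search(rf"\b{name}\b", line):
                findings.append((lineno, f"use after free of {name}"))
    return findings


# Constructed inputs for this example: the slide 31 function plus two variants.
DOUBLE_FREE = """\
void f() {
    char *my_mem = malloc(256);
    free(my_mem);
    free(my_mem);
}
"""

SAFE_AFTER_NULL = """\
void g() {
    char *p = malloc(16);
    free(p);
    p = NULL;
    free(p);
}
"""

USE_AFTER_FREE = """\
void h() {
    char *buf = strdup("x");
    free(buf);
    printf("%s", buf);
}
"""

if __name__ == "__main__":
    for name, body in (("f", DOUBLE_FREE), ("g", SAFE_AFTER_NULL), ("h", USE_AFTER_FREE)):
        print(name, check_function(body))
```

The state machine is what separates this from the grep pass on the previous slides: the second free() is only a problem because of what happened on an earlier line, which no single-line signature can see. The same structure extends naturally to file handles, locks and any other resource with an acquire/release protocol.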
Slide 32: Program and System Focus
• Expanding the scope of inquiry allows tools to find more and more subtle flaws
• Also helps avoid false positives

Slide 33: Dataflow and Taint Tracking
• Track dataflows through the system
  – Sources and Sinks
• Attach taint flags to inputs
  – Web parameters and cookies
  – Data read from files
  – Environment variables
  – Data read from databases
  – Data read from web services
• What type of taint?
  – From the network
  – From a configuration setting
  – From a database
  – And so on
• Identify "cleaning" functions

Slide 34: Taint Sources and Sinks for a Web Application
(Diagram only.)

Slide 35: Taint Sources and Sinks for an SUID Root Binary
(Diagram only.)

Slide 36: Program and System Focus Example
• Rule:
  – User-supplied data should never be included in a SQL query without being properly escaped

Slide 37: Program and System Focus Example (continued)
• Input:
    public void doGet(HttpServletRequest req, HttpServletResponse resp) {
        String user = req.getParameter("username");
        logStuff(user, "my_page");
        // Render out HTML…
    }

    private void logStuff(String user, String location) {
        Connection con = getConnection();
        Statement stmt = con.createStatement();
        // Deliberately vulnerable: user is concatenated straight into the SQL
        String sql = "INSERT INTO log (user, location) VALUES ('" + user + "', '" + location + "')";
        stmt.executeUpdate(sql);
    }

Slide 38: Program and System Focus Example (continued)
• Result:
  – Input from the getParameter() call marks the user variable as tainted (Source)
  – The flow of data is traced into the logStuff() method
  – The sql variable is also marked as tainted when it is concatenated with the user parameter
  – executeUpdate() is flagged as a security issue because it received tainted data (Sink)
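An added example, not from the slides and not the algorithm of any tool named in them: a small interprocedural taint tracker in Python run over a hand-built intermediate representation of the slide 37 code. The IR, its statement forms and the taint kind names are assumptions of this example. What it shows is the point of slide 38: the finding comes from following the data from getParameter() across the call into logStuff() and into executeUpdate(), not from the mere presence of createStatement(), and a cleaning function on that path makes the finding go away.

```python
from typing import Dict, List, Set, Tuple

# Tiny three-address-style IR (an assumption of this example). A function is
# (parameter names, statements); each statement is a tuple:
#   ("source",   dst, kind)        dst = untrusted input tagged with a taint kind
#   ("concat",   dst, operands)    dst = op1 + op2 + ...; quoted operands are literals
#   ("sanitize", dst, src)         dst = cleaning function applied to src
#   ("call",     callee, args)     call another function of the program
#   ("sink",     name, arg)        a dangerous API such as executeUpdate(arg)
Program = Dict[str, Tuple[List[str], List[tuple]]]


def analyze(program: Program, entry: str) -> List[str]:
    """Propagate taint from `entry` through calls; one message per sink that
    receives tainted data, including the call path that carried it."""
    findings: List[str] = []
    _walk(program, entry, {}, [entry], findings)
    return findings


def _walk(program: Program, func: str, incoming: Dict[str, Set[str]],
          path: List[str], findings: List[str]) -> None:
    if path.count(func) > 1:          # crude guard against recursive call chains
        return
    _params, body = program[func]
    env: Dict[str, Set[str]] = dict(incoming)   # local name -> set of taint kinds
    for stmt in body:
        op = stmt[0]
        if op == "source":
            env[stmt[1]] = {stmt[2]}
        elif op == "concat":
            # A concatenation carries every taint kind of every operand.
            env[stmt[1]] = set().union(*(env.get(o, set()) for o in stmt[2]))
        elif op == "sanitize":
            env[stmt[1]] = set()      # the cleaning function strips the taint
        elif op == "call":
            callee = stmt[1]
            # Bind caller arguments to callee parameters and descend.
            bound = {p: env.get(a, set()) for p, a in zip(program[callee][0], stmt[2])}
            _walk(program, callee, bound, path + [callee], findings)
        elif op == "sink":
            kinds = env.get(stmt[2], set())
            if kinds:
                findings.append(
                    f"{stmt[1]}({stmt[2]}) in {func} receives {sorted(kinds)} "
                    f"data via {' -> '.join(path)}")


# The slide 37 servlet, hand-translated into the IR (constructed for this example).
SLIDE37: Program = {
    "doGet": (["req", "resp"], [
        ("source", "user", "network"),                 # req.getParameter("username")
        ("call", "logStuff", ["user", "'my_page'"]),
    ]),
    "logStuff": (["user", "location"], [
        ("concat", "sql", ["'INSERT INTO log (user, location) VALUES ('",
                           "user", "', '", "location", "')'"]),
        ("sink", "executeUpdate", "sql"),
    ]),
}

# Same program with a hypothetical SQL escaping function applied to `user`
# before the concatenation.
SLIDE37_FIXED: Program = {
    "doGet": SLIDE37["doGet"],
    "logStuff": (["user", "location"], [
        ("sanitize", "user", "user"),
        ("concat", "sql", ["'INSERT INTO log (user, location) VALUES ('",
                           "user", "', '", "location", "')'"]),
        ("sink", "executeUpdate", "sql"),
    ]),
}

if __name__ == "__main__":
    print(analyze(SLIDE37, "doGet"))        # one finding, with the path doGet -> logStuff
    print(analyze(SLIDE37_FIXED, "doGet"))  # []
```

Two practical caveats follow directly from the code. First, a sanitizer only clears taint if the tool knows it is a sanitizer, and for the right sink: HTML encoding does nothing for a SQL sink, so a real rule set pairs each cleaning function with the sinks it protects rather than blanking every flag as this toy does. Second, the literal "'my_page'" argument stays clean because it never came from a source; replacing it with a value read from a configuration file would add a second taint kind ("configuration" on slide 33) and surface in the same finding.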
Slide 39: Examples of Static Analysis Tools
• FindBugs (Java)
• PMD (Java)
• FxCop (.NET)
• XSSDetect (.NET)

Slide 40: FindBugs (Java)
• Java-based static analysis tool
• LGPL-licensed
• Originally developed by Dr. Bill Pugh of the University of Maryland
• Intended to find correctness issues; also identifies some security issues
• findbugs.sourceforge.net

Slide 41: PMD (Java)
• Java-based static analysis tool
• BSD-licensed
• Lead developers are David Dixon-Peugh and Tom Copeland
• Intended to find correctness and complexity issues; also finds some security issues
• pmd.sourceforge.net

Slide 42: FxCop (.NET)
• Microsoft-provided tool for .NET static analysis
• Freely available
• Enforces coding standards (variable naming, etc.)
• Similar to FindBugs in its security capabilities
• www.gotdotnet.com/Team/FxCop/

Slide 43: XSSDetect (.NET)
• Microsoft-provided tool for .NET static analysis
• Freely available (BETA!)
• Performs data flow analysis to identify Cross Site Scripting (XSS) defects
  – blogs.msdn.com/ace_team/archive/2007/10/22/xssdetect-public-beta-now-available.aspx
• Based on the Microsoft Research Phoenix framework
  – For software analysis and optimization
  – research.microsoft.com/phoenix/

Slide 44: Limitations
• Static Analysis tools are a starting point for code review, not a complete solution
• Static Analysis tools (like all automated tools) do not understand what your application is supposed to do
  – Out-of-the-box rules are for general classes of security defects
  – Applications can still have issues with authorization and other trust issues
  – Cover only about half of all security defects (Dr. Gary McGraw's estimate); the rest are design flaws that bug-finding tools do not see
• False positives can be time consuming to address
• Solutions?
  – Custom rules can help to add some application-specific context

Slide 45: Process Implications
• Static Analysis tools can provide tremendous benefits
• It is easier to start a new project using a tool than to impose one on an existing system
• I have found that using a Static Analysis tool while developing helps to improve my coding skills
  – Immediate feedback when mistakes are made
  – Learn more about language and platform internals

Slide 46: Process Implications: Questions
• Who is going to run the tool?
• When is the tool going to be run?
• What will be done with the results?
• Until you can answer these questions, you should not assume that a Static Analysis tool will help you improve security

Slide 47: OWASP Open Review Project
• Provides automated static analysis services to Open Source projects
• Also manual source code review
• Based on technology made available by Fortify Software
• Languages:
  – PHP and Java supported online
  – Other platforms (.NET, C/C++) supported by contributors who are also Fortify SCA licensees
• Currently working with:
  – Many OWASP Tools projects
  – Moodle
  – AntiSamy.NET
• http://www.owasp.org/index.php/Category:OWASP_Open_Review_Project

Slide 48: Additional Resources
• Book: Secure Programming With Static Analysis (Brian Chess and Jacob West)
• Blog: Microsoft Code Analysis and Code Metrics Team Blog
  – blogs.msdn.com/fxcop/
• Website: FindBugs publications page
  – findbugs.sourceforge.net/publications.html
• Various commercial vendors…

Slide 49: Questions
Dan Cornell – dan@denimgroup.com
(210) 572-4400
Website: www.denimgroup.com
Blog: denimgroup.typepad.com
