• No results found

Software security assessment based on static analysis

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Software security assessment based on static analysis"

Copied!
22
0
0

Loading.... (view fulltext now)

Download now ( 22 Page )

Full text

(1)

Software security assessment

based on static analysis

Christèle Faure

Séminaire SSI et méthodes formelles

Réalisé dans le projet Baccarat cofinancé par

l’union européenne

(2)

Sa fe R ive r/Sé minaire S S I/ 201 1

Context

> 200 static tools for security at source code level

Many programming languages: C, C++, Java, Ada, Perl, Python, PHP, Javascript …

A wide range of underlying technologies: from grep to abstract interpretation

Main security issues:

• Identification of “dangerous” function calls • Textual analysis from data base

• Identification of dangerous patterns • Pattern matching from data base

• Detection of non conformances to design and coding rules • Data and control flows

(3)

Sa fe R ive r/Sé minaire S S I/ 201 1

Illustration of underlying techniques

Problem: Identify calls to fscanf and their impact on security

Code example

(123) fscanf (file,format,precious);

(124) If (cond){compute1(precious, result1);} (125) {compute2(precious, result2);}

Results

Textual analysis line 123

Pattern matching INPUT(file), FORMAT(format)

(4)

Sa fe R ive r/Sé minaire S S I/ 201 1

Identification of dangerous calls

RATS, (ITS4 dead), Flawfinder, Pscan

Flawfinder log extract

Flawfinder version 1.27, (C) 2001-2004 David A. Wheeler. Number of dangerous functions in C/C++ ruleset: 160

Examining test.c Examining test2.c

test.c:32: [5] (buffer) gets:

Does not check for buffer overflows. Use fgets() instead.

(5)

Sa fe R ive r/Sé minaire S S I/ 201 1

Identification of dangerous patterns

McCabe IQ

• Microsoft SDL banned Function calls • Analysis kernel

• Function call relationships connecting

•Attack surface: input routines •Attack target: banned functions

• Complexity measures

Klocwork

• CWE software weaknesses • Analysis kernel

• Dataflow Analysis on the Control Flow Graph to monitor data objects creation, modification, use and deletion

• Symbolic Logic to remove any path that cannot be executed at runtime • Accurate Bug Identification and Vulnerability Analysis

(6)

Sa fe R ive r/Sé minaire S S I/ 201 1

McCabe IQ

Complexity and presence of dangerous function calls

(7)

Sa fe R ive r/Sé minaire S S I/ 201 1

Detection of non conformances

IBM Rational AppScan (Ounce Security analyst )

• Web flaws (OWAST Top 10)

• PCI Data Security Standards, ISO 17799, ISO 27001, Basel II, SB 1386,

PABP (Payment Application Best Practices).

• Analysis kernel • String analyses

• Hybrid analysis: automatic correlation of static and dynamic results

HP Fortify SCA

• Gary Mac Graw seven kingdoms • Analysis kernel

• Semantic analyzer detects use of vulnerable functions • Data flow analyzer tracks tainted input

(8)

Sa fe R ive r/Sé minaire S S I/ 201 1

Detection or proof of absence of errors

Class of errors Example of

errors Tools

Concurrency Deadlock, data

race conditions Fluid tools, RacerX, Warlock Memory Memory leak,

buffer overrun

Clousot, Sparrow, C Global

Surveyor, BoundsChecker, Code Advisor, Coverity

Runtime Non initialize variable,

division by 0

Astrée, PolySpace, Frama-C, Inspector, Lintplus

Numerical Cancellation Fluctuat

(9)

Sa fe R ive r/Sé minaire S S I/ 201 1

Detection or proof of absence of errors (cont.)

Constraints Assertion failure Astrée, PolySpace, Frama-C

Execution time Worst case

execution time Ait WCET Clones Cut and paste not

well used Bauhaus, CCFinderX, Clone Doctor, AntiCutandPaste 64 –bit Not portable

constructs 32 to 64 bits

Viva64

Dangerous

calls Format string … Vulncheck (gcc option) Protocol Secrecy properties CSur

(10)

Sa fe R ive r/Sé minaire S S I/ 201 1

Synthesis

Most security tools

Combine several methods

• Pattern matching and control flow • Static analysis and complexity

• Static analysis and dynamic analysis (test)

Tools based on abstract interpretation

Use one technique

Prove the absence of

• Targeted errors (memory errors) • Roots of security flaws

(11)

Sa fe R ive r/Sé minaire S S I/ 201 1

Approach

Development of a new tool

Enable users to

Define security objectives

Analyze exploitability of security flaws

Perform “depth on demand” analysis

Techniques

Combine techniques from syntactic to abstract interpretation

• Data and control flow analysis • Value analysis

(12)

Sa fe R ive r/Sé minaire S S I/ 201 1

Features

Detection of common weaknesses

• CWE including complex (race conditions, ToCToU] • OWASP

Analysis of user defined filtering and protection means

Verification of user defined security policies

• Access policies

• Flow control policies

Detection of covert/side channels

(13)

Sa fe R ive r/Sé minaire S S I/ 201 1

Carto-C tool

Software security audit

Input:

Security objective (security policy)

Piece of software (source code)

Output:

Arguments to show

Insecurity w.r.t. the objective: problems found

Security w.r.t. the objective

(14)

Sa fe R ive r/Sé minaire S S I/ 201 1

Use cases (1)

Audit objective: Valid attack surface

Tool knowledge

• Elements of the attack surface are IO functions, C library functions

User provided input:

• Source code

• Specification of constraints on the attack surface

• Overall size

• Absence of some calls

Output:

• Actual attack surface

(15)

Sa fe R ive r/Sé minaire S S I/ 201 1

Use case (2)

Objective: Absence of information leak

User provided input:

• Source code

• List of asset names

Output:

• Accesses to assets (read / write) • Impact of assets on output

(16)

Sa fe R ive r/Sé minaire S S I/ 201 1

Use case (3)

Objective: Correctness of asset protections

User provided input:

• Source code

• List of asset names

• List of asset protection functions

Output:

• Accesses to assets (read / write)

• Location of call to protections on the source code

• Presence/absence of protections on computational flows • List of unprotected assets

(17)

Sa fe R ive r/Sé minaire S S I/ 201 1

Use case (4)

Objective: Correctness of input/output filtering

User provided input:

• Source code

• List of IO filtering functions (sanitization)

Output:

• List of input/output channels

• Location of filtering functions on the source code • Presence/absence of filtering on computational flows

• Input: between input and use

• Output: between definition and output

(18)

Sa fe R ive r/Sé minaire S S I/ 201 1

Example Inputs

Source code : User provided input :

0: x=getc(fic1); 1: gets(line); 2: system(line); 3: fscanf(fic2,format,precious); 4: y=compute(decrypt(precious),x); 5: z=makefullcomputation(x,y); 6: printf(z); Asset (precious) Protection(precious,In, decrypt) Filter(system,In, filter_command)

(19)

Sa fe R ive r/Sé minaire S S I/ 201 1

Exemple Output (1)

Map Channel Asset

0 IN(getc) fic1 1 IN(gets) keyboard 2 OUT(system) 3 IN(fscanf) Occurrence(precious) fic2 precious 4 Occurrence(precious) Occurrence(decrypt) precious decrypt 5 6 OUT(printf) environment

(20)

Sa fe R ive r/Sé minaire S S I/ 201 1

Example output (2)

fic1 (0) fic2 (3) keybd (2)

x Z y precious line envt Error initial graph Protection(precious,In,decode) Protection(system,In,filter_command) decrypt system

(21)

Sa fe R ive r/Sé minaire S S I/ 201 1

Underlying technologies

Data-flow, control-flow, abstract interpretation

Exploration of the source code

Computation of IO interfaces

Search for occurrences of declared assets

Search for protections

Dependencies computation

Inter-procedural

Aliasing

(22)

Sa fe R ive r/Sé minaire S S I/ 201 1

Conclusions

Carto-C: first implementation over Frama-C

Need for C++, Java languages

Coupling with

• Dynamic analysis (FLOID)

• Binary/bytecode analysis (Binsec)

Open to new collaborations

References

Download now ( PDF - 22 Page - 189.73 KB )

Related documents

RISK MANAGEMENT AT HERITAGE SITES A CASE STUDY OF THE PETRA WORLD HERITAGE SITE

The aim of Risk Management at Heritage Sites: A Case Study of the Petra World Heritage Site is to outline how to design a risk management methodology that will enable the systematic

Robust hovering and trajectory tracking control of a quadrotor helicopter using acceleration feedback and a novel disturbance observer

7 Robust Hovering and Trajectory Tracking Control of the Quadro- tor Helicopter Using a Novel Disturbance Observer 55 7.1 Position Control Utilizing Acceleration Based

Australia Life Insurance Program Activity

The AULI Program Steering Committee has set up several major initiatives independent of day-to-day standards maintenance responsibilities and the working groups activities

MEDIATOOLS is a family of integrated components that provides a seamless media planning environment for advertisers and advertising agencies.

And because it shares the same robust central database and security model, MEDIATOOLS WEB ACCESS offers the same accurate, real-time reporting that has made

Leaf-litter overyielding in a forest biodiversity experiment in subtropical China

We investigated the relationship between tree species richness and litter production in a large-scale forest bio- diversity experiment set up in subtropical China. These

LIST OF CONTENTS AND TABLES

In spite of most alcoholic drinks categories, such as spirits and wine, also having an important component of imported products, they did not register price increases as severe as

Better Buildings Residential Network Workforce/Business Partners Peer Exchange Call Series: Contractor-Funded Incentives

 Program is implementing a loan fee – and letting contractors know how this will directly benefit them (funding for direct marketing services,. sales

Lithology, dynamism and volcanic successions at Melka Kunture (Upper Awash, Ethiopia)

In thin section (Fig. 30), the base of sample 9912 is micro-con- glomeratic, mostly made of feldspathic elements in an abundant matrix (a sludge of heterometric minerals), with a