Static Analysis for Security A Case Study in the Automation of Code Auditing
Static Analysis for Security: A Case Study in the Automation of Code Auditing
Omer Tripp
November 9th, 2009
Agenda
• Motivation
• Solution space
• Security violations
• Taint analysis
• Demo
• Conclusion
Some Statistics
• Average number of bugs per KLOC is 15 [1]
• Developers find 6 defects per hour in code reviews [2]
Some Math
• There are 30 MLOC in eBay's codebase
  – ~45K bugs
  – ~7.5K hours to find
• There are 50 MLOC in Windows Server 2003
  – ~75K bugs
  – ~12.5K hours to find
Some More Statistics
• Heavy-weight static-analysis techniques process ~1K LOC per second
• Light-weight static-analysis techniques process ~5K LOC per second
• Human reviewers can only (effectively) digest 300 LOC per hour = 0.2 LOC per second [3]
Bottom Line
• Manual auditing is problematic:
  – Too costly!
  – Doesn't fit into the SDLC
  – Results are influenced by subjective considerations
• Sometimes it's also impossible:
  – 3rd-party component packaged as a binary
  – Human auditing leaks IP
  – No in-house experts
What Can Automation Do?
• Wide range of applications, including:
  – Run-time errors (e.g., NPE, unhandled exceptions, etc.)
  – Security analysis
  – Performance analysis
  – Liveness properties
  – Synchronization problems
  – Quality issues
  – Refactoring
  – …
Static-analysis Tools
Dynamic-analysis Tools
Software Security
• Integrity
  – Untrusted inputs flowing into security-sensitive areas
• Confidentiality
  – Private information flowing into public areas
• DoS
  – Overwhelming the system
  – Causing crashes
Exemplary Integrity Violations
• Cross-site scripting (XSS)
• SQL injection (SQLi)
Exemplary Confidentiality Violations
• Error leakage
• Insufficient anonymity
Denial of Service
• Classic DoS/DDoS
• Through an integrity problem
Code Examples

XSS (untrusted query-string parameter reaches the rendered page):

```csharp
public partial class Customize : System.Web.UI.Page {
    …
    protected void Page_Load(object sender, System.EventArgs e) {
        …
        // Source: attacker-controlled request parameter
        string langParam = Request.QueryString["lang"];
        …
        if (langParam != "") {
            lang = langParam;
        }
        …
        // Sink: the tainted value is written into the page unencoded
        langLabel.Text = lang;
        …
    }
    …
}
```

SQLi (untrusted cookie value is concatenated into a query):

```csharp
public partial class Transfer : System.Web.UI.Page {
    …
    protected void Page_Load(object sender, System.EventArgs e) {
        …
        // Source: attacker-controlled cookie value
        string thisUser = Request.Cookies["amUserId"].Value;
        GetAccounts(thisUser);
        …
    }
    …
    private void GetAccounts(string userId) {
        …
        // Sink: string concatenation builds the SQL statement from tainted input
        string query = "SELECT accountid, acct_type From accounts WHERE userid = " + userId;
        …
        myAccount = new OleDbDataAdapter(query, myConnection);
        …
    }
    …
}
```
Taint Analysis
• The problem of finding flows from unchecked/poorly checked inputs to security-sensitive operations
• Can be solved as a graph-reachability problem
• Captures the vast majority of integrity/confidentiality problems
Bird's-eye View
• Build an index of all relevant entities (type hierarchy, methods, etc.)
• Represent the program as a call graph
• Track control and data flow on top of the call graph
• Solve a reachability problem on top of the propagation graph (modulo some enhancements)
Taint Analysis Based on Program Slicing [4,5]
• Run the following algorithm:
  – Use the statements defining untrusted inputs as the slicing criterion
  – Find the set S of all statements that are (control-) and data-flow dependent on the slicing criterion
  – For each s in S such that s is a security-sensitive operation, report all flows from statements in the slicing criterion to s
Taint Analysis Based on a Storeless Abstraction
• The abstract state after each statement is the set of tainted access paths:

```java
X x = req.getParameter();    // { x }
Y y = new Y();               // { x }
y.f = x;                     // { x, y.f }
Z z = y.f;                   // { x, y.f, z }
resp.getWriter().write(z);   // sink reached by tainted z
```
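As an added example that is not part of the original slides, the Python sketch below implements the propagation step from the Bird's-eye View and slicing slides over the storeless abstraction shown above: the state after each statement is the set of tainted access paths, and every sink reached by a tainted path is reported together with the statement indices of the flow, as the slicing slide asks. The statement kinds, the `sanitize` case and the no-aliasing (strong-update) assumption are my own simplifications.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Stmt:
    kind: str      # "source" | "new" | "store" | "load" | "sanitize" | "sink"
    lhs: str = ""  # access path written, e.g. "x" or "y.f"
    rhs: str = ""  # access path read, e.g. "x" or "y.f"


def step(state: Dict[str, tuple], i: int, s: Stmt) -> Dict[str, tuple]:
    """Transfer function over the storeless abstraction: the state maps each
    tainted access path to the flow (statement indices) that tainted it.
    Assumes distinct variables never alias, so every write is a strong update."""
    out = dict(state)
    if s.kind == "source":             # x = req.getParameter(): x is tainted
        out[s.lhs] = (i,)
    elif s.kind == "new":              # y = new Y(): y and y.* are fresh and clean
        for p in list(out):
            if p == s.lhs or p.startswith(s.lhs + "."):
                del out[p]
    elif s.kind in ("store", "load"):  # y.f = x; z = y.f: lhs tainted iff rhs is
        out.pop(s.lhs, None)
        if s.rhs in out:
            out[s.lhs] = out[s.rhs] + (i,)
    elif s.kind == "sanitize":         # lhs = encode(rhs): result treated as clean
        out.pop(s.lhs, None)
    return out


def analyze(prog: List[Stmt]):
    """Returns the tainted-path set after each statement and one finding per
    sink reached by a tainted value: (sink index, flow from the source)."""
    state: Dict[str, tuple] = {}
    states, findings = [], []
    for i, s in enumerate(prog):
        if s.kind == "sink" and s.rhs in state:
            findings.append((i, state[s.rhs] + (i,)))
        state = step(state, i, s)
        states.append(frozenset(state))
    return states, findings


# Constructed input: the five statements from the storeless-abstraction slide.
SLIDE_PROGRAM = [
    Stmt("source", lhs="x"),            # X x = req.getParameter();
    Stmt("new", lhs="y"),               # Y y = new Y();
    Stmt("store", lhs="y.f", rhs="x"),  # y.f = x;
    Stmt("load", lhs="z", rhs="y.f"),   # Z z = y.f;
    Stmt("sink", rhs="z"),              # resp.getWriter().write(z);
]
```

Running `analyze(SLIDE_PROGRAM)` reproduces the four taint sets on the slide and reports the flow through statements 0, 2, 3 and 4; inserting a `sanitize` statement before the sink makes the finding disappear.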
Challenges
• The infamous precision-scalability tradeoff
• External resources
  – Configuration files
  – Framework-specific configurations
• Beyond graph reachability…
• SDLC-induced use cases
Precision versus Scalability
• Modular analysis
• Demand-driven strategies
External Resources
• Synthetic models
• Sometimes ignorance is bliss…
Beyond Graph Reachability
• PQL [6]
• String analysis [7]
SDLC-induced Use Cases
• Incremental analysis
• Parallelization on multi-core build servers
DEMO
The Remaining 8 Yards
• Instead of killing n birds with 1 stone, use n stones to kill 1 bird (like humans do)
• How do we catch up with changes in technology?
• How do we tailor the analysis to the needs of different users?
• Useful heuristics often resist formal definition
References
[1] S. McConnell. Code Complete: A Practical Handbook of Software Construction.
[2] W. S. Humphrey. Acquiring Quality Software. CrossTalk, 18-12.
[3] Code Review at Cisco Systems.
[4] O. Tripp et al. TAJ: Effective Taint Analysis of Web Applications.
[5] C. Hammer and G. Snelting. Flow-sensitive, Context-sensitive, and Object-sensitive Information-flow Control Based on Program Dependence Graphs.
[6] B. Livshits and M. Lam. Finding Application Errors and Security Flaws Using PQL: a Program Query Language.
[7] M. Christodorescu et al. String Analysis for x86 Binaries.