security testinghomepage.tudelft.nl/j9y2d/sast-website.pdf · 4 agenda for today • part i –...
Post on 27-Jan-2021
3 Views
Preview:
TRANSCRIPT
-
1
Security TestingChecking for what shouldn’t happen
Azqa NadeemPhD Student @ Cyber Security Group
The Cyber Security lecture series
-
2
Agenda for today
• Part I
– Latest security news
– Security vulnerabilities in Java
– Types of Security testing
• SAST vs. DAST
• Part II
– SAST under the hood
• Pattern Matching
• Control Flow Analysis
• Data Flow Analysis
– SAST Tools performance
-
3
Announcements
• Assignment 2 – Security module
• Exam questions
-
4
Agenda for today
• Part I
– Latest security news
– Security vulnerabilities in Java
– Types of Security testing
• SAST vs. DAST
• Part II
– SAST under the hood
• Pattern Matching
• Control Flow Analysis
• Data Flow Analysis
– SAST Tools performance
-
5
Software testing
vs.
Security testing
-
6
Impact – Stolen chats
https://ivan.barreraoro.com.ar/signal-desktop-html-tag-injection/
https://ivan.barreraoro.com.ar/signal-desktop-html-tag-injection/
-
7
Impact – Stolen chats
https://ivan.barreraoro.com.ar/signal-desktop-html-tag-injection/
https://ivan.barreraoro.com.ar/signal-desktop-html-tag-injection/
-
8
Impact – Github down
https://thehackernews.com/2018/03/biggest-ddos-attack-github.html
https://thehackernews.com/2018/03/biggest-ddos-attack-github.html
-
9
Impact – Github down
https://thehackernews.com/2018/03/biggest-ddos-attack-github.html
Caused by misconfigured Memcached
servers
https://thehackernews.com/2018/03/biggest-ddos-attack-github.html
-
10
Is Java Secure?
• Secure from memory corruption
• … but not completely
• Potential targets
– Java Virtual Machine
– Libraries in native code
https://w3techs.com/technologies/details/pl-java/all/all
https://w3techs.com/technologies/details/pl-java/all/all
-
11
Vulnerability databases
• OWASP Top Ten project
– Awareness document
– Web application security
• NIST National Vulnerability Database
– U.S govt. repository
– General security flaws
-
12
JRE vulnerabilities
https://www.cvedetails.com/product/19116/Oracle-JDK.html?vendor_id=93
https://www.cvedetails.com/product/19116/Oracle-JDK.html?vendor_id=93
-
13
JRE vulnerabilities
https://www.cvedetails.com/product/19116/Oracle-JDK.html?vendor_id=93
https://www.cvedetails.com/product/19116/Oracle-JDK.html?vendor_id=93
-
14
Some Examples
-
15
What’s wrong?
-
16
Code Injection vulnerability
• Execute code in unauthorized applications
• Victim to Update Attack
-
17
Code Injection vulnerability
• Execute code in unauthorized applications
• Victim to Update Attack
-
18
Code Injection vulnerability
• Execute code in unauthorized applications
• Victim to Update Attack
-
19
Code Injection vulnerability
• Execute code in unauthorized applications
• Victim to Update Attack
-
20
Code Injection vulnerability
• Execute code in unauthorized applications
• Victim to Update Attack
-
21
Code Injection vulnerability
• Execute code in unauthorized applications
• Victim to Update Attack
-
22
Code Injection vulnerability
• Execute code in unauthorized applications
• Victim to Update Attack
• Top vulnerability in OWASP Top 10
-
23
Code Injection vulnerability
• Execute code in unauthorized applications
• Victim to Update Attack
• Top vulnerability in OWASP Top 10
• Tricky to fix
– Stop adding plugins
– Limit privileges
-
24
Type confusion vulnerability
https://www.thezdi.com/blog/2018/4/25/when-java-throws-you-a-lemon-make-limenade-sandbox-escape-by-type-confusion
https://www.thezdi.com/blog/2018/4/25/when-java-throws-you-a-lemon-make-limenade-sandbox-escape-by-type-confusion
-
25
Type confusion vulnerability
https://www.thezdi.com/blog/2018/4/25/when-java-throws-you-a-lemon-make-limenade-sandbox-escape-by-type-confusion
https://www.thezdi.com/blog/2018/4/25/when-java-throws-you-a-lemon-make-limenade-sandbox-escape-by-type-confusion
-
26
Bypassing Java Security Manager
• Exploit Type confusion vulnerability
https://access.redhat.com/security/cve/cve-2014-3558
https://access.redhat.com/security/cve/cve-2014-3558
-
27
Bypassing Java Security Manager
• Exploit Type confusion vulnerability
https://access.redhat.com/security/cve/cve-2014-3558
Java
Security
Manager
https://access.redhat.com/security/cve/cve-2014-3558
-
28
Bypassing Java Security Manager
• Exploit Type confusion vulnerability
https://access.redhat.com/security/cve/cve-2014-3558
Java
Security
Manager
https://access.redhat.com/security/cve/cve-2014-3558
-
29
Bypassing Java Security Manager
• Exploit Type confusion vulnerability
• Escalated privileges
https://access.redhat.com/security/cve/cve-2014-3558
Java
Security
Manager
https://access.redhat.com/security/cve/cve-2014-3558
-
30
Bypassing Java Security Manager
• Exploit Type confusion vulnerability
• Escalated privileges
https://access.redhat.com/security/cve/cve-2014-3558
Java
Security
Manager
https://access.redhat.com/security/cve/cve-2014-3558
-
31
Bypassing Java Security Manager
• Exploit Type confusion vulnerability
• Escalated privileges
– Set JSM to null
https://access.redhat.com/security/cve/cve-2014-3558
Java
Security
Manager
https://access.redhat.com/security/cve/cve-2014-3558
-
32
Bypassing Java Security Manager
• Vulnerable: Hibernate → Reflection helper
• Exploit Type confusion vulnerability
• Escalated privileges
– Set JSM to null
https://access.redhat.com/security/cve/cve-2014-3558
Java
Security
Manager
https://access.redhat.com/security/cve/cve-2014-3558
-
33
Arbitrary Code Execution (ACE)
• Vulnerable: XStream → Converts XML to Object
• Deserialization vulnerability
https://access.redhat.com/security/cve/cve-2013-7285
https://access.redhat.com/security/cve/cve-2013-7285
-
34
Arbitrary Code Execution (ACE)
• Vulnerable: XStream → Converts XML to Object
• Deserialization vulnerability
https://access.redhat.com/security/cve/cve-2013-7285
https://access.redhat.com/security/cve/cve-2013-7285
-
35
Arbitrary Code Execution (ACE)
• Vulnerable: XStream → Converts XML to Object
• Deserialization vulnerability
https://access.redhat.com/security/cve/cve-2013-7285
https://access.redhat.com/security/cve/cve-2013-7285
-
36
Arbitrary Code Execution (ACE)
• Vulnerable: XStream → Converts XML to Object
• Deserialization vulnerability
– Via malicious input XML
https://access.redhat.com/security/cve/cve-2013-7285
https://access.redhat.com/security/cve/cve-2013-7285
-
37
Arbitrary Code Execution (ACE)
• Vulnerable: XStream → Converts XML to Object
• Deserialization vulnerability
– Via malicious input XML
https://access.redhat.com/security/cve/cve-2013-7285
https://access.redhat.com/security/cve/cve-2013-7285
-
38
Remote Code Execution (RCE)
https://pivotal.io/security/cve-2018-1273
https://pivotal.io/security/cve-2018-1273
-
39
Remote Code Execution (RCE)
https://pivotal.io/security/cve-2018-1273
https://pivotal.io/security/cve-2018-1273
-
40
Remote Code Execution (RCE)
https://pivotal.io/security/cve-2018-1273
https://pivotal.io/security/cve-2018-1273
-
41
Remote Code Execution (RCE)
• Spring Data Commons → DB connections
• Property binder vulnerability
– Via specially crafted request parameters
https://pivotal.io/security/cve-2018-1273
https://pivotal.io/security/cve-2018-1273
-
42https://www.waratek.com/alert-oracle-guidance-cpu-april-2018/
https://www.waratek.com/alert-oracle-guidance-cpu-april-2018/
-
43
Why test for security?
Attack surface
Exploit
• Security testing → Non-functional testing
• Who’s job is to test for security?
-
44https://www.dignitasdigital.com/blog/easy-way-to-understand-sdlc/
When to test for security?
Risk assessment &
Abuse cases
Threat
modelling
Design for
security
Secure
implementationSecurity testing &
Code reviews
Patching &
Updating
SECURE
https://www.dignitasdigital.com/blog/easy-way-to-understand-sdlc/
-
45
Classes of Security Testing
• Manual vs. Automated Testing
Manual Automated
-
46
Classes of Security Testing
• Manual vs. Automated Testing
• Static vs. Dynamic Testing
Manual Automated
Static Dynamic
-
47
Classes of Security Testing
• Manual vs. Automated Testing
• Static vs. Dynamic Testing
• Black vs. White box Testing
Manual Automated
Static Dynamic Blackbox Whitebox
-
48
Classes of Security Testing
• Manual vs. Automated Testing
• Static vs. Dynamic Testing
• Black vs. White box Testing
Manual Automated
Static Dynamic Blackbox Whitebox
Reverse
Engineering
Risk
Analysis
Code
checking
Tainting FuzzingDynamic
validation
Penetration
testing
-
49
Manual vs. Automated Testing
• Manual
– Code reviews
– Efficient use of human expertise
– Labour intensive
-
50
Manual vs. Automated Testing
• Manual
– Code reviews
– Efficient use of human expertise
– Labour intensive
• Automated
– Automated code checking
– Can check MLOC in seconds
– Incomparable to human expertise
-
51
Classes of Security Testing
• Manual vs. Automated Testing
• Static vs. Dynamic Testing
• Black vs. White box Testing
Manual Automated
Static Dynamic Blackbox Whitebox
Reverse
Engineering
Risk
Analysis
Code
checking
Tainting FuzzingDynamic
validation
Penetration
testing
-
52
Static vs. Dynamic Testing
• (Automated) Static analysis
– Code review by computers
– Checks all possible code paths
– Relatively easy to extract results
– Limited capabilities
-
53
Static vs. Dynamic Testing
• (Automated) Static analysis
– Code review by computers
– Checks all possible code paths
– Relatively easy to extract results
– Limited capabilities
• Dynamic analysis
– Execute code and observe behaviour
– Checks functional code paths only
– Much advanced analysis
– Difficult to set up
-
54
Classes of Security Testing
• Manual vs. Automated Testing
• Static vs. Dynamic Testing
• Black vs. White box Testing
Manual Automated
Static Dynamic Blackbox Whitebox
Reverse
Engineering
Risk
Analysis
Code
checking
Tainting FuzzingDynamic
validation
Penetration
testing
-
55
Black vs. White box Testing
• Black box – Unknown internal structure
– Study Input → Output correlation
– Generic technique
– Requires end-to-end system
– May miss components
-
56
Black vs. White box Testing
• Black box – Unknown internal structure
– Study Input → Output correlation
– Generic technique
– Requires end-to-end system
– May miss components
• White box– Known internal structure
– Analysis of internal structure
– GUI not necessarily required
– Thorough testing and debugging
– Time consuming
-
57
Classes of Security Testing
• Manual vs. Automated Testing
• Static vs. Dynamic Testing
• Black vs. White box Testing
Manual Automated
Static Dynamic Blackbox Whitebox
Reverse
Engineering
Risk
Analysis
Code
checking
Tainting FuzzingDynamic
validation
Penetration
testing
-
58
Static Application Security Testing
• Reverse engineering (System level)
– Disassemble application to extract internal structure
– Black box to White box
– Useful for gaining information
-
59
Static Application Security Testing
• Reverse engineering (System level)
• Risk-based testing (Business level)
– Model worst case scenarios
– Threat modelling for test case generation
-
60
Static Application Security Testing
• Reverse engineering (System level)
• Risk-based testing (Business level)
• Static code checker (Unit level)
– Checks for rule violations via code structure
– Parsers, Control Flow graphs, Data flow analysis
– Identifies bad coding practices, potential security issues, etc.
-
61
Classes of Security Testing
• Manual vs. Automated Testing
• Static vs. Dynamic Testing
• Black vs. White box Testing
Manual Automated
Static Dynamic Blackbox Whitebox
Reverse
Engineering
Risk
Analysis
Code
checking
Tainting FuzzingDynamic
validation
Penetration
testing
-
62
Dynamic Application Security Testing
• Taint analysis
– Tracking variable values controlled by user
• Fuzzing
– Bombard with garbage data to cause crashes
• Dynamic validation
– Functional testing based on requirements
• Penetration testing
– End-to-end black box testing
Topic for next lecture
-
63
Summary Part I
• Java vulnerabilities have large attack surfaces
• Crucial to adapt Secure SDLC
• Threat modelling can drive test case generation
• Static analysis checks code without executing it
• Dynamic analysis executes code and observes behavior
-
64
Quiz Time!
Which type of testing aims to convert a black box system to
white box?
Reverse Engineering
-
65
Quiz Time!
Which vulnerability allows a remote attacker to change which
instruction will be executed next?
Remote Code Execution
-
66
Quiz Time!
Why is Java safe from buffer overflows?
It’s not!
-
67
Agenda for today
• Part I
– Latest security news
– Security vulnerabilities in Java
– Types of Security testing
• SAST vs. DAST
• Part II
– SAST under the hood
• Pattern Matching
• Control Flow Analysis
• Data Flow Analysis
– SAST Tools performance
-
68
Why doesn’t the perfect static analysis tool exist?
-
69
Static Analysis
• Soundness
• Completeness
-
70
Static Analysis
• Soundness
– No missed vulnerability (0 FNs)
– No alarm → no vulnerability exists
• Completeness
-
71
Static Analysis
• Soundness
– No missed vulnerability (0 FNs)
– No alarm → no vulnerability exists
• Completeness
– No false alarms (0 FPs)
– Raises an alarm → vulnerability found
-
72
Static Analysis
• Soundness
– No missed vulnerability (0 FNs)
– No alarm → no vulnerability exists
• Completeness
– No false alarms (0 FPs)
– Raises an alarm → vulnerability found
• Ideally: ↑Soundness + ↑Completeness
• Reality: Compromise on FPs or FNs
-
73
Usable SAST Tools
• ↓ FPs vs. ↓ FNs
• ↑ Interpretability
• ↑ Scalability
-
74
SAST under the hood
Pattern matching
Regular
expressions
-
75
SAST under the hood
Pattern matching Syntax analysis
Abstract Syntax
Tree
Control flow
graph
Data flow
analysis
Regular
expressions
-
76
Pattern Matching
• Look for predefined patterns in code
– Regular Expressions
– Finite State Automata
-
77
Pattern Matching
• Look for predefined patterns in code
– Regular Expressions
– Finite State Automata
• Find all instances of “bug”
b u g
!b
!u!g
-
78
Pattern Matching
• Look for predefined patterns in code
– Regular Expressions
– Finite State Automata
• Find all instances of “bug”
b u g
!b
!u!g
bug
-
79
Pattern Matching
• Look for predefined patterns in code
– Regular Expressions
– Finite State Automata
• Find all instances of “bug”
b u g
!b
!u!g
bug
-
80
Pattern Matching
• Look for predefined patterns in code
– Regular Expressions
– Finite State Automata
• Find all instances of “bug”
b u g
!b
!u!g
bug
-
81
Pattern Matching
• Look for predefined patterns in code
– Regular Expressions
– Finite State Automata
• Find all instances of “bug”
b u g
!b
!u!g
bug
-
82
Pattern Matching
• Look for predefined patterns in code
– Regular Expressions
– Finite State Automata
• Find all instances of “bug”
b u g
!b
!u!g
bug
-
83
Pattern Matching
• Look for predefined patterns in code
– Regular Expressions
– Finite State Automata
• Find all instances of “bug”
b u g
!b
!u!g
bugMatch!
-
84
Pattern Matching via Regex
• Look for predefined patterns in code
– Regular Expressions
– Finite State Automata
• Find all instances of “bug”
b u g
!b
!u!g
bag
-
85
Pattern Matching via Regex
• Look for predefined patterns in code
– Regular Expressions
– Finite State Automata
• Find all instances of “bug”
b u g
!b
!u!g
bag
-
86
Pattern Matching via Regex
• Look for predefined patterns in code
– Regular Expressions
– Finite State Automata
• Find all instances of “bug”
b u g
!b
!u!g
bag
-
87
Pattern Matching via Regex
• Look for predefined patterns in code
– Regular Expressions
– Finite State Automata
• Find all instances of “bug”
b u g
!b
!u!g
bag
-
88
Pattern Matching via Regex
• Look for predefined patterns in code
– Regular Expressions
– Finite State Automata
• Find all instances of “bug”
b u g
!b
!u!g
No Match!
bag
-
89
Pattern Matching via Regex
• Look for predefined patterns in code
– Regular Expressions
– Finite State Automata
• Find all instances of “.*bug”
b u g
!u!g
!b
-
90
Pattern Matching via Regex
• Look for predefined patterns in code
– Regular Expressions
– Finite State Automata
• Find all instances of “.*bug”
b u g
!u!g
!b
-
91
Pattern Matching via Regex
• Look for predefined patterns in code
– Regular Expressions
– Finite State Automata
• Find all instances of “.*bug.*”
b u g
!u!g
!b
anything
-
92
Pattern Matching via Regex
• Finds low hanging fruit
– Misconfigurations (port 22 open for everyone)
– Bad imports (System.io.*)
– Call to dangerous functions (strcpy, memcpy)
-
93
Pattern Matching via Regex
• Finds low hanging fruit
– Misconfigurations (port 22 open for everyone)
– Bad imports (System.io.*)
– Call to dangerous functions (strcpy, memcpy)
• Shortcomings
– Lots of FPs
– Limited support
-
94
Pattern Matching via Regex
• Finds low hanging fruit
– Misconfigurations (port 22 open for everyone)
– Bad imports (System.io.*)
– Call to dangerous functions (strcpy, memcpy)
• Shortcomings
– Lots of FPs
– Limited support
-
95
Pattern Matching via Regex
• Finds low hanging fruit
– Misconfigurations (port 22 open for everyone)
– Bad imports (System.io.*)
– Call to dangerous functions (strcpy, memcpy)
• Shortcomings
– Lots of FPs
– Limited support
-
96
Syntactic Analysis
• Performed via Parsers
• Tokens → Hierarchal data structures
– Parse Tree – Concrete representation
– Abstract Syntax Tree – Abstract representation
Lexer ParserStream Tokens Parse Tree
-
97
Abstract Syntax Tree (AST)
-
98
Abstract Syntax Tree (AST)
-
99
Abstract Syntax Tree (AST)
5 1
SUB
-
100
Abstract Syntax Tree (AST)
5 1
MUL
4SUB
-
101
Abstract Syntax Tree (AST)
5 1
MUL
4
SUM
2
SUB
-
102
Abstract Syntax Tree (AST)
-
103
Abstract Syntax Tree (AST)
-
104
Abstract Syntax Tree (AST)
=
DEBUG false
-
105
Abstract Syntax Tree (AST)
if=
DEBUG false
-
106
Abstract Syntax Tree (AST)
if=
DEBUG false cond
EQ
trueDEBUG
-
107
Abstract Syntax Tree (AST)
if=
DEBUG false cond
EQ
trueDEBUG
body
Println() Debug line 1
Println() Debug line 2
Println() Debug line 3
-
108
Abstract Syntax Tree (AST)
if=
DEBUG false cond
EQ
trueDEBUG
body
Println() Debug line 1
Println() Debug line 2
Println() Debug line 3
-
109
Syntactic Analysis via AST
SAST ToolErrors
AST
Ruleset
-
110
Syntactic Analysis via AST
SAST ToolErrors
Rule # 1: Allow 3 methods
AST
Ruleset
-
111
Syntactic Analysis via AST
SAST ToolErrors
Rule # 1: Allow 3 methods
AST
Ruleset
-
112
Syntactic Analysis via AST
SAST ToolErrors
xyz()abc() akw()blah()
class
methods members
Rule # 1: Allow 3 methods
AST
Ruleset
-
113
Syntactic Analysis via AST
SAST ToolErrors
xyz()abc() akw()blah()
class
methods members
Rule # 1: Allow 3 methods
Error: Too many methods!
AST
Ruleset
-
114
Syntactic Analysis via AST
Rule # 2: printf(format_string, args_to_print)
SAST ToolErrors
AST
Ruleset
-
115
Syntactic Analysis via AST
Rule # 2: printf(format_string, args_to_print)
SAST ToolErrors
AST
Ruleset
-
116
Syntactic Analysis via AST
Rule # 2: printf(format_string, args_to_print)
func
x
printf=
Hello World!x
SAST ToolErrors
AST
Ruleset
-
117
Syntactic Analysis via AST
Rule # 2: printf(format_string, args_to_print)
Error: Missing param!
func
x
printf=
Hello World!x
SAST ToolErrors
AST
Ruleset
-
118
Control Flow Graphs
• Shows all execution paths a program might take
• Trace execution without executing program
• Nodes → Basic blocks
• Transitions → Control transfers
https://dzone.com/articles/how-draw-control-flow-graph
https://dzone.com/articles/how-draw-control-flow-graph
-
119
Control Flow Graphs
• Shows all execution paths a program might take
• Trace execution without executing program
• Nodes → Basic blocks
• Transitions → Control transfers
If-then-else while case
https://dzone.com/articles/how-draw-control-flow-graph
https://dzone.com/articles/how-draw-control-flow-graph
-
120
Control Flow Graphs
-
121
Control Flow Graphs
-
122
Control Flow Graphs
-
123
Control Flow Graphs
T
-
124
Control Flow Graphs
T
-
125
Control Flow Graphs
TF
-
126
Control Flow Graphs
TF
n=?
Only traces control
-
127
Control Flow Graphs
TF
n=?
Only traces control
-
128
Control Flow Graphs
TF
n=?
Only traces control
-
129
Control Flow Graphs
TF
n=?
Only traces control
-
130
Control Flow Graphs
TF
n=?
Only traces control
-
131
Control Flow Graphs
TF
n=?
Only traces control
-
132
Control Flow Graphs
TF
n=?
Only traces control
-
133
Control Flow Graphs
TF
n=?
Only traces control
-
134
Data Flow Analysis
• Tracks data values throughout program
• Shows all values variables might have
• User controlled variable (Source) → Tainted
• Rest (Sink) → Untainted
-
135
Data Flow Analysis
• Prove that
– No untainted data is expected
– No tainted data is used
-
136
Data Flow Analysis
• Prove that
– No untainted data is expected
– No tainted data is used
SQL st.Sink:
Database
Source:
Contact
-
137
Data Flow Analysis
• Prove that
– No untainted data is expected
– No tainted data is used
SQL st.Sink:
Database
Source:
Contact
‘ or 1=1#
-
138
Source/Sink Clash
data is tainted
println() expects
untainted
-
139
Data Flow Analysis
• Reaching definitions
– Top-down approach
– Possible values of a variable
-
140
Data Flow Analysis
• Reaching definitions
– Top-down approach
– Possible values of a variable
-
141
Data Flow Analysis
• Reaching definitions
– Top-down approach
– Possible values of a variable
-
142
Data Flow Analysis
• Reaching definitions
– Top-down approach
– Possible values of a variable
-
143
Data Flow Analysis
• Reaching definitions
– Top-down approach
– Possible values of a variable
-
144
Data Flow Analysis
• Reaching definitions
– Top-down approach
– Possible values of a variable
-
145
Data Flow Analysis
• Reaching definitions
– Top-down approach
– Possible values of a variable
-
146
Data Flow Analysis
• Reaching definitions
– Top-down approach
– Possible values of a variable
-
147
Data Flow Analysis
• Reaching definitions
– Top-down approach
– Possible values of a variable
-
148
Data Flow Analysis
• Reaching definitions
– Top-down approach
– Possible values of a variable
-
149
-
150
b1
b2
b3
b4 b5
b6
-
151
a b c
b1 - 0 1
b2 0, a++ - -
b3 - - -
b4 - 10 -
b5 - - b
b6 - - -
b1
b2
b3
b4 b5
b6
-
152
a b c
b1 - 0 1
b2 0, a++ - -
b3 - - -
b4 - 10 -
b5 - - b
b6 - - -
b1
b2
b3
b4 b5
b6
-
153
a b c
b1 - 0 1
b2 0, a++ - -
b3 - - -
b4 - 10 -
b5 - - b
b6 - - -
b1
b2
b3
b4 b5
b6
-
154
a b c
b1 - 0 1
b2 0, a++ - -
b3 - - -
b4 - 10 -
b5 - - b
b6 - - -
b1
b2
b3
b4 b5
b6
-
155
a b c
b1 - 0 1
b2 0, a++ - -
b3 - - -
b4 - 10 -
b5 - - b
b6 - - -
b1
b2
b3
b4 b5
b6
-
156
a b c
b1 - 0 1
b2 0, a++ - -
b3 - - -
b4 - 10 -
b5 - - b
b6 - - -
b1
b2
b3
b4 b5
b6
-
157
a b c
b1 - 0 1
b2 0, a++ - -
b3 - - -
b4 - 10 -
b5 - - b
b6 - - -
b1
b2
b3
b4 b5
b6
-
158
a b c
b1 - 0 1
b2 0, a++ - -
b3 - - -
b4 - 10 -
b5 - - b
b6 - - -
b1
b2
b3
b4 b5
b6
a = {0, 1, 2, 3, …}b = {0, 10}c = {1, b} → {0, 1, 10}
Data Flow Analysis
-
159
a b c
b1 - 0 1
b2 0, a++ - -
b3 - - -
b4 - 10 -
b5 - - b
b6 - - -
b1
b2
b3
b4 b5
b6
a = {0, 1, 2, 3, …}b = {0, 10}c = {1, b} → {0, 1, 10}
Data Flow Analysis
-
160
a b c
b1 - 0 1
b2 0, a++ - -
b3 - - -
b4 - 10 -
b5 - - b
b6 - - -
b1
b2
b3
b4 b5
b6
a = {0, 1, 2, 3, …}b = {0, 10}c = {1, b} → {0, 1, 10}
Data Flow Analysis
-
161
a b c
b1 - 0 1
b2 0, a++ - -
b3 - - -
b4 - 10 -
b5 - - b
b6 - - -
b1
b2
b3
b4 b5
b6
a = {0, 1, 2, 3, …}b = {0, 10}c = {1, b} → {0, 1, 10}
Data Flow Analysis
-
162
a b c
b1 - 0 1
b2 0, a++ - -
b3 - - -
b4 - 10 -
b5 - - b
b6 - - -
b1
b2
b3
b4 b5
b6
a = {0, 1, 2, 3, …}b = {0, 10}c = {1, b} → {0, 1, 10}
Data Flow Analysis
-
163
a b c
b1 - 0 1
b2 0, a++ - -
b3 - - -
b4 - 10 -
b5 - - b
b6 - - -
b1
b2
b3
b4 b5
b6
a = {0, 1, 2, 3, …}b = {0, 10}c = {1, b} → {0, 1, 10}
Data Flow Analysis
Sound but
imprecise
-
164
Data Flow Analysis in Security
• Source/Sink clash
-
165
Data Flow Analysis in Security
• Source/Sink clash
– Sanitization problems
– Code injection (Update attack)
– Deserialization vulnerability
-
166
Data Flow Analysis in Security
• Source/Sink clash
– Sanitization problems
– Code injection (Update attack)
– Deserialization vulnerability
• Control and Data flow analysis
-
167
Data Flow Analysis in Security
• Source/Sink clash
– Sanitization problems
– Code injection (Update attack)
– Deserialization vulnerability
• Control and Data flow analysis
– Type confusion vulnerability
– Use-after-free vulnerability
-
168
Data Flow Analysis in Security
• Source/Sink clash
– Sanitization problems
– Code injection (Update attack)
– Deserialization vulnerability
• Control and Data flow analysis
– Type confusion vulnerability
– Use-after-free vulnerability
• Denial of Service??
• Crashes??
-
169
• Open source–
–
– SpotBugs
– FindSecBugs
• Proprietary– Coverity
– CheckMarx
Static Analysis Tools
-
170
• Open source–
• Ruleset based code checker
–
• Checks coding standards
– SpotBugs
• Checks Java bytecode for bad practices, code style, and injections
– FindSecBugs
• Checks for OWASP Top 10 vulnerabilities
• Proprietary– Coverity
• SAST platform for defects and security vulnerabilities
– CheckMarx
• Full fledge platform for static analysis and exposure management
Static Analysis Tools
-
171
• Open source–
• Ruleset based code checker
–
• Checks coding standards
– SpotBugs
• Checks Java bytecode for bad practices, code style, and injections
– FindSecBugs
• Checks for OWASP Top 10 vulnerabilities
• Proprietary– Coverity
• SAST platform for defects and security vulnerabilities
– CheckMarx
• Full fledge platform for static analysis and exposure management
Static Analysis Tools
-
172
SAST Tools Performance
• Telenor Digital wants to incorporate security into SDLC
• Investigate developer perceptions of SAST tools
-
173
SAST Tools Performance
• Using Juliet Test Suite – 24,000 test cases
• Precision – Ability to guess correct type of flaw
-
174
SAST Tools Performance
• Using Juliet Test Suite – 24,000 test cases
• Precision – Ability to guess correct type of flaw
• Recall – Ability to find flaws
-
175
SAST Tools Performance
• Using Juliet Test Suite – 24,000 test cases
• Precision – Ability to guess correct type of flaw
• Recall – Ability to find flaws
-
176
SAST Dev Perceptions
• “. . . Making the things actually work, that usually is the worst thing. The hassle-factor is not to be underestimated. . . ”
• “. . . At least from my experience with the Sonar tool is that it sometimes complains about issues that are not really issues...”
• “. . . And of course in itself is not productive, nobody gives you a hug after fixing SonarQube reports...”
-
177
SAST Dev Perceptions
• “. . . Making the things actually work, that usually is the worst thing. The hassle-factor is not to be underestimated. . . ”
• “. . . At least from my experience with the Sonar tool is that it sometimes complains about issues that are not really issues...”
• “. . . And of course in itself is not productive, nobody gives you a hug after fixing SonarQube reports...”
• Using one SAST tool is not enough
• Low capability of SAST tools in general.
• Commercial tool not an exception
-
178
Summary Part II
• Perfect static analysis is not possible
• Pattern matching can find limited but easy to find
problems
• ASTs make code structure analysis easy
• Control and Data FGs are better at finding security
vulnerabilities
• Current SAST Tools are
– Useful
– Difficult to integrate
– Limited in capabilities
-
179
Additional Material
• https://www.theserverside.com/feature/Stay-ahead-of-Java-security-issues-like-
SQL-and-LDAP-injections
• https://www.upguard.com/articles/top-10-java-vulnerabilities-and-how-to-fix-
them
• https://en.wikipedia.org/wiki/Static_program_analysis
• https://youtu.be/Heor8BVa4A0
• https://youtu.be/7KCMK-LY-WM
• Aktas, Kursat, and Sevil Sen. "UpDroid: Updated Android Malware and Its
Familial Classification." Nordic Conference on Secure IT Systems. Springer,
Cham, 2018.
Icons courtesy: www.flaticons.com by FlatIcons, FreePik, SmashIcons, Eucalyp, Monkik
https://www.theserverside.com/feature/Stay-ahead-of-Java-security-issues-like-SQL-and-LDAP-injectionshttps://www.upguard.com/articles/top-10-java-vulnerabilities-and-how-to-fix-themhttps://en.wikipedia.org/wiki/Static_program_analysishttps://youtu.be/Heor8BVa4A0https://youtu.be/7KCMK-LY-WMhttp://www.flaticons.com/
-
180
Time for questions
-
181
Data Flow Analysis
Control
-
182
Data Flow Analysis
ControlData
-
183
Data Flow Analysis
ControlData
a ← {0}
a ← {7}
a ← {0, 7}
-
184
Overflow vulnerability
• This vulnerability allows remote attackers to execute arbitrary
code on vulnerable installations of Oracle Java. The user must
visit a malicious page or open a malicious file to exploit this
vulnerability.
• The flaw exists within the handling of image data. The issue lies
in insufficient validation of supplied image data inside the native
function readImage(). An attacker can leverage this vulnerability
to execute arbitrary code under the context of the current
process.
https://www.zerodayinitiative.com/advisories/ZDI-16-032/
https://www.zerodayinitiative.com/advisories/ZDI-16-032/
top related