SATE 2010 Analysis

Aurélien Delaitre, NISTaurelien.delaitre@nist.govOctober 1, 2010

The SAMATE Projecthttp://samate.nist.gov/

Outline

What tools find

What people find– CVEs

– Manual analysis

Building on SATE 2009

SATE 2010

SATE 2009

SATE 2009

SATE 2010

Improving categories

True

Insignificant

SATE 2009

Security

Quality

Insignificant

SATE 2010

Improving the guidelines

45 lines → 314 lines

Considering weakness types

Better uniformity in evaluations

Decision process

Security

False

Insignificant

Unknown

Quality

Path ... Type...

Context ...

Bug...

Sampling

02468

101214161820

% analyzed

1 2 3 4 5

Severity

Warnings of each class of severity 1 - 4

Weakness categories

cmd_inj

api_abuse

sec_feat

race

buf

err_handl

num_err

quality

input_val

xss

info_leak

uncateg

time_state

encaps

1 10 100 1000 10000 100000

JavaC/C++

Quality and security related

buf

num_err

err_handl

quality

input_val

xss

encaps

JavaC/C++

Non-false overlap

CVEs

Key elements of the path for matching:

Blocks of code

Sink or upflow path elements

But not exhaustive

Example /* Dialect Index */

dialect = tvb_get_letohs(tvb, offset);

if (si->sip && si->sip->extra_info_type==SMB_EI_DIALECTS) {

dialects = si->sip->extra_info;

if (dialect <= dialects->num) {

dialect_name = dialects->name[dialect];

}

}

if (!dialect_name) {

dialect_name = "unknown";

}

Manual analysis

Dovecot for C

Pebble for Java

– Used a slightly later version

Dovecot

No remotely exploitable vulnerability found

Threatmodeling

Fuzzing

Codereview

Pebble

Several vulnerabilities found

Threatmodeling

Pen.test

Codereview

Tools ∩ humans

7

5

3

24

Pebble (10)

Tomcat (29)

Related warnings None

No human findings for Dovecot

No matches for Chrome and Wireshark

Interpretation

All weaknesses

CVEs

Tool findings

CVEs ∩ tool findings = ∅

InterpretationCVE descriptions ∩ tool findings = ∅

All weaknesses

CVEs

Tool findings

CVE descriptions

Questions