SATE 2010 Analysis
Aurélien Delaitre, NIST, [email protected], October 1, 2010
The SAMATE Project, http://samate.nist.gov/
Outline
What tools find
What people find
– CVEs
– Manual analysis
Building on SATE 2009
[diagram: SATE 2009 → SATE 2010]
Improving categories
SATE 2009: True, Insignificant
SATE 2010: Security, Quality, Insignificant
Improving the guidelines
45 lines → 314 lines
Considering weakness types
Better uniformity in evaluations
Decision process
[flowchart: Path ... / Type ... / Context ... / Bug ... → outcome Security, Quality, Insignificant, False or Unknown]
Sampling
[chart: % of warnings analyzed (y-axis, 0–20%) by severity 1–5 (x-axis)]
Warnings of each class of severity 1 - 4
Weakness categories
[chart: number of warnings per weakness category, log scale 1–100000, Java vs. C/C++]
Categories: cmd_inj, api_abuse, sec_feat, race, buf, err_handl, num_err, quality, input_val, xss, info_leak, uncateg, time_state, encaps
Quality and security related
[chart: warnings in the quality- and security-related categories buf, num_err, err_handl, quality, input_val, xss, encaps; Java vs. C/C++]
Non-false overlap
CVEs
Key elements of the path for matching:
– Blocks of code
– Sink or upflow path elements
But not exhaustive
Example

```c
/* Dialect Index */
dialect = tvb_get_letohs(tvb, offset);
if (si->sip && si->sip->extra_info_type==SMB_EI_DIALECTS) {
    dialects = si->sip->extra_info;
    /* Bounds check on the index read from the packet: if dialects->num is the
       element count, "<=" lets an index equal to num pass and name[dialect]
       then reads one entry past the end of the table */
    if (dialect <= dialects->num) {
        dialect_name = dialects->name[dialect];
    }
}
if (!dialect_name) {
    dialect_name = "unknown";
}
```
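The matching criterion stated on the CVEs slide, as an added Python illustration that is not part of the presentation or of the SATE tooling: a tool warning is matched to a CVE when its sink, or any upflow element of its path, falls inside a code block changed by the CVE fix, and a CVE that no warning reaches stays unmatched. The CveBlock, PathElement and Warning types, the file names, line ranges and the CVE ids are constructed placeholders; the first block is modelled on the dialect-index example above.

```python
"""Match static-analysis warnings to CVE code locations (added example).

A warning matches a CVE when its sink or any upflow path element lies in a
code block touched by the CVE fix. Types and sample data are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CveBlock:
    cve_id: str      # placeholder CVE identifier (constructed)
    file: str        # source file the fix touched
    first_line: int  # inclusive line range of the affected block
    last_line: int

    def contains(self, file: str, line: int) -> bool:
        return file == self.file and self.first_line <= line <= self.last_line


@dataclass(frozen=True)
class PathElement:
    file: str
    line: int


@dataclass
class Warning:
    tool: str
    weakness: str          # weakness category, as on the slides (buf, xss, ...)
    path: list             # ordered PathElement list; the last element is the sink

    @property
    def sink(self) -> PathElement:
        return self.path[-1]


def match_warning(warning: Warning, blocks: list) -> set:
    """Return the CVE ids whose blocks contain the sink or any upflow element."""
    matched = set()
    for element in warning.path:      # sink plus every upflow element
        for block in blocks:
            if block.contains(element.file, element.line):
                matched.add(block.cve_id)
    return matched


def match_all(warnings: list, blocks: list) -> dict:
    """Map each CVE id to the warnings that reach it; unreached CVEs map to []."""
    result = {b.cve_id: [] for b in blocks}
    for w in warnings:
        for cve_id in match_warning(w, blocks):
            result[cve_id].append(w)
    return result


def unmatched_cves(result: dict) -> list:
    """CVE ids that no tool warning reached (the slides' 'CVEs ∩ tool findings')."""
    return sorted(cve_id for cve_id, ws in result.items() if not ws)


# Constructed sample data: placeholder CVE ids, files and line numbers.
CVE_BLOCKS = [
    CveBlock("CVE-PLACEHOLDER-1", "dissector.c", 2100, 2112),  # dialect-index block
    CveBlock("CVE-PLACEHOLDER-2", "other.c", 40, 55),
    CveBlock("CVE-PLACEHOLDER-3", "third.c", 1, 10),
]

WARNINGS = [
    # sink inside the dialect-index block: matches CVE-PLACEHOLDER-1
    Warning("toolA", "buf", [PathElement("dissector.c", 2101),
                             PathElement("dissector.c", 2105)]),
    # sink elsewhere, but an upflow element lies in block 2: matches CVE-PLACEHOLDER-2
    Warning("toolB", "num_err", [PathElement("other.c", 42),
                                 PathElement("other.c", 300)]),
    # nothing on the path touches a CVE block: no match
    Warning("toolA", "xss", [PathElement("web.java", 10)]),
]


if __name__ == "__main__":
    matches = match_all(WARNINGS, CVE_BLOCKS)
    for cve_id, ws in matches.items():
        print(cve_id, [w.tool for w in ws])
    print("unmatched:", unmatched_cves(matches))
```

Each warning is checked element by element, so a path that merely passes through a fixed block on its way to an unrelated sink still counts; the slide's "but not exhaustive" caveat remains, since a warning whose path never touches a fixed block is reported as a non-match even if it describes the same root cause.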
Manual analysis
Dovecot for C
Pebble for Java
– Used a slightly later version
Dovecot
No remotely exploitable vulnerability found
Threat modeling
Fuzzing
Code review
Pebble
Several vulnerabilities found
Threat modeling
Pen. test
Code review
Tools ∩ humans
[chart: human findings with and without related tool warnings]
           Related warnings   None   Total
Pebble            7             3     10
Tomcat            5            24     29
No human findings for Dovecot
No matches for Chrome and Wireshark
Interpretation
[diagram: within all weaknesses, the CVEs and the tool findings are disjoint]
CVEs ∩ tool findings = ∅
Interpretation
[diagram: within all weaknesses, CVEs, CVE descriptions and tool findings; CVE descriptions and tool findings are disjoint]
CVE descriptions ∩ tool findings = ∅
Questions