Post on 27-Jan-2021
transcript
1
Security Testing: Checking for what shouldn’t happen
Azqa Nadeem, PhD Student @ Cyber Security Group
The Cyber Security lecture series
2
Agenda for today
• Part I
– Latest security news
– Security vulnerabilities in Java
– Types of Security testing
• SAST vs. DAST
• Part II
– SAST under the hood
• Pattern Matching
• Control Flow Analysis
• Data Flow Analysis
– SAST Tools performance
3
Announcements
• Assignment 2 – Security module
• Exam questions
5
Software testing vs. Security testing
6
Impact – Stolen chats
https://ivan.barreraoro.com.ar/signal-desktop-html-tag-injection/
8
Impact – Github down
https://thehackernews.com/2018/03/biggest-ddos-attack-github.html
Caused by misconfigured Memcached servers
10
Is Java Secure?
• Secure from memory corruption
• … but not completely
• Potential targets
– Java Virtual Machine
– Libraries in native code
https://w3techs.com/technologies/details/pl-java/all/all
11
Vulnerability databases
• OWASP Top Ten project
– Awareness document
– Web application security
• NIST National Vulnerability Database
– U.S. govt. repository
– General security flaws
12
JRE vulnerabilities
https://www.cvedetails.com/product/19116/Oracle-JDK.html?vendor_id=93
14
Some Examples
15
What’s wrong?
23
Code Injection vulnerability
• Execute code in unauthorized applications
• Victim to Update Attack
• Top vulnerability in OWASP Top 10
• Tricky to fix
– Stop adding plugins
– Limit privileges
24
Type confusion vulnerability
https://www.thezdi.com/blog/2018/4/25/when-java-throws-you-a-lemon-make-limenade-sandbox-escape-by-type-confusion
32
Bypassing Java Security Manager
• Vulnerable: Hibernate → Reflection helper
• Exploit Type confusion vulnerability
• Escalated privileges
– Set JSM to null
https://access.redhat.com/security/cve/cve-2014-3558
(Figure: Java Security Manager)
36
Arbitrary Code Execution (ACE)
• Vulnerable: XStream → Converts XML to Object
• Deserialization vulnerability
– Via malicious input XML
https://access.redhat.com/security/cve/cve-2013-7285
41
Remote Code Execution (RCE)
• Spring Data Commons → DB connections
• Property binder vulnerability
– Via specially crafted request parameters
https://pivotal.io/security/cve-2018-1273
42
https://www.waratek.com/alert-oracle-guidance-cpu-april-2018/
43
Why test for security?
(Figure: Attack surface → Exploit)
• Security testing → Non-functional testing
• Whose job is it to test for security?
44
When to test for security?
(Figure: Secure SDLC phases: Risk assessment & Abuse cases; Threat modelling; Design for security; Secure implementation; Security testing & Code reviews; Patching & Updating)
https://www.dignitasdigital.com/blog/easy-way-to-understand-sdlc/
48
Classes of Security Testing
• Manual vs. Automated Testing
• Static vs. Dynamic Testing
• Black vs. White box Testing
(Figure: taxonomy of security testing. Manual vs. Automated; Static vs. Dynamic; Blackbox vs. Whitebox. Static: Reverse Engineering, Risk Analysis, Code checking. Dynamic: Tainting, Fuzzing, Dynamic validation, Penetration testing)
50
Manual vs. Automated Testing
• Manual
– Code reviews
– Efficient use of human expertise
– Labour intensive
• Automated
– Automated code checking
– Can check MLOC in seconds
– Cannot match human expertise
53
Static vs. Dynamic Testing
• (Automated) Static analysis
– Code review by computers
– Checks all possible code paths
– Relatively easy to extract results
– Limited capabilities
• Dynamic analysis
– Execute code and observe behaviour
– Checks functional code paths only
– Much more advanced analysis
– Difficult to set up
56
Black vs. White box Testing
• Black box – Unknown internal structure
– Study Input → Output correlation
– Generic technique
– Requires end-to-end system
– May miss components
• White box – Known internal structure
– Analysis of internal structure
– GUI not necessarily required
– Thorough testing and debugging
– Time consuming
58
Static Application Security Testing
• Reverse engineering (System level)
– Disassemble application to extract internal structure
– Black box to White box
– Useful for gaining information
• Risk-based testing (Business level)
– Model worst case scenarios
– Threat modelling for test case generation
• Static code checker (Unit level)
– Checks for rule violations via code structure
– Parsers, Control Flow graphs, Data flow analysis
– Identifies bad coding practices, potential security issues, etc.
62
Dynamic Application Security Testing
• Taint analysis
– Tracking variable values controlled by user
• Fuzzing
– Bombard with garbage data to cause crashes
• Dynamic validation
– Functional testing based on requirements
• Penetration testing
– End-to-end black box testing
Topic for next lecture
63
Summary Part I
• Java vulnerabilities have large attack surfaces
• Crucial to adopt a Secure SDLC
• Threat modelling can drive test case generation
• Static analysis checks code without executing it
• Dynamic analysis executes code and observes behavior
64
Quiz Time!
Which type of testing aims to convert a black box system to
white box?
Reverse Engineering
65
Quiz Time!
Which vulnerability allows a remote attacker to change which
instruction will be executed next?
Remote Code Execution
66
Quiz Time!
Why is Java safe from buffer overflows?
It’s not!
68
Why doesn’t the perfect static analysis tool exist?
72
Static Analysis
• Soundness
– No missed vulnerability (0 FNs)
– No alarm → no vulnerability exists
• Completeness
– No false alarms (0 FPs)
– Raises an alarm → vulnerability found
• Ideally: ↑Soundness + ↑Completeness
• Reality: Compromise on FPs or FNs
73
Usable SAST Tools
• ↓ FPs vs. ↓ FNs
• ↑ Interpretability
• ↑ Scalability
74
SAST under the hood
(Figure: Pattern matching → Regular expressions; Syntax analysis → Abstract Syntax Tree, Control flow graph, Data flow analysis)
83
Pattern Matching
• Look for predefined patterns in code
– Regular Expressions
– Finite State Automata
• Find all instances of “bug”
(Figure: finite state automaton with one state per matched character b, u, g; the !b, !u and !g transitions fall back; input “bug” → Match!)
88
Pattern Matching via Regex
• Look for predefined patterns in code
– Regular Expressions
– Finite State Automata
• Find all instances of “bug”
(Figure: the same automaton on input “bag”: the !u transition falls back → No Match!)
91
Pattern Matching via Regex
• Look for predefined patterns in code
– Regular Expressions
– Finite State Automata
• Find all instances of “.*bug.*”
(Figure: the automaton for “.*bug.*”: the start state and the accepting state loop on “anything”, so “bug” is found anywhere in the input)
93
Pattern Matching via Regex
• Finds low hanging fruit
– Misconfigurations (port 22 open for everyone)
– Bad imports (System.io.*)
– Call to dangerous functions (strcpy, memcpy)
• Shortcomings
– Lots of FPs
– Limited support
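As an added example (not from the lecture slides), the “.*bug.*” automaton drawn above and a regex rule for the dangerous C calls the slide names, applied to a constructed C snippet; the comment line shows where the false positives come from, since a regex has no notion of comments, strings or code structure.

```python
import re

# Finite state automaton for the pattern ".*bug.*", as drawn on the slides:
# state 0 = nothing matched, 1 = "b" seen, 2 = "bu" seen, 3 = "bug" seen (accepting).
# The !b loop on state 0 and the "anything" loop on state 3 are the two ".*" parts.
# On !u or !g we fall back; a fresh "b" restarts the partial match (the slide's
# drawing simplifies this to a single fallback edge).
def fsa_contains_bug(text: str) -> bool:
    state = 0
    for ch in text:
        if state == 0:
            state = 1 if ch == "b" else 0
        elif state == 1:
            state = 2 if ch == "u" else (1 if ch == "b" else 0)
        elif state == 2:
            state = 3 if ch == "g" else (1 if ch == "b" else 0)
        else:
            return True  # accepting state: anything may follow
    return state == 3

# The same idea as a regex rule for the "low hanging fruit" the slides mention:
# calls to dangerous C functions. \b keeps safe_memcpy_wrapper( from matching,
# but the regex cannot tell a comment from code, which is where the false
# positives come from.
DANGEROUS_CALL = re.compile(r"\b(strcpy|memcpy)\s*\(")

def scan_dangerous_calls(source: str) -> list:
    """Return (line number, function name) for every regex hit, comments included."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in DANGEROUS_CALL.finditer(line):
            hits.append((lineno, m.group(1)))
    return hits

# Constructed C snippet for the demo (not from the slides).
SAMPLE_C = """\
#include <string.h>
// TODO: replace strcpy(dst, src) with a bounded copy   <- comment, false positive
int safe_memcpy_wrapper(void *d, const void *s, size_t n);
void f(char *dst, const char *src) {
    strcpy(dst, src);                  /* true positive */
    memcpy(dst, src, sizeof(dst));     /* true positive */
    safe_memcpy_wrapper(dst, src, 4);  /* not reported: no word boundary before memcpy */
}
"""

if __name__ == "__main__":
    for word in ("bug", "debug", "bag", "bubug"):
        print(f"{word!r}: {'Match!' if fsa_contains_bug(word) else 'No Match!'}")
    for lineno, name in scan_dangerous_calls(SAMPLE_C):
        print(f"line {lineno}: call to {name}")
```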
96
Syntactic Analysis
• Performed via Parsers
• Tokens → Hierarchical data structures
– Parse Tree – Concrete representation
– Abstract Syntax Tree – Abstract representation
(Figure: Stream → Lexer → Tokens → Parser → Parse Tree)
97
Abstract Syntax Tree (AST)
(Figure: an AST for an arithmetic expression, built up bottom-up: SUB(5, 1) → MUL(SUB(5, 1), 4) → SUM(MUL(SUB(5, 1), 4), 2))
Abstract Syntax Tree (AST)
103
Abstract Syntax Tree (AST)
104
Abstract Syntax Tree (AST)
=
DEBUG false
105
Abstract Syntax Tree (AST)
if=
DEBUG false
106
Abstract Syntax Tree (AST)
if=
DEBUG false cond
EQ
trueDEBUG
107
Abstract Syntax Tree (AST)
if=
DEBUG false cond
EQ
trueDEBUG
body
Println() Debug line 1
Println() Debug line 2
Println() Debug line 3
108
Abstract Syntax Tree (AST)
if=
DEBUG false cond
EQ
trueDEBUG
body
Println() Debug line 1
Println() Debug line 2
Println() Debug line 3
109
Syntactic Analysis via AST
(Figure: AST + Ruleset → SAST Tool → Errors)
Rule # 1: Allow 3 methods
(Figure: AST of a class with members and methods xyz(), abc(), akw(), blah())
Error: Too many methods!
114
Syntactic Analysis via AST
Rule # 2: printf(format_string, args_to_print)
(Figure: AST of a function func with nodes x, =, printf, “Hello World!”, x)
Error: Missing param!
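An added example, not from the lecture, of the AST + Ruleset → Errors loop above using Python’s own `ast` module as the parser: Rule #1 (at most 3 methods per class) and Rule #2 (printf needs a format string and arguments) run over a constructed input; the literal-format-string check is an extra rule in the same spirit, not one the slides state.

```python
import ast

MAX_METHODS = 3  # Rule #1 from the slides: allow 3 methods per class

def _call_name(call: ast.Call) -> str:
    """Name of the called function, for plain names (printf) and attributes (obj.printf)."""
    if isinstance(call.func, ast.Name):
        return call.func.id
    if isinstance(call.func, ast.Attribute):
        return call.func.attr
    return ""

def check_ruleset(source: str) -> list:
    """Parse the source into an AST and report (line, message) for each rule violation."""
    tree = ast.parse(source)
    errors = []
    for node in ast.walk(tree):
        # Rule #1: count the methods declared directly in the class body
        if isinstance(node, ast.ClassDef):
            methods = [n for n in node.body
                       if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef))]
            if len(methods) > MAX_METHODS:
                errors.append((node.lineno,
                               f"class {node.name}: {len(methods)} methods, too many methods!"))
        # Rule #2: printf(format_string, args_to_print) needs both parameters,
        # and the format string must be a literal so user input can never become one
        elif isinstance(node, ast.Call) and _call_name(node) == "printf":
            if len(node.args) < 2:
                errors.append((node.lineno, "printf: missing param!"))
            elif not (isinstance(node.args[0], ast.Constant)
                      and isinstance(node.args[0].value, str)):
                errors.append((node.lineno, "printf: format string is not a literal"))
    return sorted(errors)

# Constructed input for the checker (Python syntax standing in for the slides' pseudo-code).
SAMPLE = '''\
class Widget:
    def xyz(self): pass
    def abc(self): pass
    def akw(self): pass
    def blah(self): pass

def func(x):
    printf("Hello World!")      # Rule #2: missing param
    printf(x)                   # Rule #2: missing param
    printf(x, "Hello World!")   # Rule #2: format string not a literal
    printf("Hello %s!", x)      # ok
'''

if __name__ == "__main__":
    for lineno, msg in check_ruleset(SAMPLE):
        print(f"Error (line {lineno}): {msg}")
```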
118
Control Flow Graphs
• Shows all execution paths a program might take
• Trace execution without executing program
• Nodes → Basic blocks
• Transitions → Control transfers
(Figure: CFG shapes for if-then-else, while, case)
https://dzone.com/articles/how-draw-control-flow-graph
120
Control Flow Graphs
(Figure: stepping through a CFG along T and F branch edges; the value of n stays unknown (n=?) because a CFG only traces control, not data)
134
Data Flow Analysis
• Tracks data values throughout program
• Shows all values variables might have
• User controlled variable (Source) → Tainted
• Rest (Sink) → Untainted
135
Data Flow Analysis
• Prove that
– No untainted data is expected
– No tainted data is used
(Figure: Source: Contact → SQL statement → Sink: Database; input value ‘ or 1=1#)
138
Source/Sink Clash
(Figure: data is tainted, but println() expects untainted data)
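An added example, not from the lecture, of the source/sink clash as a small taint analysis over a Python AST: data from the contact field (the source) is tracked through assignments and string concatenation until it reaches the database or println() (the sinks). The names request_param, escape_sql and db.execute are assumed for the demo; the analysis handles straight-line top-level statements only.

```python
import ast

# Assumed names for the demo (not from the slides): where user-controlled data enters,
# what cleans it, and which calls expect untainted input.
SOURCES = {"request_param", "input"}
SANITIZERS = {"escape_sql"}
SINKS = {"execute", "println"}

def _call_name(call):
    if isinstance(call.func, ast.Name):
        return call.func.id
    if isinstance(call.func, ast.Attribute):
        return call.func.attr
    return ""

def is_tainted(expr, tainted):
    """Does this expression carry user-controlled data, given the tainted variables?"""
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    if isinstance(expr, ast.Call):
        name = _call_name(expr)
        if name in SOURCES:
            return True
        if name in SANITIZERS:
            return False                     # sanitizer output is untainted
        return any(is_tainted(a, tainted) for a in expr.args)
    if isinstance(expr, ast.BinOp):          # string concatenation propagates taint
        return is_tainted(expr.left, tainted) or is_tainted(expr.right, tainted)
    if isinstance(expr, ast.JoinedStr):      # f-strings propagate taint too
        return any(is_tainted(v.value, tainted)
                   for v in expr.values if isinstance(v, ast.FormattedValue))
    return False                             # literals and anything else

def find_source_sink_clashes(source):
    """Walk straight-line, top-level statements in order and report (line, sink)
    for every sink call that receives tainted data."""
    tainted = set()
    clashes = []
    for stmt in ast.parse(source).body:
        if isinstance(stmt, ast.Assign):
            for target in stmt.targets:
                if isinstance(target, ast.Name):
                    if is_tainted(stmt.value, tainted):
                        tainted.add(target.id)
                    else:
                        tainted.discard(target.id)   # reassignment can clear taint
        elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
            call = stmt.value
            if _call_name(call) in SINKS and any(is_tainted(a, tainted) for a in call.args):
                clashes.append((stmt.lineno, _call_name(call)))
    return clashes

# Constructed program under analysis; the contact field is the slides' source,
# the database and println() are the sinks.
SAMPLE = '''\
contact = request_param("contact")
query = "SELECT * FROM users WHERE name = '" + contact + "'"
db.execute(query)
safe = escape_sql(contact)
db.execute("SELECT * FROM users WHERE name = '" + safe + "'")
println(contact)
println("static text")
'''

if __name__ == "__main__":
    for lineno, sink in find_source_sink_clashes(SAMPLE):
        print(f"line {lineno}: tainted data reaches {sink}()")
```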
139
Data Flow Analysis
• Reaching definitions
– Top-down approach
– Possible values of a variable
150
Data Flow Analysis
(Figure: control flow graph over basic blocks b1 to b6)
Definitions per block:
        a        b    c
b1      -        0    1
b2      0, a++   -    -
b3      -        -    -
b4      -        10   -
b5      -        -    b
b6      -        -    -
a = {0, 1, 2, 3, …}
b = {0, 10}
c = {1, b} → {0, 1, 10}
Sound but imprecise
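An added example, not from the lecture, that reproduces the result above from the table of definitions: a flow-insensitive value-set analysis iterated to a fixed point. It assumes every definition may reach every use, so c = b picks up every value b can ever hold, including 10 from b4, whether or not such a path exists; a++ never reaches a fixed point and is reported as unbounded.

```python
# Definitions per basic block, transcribed from the slides' table (columns a, b, c).
# A right-hand side is an int constant, the name of another variable (c = b),
# or "<var>+1" for the a++ increment.
DEFS = {
    "b1": [("b", 0), ("c", 1)],
    "b2": [("a", 0), ("a", "a+1")],
    "b3": [],
    "b4": [("b", 10)],
    "b5": [("c", "b")],
    "b6": [],
}
BOUND = 4  # rounds of propagation before a still-growing set is declared unbounded

def eval_rhs(rhs, vals):
    """Possible values of one definition's right-hand side under the current value sets."""
    if isinstance(rhs, int):
        return {rhs}
    if rhs.endswith("+1"):
        return {v + 1 for v in vals[rhs[:-2]]}
    return set(vals[rhs])

def step(vals, defs):
    """One round over every definition in the program; returns the variables whose set grew."""
    grew = set()
    for block in defs.values():
        for var, rhs in block:
            new = eval_rhs(rhs, vals)
            if not new <= vals[var]:
                vals[var] |= new
                grew.add(var)
    return grew

def value_sets(defs, bound=BOUND):
    """Flow-insensitive analysis: every definition in the program may reach every use,
    so the result is a sound over-approximation of each variable's values.
    Returns (value sets, variables that never reached a fixed point)."""
    vals = {var: set() for block in defs.values() for var, _ in block}
    for _ in range(bound):
        if not step(vals, defs):
            return vals, set()        # fixed point reached
    return vals, step(vals, defs)     # still growing: unbounded (the a++ loop)

def describe(defs):
    """Render the result like the slides: b = {0, 10}, c = {0, 1, 10}, a unbounded."""
    vals, unbounded = value_sets(defs)
    out = {}
    for var in sorted(vals):
        shown = ", ".join(str(v) for v in sorted(vals[var]))
        out[var] = "{" + shown + (", ...}" if var in unbounded else "}")
    return out

if __name__ == "__main__":
    for var, values in describe(DEFS).items():
        print(f"{var} = {values}")
```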
168
Data Flow Analysis in Security
• Source/Sink clash
– Sanitization problems
– Code injection (Update attack)
– Deserialization vulnerability
• Control and Data flow analysis
– Type confusion vulnerability
– Use-after-free vulnerability
• Denial of Service??
• Crashes??
169
Static Analysis Tools
• Open source
–
• Ruleset based code checker
–
• Checks coding standards
– SpotBugs
• Checks Java bytecode for bad practices, code style, and injections
– FindSecBugs
• Checks for OWASP Top 10 vulnerabilities
• Proprietary
– Coverity
• SAST platform for defects and security vulnerabilities
– CheckMarx
• Full-fledged platform for static analysis and exposure management
172
SAST Tools Performance
• Telenor Digital wants to incorporate security into SDLC
• Investigate developer perceptions of SAST tools
174
SAST Tools Performance
• Using Juliet Test Suite – 24,000 test cases
• Precision – Ability to guess correct type of flaw
• Recall – Ability to find flaws
177
SAST Dev Perceptions
• “. . . Making the things actually work, that usually is the worst thing. The hassle-factor is not to be underestimated. . . ”
• “. . . At least from my experience with the Sonar tool is that it sometimes complains about issues that are not really issues...”
• “. . . And of course in itself is not productive, nobody gives you a hug after fixing SonarQube reports...”
• Using one SAST tool is not enough
• Low capability of SAST tools in general
• Commercial tools are no exception
178
Summary Part II
• Perfect static analysis is not possible
• Pattern matching finds a limited set of easy-to-spot problems
• ASTs make code structure analysis easy
• Control and data flow graphs are better at finding security vulnerabilities
• Current SAST Tools are
– Useful
– Difficult to integrate
– Limited in capabilities
179
Additional Material
• https://www.theserverside.com/feature/Stay-ahead-of-Java-security-issues-like-SQL-and-LDAP-injections
• https://www.upguard.com/articles/top-10-java-vulnerabilities-and-how-to-fix-them
• https://en.wikipedia.org/wiki/Static_program_analysis
• https://youtu.be/Heor8BVa4A0
• https://youtu.be/7KCMK-LY-WM
• Aktas, Kursat, and Sevil Sen. "UpDroid: Updated Android Malware and Its Familial Classification." Nordic Conference on Secure IT Systems. Springer, Cham, 2018.
Icons courtesy: www.flaticons.com by FlatIcons, FreePik, SmashIcons, Eucalyp, Monkik
180
Time for questions
181
Data Flow Analysis
(Figure: control vs. data flow: a ← {0} on one branch and a ← {7} on the other merge to a ← {0, 7})
184
Overflow vulnerability
• This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Oracle Java. The user must visit a malicious page or open a malicious file to exploit this vulnerability.
• The flaw exists within the handling of image data. The issue lies in insufficient validation of supplied image data inside the native function readImage(). An attacker can leverage this vulnerability to execute arbitrary code under the context of the current process.
https://www.zerodayinitiative.com/advisories/ZDI-16-032/