Detection of vulnerabilities in programs with the help of code analyzers
Author: Elena Haritonova
Date: 10.08.2008

Abstract

At present there are a lot of tools intended for automating the search for program vulnerabilities. This article describes some of them.

Introduction

Static code analysis is software analysis which deals with the source code of programs and is performed without actually executing the program being examined.

Software often contains various vulnerabilities because of errors in program code. Errors made while developing programs cause program failures, and consequently the program cannot work normally: data alteration and corruption often occur, as well as program halts or even system halts. Most of the vulnerabilities relate to incorrect processing of input data or insufficiently strict checking of these data.

To detect vulnerabilities different tools are used, for example static analyzers of program source code, which are reviewed in this article.

Classification of security vulnerabilities

When the requirement that a program work correctly on all possible input data is violated, so-called security vulnerabilities may occur. Security vulnerabilities may result in one program being used to overcome the security limitations of the whole system.

Classification of security vulnerabilities depending on program errors:

1. Buffer overflow. This vulnerability occurs because of the absence of control over exceeding an array's size in memory during program execution. When too large a data burst overflows a buffer of limited size, the content of memory cells outside the buffer is overwritten and the program halts. Depending on the location of the buffer in the process's memory, stack buffer overflow, heap buffer overflow and bss buffer overflow can be distinguished.

2. Tainted input vulnerability. A tainted input vulnerability can occur when data input by the user are passed, without sufficient control, to an interpreter of some external language (usually it is the Unix shell or SQL). In this case the user can define the input data in such a way that the launched interpreter executes a command other than the one meant by the authors of the vulnerable program.

3. Format string vulnerability. This type of security vulnerability is a subclass of the tainted input vulnerability. It occurs because of insufficient control over parameters while using the formatted input-output functions printf, fprintf, scanf etc. of the standard C library. These functions receive a character string as one of their parameters, defining the input or output format of the following arguments of the function. If the user can define the format string himself, this vulnerability may occur as the result of an unlucky use of string formatting functions.

4. Vulnerabilities resulting from race condition errors. Problems relating to multitasking cause situations called "race conditions": a program not intended to be executed in a multitasking environment can assume that, for example, files it uses while working cannot be changed by another program. As a result, an intruder who substitutes the content of these working files can make the program perform certain actions.

Of course, other types of security vulnerabilities exist.

Review of existing analyzers

To detect security vulnerabilities in programs the following tools are used:

• Dynamic debuggers - tools which allow you to debug a program during its execution.
• Static analyzers (static debuggers) - tools using information collected during static analysis of a program.

Static analyzers point out those sections in a program where an error may occur. These suspicious sections of the code may contain a real error or may turn out to be entirely harmless.

Some of the existing static analyzers are reviewed in this article. Let's discuss each of them in detail.

1. BOON

BOON, being based on deep semantic analysis, automates the process of scanning C source texts to detect vulnerable sections which can cause buffer overflow. It detects possible defects by treating certain values as belonging to an implicit type with a concrete buffer size.

2. CQual

CQual is a tool to detect errors in C programs. It adds user-defined type qualifiers to the C language. The programmer annotates his program with the corresponding qualifiers and CQual searches for errors. Inconsistent annotations indicate possible errors. CQual can be used to detect possible format string vulnerabilities.

3. MOPS

MOPS (MOdel checking Programs for Security) is a tool to search for security vulnerabilities in C programs. It is intended for dynamic patching to make a C program conform to a static model. MOPS uses a software auditing model which is meant to find out whether the program observes a set of rules defined for creating safe programs.

4. ITS4, RATS, PScan, Flawfinder

To detect buffer overflow errors and format string errors the following static analyzers are used:

1. ITS4. A simple tool which scans C/C++ source code to detect potential security vulnerabilities. It records calls of potentially unsafe functions such as strcpy/memcpy, performs shallow semantic analysis trying to estimate whether this code is unsafe, and also provides advice on improving it.

2. RATS. The RATS utility (Rough Auditing Tool for Security) processes C/C++ code and Perl, PHP and Python scripts. RATS scans source code detecting potentially unsafe function calls. The aim of this tool is not the final detection of errors but making valid conclusions for a specialist to perform a manual check of the code. RATS combines different kinds of security checks, from the semantic check of ITS4 to the deep semantic analysis taken from MOPS for finding defects which can cause buffer overflow.

3. PScan. It scans C source texts to detect potentially incorrect printf-like functions and format string vulnerabilities.

4. Flawfinder. Like RATS, this is a static scanner of C/C++ source texts. It searches for functions which are very often used incorrectly, assigns risk coefficients to them (relying on such information as the parameters passed) and composes a list of potential vulnerabilities arranged according to risk level.

All these tools are similar and use only lexical analysis and simple syntax analysis. That's why the results provided by these programs may contain even 100% false messages.

5. Bunch

Bunch is a tool for analysis and visualization of C programs which builds a dependency graph that helps the auditor to examine the modular structure of the program.

6. UNO

UNO is a simple source code analyzer. It was developed to detect such errors as uninitialized variables, null pointer dereferences and out-of-bounds array indexing. UNO allows you to perform simple control flow and data flow analysis, both intra- and interprocedural analysis, and to specify user-defined properties. But this tool cannot be used for the analysis of real applications, doesn't support many standard libraries and doesn't allow you to analyze serious programs at the present stage of development.

7. FlexeLint (PC-Lint)

FlexeLint (PC-Lint) is an analyzer intended for analyzing source code to detect errors of different types. The program performs semantic analysis of source code as well as data flow and control flow analysis. When the work is done, messages of several types are shown:

• A null pointer is possible;
• Problems of memory allocation (for example, free() after malloc() is absent);
• Control flow problems (for example, unreachable code);
• Buffer overflow or arithmetic overflow is possible;
• Warnings about bad and potentially unsafe code style.

8. Viva64

Viva64 is a tool which helps a specialist to detect, in the source code of C/C++ programs, potentially unsafe sections relating to porting from 32-bit systems to 64-bit ones. Viva64 integrates into Microsoft Visual Studio 2005/2008, which makes working with the tool convenient. The analyzer helps to write correct and optimized code for 64-bit systems.

9. Parasoft C++test

Parasoft C++test is a specialized tool for Windows allowing you to automate the analysis of C++ code quality. The C++test package analyzes the project and generates code intended for checking items of the project. The C++test package performs the very important work of analyzing C++ classes. When the project is loaded it is necessary to set the testing methods. The software analyzes each argument of a method and returns the types of the corresponding values. Argument values are assigned by default in the case of data of simple types; you can define testing data for user-defined types and classes. You can redefine the C++test default arguments and assign values received as the result of the test. We should also mention that C++test can test incomplete code. The software generates stub code for any method and function which doesn't exist yet. It supports imitation of external devices and user-defined input data. Both functions allow you to perform retesting. When testing parameters are defined for all the methods, the C++test package is ready to launch the executable code. The package generates the test code and calls the Visual C++ compiler to build it. You can run tests at the method, class, file and project levels.

10. Coverity

Coverity tools are used to detect and correct security and quality defects in applications of critical purpose. Coverity's technology removes barriers to writing and deploying complex software by automating the process of searching for and correcting critical program errors and security vulnerabilities during development. Coverity's tool can process tens of millions of lines of code with a minimal number of false positives, providing full path coverage.

11. Klocwork K7

Klocwork's products are intended for automatic static code analysis and for the detection and prevention of software defects and security problems. The company's tools are used to detect the root causes of software quality and security vulnerabilities and to control and prevent these defects during the whole development process.

12. Frama-C

Frama-C is an open, integrated set of tools for analyzing C source code. The set includes ACSL (ANSI/ISO C Specification Language), a special language allowing you to describe the specifications of C functions in detail, for example, to define the range of acceptable input values of a function and the range of normal output values. This toolkit helps to:

• Perform formal verification of the code;
• Search for potential run-time errors;
• Perform code auditing or reviewing;
• Perform reverse engineering of the code to understand its structure better;
• Generate formal documentation.

13. CodeSurfer

CodeSurfer is a program analysis tool whose main purpose is not the search for security vulnerabilities. Its main advantages are:

• Pointer analysis;
• Different data flow analyses (use and definition of variables, data dependency, building of the call graph);
• A scripting language.

CodeSurfer can be used to detect errors in source code, to make source code clearer, and to reengineer programs. Within the framework of CodeSurfer a prototype of a tool to detect security vulnerabilities has been developed, but the developed tool is used only by the developers of the organization.
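The kind of lexical scanning that ITS4, RATS, PScan and Flawfinder perform (section 4), and why it produces false positives for the buffer overflow and format string classes described above, can be shown with a small scanner of the same family. The Python scanner below and the C fragment it examines are an added example written for this article, not code from any of the tools reviewed; its rule table, risk levels and sample source are constructed.

```python
import re
from collections import namedtuple

# Rule table in the spirit of ITS4 / RATS / Flawfinder (constructed for this example;
# the real tools ship far larger databases). Group 1 of each regex is the function name.
RULES = [
    (r"\b(gets)\s*\(", "buffer overflow", 5),
    (r"\b(strcpy|strcat|sprintf)\s*\(", "buffer overflow", 4),
    # printf family whose format argument is an identifier rather than a string literal.
    (r"\b(printf|syslog)\s*\(\s*[A-Za-z_]\w*\s*[,)]", "format string", 4),
    (r"\b(fprintf|sprintf)\s*\([^,]+,\s*[A-Za-z_]\w*\s*[,)]", "format string", 4),
]

Finding = namedtuple("Finding", "line function vuln_class risk text")

def strip_comments(src: str) -> str:
    """Blank out /* */ and // comments but keep line numbering intact."""
    src = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"), src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)

def scan(src: str) -> list:
    """Purely lexical scan: flag every risky call, highest risk first, then source order."""
    findings = []
    for lineno, line in enumerate(strip_comments(src).splitlines(), 1):
        for pattern, vuln_class, risk in RULES:
            for m in re.finditer(pattern, line):
                findings.append(Finding(lineno, m.group(1), vuln_class, risk, line.strip()))
    return sorted(findings, key=lambda f: (-f.risk, f.line))

# Constructed C fragment: one real format string bug, one unbounded gets(), and a
# strcpy() that is actually safe because of the preceding length check.
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>

void greet(const char *name) {
    char buf[64];                  /* an older version filled this with gets() */
    if (strlen(name) < sizeof buf) /* copy is bounded by this check */
        strcpy(buf, name);         /* reported anyway: a false positive */
    printf(name);                  /* user data as the format string: real bug */
    printf("%s\\n", name);         /* literal format: not reported */
    gets(buf);                     /* unbounded read: real bug */
}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_C):
        print(f"line {f.line} [{f.vuln_class}, risk {f.risk}] {f.function}: {f.text}")
```

The scanner cannot see the length check guarding strcpy(), so it reports it alongside the two real defects; that inability to reason about control flow is exactly what separates these tools from the semantic analyzers (BOON, MOPS, CQual) reviewed above.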
can be included into the build process to receive warning messages and stop the process if some code sections are repeated.

Conclusion

So, in this article we've discussed source code static analyzers which serve as auxiliary tools for a programmer. All the tools are different and help to detect various types of security vulnerabilities in programs. We could conclude that static analyzers must be precise and sensitive. But unfortunately, static debugging means cannot guarantee 100% safety.