Static Analysis: The Art of Fighting without Fighting

The Art of Fighting without Fighting

“ You can call it the art of fighting without fighting”
– Bruce Lee
Enter the Dragon, 1973

Weak Access Control
API Misuse
Buffer Overflow
Poor Code Quality (FxCop)
Poor Encapsulation
Environment Misconfiguration
Poor Error Handling
Poor Input Validation
And More…

Dynamic Analysis involves execution (black box)
More common for pen testing
Static Analysis (white box)
Abstract interpretation
Automation tool, Developer tool
Semantics, Parsing
Compiler theory, Set theory
Object code, Byte code

Crawling can only audit what it can find
Cannot cover 100% of source code
Little knowledge of application
False negatives

Compiler optimizations
Framework and 3 rd party lib integration
Identifying validation
False positives

Precise
Doesn’t report plausible but false defects
Safe
Doesn’t miss defects
Too much of either can be useless

Correlation
– the strength of relation between two variables
Depends upon input detection
Static feeds information to Dynamic
Means less false negatives
Means less false positives
Hybrid Analysis

STEPS:
Fix vulnerabilities early
…
Profit
CHART:

Cross-site Scripting
Response.Write(Request.QueryString[“isbn"]);
SQL Injection
protected System.Web.UI.WebControls.TextBox Publisher;
SqlCommand cmd = new SqlCommand(“SELECT * FROM Books WHERE Publisher = ‘”+Publisher.Text+“’”, conn);
HTTP Response Splitting
string author = Author.Text;
Cookie cookie = new Cookie("author", author);
Path Traversal
sting fName = Request.Form[“fileName“];
File.Delete("C:sersilesamp;quot; + fName);
Command Injection
string args = “-a -o “+Request.Param[“arg”];
Process.Start(“program.exe“+args);

Source
Location of injected malicious data
Http Request
Post Parameters
Query String
Sink
Location malicious data is used to manipulate the application
Http Response
Command
Query

Cross-site Scripting
Response.Write ( Request.QueryString[“isbn"] );
SQL Injection
protected System.Web.UI.WebControls.TextBox Publisher;
SqlCommand cmd = new SqlCommand (“SELECT * FROM Books WHERE Publisher = ‘”+ Publisher.Text +“’”, conn);
HTTP Response Splitting
string author = Author.Text ;
Cookie cookie = new Cookie ("author", author);
Path Traversal
sting fName = Request.Form[“fileName“] ;
File.Delete ("C:sersilesamp;quot; + fName);
Command Injection
string args = “-a -o “+ Request.Param[“arg”] ;
Process.Start (“program.exe“+args);

Infinite ways to write code with the same output
Use the lowest level human-readable language
Parsing (alone) fails
Be the compiler (and then some)
IPA – Intraprocedural Analysis
CFG – Control Flow Graph
DFA – Data Flow Analysis
Variable Tracing

Call graph f(g())
each node represents a procedure
each edge is a call
Stack trace is a dynamic call graph
Context sensitive – separate node for each possible procedure activation
Context insensitive – only one node for each procedure

A graph of all the paths of execution in a program
Generate a CFG for each function
Each node is a basic block
CFA - Compute domination
dominator - block M dominates block N if every path from the entry that reaches block N has to pass through block M
abnormal edge - edge with an unknown destination

if if/else do switch

Follow all program paths
Trace each branch both directions
May discover dead code
Reaching definitions
The assignments that produce variable values at a certain state
Which definitions contain tainted sources ?
Of those definitions, which reach sinks ?

B1: a=value1
B2: a=value2
B2 KILLs B1 and B2 is also a GEN
Use-Def chains
For each use of variable v in a statement s, make a list of definitions of v that reach s
Use-Def: backward seeking
Def-Use: forward seeking

…
int x;
if (…)
x = 1;
…
a = x;
…
This def reaches this use … but the def might not get executed!

…
if (Page.IsValid())
string pwd = Request.Form[“pwd”];
…
string sql = “SELECT …” + pwd + “’”;
SqlCommand cmd = new SqlCommand(sql);
…
If this def doesn’t dominate this use Unvalidated input causes SQL Injection

Formerly called Microsoft Intermediate Language
.NET is Stack based (LIFO)
Metadata for compiled classes
Reflection - the program in the mirror
Common Language Runtime
.method public static void Main() cil managed
{
.entrypoint
.maxstack 1
ldstr "Hello, world!"
call void [mscorlib]System.Console::WriteLine(string)
ret
}

Manual Static Analysis

Find every instance of an unvalidated source being used in the application
Find combinations that link source to sink
Determine validation in dominance frontier
Implement checks that inform users of the specific vulnerabilities found
Verify with dynamic analysis*
Apply remediation*

Great way to find vulnerabilities? Or greatest way to find vulnerabilities? You decide .

Static Analysis: The Art of Fighting without Fighting

by rob.ragan on Mar 10, 2009

Accessibility

Categories

Tags

Upload Details

Usage Rights

2 Embeds 9

Statistics

Static Analysis: The Art of Fighting without Fighting — Presentation Transcript

http://www.slideshare.net	8
http://www.lmodules.com	1