Your SlideShare is downloading. ×
Static Analysis: The Art of Fighting without Fighting
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Introducing the official SlideShare app

Stunning, full-screen experience for iPhone and Android

Text the download link to your phone

Standard text messaging rates apply

Static Analysis: The Art of Fighting without Fighting

1,640
views

Published on

Presentation that contrasts static and dynamic analysis of web applications for security vulnerabilities. Describes a technique to combine static and dynamic analysis called hybrid analysis. …

Presentation that contrasts static and dynamic analysis of web applications for security vulnerabilities. Describes a technique to combine static and dynamic analysis called hybrid analysis. (SummerCon 2008)

Published in: Technology

1 Comment
2 Likes
Statistics
Notes
  • Genius thinking.

    Stulangperdana
    www.mdamin76.com/
    www.sprintringtones.org/
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
No Downloads
Views
Total Views
1,640
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
36
Comments
1
Likes
2
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide
  • Transcript

    • 1. The Art of Fighting without Fighting
    • 2.
      • “ You can call it the art of fighting without fighting”
      • – Bruce Lee
      • Enter the Dragon, 1973
    • 3.
      • Weak Access Control
      • API Misuse
      • Buffer Overflow
      • Poor Code Quality (FxCop)
      • Poor Encapsulation
      • Environment Misconfiguration
      • Poor Error Handling
      • Poor Input Validation
      • And More…
    • 4.
      • Dynamic Analysis involves execution (black box)
        • More common for pen testing
      • Static Analysis (white box)
        • Abstract interpretation
        • Automation tool, Developer tool
        • Semantics, Parsing
        • Compiler theory, Set theory
        • Object code, Byte code
    • 5.
      • Crawling can only audit what it can find
      • Cannot cover 100% of source code
      • Little knowledge of application
      • False negatives
    • 6.
      • Compiler optimizations
      • Framework and 3 rd party lib integration
      • Identifying validation
      • False positives
    • 7.
      • Precise
        • Doesn’t report plausible but false defects
      • Safe
        • Doesn’t miss defects
      • Too much of either can be useless
    • 8.
      • Correlation
        • – the strength of relation between two variables
      • Depends upon input detection
      • Static feeds information to Dynamic
      • Means less false negatives
      • Means less false positives
      • Hybrid Analysis
    • 9.
      • STEPS:
      • Fix vulnerabilities early
      • Profit
      • CHART:
    • 10.
      • Cross-site Scripting
        • Response.Write(Request.QueryString[“isbn"]);
      • SQL Injection
        • protected System.Web.UI.WebControls.TextBox Publisher;
        • SqlCommand cmd = new SqlCommand(“SELECT * FROM Books WHERE Publisher = ‘”+Publisher.Text+“’”, conn);
      • HTTP Response Splitting
        • string author = Author.Text;
        • Cookie cookie = new Cookie("author", author);
      • Path Traversal
        • sting fName = Request.Form[“fileName“];
        • File.Delete("C:sersilesamp;quot; + fName);
      • Command Injection
        • string args = “-a -o “+Request.Param[“arg”];
        • Process.Start(“program.exe“+args);
    • 11.
      • Source
      • Location of injected malicious data
        • Http Request
        • Post Parameters
        • Query String
      • Sink
      • Location malicious data is used to manipulate the application
        • Http Response
        • Command
        • Query
    • 12.
      • Cross-site Scripting
        • Response.Write ( Request.QueryString[“isbn"] );
      • SQL Injection
        • protected System.Web.UI.WebControls.TextBox Publisher;
        • SqlCommand cmd = new SqlCommand (“SELECT * FROM Books WHERE Publisher = ‘”+ Publisher.Text +“’”, conn);
      • HTTP Response Splitting
        • string author = Author.Text ;
        • Cookie cookie = new Cookie ("author", author);
      • Path Traversal
        • sting fName = Request.Form[“fileName“] ;
        • File.Delete ("C:sersilesamp;quot; + fName);
      • Command Injection
        • string args = “-a -o “+ Request.Param[“arg”] ;
        • Process.Start (“program.exe“+args);
    • 13.
      • Infinite ways to write code with the same output
      • Use the lowest level human-readable language
      • Parsing (alone) fails
      • Be the compiler (and then some)
        • IPA – Intraprocedural Analysis
        • CFG – Control Flow Graph
        • DFA – Data Flow Analysis
        • Variable Tracing
    • 14.
      • Call graph f(g())
        • each node represents a procedure
        • each edge is a call
      • Stack trace is a dynamic call graph
      • Context sensitive – separate node for each possible procedure activation
      • Context insensitive – only one node for each procedure
    • 15.
      • A graph of all the paths of execution in a program
      • Generate a CFG for each function
      • Each node is a basic block
      • CFA - Compute domination
      • dominator - block M dominates block N if every path from the entry that reaches block N has to pass through block M
      • abnormal edge - edge with an unknown destination
    • 16. if if/else do switch
    • 17.
      • Follow all program paths
        • Trace each branch both directions
        • May discover dead code
      • Reaching definitions
        • The assignments that produce variable values at a certain state
        • Which definitions contain tainted sources ?
        • Of those definitions, which reach sinks ?
    • 18.
      • B1: a=value1
      • B2: a=value2
      • B2 KILLs B1 and B2 is also a GEN
      • Use-Def chains
        • For each use of variable v in a statement s, make a list of definitions of v that reach s
      • Use-Def: backward seeking
      • Def-Use: forward seeking
    • 19.
      • int x;
      • if (…)
      • x = 1;
      • a = x;
      This def reaches this use … but the def might not get executed!
    • 20.
      • if (Page.IsValid())
      • string pwd = Request.Form[“pwd”];
      • string sql = “SELECT …” + pwd + “’”;
      • SqlCommand cmd = new SqlCommand(sql);
      If this def doesn’t dominate this use Unvalidated input causes SQL Injection
    • 21.
      • Formerly called Microsoft Intermediate Language
      • .NET is Stack based (LIFO)
      • Metadata for compiled classes
      • Reflection - the program in the mirror
      • Common Language Runtime
      • .method public static void Main() cil managed
      • {
      • .entrypoint
      • .maxstack 1
      • ldstr "Hello, world!"
      • call void [mscorlib]System.Console::WriteLine(string)
      • ret
      • }
    • 22. Manual Static Analysis
    • 23.
      • Find every instance of an unvalidated source being used in the application
      • Find combinations that link source to sink
      • Determine validation in dominance frontier
      • Implement checks that inform users of the specific vulnerabilities found
      • Verify with dynamic analysis*
      • Apply remediation*
    • 24. Great way to find vulnerabilities? Or greatest way to find vulnerabilities? You decide .