Static Analysis: The Art of Fighting without Fighting
Presentation that contrasts static and dynamic analysis of web applications for security vulnerabilities. Describes a technique to combine static and dynamic analysis called hybrid analysis. (SummerCon 2008)

  • Transcript

    • 1. The Art of Fighting without Fighting
    • 2. "You can call it the art of fighting without fighting"
         – Bruce Lee, Enter the Dragon, 1973
    • 3.
         - Weak Access Control
         - API Misuse
         - Buffer Overflow
         - Poor Code Quality (FxCop)
         - Poor Encapsulation
         - Environment Misconfiguration
         - Poor Error Handling
         - Poor Input Validation
         - And More…
    • 4.
         - Dynamic Analysis involves execution (black box)
           - More common for pen testing
         - Static Analysis (white box)
           - Abstract interpretation
           - Automation tool, Developer tool
           - Semantics, Parsing
           - Compiler theory, Set theory
           - Object code, Byte code
    • 5.
         - Crawling can only audit what it can find
         - Cannot cover 100% of source code
         - Little knowledge of application
         - False negatives
    • 6.
         - Compiler optimizations
         - Framework and 3rd party lib integration
         - Identifying validation
         - False positives
    • 7.
         - Precise
           - Doesn't report plausible but false defects
         - Safe
           - Doesn't miss defects
         - Too much of either can be useless
    • 8.
         - Correlation – the strength of relation between two variables
         - Depends upon input detection
         - Static feeds information to Dynamic
         - Means fewer false negatives
         - Means fewer false positives
         - Hybrid Analysis
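    Slide 8 leaves the correlation step abstract. The following Python is an added example, not code from the slides or their author: it joins a static pass's findings (which parameter reaches which sink, with file and line) with a dynamic scanner's findings on (page, parameter, vulnerability class). Agreement lowers false positives, dynamic-only findings expose static false negatives, and the static-only parameters become the input list handed to the scanner, which is the "static feeds information to dynamic" step. Every page name, parameter and record below is constructed for the example.

```python
"""Hybrid analysis: correlate static findings with dynamic scan results.

Added example, not code from the SummerCon slides. Static findings carry the
parameter-to-sink link and code location; dynamic findings carry runtime
evidence. Joining them on (page, parameter, vulnerability class) sorts the
results into confirmed, static-only and dynamic-only buckets, and the
static-only bucket becomes the scanner's next input list.
Every page, parameter and record here is constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Key = Tuple[str, str, str]


@dataclass(frozen=True)
class StaticFinding:
    page: str        # handler or page that contains the sink
    parameter: str   # request parameter that reaches the sink
    vuln: str        # vulnerability class
    location: str    # file:line of the sink


@dataclass(frozen=True)
class DynamicFinding:
    page: str
    parameter: str
    vuln: str
    evidence: str    # what the scanner observed in the response


def key(f) -> Key:
    return (f.page, f.parameter, f.vuln)


def correlate(static: List[StaticFinding], dynamic: List[DynamicFinding]) -> Dict[str, list]:
    """Partition findings by whether both analyses, or only one, reported them."""
    s_index = {key(f): f for f in static}
    d_index = {key(f): f for f in dynamic}
    both = s_index.keys() & d_index.keys()
    return {
        # both agree: runtime evidence backs the code-level finding, fix first
        "confirmed": sorted(((s_index[k], d_index[k]) for k in both), key=lambda p: key(p[0])),
        # static only: a candidate false positive, or an input the crawler never reached
        "static_only": sorted((s_index[k] for k in s_index.keys() - both), key=key),
        # dynamic only: a static false negative (e.g. a framework or 3rd-party path)
        "dynamic_only": sorted((d_index[k] for k in d_index.keys() - both), key=key),
    }


def scan_targets(static_only: List[StaticFinding]) -> Dict[str, Set[str]]:
    """Page -> parameters the static pass found but the scanner did not exercise."""
    targets: Dict[str, Set[str]] = {}
    for f in static_only:
        targets.setdefault(f.page, set()).add(f.parameter)
    return targets


# Constructed sample data, loosely named after the slide 10 examples.
STATIC = [
    StaticFinding("Search.aspx", "isbn", "xss", "Search.aspx.cs:42"),
    StaticFinding("Books.aspx", "Publisher", "sqli", "Books.aspx.cs:57"),
    StaticFinding("Delete.aspx", "fileName", "path-traversal", "Delete.aspx.cs:19"),
]
DYNAMIC = [
    DynamicFinding("Search.aspx", "isbn", "xss", "marker string reflected unencoded"),
    DynamicFinding("Login.aspx", "user", "sqli", "database error text in response"),
]


def run_sample():
    """Correlate the constructed findings and derive the scanner's next inputs."""
    result = correlate(STATIC, DYNAMIC)
    return result, scan_targets(result["static_only"])


if __name__ == "__main__":
    result, targets = run_sample()
    for bucket, items in result.items():
        print(bucket, [key(i[0]) if isinstance(i, tuple) else key(i) for i in items])
    print("feed to scanner:", targets)
```

    In the sample the crawler never reached Books.aspx or Delete.aspx, so their parameters come out as scan targets rather than being dropped as unconfirmed, and the Login.aspx finding shows where the static model was incomplete.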
    • 9.
         STEPS:
         - Fix vulnerabilities early
         - …
         - Profit
         CHART: (chart image not included in the transcript)
    • 10.
         - Cross-site Scripting
             Response.Write(Request.QueryString["isbn"]);
         - SQL Injection
             protected System.Web.UI.WebControls.TextBox Publisher;
             SqlCommand cmd = new SqlCommand("SELECT * FROM Books WHERE Publisher = '" + Publisher.Text + "'", conn);
         - HTTP Response Splitting
             string author = Author.Text;
             HttpCookie cookie = new HttpCookie("author", author);
         - Path Traversal
             string fName = Request.Form["fileName"];
             File.Delete(@"C:\users\files\" + fName);
         - Command Injection
             string args = "-a -o " + Request.Params["arg"];
             Process.Start("program.exe", args);
    • 11.
         - Source: location of injected malicious data
           - Http Request
           - Post Parameters
           - Query String
         - Sink: location where malicious data is used to manipulate the application
           - Http Response
           - Command
           - Query
    • 12. (the slide 10 examples again, with the source and the sink of each highlighted)
         - Cross-site Scripting: source Request.QueryString["isbn"], sink Response.Write(...)
         - SQL Injection: source Publisher.Text, sink new SqlCommand(...)
         - HTTP Response Splitting: source Author.Text, sink new HttpCookie(...)
         - Path Traversal: source Request.Form["fileName"], sink File.Delete(...)
         - Command Injection: source Request.Params["arg"], sink Process.Start(...)
    • 13.
         - Infinite ways to write code with the same output
         - Use the lowest level human-readable language
         - Parsing (alone) fails
         - Be the compiler (and then some)
           - IPA – Intraprocedural Analysis
           - CFG – Control Flow Graph
           - DFA – Data Flow Analysis
           - Variable Tracing
    • 14.
         - Call graph f(g())
           - each node represents a procedure
           - each edge is a call
         - Stack trace is a dynamic call graph
         - Context sensitive – separate node for each possible procedure activation
         - Context insensitive – only one node for each procedure
    • 15.
         - A graph of all the paths of execution in a program
         - Generate a CFG for each function
         - Each node is a basic block
         - CFA – compute domination
         - dominator – block M dominates block N if every path from the entry that reaches block N has to pass through block M
         - abnormal edge – edge with an unknown destination
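    Slide 15's dominator definition, and the dominance frontier that slide 23 later relies on, are small enough to compute directly. The following Python is an added example (not from the slides or their author) that does so over a CFG modelled as a dict from basic block to successors, using the standard iterative data-flow equations. The sample graph, with the assumed block names entry, check, validated and use, has the shape of the slide 20 program: the validated definition sits on one branch of an if and the SQL sink after the branches merge.

```python
"""Dominators and dominance frontier over a control flow graph.

Added example, not code from the SummerCon slides. A CFG is a dict from
basic block to its successors. Dominators come from the classic iterative
equations
    Dom(entry) = {entry}
    Dom(n)     = {n} | intersection of Dom(p) over all predecessors p of n
Block names and edges in SAMPLE_CFG are assumed for the example.
"""
from typing import Dict, List, Set

CFG = Dict[str, List[str]]


def predecessors(cfg: CFG) -> Dict[str, Set[str]]:
    preds: Dict[str, Set[str]] = {n: set() for n in cfg}
    for n, succs in cfg.items():
        for s in succs:
            preds[s].add(n)
    return preds


def dominators(cfg: CFG, entry: str) -> Dict[str, Set[str]]:
    """Dom(n): every block on every path from entry to n, including n itself."""
    preds = predecessors(cfg)
    dom = {n: set(cfg) for n in cfg}   # start with everything, shrink to a fixpoint
    dom[entry] = {entry}
    changed = True
    while changed:
        changed = False
        for n in cfg:
            if n == entry:
                continue
            new = {n}
            if preds[n]:
                new |= set.intersection(*(dom[p] for p in preds[n]))
            if new != dom[n]:
                dom[n], changed = new, True
    return dom


def dominates(dom: Dict[str, Set[str]], m: str, n: str) -> bool:
    """Slide 15's definition: M dominates N if every entry-to-N path passes M."""
    return m in dom[n]


def dominance_frontier(cfg: CFG, dom: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """DF(n): blocks y where n dominates a predecessor of y but does not strictly
    dominate y. For a guarded definition this is the merge point where an
    unguarded path joins, i.e. where validation has to be re-established."""
    preds = predecessors(cfg)
    df: Dict[str, Set[str]] = {n: set() for n in cfg}
    for y in cfg:
        for p in preds[y]:
            for n in dom[p]:                    # n dominates predecessor p ...
                if n == y or n not in dom[y]:   # ... but not strictly y
                    df[n].add(y)
    return df


# Constructed CFG shaped like slide 20.
SAMPLE_CFG: CFG = {
    "entry":     ["check"],             # method prologue
    "check":     ["validated", "use"],  # if (Page.IsValid())
    "validated": ["use"],               # string pwd = Request.Form["pwd"];
    "use":       [],                    # new SqlCommand("SELECT ..." + pwd)
}

if __name__ == "__main__":
    dom = dominators(SAMPLE_CFG, "entry")
    print("check dominates use:    ", dominates(dom, "check", "use"))      # True
    print("validated dominates use:", dominates(dom, "validated", "use"))  # False
    print("DF(validated):", dominance_frontier(SAMPLE_CFG, dom)["validated"])  # {'use'}
```

    The result is the slide 20 diagnosis in graph terms: the check block dominates the use, but the validated definition does not, and its dominance frontier is exactly the use block, so that is where the analysis must ask whether an unvalidated path still arrives. The initialisation with the full node set is only correct for blocks reachable from entry, which is the usual assumption when a CFG is built per function.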
    • 16. (diagrams of the CFG shapes for if, if/else, do and switch)
    • 17.
         - Follow all program paths
           - Trace each branch both directions
           - May discover dead code
         - Reaching definitions
           - The assignments that produce variable values at a certain state
           - Which definitions contain tainted sources?
           - Of those definitions, which reach sinks?
    • 18.
         - B1: a = value1
         - B2: a = value2
         - B2 KILLs B1, and B2 is also a GEN
         - Use-Def chains
           - For each use of variable v in a statement s, make a list of definitions of v that reach s
         - Use-Def: backward seeking
         - Def-Use: forward seeking
    • 19.
             …
             int x;
             if (…)
                 x = 1;
             …
             a = x;
             …
         This def (x = 1) reaches this use (a = x) … but the def might not get executed!
    • 20.
             …
             if (Page.IsValid())
                 string pwd = Request.Form["pwd"];
             …
             string sql = "SELECT …" + pwd + "'";
             SqlCommand cmd = new SqlCommand(sql);
             …
         If this def (pwd, on the Page.IsValid() branch) doesn't dominate this use (pwd in sql), unvalidated input causes SQL Injection.
    • 21.
         - Formerly called Microsoft Intermediate Language
         - .NET is stack based (LIFO)
         - Metadata for compiled classes
         - Reflection – the program in the mirror
         - Common Language Runtime
             .method public static void Main() cil managed
             {
                 .entrypoint
                 .maxstack 1
                 ldstr "Hello, world!"
                 call void [mscorlib]System.Console::WriteLine(string)
                 ret
             }
    • 22. Manual Static Analysis
    • 23.
         - Find every instance of an unvalidated source being used in the application
         - Find combinations that link source to sink
         - Determine validation in dominance frontier
         - Implement checks that inform users of the specific vulnerabilities found
         - Verify with dynamic analysis*
         - Apply remediation*
    • 24. Great way to find vulnerabilities? Or greatest way to find vulnerabilities? You decide.
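    The reaching-definitions steps of slides 17 and 18 (GEN/KILL, IN/OUT iterated to a fixpoint, use-def chains) and the first three steps of the slide 23 procedure (find unvalidated sources, link them to sinks, check whether validation covers the path) can be run end to end on the slide 20 program. The following Python is an added example, not code from the slides or their author. The Stmt records, the block names entry/check/valid/use, and the Validate() call standing in for the definition guarded by Page.IsValid() are assumptions made for the example; the second, fixed program shows the same analysis reporting nothing once validation dominates the use.

```python
"""Reaching definitions, use-def chains and source-to-sink taint (added example,
not code from the SummerCon slides). Implements the slide 17/18 data-flow steps
over a block-level CFG, then slide 23's procedure: find unvalidated sources,
link them to sinks via use-def chains, and see whether a validated definition
covers every path. Statements, block names and Validate() are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

@dataclass(frozen=True)
class Stmt:
    text: str
    defines: Optional[str] = None       # variable assigned here (a GEN)
    uses: FrozenSet[str] = frozenset()  # variables read
    source: bool = False                # reads attacker-controlled input
    sanitizer: bool = False             # result is validated: taint stops here
    sink: bool = False                  # hands an operand to a sink

# Slide 20's shape: pwd is validated only on the Page.IsValid() branch.
PROGRAM: Dict[str, List[Stmt]] = {
    "entry": [Stmt('string pwd = Request.Form["pwd"];', defines="pwd", source=True)],
    "check": [Stmt("if (Page.IsValid())")],
    "valid": [Stmt("pwd = Validate(pwd);", defines="pwd", uses=frozenset({"pwd"}), sanitizer=True)],
    "use":   [Stmt('string sql = "SELECT ..." + pwd + "\'";', defines="sql", uses=frozenset({"pwd"})),
              Stmt("SqlCommand cmd = new SqlCommand(sql);", defines="cmd", uses=frozenset({"sql"}), sink=True)],
}
CFG = {"entry": ["check"], "check": ["valid", "use"], "valid": ["use"], "use": []}
# Remediated shape: validation dominates the use, nothing branches around it.
FIXED_PROGRAM = {b: PROGRAM[b] for b in ("entry", "valid", "use")}
FIXED_CFG = {"entry": ["valid"], "valid": ["use"], "use": []}

def gen_kill(program):
    """GEN[b]: last def of each variable in b; KILL[b]: every other def of those variables."""
    all_defs = {}
    for b, stmts in program.items():
        for i, s in enumerate(stmts):
            if s.defines:
                all_defs.setdefault(s.defines, set()).add((b, i))
    gen, kill = {}, {}
    for b, stmts in program.items():
        last, killed = {}, set()
        for i, s in enumerate(stmts):
            if s.defines:
                last[s.defines] = (b, i)
                killed |= all_defs[s.defines]
        gen[b] = set(last.values())
        kill[b] = killed - gen[b]
    return gen, kill

def reaching_definitions(program, cfg):
    """IN[b] = union of OUT[p] for predecessors p; OUT[b] = GEN[b] | (IN[b] - KILL[b])."""
    gen, kill = gen_kill(program)
    preds = {b: [p for p, succs in cfg.items() if b in succs] for b in cfg}
    in_, out = {b: set() for b in cfg}, {b: set() for b in cfg}
    changed = True
    while changed:  # iterate to a fixpoint, which also handles loops in the CFG
        changed = False
        for b in cfg:
            in_[b] = set().union(*(out[p] for p in preds[b]))
            new_out = gen[b] | (in_[b] - kill[b])
            if new_out != out[b]:
                out[b], changed = new_out, True
    return in_, out

def use_def_chains(program, cfg):
    """For each statement and each variable it uses: the defs reaching it (use-def, backward)."""
    in_, _ = reaching_definitions(program, cfg)
    var = lambda d: program[d[0]][d[1]].defines
    chains = {}
    for b, stmts in program.items():
        live = set(in_[b])
        for i, s in enumerate(stmts):
            chains[(b, i)] = {v: {d for d in live if var(d) == v} for v in s.uses}
            if s.defines:  # kills earlier defs of the same variable within the block
                live = {d for d in live if var(d) != s.defines} | {(b, i)}
    return chains

def tainted_definitions(program, cfg):
    """Defs that read a source, or a variable with a tainted reaching def; sanitizers stop it."""
    chains = use_def_chains(program, cfg)
    tainted, changed = set(), True
    while changed:
        changed = False
        for b, stmts in program.items():
            for i, s in enumerate(stmts):
                d = (b, i)
                if not s.defines or d in tainted or s.sanitizer:
                    continue
                if s.source or any(r in tainted for rs in chains[d].values() for r in rs):
                    tainted.add(d)
                    changed = True
    return tainted, chains

def find_sink_flows(program, cfg):
    """Sinks a tainted definition reaches, with the offending use-def chain per variable."""
    tainted, chains = tainted_definitions(program, cfg)
    findings = []
    for b, stmts in program.items():
        for i, s in enumerate(stmts):
            if not s.sink:
                continue
            bad = {v: sorted(r for r in rs if r in tainted) for v, rs in chains[(b, i)].items()}
            bad = {v: rs for v, rs in bad.items() if rs}
            if bad:
                findings.append((s.text, bad))
    return findings
```

    Running find_sink_flows(PROGRAM, CFG) reports the SqlCommand sink with sql's tainted definition, because the use-def chain for pwd at the concatenation contains both the raw entry definition and the validated one: the validated def reaches, but does not cover, the use. On FIXED_PROGRAM the only reaching definition of pwd is the sanitized one and the report is empty.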