The Art of Fighting without Fighting

“ You can call it the art of fighting without fighting” – Bruce Lee Enter the Dragon, 1973

“ You can call it the art of fighting without fighting”

– Bruce Lee

Enter the Dragon, 1973

Weak Access Control API Misuse Buffer Overflow Poor Code Quality (FxCop) Poor Encapsulation Environment Misconfiguration Poor Error Handling Poor Input Validation And More…

Weak Access Control

API Misuse

Buffer Overflow

Poor Code Quality (FxCop)

Poor Encapsulation

Environment Misconfiguration

Poor Error Handling

Poor Input Validation

And More…

Dynamic Analysis involves execution (black box) More common for pen testing Static Analysis (white box) Abstract interpretation Automation tool, Developer tool Semantics, Parsing Compiler theory, Set theory Object code, Byte code

Dynamic Analysis involves execution (black box)

More common for pen testing

Static Analysis (white box)

Abstract interpretation

Automation tool, Developer tool

Semantics, Parsing

Compiler theory, Set theory

Object code, Byte code

Crawling can only audit what it can find Cannot cover 100% of source code Little knowledge of application False negatives

Crawling can only audit what it can find

Cannot cover 100% of source code

Little knowledge of application

False negatives

Compiler optimizations Framework and 3 rd party lib integration Identifying validation False positives

Compiler optimizations

Framework and 3 rd party lib integration

Identifying validation

False positives

Precise Doesn’t report plausible but false defects Safe Doesn’t miss defects Too much of either can be useless

Precise

Doesn’t report plausible but false defects

Safe

Doesn’t miss defects

Too much of either can be useless

Correlation – the strength of relation between two variables Depends upon input detection Static feeds information to Dynamic Means less false negatives Means less false positives Hybrid Analysis

Correlation

– the strength of relation between two variables

Depends upon input detection

Static feeds information to Dynamic

Means less false negatives

Means less false positives

Hybrid Analysis

STEPS: Fix vulnerabilities early … Profit CHART:

STEPS:

Fix vulnerabilities early

…

Profit

CHART:

Cross-site Scripting Response.Write(Request.QueryString[“isbn"]); SQL Injection protected System.Web.UI.WebControls.TextBox Publisher; SqlCommand cmd = new SqlCommand(“SELECT * FROM Books WHERE Publisher = ‘”+Publisher.Text+“’”, conn); HTTP Response Splitting string author = Author.Text; Cookie cookie = new Cookie("author", author); Path Traversal sting fName = Request.Form[“fileName“]; File.Delete("C:\users\files\" + fName); Command Injection string args = “-a -o “+Request.Param[“arg”]; Process.Start(“program.exe“+args);

Cross-site Scripting

Response.Write(Request.QueryString[“isbn"]);

SQL Injection

protected System.Web.UI.WebControls.TextBox Publisher;

SqlCommand cmd = new SqlCommand(“SELECT * FROM Books WHERE Publisher = ‘”+Publisher.Text+“’”, conn);

HTTP Response Splitting

string author = Author.Text;

Cookie cookie = new Cookie("author", author);

Path Traversal

sting fName = Request.Form[“fileName“];

File.Delete("C:\users\files\" + fName);

Command Injection

string args = “-a -o “+Request.Param[“arg”];

Process.Start(“program.exe“+args);

Source Location of injected malicious data Http Request Post Parameters Query String Sink Location malicious data is used to manipulate the application Http Response Command Query

Source

Location of injected malicious data

Http Request

Post Parameters

Query String

Sink

Location malicious data is used to manipulate the application

Http Response

Command

Query

Cross-site Scripting Response.Write ( Request.QueryString[“isbn"] ); SQL Injection protected System.Web.UI.WebControls.TextBox Publisher; SqlCommand cmd = new SqlCommand (“SELECT * FROM Books WHERE Publisher = ‘”+ Publisher.Text +“’”, conn); HTTP Response Splitting string author = Author.Text ; Cookie cookie = new Cookie ("author", author); Path Traversal sting fName = Request.Form[“fileName“] ; File.Delete ("C:\users\files\" + fName); Command Injection string args = “-a -o “+ Request.Param[“arg”] ; Process.Start (“program.exe“+args);

Cross-site Scripting

Response.Write ( Request.QueryString[“isbn"] );

SQL Injection

protected System.Web.UI.WebControls.TextBox Publisher;

SqlCommand cmd = new SqlCommand (“SELECT * FROM Books WHERE Publisher = ‘”+ Publisher.Text +“’”, conn);

HTTP Response Splitting

string author = Author.Text ;

Cookie cookie = new Cookie ("author", author);

Path Traversal

sting fName = Request.Form[“fileName“] ;

File.Delete ("C:\users\files\" + fName);

Command Injection

string args = “-a -o “+ Request.Param[“arg”] ;

Process.Start (“program.exe“+args);

Infinite ways to write code with the same output Use the lowest level human-readable language Parsing (alone) fails Be the compiler (and then some) IPA – Intraprocedural Analysis CFG – Control Flow Graph DFA – Data Flow Analysis Variable Tracing

Infinite ways to write code with the same output

Use the lowest level human-readable language

Parsing (alone) fails

Be the compiler (and then some)

IPA – Intraprocedural Analysis

CFG – Control Flow Graph

DFA – Data Flow Analysis

Variable Tracing

Call graph f(g()) each node represents a procedure each edge is a call Stack trace is a dynamic call graph Context sensitive – separate node for each possible procedure activation Context insensitive – only one node for each procedure

Call graph f(g())

each node represents a procedure

each edge is a call

Stack trace is a dynamic call graph

Context sensitive – separate node for each possible procedure activation

Context insensitive – only one node for each procedure

A graph of all the paths of execution in a program Generate a CFG for each function Each node is a basic block CFA - Compute domination dominator - block M dominates block N if every path from the entry that reaches block N has to pass through block M abnormal edge - edge with an unknown destination

A graph of all the paths of execution in a program

Generate a CFG for each function

Each node is a basic block

CFA - Compute domination

dominator - block M dominates block N if every path from the entry that reaches block N has to pass through block M

abnormal edge - edge with an unknown destination

if if/else do switch

Follow all program paths Trace each branch both directions May discover dead code Reaching definitions The assignments that produce variable values at a certain state Which definitions contain tainted sources ? Of those definitions, which reach sinks ?

Follow all program paths

Trace each branch both directions

May discover dead code

Reaching definitions

The assignments that produce variable values at a certain state

Which definitions contain tainted sources ?

Of those definitions, which reach sinks ?

B1: a=value1 B2: a=value2 B2 KILLs B1 and B2 is also a GEN Use-Def chains For each use of variable v in a statement s, make a list of definitions of v that reach s Use-Def: backward seeking Def-Use: forward seeking

B1: a=value1

B2: a=value2

B2 KILLs B1 and B2 is also a GEN

Use-Def chains

For each use of variable v in a statement s, make a list of definitions of v that reach s

Use-Def: backward seeking

Def-Use: forward seeking

… int x; if (…) x = 1; … a = x; … This def reaches this use … but the def might not get executed!

…

int x;

if (…)

x = 1;

…

a = x;

…

… if (Page.IsValid()) string pwd = Request.Form[“pwd”]; … string sql = “SELECT …” + pwd + “’”; SqlCommand cmd = new SqlCommand(sql); … If this def doesn’t dominate this use Unvalidated input causes SQL Injection

…

if (Page.IsValid())

string pwd = Request.Form[“pwd”];

…

string sql = “SELECT …” + pwd + “’”;

SqlCommand cmd = new SqlCommand(sql);

…

Formerly called Microsoft Intermediate Language .NET is Stack based (LIFO) Metadata for compiled classes Reflection - the program in the mirror Common Language Runtime .method public static void Main() cil managed { .entrypoint .maxstack 1 ldstr "Hello, world!" call void [mscorlib]System.Console::WriteLine(string) ret }

Formerly called Microsoft Intermediate Language

.NET is Stack based (LIFO)

Metadata for compiled classes

Reflection - the program in the mirror

Common Language Runtime

.method public static void Main() cil managed

{

.entrypoint

.maxstack 1

ldstr "Hello, world!"

call void [mscorlib]System.Console::WriteLine(string)

ret

}

Manual Static Analysis

Find every instance of an unvalidated source being used in the application Find combinations that link source to sink Determine validation in dominance frontier Implement checks that inform users of the specific vulnerabilities found Verify with dynamic analysis* Apply remediation*

Find every instance of an unvalidated source being used in the application

Find combinations that link source to sink

Determine validation in dominance frontier

Implement checks that inform users of the specific vulnerabilities found

Verify with dynamic analysis*

Apply remediation*

Great way to find vulnerabilities? Or greatest way to find vulnerabilities? You decide .