Static Analysis: The Art of Fighting without Fighting
Upcoming SlideShare
Loading in...5
×
 

Static Analysis: The Art of Fighting without Fighting

on

  • 2,830 views

Presentation that contrasts static and dynamic analysis of web applications for security vulnerabilities. Describes a technique to combine static and dynamic analysis called hybrid analysis. ...

Presentation that contrasts static and dynamic analysis of web applications for security vulnerabilities. Describes a technique to combine static and dynamic analysis called hybrid analysis. (SummerCon 2008)

Statistics

Views

Total Views
2,830
Views on SlideShare
2,812
Embed Views
18

Actions

Likes
2
Downloads
32
Comments
1

4 Embeds 18

http://www.slideshare.net 8
http://www.linkedin.com 5
https://www.linkedin.com 4
http://www.lmodules.com 1

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
  • Genius thinking.

    Stulangperdana
    www.mdamin76.com/
    www.sprintringtones.org/
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Static Analysis: The Art of Fighting without Fighting Static Analysis: The Art of Fighting without Fighting Presentation Transcript

  • The Art of Fighting without Fighting
    • “ You can call it the art of fighting without fighting”
    • – Bruce Lee
    • Enter the Dragon, 1973
    • Weak Access Control
    • API Misuse
    • Buffer Overflow
    • Poor Code Quality (FxCop)
    • Poor Encapsulation
    • Environment Misconfiguration
    • Poor Error Handling
    • Poor Input Validation
    • And More…
    • Dynamic Analysis involves execution (black box)
      • More common for pen testing
    • Static Analysis (white box)
      • Abstract interpretation
      • Automation tool, Developer tool
      • Semantics, Parsing
      • Compiler theory, Set theory
      • Object code, Byte code
    • Crawling can only audit what it can find
    • Cannot cover 100% of source code
    • Little knowledge of application
    • False negatives
    • Compiler optimizations
    • Framework and 3 rd party lib integration
    • Identifying validation
    • False positives
    • Precise
      • Doesn’t report plausible but false defects
    • Safe
      • Doesn’t miss defects
    • Too much of either can be useless
    • Correlation
      • – the strength of relation between two variables
    • Depends upon input detection
    • Static feeds information to Dynamic
    • Means less false negatives
    • Means less false positives
    • Hybrid Analysis
    • STEPS:
    • Fix vulnerabilities early
    • Profit
    • CHART:
    • Cross-site Scripting
      • Response.Write(Request.QueryString[“isbn"]);
    • SQL Injection
      • protected System.Web.UI.WebControls.TextBox Publisher;
      • SqlCommand cmd = new SqlCommand(“SELECT * FROM Books WHERE Publisher = ‘”+Publisher.Text+“’”, conn);
    • HTTP Response Splitting
      • string author = Author.Text;
      • Cookie cookie = new Cookie("author", author);
    • Path Traversal
      • sting fName = Request.Form[“fileName“];
      • File.Delete("C:sersilesamp;quot; + fName);
    • Command Injection
      • string args = “-a -o “+Request.Param[“arg”];
      • Process.Start(“program.exe“+args);
    • Source
    • Location of injected malicious data
      • Http Request
      • Post Parameters
      • Query String
    • Sink
    • Location malicious data is used to manipulate the application
      • Http Response
      • Command
      • Query
    • Cross-site Scripting
      • Response.Write ( Request.QueryString[“isbn"] );
    • SQL Injection
      • protected System.Web.UI.WebControls.TextBox Publisher;
      • SqlCommand cmd = new SqlCommand (“SELECT * FROM Books WHERE Publisher = ‘”+ Publisher.Text +“’”, conn);
    • HTTP Response Splitting
      • string author = Author.Text ;
      • Cookie cookie = new Cookie ("author", author);
    • Path Traversal
      • sting fName = Request.Form[“fileName“] ;
      • File.Delete ("C:sersilesamp;quot; + fName);
    • Command Injection
      • string args = “-a -o “+ Request.Param[“arg”] ;
      • Process.Start (“program.exe“+args);
    • Infinite ways to write code with the same output
    • Use the lowest level human-readable language
    • Parsing (alone) fails
    • Be the compiler (and then some)
      • IPA – Intraprocedural Analysis
      • CFG – Control Flow Graph
      • DFA – Data Flow Analysis
      • Variable Tracing
    • Call graph f(g())
      • each node represents a procedure
      • each edge is a call
    • Stack trace is a dynamic call graph
    • Context sensitive – separate node for each possible procedure activation
    • Context insensitive – only one node for each procedure
    • A graph of all the paths of execution in a program
    • Generate a CFG for each function
    • Each node is a basic block
    • CFA - Compute domination
    • dominator - block M dominates block N if every path from the entry that reaches block N has to pass through block M
    • abnormal edge - edge with an unknown destination
  • if if/else do switch
    • Follow all program paths
      • Trace each branch both directions
      • May discover dead code
    • Reaching definitions
      • The assignments that produce variable values at a certain state
      • Which definitions contain tainted sources ?
      • Of those definitions, which reach sinks ?
    • B1: a=value1
    • B2: a=value2
    • B2 KILLs B1 and B2 is also a GEN
    • Use-Def chains
      • For each use of variable v in a statement s, make a list of definitions of v that reach s
    • Use-Def: backward seeking
    • Def-Use: forward seeking
    • int x;
    • if (…)
    • x = 1;
    • a = x;
    This def reaches this use … but the def might not get executed!
    • if (Page.IsValid())
    • string pwd = Request.Form[“pwd”];
    • string sql = “SELECT …” + pwd + “’”;
    • SqlCommand cmd = new SqlCommand(sql);
    If this def doesn’t dominate this use Unvalidated input causes SQL Injection
    • Formerly called Microsoft Intermediate Language
    • .NET is Stack based (LIFO)
    • Metadata for compiled classes
    • Reflection - the program in the mirror
    • Common Language Runtime
    • .method public static void Main() cil managed
    • {
    • .entrypoint
    • .maxstack 1
    • ldstr "Hello, world!"
    • call void [mscorlib]System.Console::WriteLine(string)
    • ret
    • }
  • Manual Static Analysis
    • Find every instance of an unvalidated source being used in the application
    • Find combinations that link source to sink
    • Determine validation in dominance frontier
    • Implement checks that inform users of the specific vulnerabilities found
    • Verify with dynamic analysis*
    • Apply remediation*
  • Great way to find vulnerabilities? Or greatest way to find vulnerabilities? You decide .