
Source Code Analysis with SAST

This preso covers SAST and Source Code Analysis techniques in detail.

Published in: Technology


  1. Source Code Analysis with SAST
  2. Source Code Analytics
  3. SCAs: How do they work? Open source example
  4. By methodology employed
     • Style-checking
     • Semantic Analysis
     • Deep flow analysis
  5. Methodology: Semantic Analysis
     • Semantic Analysis
       – looks for violations that represent a statically detectable fault
       – discovers the basic structure and the relation of each function within the application
       – builds an abstract syntax tree and simulates each function to calculate how the application will execute after a build
       – this additional information is then validated against a set of rules
  6. Methodology: Deep-flow Analysis
     • Deep flow analysis
       – extends semantic analysis with control flow graph generation and data flow analysis
       – can capture faults related to race conditions, deadlocks and pointer misuse
       – employs meta-compilation and abstract interpretation to further improve analysis capabilities
  7. SCA Techniques
     • Simplest tools
       – search source code for text pattern matches
       – calculate basic program metrics (cyclomatic complexity, Halstead complexity)
     • Advanced tools
       – act as an advanced compiler for the source code
       – deeply analyze execution and data flow for faults
       – include link information to determine higher-level problems
  8. Traditional checks
     void temp( char *pszIn )
     {
         char szBuff[10];
         strcpy(szBuff, pszIn);   /* unbounded copy into a 10-byte buffer: the classic fault a style/semantic checker flags */
         . . .
     }
  9. Analyzing Source File
     • It is possible to analyze the source itself
     • Source is in clear text
     • Source has methods, variables and calls
     • One functionality or parameter may touch many files
     • Code is on the back burner or embedded
     • The presentation is simple but the code behind it is complex
  10. Simple presentation ASP.NET
      <%@ Page Language="C#" AutoEventWireup="true" CodeFile="Cmdexec.aspx.cs" Inherits="Cmdexec" %>
      <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
      <html xmlns="http://www.w3.org/1999/xhtml" >
      <head runat="server">
          <title>Untitled Page</title>
      </head>
      <body style="font-size: 12pt">
          <form id="form1" runat="server">
          <div>
              Enter the filename to view your contract:
              <asp:TextBox ID="TextBox1" runat="server"></asp:TextBox>
              <asp:Button ID="Button1" runat="server" OnClick="Button1_Click1" Text="Submit" /><br />
              <br />
              <asp:Label ID="Label1" runat="server" Height="355px" Text="Label" Width="544px"></asp:Label>
          </div>
          </form>
      </body>
      </html>
  11. Code behind calls
      using System;
      … …
      using System.IO;
      public partial class Cmdexec : System.Web.UI.Page
      {
          protected void Page_Load(object sender, EventArgs e)
          {
              Label1.Visible = false;
          }
          protected void Calendar1_SelectionChanged(object sender, EventArgs e)
          {
          }
          protected void Button1_Click1(object sender, EventArgs e)
          {
              Label1.Visible = true;
              Label1.Text = "";
              System.Diagnostics.ProcessStartInfo psi = new System.Diagnostics.ProcessStartInfo();
              psi.FileName = @"C:\WINDOWS\system32\cmd.exe";
              // the TextBox1 entry point is concatenated straight into the cmd.exe command line
              psi.Arguments = @"/c type c:\contracts\" + TextBox1.Text + @" > c:\contracts\contract.txt";
              psi.WindowStyle = System.Diagnostics.ProcessWindowStyle.Hidden;
              System.Diagnostics.Process.Start(psi);
              System.Threading.Thread.Sleep(3000);
              TextReader textRead = new StreamReader(@"c:\contracts\contract.txt");
              Label1.Text = textRead.ReadToEnd();
              textRead.Close();
          }
      }
  12. Running on Object Code
      D:\cmddeploy>dir /S
       Volume in drive D has no label.
       Volume Serial Number is 0859-A6D9
       Directory of D:\cmddeploy
      12/09/2008  01:58 PM    <DIR>          .
      12/09/2008  01:58 PM    <DIR>          ..
      12/09/2008  01:58 PM    <DIR>          bin
      12/09/2008  01:58 PM                86 Cmdexec.aspx
      12/09/2008  01:58 PM                50 PrecompiledApp.config
                     2 File(s)            136 bytes
       Directory of D:\cmddeploy\bin
      12/09/2008  01:58 PM    <DIR>          .
      12/09/2008  01:58 PM    <DIR>          ..
      12/09/2008  01:58 PM             7,680 App_Web_t_pyp492.dll
      12/09/2008  01:58 PM               341 cmdexec.aspx.cdcab7d2.compiled
                     2 File(s)          8,021 bytes
           Total Files Listed:
                     4 File(s)          8,157 bytes
                     5 Dir(s)  282,451,968 bytes free
  13. Vulnerable and Exploit
  14. Running on reverse engineering
      D:\cmddeploy\bin>ildasm /TEXT App_Web_t_pyp492.dll | grep System.Diagnostics.Process
        .locals init (class [System]System.Diagnostics.ProcessStartInfo V_0,
        IL_001c:  newobj     instance void [System]System.Diagnostics.ProcessStartInfo::.ctor()
        IL_0028:  callvirt   instance void [System]System.Diagnostics.ProcessStartInfo::set_FileName(string)
        IL_0048:  callvirt   instance void [System]System.Diagnostics.ProcessStartInfo::set_Arguments(string)
        IL_004f:  callvirt   instance void [System]System.Diagnostics.ProcessStartInfo::set_WindowStyle(valuetype [System]System.Diagnostics.ProcessWindowStyle)
        IL_0055:  call       class [System]System.Diagnostics.Process [System]System.Diagnostics.Process::Start(class [System]System.Diagnostics.ProcessStartInfo)
  15. Attack Surface
  16. Attack Surface
      • Source code has a probable attack surface
      • The attack surface is defined by entry points
      • Entry points are what attackers exploit
      • An attacker passes a payload through these points and tries to exploit the system
      • Attack surface determination and entry point identification are therefore critical
  17. Attack & Entry
  18. GET/POST
      GET /login.aspx?username=shah HTTP/1.1
      Host: example.com
      User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: en-us,en;q=0.5
      Accept-Encoding: gzip,deflate
      Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
      Keep-Alive: 300
      Connection: keep-alive

      POST http://example.com/cgi-bin/search.cgi HTTP/1.1
      Host: example.com
      User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; rv:1.7.3) Gecko/20040913 Firefox/0.10
      Accept: text/xml, application/xml, application/xhtml+xml, text/html;q=0.9, text/plain;q=0.8, image/png, */*;q=0.5
      Keep-Alive: 300
      Referer: http://example.com/
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 17

      search=searchtext
  19. XML-RPC
      POST /trade-rpc/getquote.rem HTTP/1.0
      TE: deflate,gzip;q=0.3
      Connection: TE, close
      Host: xmlrpc.example.com
      Content-Type: text/xml
      Content-Length: 161

      <?xml version="1.0"?>
      <methodCall>
        <methodName>stocks.getquote</methodName>
        <params>
          <param><value><string>MSFT</string></value></param>
        </params>
      </methodCall>
  20. SOAP
      <?xml version="1.0" encoding="utf-8"?>
      <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <soap:Body>
          <getQuotes xmlns="http://tempuri.org/">
            <compid>MSFT</compid>
          </getQuotes>
        </soap:Body>
      </soap:Envelope>
  21. REST
      <?xml version="1.0"?>
      <p:Laptops xmlns:p="http://laptops.example.com" xmlns:xl="http://www.w3.org/1999/xlink">
        <Laptop id="0123" xl:href="http://www.parts-depot.com/laptops/0123"/>
        <Laptop id="0348" xl:href="http://www.parts-depot.com/laptops/0348"/>
        <Laptop id="0321" xl:href="http://www.parts-depot.com/laptops/0321"/>
        … …
      </p:Laptops>
  22. JSON
      message = {
        from : "john@example.com",
        to : "jerry@example.com",
        subject : "I am fine",
        body : "Long message here",
        showsubject : function(){document.write(this.subject)}
      };
  23. File calls
      It takes its input as a file, as below:
      <form name="Form1" method="post" action="ContractUpload.aspx" id="Form1" enctype="multipart/form-data">
      <input name="uplTheFile" type="file" id="uplTheFile" />
  24. RSS - Feed
      <rss version="2.0">
        <channel>
          <title>Example News</title>
          <link>http://example.com/</link>
          <description>News feed</description>
          <language>en-us</language>
          <pubDate>Tue, 10 Jun 2006 04:00:00 GMT</pubDate>
          <lastBuildDate>Tue, 10 Jun 2006 09:41:01 GMT</lastBuildDate>
          <docs>http://example.com/rss</docs>
          <generator>Weblog Editor 2.0</generator>
          <item>
            <title>Today's title</title>
            <link>http://example.com/10thjune.asp</link>
            <description>News goes here</description>
            <pubDate>Tue, 03 Jun 2006 09:39:21 GMT</pubDate>
            <guid>http://example.com/news.html#item300</guid>
          </item>
          ...
        </channel>
      </rss>
  App Walk
  25. Entry Points – Client Side
      • HTTP response – all headers as well as the HTML content
      • JavaScript coming from the server
      • Ajax/RIA calls consuming the different structures discussed above, such as JSON, XML and JS objects
      • Callbacks – modern applications use callback mechanisms, so data coming from the browser can be injected into the DOM using script functions
      • Browser making API calls across domains
  26. HTTP processing
      (Pipeline diagram: Client → Request → IIS → aspnet_isapi.dll → HttpApplication → HttpModule(s) → HttpHandler → Web Application Resource → Response → Client)
  27. Request / Response
  28. HTTP to Source
      http://192.168.1.50/Searchresult.aspx?ReferenceId=microsoft

      GET /Searchresult.aspx?ReferenceId=microsoft HTTP/1.1
      Host: 192.168.1.50
      User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: en-us,en;q=0.5
      Accept-Encoding: gzip,deflate
      Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
      Keep-Alive: 300
      Connection: keep-alive
      Cache-Control: max-age=0

      protected void Page_Load(object sender, EventArgs e)
      {
          if (!Page.IsPostBack)
          {
              // the ReferenceId query-string parameter is the entry point that reaches bindresult()
              bindresult(Request.QueryString["ReferenceId"].ToString());
          }
      }
  29. Interesting…
      • Request.Cookies – to access cookie values
      • Request.Form – form parameters
      • Request.Files – file parameters
      • Request.ServerVariables – access to server variables
  30. In compiled code
      IL_0007:  callvirt   instance class [System]System.Collections.Specialized.NameValueCollection [System.Web]System.Web.HttpRequest::get_QueryString()
      IL_000c:  ldstr      "id"
  31. Scanning for Entry Points
  32. Simple scan…
      import sys
      import re

      def scan4request(file):
          """Print every line of `file` that references the Request object."""
          with open(file, "r") as infile:
              s = infile.readlines()
          linenum = 0
          print('Request Object Entry:')
          for line in s:
              linenum += 1
              p = re.compile(r".*.[Rr]equest.*[^\n]\n")
              m = p.match(line)
              if m:
                  print(linenum, ":", m.group())

      file = sys.argv[1]
      scan4request(file)
  33. Rules…
      # Rules file for AppCodeScan
      # This file is specific for ASP/ASP.NET applications (just sample rules) - all regex patterns
      #Scanning for Request Object Entry Points
      .*.Request.*
      #Scanning for ASP.NET app entry points
      .*.<asp:FileUpload.*?>
      .*.<asp:TextBox.*?>
      .*.<asp:HiddenField.*?>
      .*.<asp:Login.*?>
      .*.<asp:PasswordRecovery.*?>
      .*.<asp:ChangePassword.*?>
  34. Java
      • <% if ( request.getParameter("username") != null ) {%>
      • HttpServletRequest
      • doGet
      • doPost
      • Request
      • Struts – public class NameAction extends Action {
  35. PHP/Coldfusion
      • PHP
        – $_GET["var"]
        – $_POST["var"]
        – $_REQUEST["var"]
      • Coldfusion
        – #URL.name# - reads "name" from the query string
        – Similarly, entry points for POST and the other scopes can be identified by the following keywords:
        – FORM/form
        – SERVER/server
        – CLIENT/client
        – SESSION/session
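An added example, not from the slides, that turns the single-regex scanner of slide 32 and the rules file of slide 33 into a per-language entry-point inventory covering the ASP.NET, C#, Java, PHP and ColdFusion keywords of slides 33 to 35. The rule sets, the file-extension mapping and the sample files are constructed for this example.

```python
import re

# Rule sets keyed by file extension, modelled on the AppCodeScan-style rules file (slide 33)
# and the Java/PHP/ColdFusion keywords (slides 34-35); patterns and mapping are this example's own.
RULES = {
    ".aspx": [r"<asp:(FileUpload|TextBox|HiddenField|Login|PasswordRecovery|ChangePassword)\b"],
    ".cs":   [r"\bRequest\.(QueryString|Form|Cookies|Files|ServerVariables)\b"],
    ".jsp":  [r"request\.getParameter\s*\(", r"\bHttpServletRequest\b", r"\bdo(Get|Post)\s*\("],
    ".php":  [r"\$_(GET|POST|REQUEST)\s*\["],
    ".cfm":  [r"#(URL|FORM|CLIENT|SESSION)\.\w+#"],
}

def scan_source(name, text):
    """Return (line_number, pattern, stripped_line) for each line that hits a rule of the file's language."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    hits = []
    for num, line in enumerate(text.splitlines(), start=1):
        for pat in RULES.get(ext, []):
            if re.search(pat, line, re.IGNORECASE):
                hits.append((num, pat, line.strip()))
                break          # one hit per line is enough for an entry-point inventory
    return hits

def entry_point_inventory(files):
    """Map file name -> hits for every file that exposes at least one entry point."""
    inventory = {}
    for name, text in files.items():
        hits = scan_source(name, text)
        if hits:
            inventory[name] = hits
    return inventory

# Constructed sample sources, each echoing one entry-point style from the slides.
SAMPLE_FILES = {
    "Cmdexec.aspx": (
        '<form id="form1" runat="server">\n'
        '<asp:TextBox ID="TextBox1" runat="server"></asp:TextBox>\n'
        '<asp:Button ID="Button1" runat="server" OnClick="Button1_Click1" Text="Submit" />\n'
    ),
    "Searchresult.aspx.cs": (
        "protected void Page_Load(object sender, EventArgs e) {\n"
        '    bindresult(Request.QueryString["ReferenceId"].ToString());\n'
        "}\n"
    ),
    "login.jsp": '<% if ( request.getParameter("username") != null ) {%>\n<p>hello</p>\n',
    "search.php": '<?php\n$q = $_GET["var"];\necho $q;\n',
    "page.cfm": "<cfoutput>Hello #URL.name#</cfoutput>\n",
}

if __name__ == "__main__":
    for name, hits in entry_point_inventory(SAMPLE_FILES).items():
        for num, pat, line in hits:
            print(f"{name}:{num}: {line}    [{pat}]")
```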
  36. Web 2.0
      • Web Services and SOA entry points
  37. Making POST
      POST /ws/dvds4less.asmx HTTP/1.0
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.1433)
      Content-Type: text/xml; charset=utf-8
      SOAPAction: "http://tempuri.org/getProductInfo"
      Host: 192.168.1.50
      Content-Length: 317
      Expect: 100-continue
      Connection: Keep-Alive

      <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><getProductInfo xmlns="http://tempuri.org/"><id>1</id></getProductInfo></soap:Body></soap:Envelope>
  38. Code for Web Services
      <%@ WebService Language="c#" Class="dvds4less" %>
      <%@ Assembly name="Microsoft.Data.SqlXml" %>
      using Microsoft.Data.SqlXml;
      using System.Xml;
      using System;
      using System.Web.Services;
      using System.Data.SqlClient;
      using System.IO;
      public class dvds4less
      {
          [WebMethod]
          public string Intro()
          {
              return "DVDs4LESS - Information APIs for web application usage and other business usage";
          }
          [WebMethod]
          public string getProductInfo(string id)   // the id parameter is the web-service entry point
          {
              …. Code for this function
          }
      }
  39. JSON-RPC
      <%@ WebHandler Class="JayrockWeb.DemoService" Language="C#" %>
      namespace JayrockWeb
      {
          using System;
          using System.Configuration;
          using System.Data;
          using System.Data.SqlClient;
          using System.Collections;
          using System.Collections.Specialized;
          using System.Web;
          using System.Web.SessionState;
          using System.Web.UI;
          using System.Web.UI.WebControls;
          using System.Drawing;
          using Jayrock.Json;
          using Jayrock.JsonRpc;
          using Jayrock.JsonRpc.Web;

          [ JsonRpcHelp("This is a JSON-RPC service that demonstrates the basic features of the Jayrock library.") ]
          public class DemoService : JsonRpcHandler, IRequiresSessionState
          {
              [JsonRpcMethod("getProduct", Idempotent = true)]
              [ JsonRpcHelp("Returns Product Info") ]
              public DataSet GetProductSet(string id)   // the id parameter is the JSON-RPC entry point
              {
                  …. Code goes here…
              }
          }
      }
  40. Java based
      import org.apache.axis.AxisFault;
      import org.apache.axis.MessageContext;
      import org.apache.axis.transport.http.HTTPConstants;
      public class echo
      {
          public String echowebservices(String echo)
          {
              return echo;
          }
      }
  41. PHP
      <?php
      require_once('nusoap/nusoap.php');
      // ------ Implementation of method
      // ---- getLang(langTo) ------------------------------------------------------
      function getLang($langTo)
      {
          $trText = array(
              "bonjour" => "french",
              "ciao"    => "italian",
              "hallo"   => "german",
              "namaste" => "hindi"
          );
          // look up the greeting whose language matches $langTo (false when unknown)
          $greeting = array_search($langTo, $trText);
          return $greeting;
      }
  Entry Scans
  42. Entry Points & Sinks
  43. Entry Points…
      • Entry points are the sources into the application
      • Each source hits some sink or end point in the source code
      • It traverses across the source code
      • An entry point can be traced to its sink
      • This tracing is a very important aspect of code analytics
  44. Tainted variables
      • If a variable or entry point is injected with a payload, it can have a significant impact
      • Impact analysis needs to be done
      • The impact depends on the hit points across the application
      • Interesting from a vulnerability scanning perspective
  45. Impact Analysis
  46. End points / Sinks
      • Language calls – the application language, say C# or Java, provides various classes and interfaces to access resources from the system. These resources are outside the application boundary; the application may be passing a value to a SQL interface or a system-level command.
      • File system calls (read/write)
      • Operating system calls
      • Network/socket calls
      • SQL interfaces
      • LDAP/authentication interfaces
  47. End points / Sinks
      • Third party/vendor interfaces – the application uses third-party components, and these are in binary form.
      • Application to application – in recent times applications do a lot of intercommunication across domains. In this case the sink or end point can be another application.
      • Middleware calls – applications like banking or trading use middleware extensively, and several end points terminate in these middleware calls.
  48. End points / Sinks
      • Response callback – in some cases the entry point, or information coming through it, goes back to the client in the response.
      • Audit and logs – in some cases application information goes to log or audit resources.
      • Exception/error message – this end point is special: a lot of applications take the value of an entry point and put it into an exception or error message block.
  49. End points / Sinks
      • Business logic – certain entry points do not go outside the application boundary but stay in the business logic space and get processed inside the application.
      • Reflection-level calls – applications run in virtual machines, and certain reflection APIs are responsible for virtual machine processing.
  Sink Scans
  50. Impact & Tracing
  51. Types - Impact
      • Three important aspects of entry points and their processing towards the end point:
        – Data point – entry points bring simple new data into the application, and based on that it goes to the database or file system.
        – Logic point – it carries information that gets consumed in the business logic and drives business decisions.
        – Event points – certain information coming from the user can trigger an event inside the application. These are event points, like calling an LDAP server.
  52. State Analysis
      • Expected/desired state – this is the state expected by the developer; the application's behavior is absolutely legitimate.
      • Unexpected legitimate state – the application goes into an unexpected state, but it is legitimate and there is no objection to it.
      • Exception/error state – the application ends with an error or exception, and the state may end up leaking information.
      • Vulnerable state – the application goes into a vulnerable position where successful exploitation is possible. The vulnerable state is our major concern.
      Impact = Entry Point + End Point + State
  53. Impact
  54. Impact
  55. Tracing
  56. Simple tracing…
      import sys
      import re

      def scan4trace(file, var):
          """Print every line of `file` that mentions the variable `var`."""
          with open(file, "r") as infile:
              s = infile.readlines()
          print('Tracing variable:' + var)
          linenum = 0
          for line in s:
              linenum += 1
              p = re.compile(".*" + re.escape(var) + ".*")
              m = p.match(line)
              if m:
                  print("[", linenum, "]", line)

      file = sys.argv[1]
      var = sys.argv[2]
      scan4trace(file, var)
  57. Running…
      D:\sca-rb>trace.py d:\cmd\Cmdexec.aspx.cs TextBox1
      Tracing variable:TextBox1
      [ 33 ] psi.Arguments = @"/c type c:\contracts\" + TextBox1.Text + @" > c:\contracts\contract.txt";

      D:\sca-rb>trace.py d:\cmd\Cmdexec.aspx.cs psi
      Tracing variable:psi
      [ 31 ] System.Diagnostics.ProcessStartInfo psi = new System.Diagnostics.ProcessStartInfo();
      [ 32 ] psi.FileName = @"C:\WINDOWS\system32\cmd.exe";
      [ 33 ] psi.Arguments = @"/c type c:\contracts\" + TextBox1.Text + @" > c:\contracts\contract.txt";
      [ 34 ] psi.WindowStyle = System.Diagnostics.ProcessWindowStyle.Hidden;
      [ 35 ] System.Diagnostics.Process.Start(psi);
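An added example, not the presenter's trace.py, that carries the entry-to-sink tracing of slides 43 to 49 and 56 to 57 one step further: instead of grepping a single variable it propagates taint from an entry point through assignments and reports the line where a tainted identifier reaches a sink, which is the "Impact = Entry Point + End Point + State" chain in code. The source and sink patterns and the assignment regex are this example's own assumptions; the input is the Cmdexec.aspx.cs code-behind from the slides, abridged.

```python
import re
# Sources (entry points) and sinks (end points) are this example's own patterns, modelled on the
# slides' taxonomy; a real SAST engine derives them from a parsed AST, not from line regexes.
SOURCE_RE = re.compile(r"\bRequest\.(QueryString|Form|Cookies|Files|ServerVariables)\b|\bTextBox\d*\.Text\b")
SINKS = {
    "os-command":  re.compile(r"\bProcess\.Start\s*\(|\.Arguments\s*="),
    "file-system": re.compile(r"\bnew\s+(StreamReader|StreamWriter|FileStream)\s*\("),
    "sql":         re.compile(r"\bnew\s+SqlCommand\s*\("),
    "response":    re.compile(r"\bResponse\.Write\s*\(|\bLabel\d*\.Text\s*="),
}
# `[Type] lhs = rhs;` with one statement per line, which holds for the code-behind on the slides
ASSIGN_RE = re.compile(r"^\s*(?:[\w.<>\[\]]+\s+)?(?P<lhs>[\w.]+)\s*=(?!=)\s*(?P<rhs>.+?);\s*$")

def ident_in(name, text):
    """True if identifier `name` (possibly dotted, e.g. psi.Arguments) is used in `text`."""
    return re.search(r"(?<![\w.])" + re.escape(name) + r"\b", text) is not None

def chain(tainted, name):
    """Walk the taint back to its entry point, e.g. ['psi', 'psi.Arguments', 'TextBox1.Text']."""
    steps = [name]
    while name in tainted and tainted[name][1] not in steps:
        name = tainted[name][1]
        steps.append(name)
    return steps

def trace_taint(code):
    """Single forward pass over straight-line C#. Returns (tainted, findings):
    tainted maps identifier -> (line_no, origin); findings lists (line_no, sink_kind, chain)."""
    tainted, findings = {}, []
    for no, line in enumerate(code.splitlines(), start=1):
        # 1. a source or an already tainted identifier reaching a sink on this line is a finding
        direct = SOURCE_RE.search(line)
        via = [v for v in tainted if ident_in(v, line)]
        for kind, sink_re in SINKS.items():
            if sink_re.search(line) and (via or direct):
                findings.append((no, kind, chain(tainted, via[0]) if via else [direct.group(0)]))
        # 2. propagation: lhs becomes tainted when rhs reads a source or a tainted identifier
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        lhs, rhs = m.group("lhs"), m.group("rhs")
        src = SOURCE_RE.search(rhs)
        origin = src.group(0) if src else next((v for v in tainted if ident_in(v, rhs)), None)
        if origin:
            tainted[lhs] = (no, origin)
            if "." in lhs:                      # psi.Arguments tainted => the object psi is tainted
                tainted.setdefault(lhs.split(".")[0], (no, lhs))
    return tainted, findings

# Input constructed from the Cmdexec.aspx.cs code-behind shown on the slides (abridged).
CMDEXEC_CS = r'''protected void Button1_Click1(object sender, EventArgs e)
{
    Label1.Text = "";
    System.Diagnostics.ProcessStartInfo psi = new System.Diagnostics.ProcessStartInfo();
    psi.FileName = @"C:\WINDOWS\system32\cmd.exe";
    psi.Arguments = @"/c type c:\contracts\" + TextBox1.Text + @" > c:\contracts\contract.txt";
    psi.WindowStyle = System.Diagnostics.ProcessWindowStyle.Hidden;
    System.Diagnostics.Process.Start(psi);
    TextReader textRead = new StreamReader(@"c:\contracts\contract.txt");
    Label1.Text = textRead.ReadToEnd();
}'''
if __name__ == "__main__":
    for no, kind, steps in trace_taint(CMDEXEC_CS)[1]:
        print(f"line {no}: {kind} sink reached via {' <- '.join(steps)}")
```

The constant-path StreamReader on line 9 is a sink without taint and is correctly left alone; the hop through the file system is exactly the kind of flow this line-level pass cannot see.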
  58. Security Domains/Controls
      • Authentication
      • Authorization
      • Error Handling
      • Input Validations
      • Data Validation
      • Crypto and Secret Handling
      • Business Logic Handling
      • Session and Identity Handling
      • Client Side Controls
      • Auditing and Logging
  59. Authentication
      • Authentication disclosing sensitive information
      • No auditing of authentication
      • No user lockout policy in place
      • Authentication bypass (SQL / LDAP interface)
      • Poor password strength
      • No deployment of CAPTCHA or a similar identification product
      • Credentials are not securely transmitted
      • Credentials are stored on the client side where they can be retrieved
      • Authentication tokens or cookies are not well crafted
      • Single Sign On (SSO) can be abused
      • Deliberate backdoors are created
      • Hidden fields and information exposure
  60. Authorization
      • Session tokens are insecure
      • Weak authorization mechanism
      • Client side tampering and manipulation possible
      • Possible data and SQL injections
      • Access to system level bypass
      • Single place authorization bypass
      • URL forcing and manipulation
      • Guessable resources and access
      • Role-based bypass exploitation and weakness
  61. Error Handling
      • Information leakage
      • Logic bypass
      • Internal logic and routine disclosure
      • Stack trace enumeration
  62. Input Validations
      • Various injection vectors (SQL, LDAP, XPATH etc.)
      • Cross Site Scripting (XSS)
      • Cross Site Request Forgery (CSRF)
      • Buffer overflows
      • Denial of Service (DoS)
      • Integer and logical boundary overrun
      • Canonicalization issues
      • Validation bypass (client side)
      • Serialization attacks
      • Information leakage
  63. Data Validations
      • Proxy injections from third party streams
      • XSS injection with RSS feeds
      • Client side logic bypass
      • Upload/download stream injections
      • Remote command/code injection and execution
      • Callback manipulation in JavaScript
  64. Crypto & Secrets
      • Poor key generation
      • Database fields are not well encrypted (password, social security number etc.)
      • Poor (customized) encryption
      • Checksum spoofing
      • Secrets in the source code itself
      • Configuration files containing secrets
      • Secrets revealed in error messages or by some other means
  65. Business Logic
      • Data type bypass
      • ACL manipulation
      • Read/Write access
      • Privilege escalation on the application layer
      • API abuse
      • Cross domain call and API manipulation
      • Client side logic reverse engineering
  66. Session and Identity
      • Session hijacking by eavesdropping
      • Man in the middle attack
      • Poor session identifier generation
      • Browser hacks like XSS to gain cookies
      • Predictable session identifiers
      • Session bypass and access
      • Cookie scope and time abuse
      • Abusing URL rewriting
      • Local session storage access
  67. Client Side Controls
      • Client side validation bypass
      • Reverse engineering of client side components
      • Decompilation and knowledge gathering
      • Cross Site Injections
      • Abusing streams like JSON or RSS
      • Local memory access and manipulation
      • Desktop based offline module exploitation
      • Browser exploits and hacking
      • Information and identity theft
      • Cross Site Request Forgery
      • Exploiting callbacks and JavaScripts
  68. Auditing and Logging
      • Hackers' attacks go unnoticed
      • Successful hacks in the application
      • No tracing of events
      • Application layer bruteforcing
      • Error message abuse
  69. Conclusion
