Vladimir Kochetkov discusses automated patching for vulnerable source code. He describes how symbolic execution and generating a symbolic execution context graph (SECG) can be used to understand vulnerabilities and generate patches. The SECG represents the control flow graph of a program with additional context about symbolic variables. This allows finding formal symptoms of vulnerabilities, generating attack vectors, and eliminating symptoms through patching, such as adding validation, sanitization, or typing to make the minimum necessary changes while preserving functionality. He demonstrates this process with an SQL injection example and discusses generating patches for other attack types like buffer overflows.
PHP is a server-side scripting language designed for web development but also used as a general-purpose programming language. As of January 2013, PHP was installed on more than 240 million websites (39% of those sampled) and 2.1 million web servers. Originally created by Rasmus Lerdorf in 1994, the reference implementation of PHP (powered by the Zend Engine) is now produced by The PHP Group. While PHP originally stood for Personal Home Page, it now stands for PHP: Hypertext Preprocessor, which is a recursive acronym.
When developing compilers and interpreters, their source code and its testing procedure are required to comply with especially strict quality and reliability requirements. However, there are still some suspicious fragments to be found in the PHP interpreter's source code.
In this article, we are going to discuss the results of the check of the PHP interpreter by PVS-Studio 5.18.
An Experiment with Checking the glibc Library - Andrey Karpov
We have recently carried out an experiment with checking the glibc library by PVS-Studio. Its purpose was to study how good our analyzer is at checking Linux projects. The basic conclusion is: not much good yet. Non-standard extensions used in such projects make the analyzer generate a huge pile of false positives. However, we have found some interesting bugs.
Checking the Source Code of FlashDevelop with PVS-Studio - PVS-Studio
To assess the quality of our static analyzer's diagnostics and to advertise it, we regularly analyze various open-source projects. The developers of the FlashDevelop project contacted us on their own initiative and asked us to check their product, which we have gladly done.
The document discusses various static code analysis features available in IntelliJ IDEA, including code inspections, JSR annotations, duplicate detection, stack trace analysis, dataflow analysis, dependency analysis, and more. It provides examples of how to use annotations like @Nullable, @Pattern, and @Language. It also covers dependency structure matrix, UML generation, and how different features can be used at different stages of the software development lifecycle.
PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man... - Rouven Weßling
Static analysis tools can analyze code without executing it to find bugs and issues. The document discusses several static analysis tools for PHP like PHPMD, Phan, PHPCS, PHPLOC, Deptrac. It explains what they do, like PHPLOC gathering complexity metrics and Deptrac checking for violations of defined layer dependencies. In the end, it recommends using static analysis in CI and not trusting results blindly without understanding the underlying errors.
This document discusses refactoring code to improve its structure and design without changing its external behavior. Refactoring involves applying small, incremental changes through techniques like extracting methods, replacing conditionals, and parameterizing methods. It improves code quality by making it more readable, reusable, maintainable and less error-prone. The key is to refactor in small steps through practices like testing and code reviews to pay off technical debt over time.
Writing more complex models (continued) - Mohamed Samy
Modeling more complicated logic using sequential statements
Skills gained:
1- Model simple sequential logic using loops
2- Control the process execution using wait statements
This is part of the VHDL 360 course.
C++ Code as Seen by a Hypercritical Reviewer - Andrey Karpov
We all do code reviews; whoever doesn't admit it does them twice as often. C++ code reviewers are like sappers, except that they can make a mistake more than once. But sometimes the consequences are painful. Brave code review world.
Антон Бикинеев, Writing good std::future< C++ > - Sergey Platonov
In this talk, Anton will cover the upcoming major changes to the language which, having not made it into the 2017 Standard and remaining in Technical Specifications, await their merge in 2020 while already being implemented in some compilers. Minor, already approved features of the next Standard, both language and library ones, will also be covered. Anton will talk about their goals, show how to use them, and also cover some guidelines and tricks.
A new version of the Firebird DBMS was released not so long ago. This release was one of the most significant in the project's history, as it marked a substantial revision of the architecture, the addition of multithreading support, and performance improvements. Such a significant update was a good occasion for us to scan Firebird one more time with the PVS-Studio static code analyzer.
Exceptions and Exception Handling in C++ - IRJET Journal
This document discusses exceptions and exception handling in C++. It begins with an introduction explaining that exceptions are errors that occur at runtime due to unexpected conditions like dividing by zero. It then explains the key concepts of exception handling in C++ using the try, catch, and throw keywords. Try blocks contain code that may throw exceptions. Catch blocks contain code to handle exceptions. Exceptions are thrown using throw. The document provides examples to demonstrate exception handling mechanisms like catching multiple exception types and re-throwing exceptions. It also discusses specifying the types of exceptions a function can throw.
This is intended as a short tutorial for familiarising readers with the new programming concepts introduced in Java 1.7 (Java 7.0). It contains working code snippets to familiarise you with the new syntax as well. Hope you will like it!
The document discusses extracting patterns from bug fix changes in software projects to build a "bug fix memory". The memory captures abstracted bug and fix code patterns by parsing code, normalizing variables, filtering common elements, and storing unique components. The memory can then detect bugs and suggest fixes by matching new code. An evaluation on 5 projects found the memory captured 19.3-40.3% of actual bug fixes but also non-bug changes. Bugs detected differed from a static analysis tool, suggesting memories complement other approaches.
PVS-Studio is ready to improve the code of Tizen operating system - Andrey Karpov
Objective: a contract agreement with the PVS-Studio team concerning error fixing and regular code audits.
Currently, PVS-Studio detects more than 10% of errors that are present in the code of the Tizen project.
In the case of regular use of PVS-Studio on the new code, about 20% of errors can be prevented.
I predict that PVS-Studio team can detect and fix about 27 000 errors in the Tizen project.
One of the Microsoft development teams already uses the PVS-Studio analyzer in their work. It's great, but it's not enough. That's why I keep demonstrating how static code analysis could benefit developers, using Microsoft projects as examples. We scanned the Casablanca project three years ago and found nothing. As a tribute to its high quality, the project was awarded a "bugless code" medal. As time went by, Casablanca developed and grew. PVS-Studio's capabilities, too, have significantly improved, and now I've finally got the opportunity to write an article about errors found by the analyzer in the Casablanca project (C++ REST SDK). These errors are few, but the fact that there are still enough of them for me to write this article does speak in favor of PVS-Studio's effectiveness.
Let's turn the table. Suppose your goal is to deliberately create buggy programs in C and C++ with serious security vulnerabilities that can be "easily" exploited. Then you need to know about things like stack smashing, shellcode, arc injection, return-oriented programming. You also need to know about annoying protection mechanisms such as address space layout randomization, stack canaries, data execution prevention, and more. These slides will teach you the basics of how to deliberately write insecure programs in C and C++.
A PDF version of the slides can be downloaded from my homepage: http://olvemaudal.com/talks
Here is a video recording of me presenting these slides at NDC 2014: http://vimeo.com/channels/ndc2014/97505677
Enjoy!
The PVS-Studio developers' team has carried out a comparison of its own static code analyzer, PVS-Studio, with the open-source Cppcheck static code analyzer. As material for the comparison, the source code of three open-source projects by id Software was chosen: Doom 3, Quake 3: Arena, and Wolfenstein: Enemy Territory. The article describes the comparison methodology and lists the detected errors. The conclusions section at the end of the article actually contains "non-conclusions", as we consciously avoid drawing any conclusions: you can reproduce our comparison and draw your own.
Linux version of PVS-Studio couldn't help checking CodeLite - PVS-Studio
As our readers already know, the PVS-Studio static analyzer is exploring a new development direction, the Linux platform, and as you may have noticed from the previous articles, it is doing well. This article shows how easily you can check a project with the help of the Linux version of the analyzer, because the simpler PVS-Studio for Linux is, the more supporters it will have. This time our choice was the CodeLite project. CodeLite was compiled and tested on Linux. Let's see what results we got.
The PVS-Studio team is now actively developing a static analyzer for C# code. The first version is expected by the end of 2015. And for now my task is to write a few articles to attract C# programmers' attention to our tool in advance. I've got an updated installer today, so we can now install PVS-Studio with C#-support enabled and even analyze some source code. Without further hesitation, I decided to scan whichever program I had at hand. This happened to be the Umbraco project. Of course we can't expect too much of the current version of the analyzer, but its functionality has been enough to allow me to write this small article.
Python and Ruby implementations compared by the error density - PVS-Studio
Which programming language to start learning? Python or Ruby? Which one is better? Django or Ruby on Rails? Such questions can often be found on IT forums around the world. I suggest comparing not the languages themselves, but their reference implementations: CPython and MRI. In this article, we are going to cover the errors that were found by PVS-Studio in these projects.
Best Bugs from Games: Fellow Programmers' Mistakes - Andrey Karpov
George Gribkov will present on errors found in the code of popular games like System Shock, Doom 3, and osu!. He will discuss how his tool searches for code errors, provide examples of bugs detected, and conclude his presentation. The examples will showcase issues like unused variables, incorrect increment variables in for loops, null pointer dereferences, and misunderstandings of operators like ??. Corrections will be proposed to address the bugs.
Testing RESTful Webservices using the REST-assured framework - Micha Kops
The REST-assured framework and its features explained by example.
For detailed information please take a look at my full tutorial including the sources at http://www.hascode.com/2011/10/testing-restful-web-services-made-easy-using-the-rest-assured-framework/
PVS-Studio is there to help CERN: analysis of Geant4 project - PVS-Studio
The Geant4 project continues to develop, so it's really interesting to recheck it with the PVS-Studio static code analyzer. This time we'll check version 10.2 (previously, we checked the 10.0 beta version).
The document summarizes the results of re-analyzing the Umbraco codebase with the PVS-Studio static code analyzer one year after its initial analysis. The re-analysis found several new bugs and issues not present in the previous year, indicating that the Umbraco developers addressed the prior year's findings but new errors were introduced with ongoing development. Several interesting new bugs are described involving potential null reference exceptions, off-by-one errors with substring indexing, and incorrect format string usage. Overall the analysis found the code quality to be improved compared to the previous year.
Presented at the droidcon NYC 2015:
http://droidcon.nyc/2015/dcnyc/25/
Nearly every Android developer has heard of the Lint and Checkstyle tools - however few use either to its full power, if at all. In addition to maintaining a consistent code style, we will see how to enforce architecture conventions and even prevent wrong usage of both internal and your own APIs.
For example, you have a fancy BaseFragment which should be extended by all your Fragments, or you have a custom logger which should be used instead of android.util.Log. Both of these are perfect use cases for custom Lint checks. This session will show you how to configure Checkstyle and Lint to your liking, and how to use their APIs to create custom checks, as well as how to include both in your Gradle-based project.
Modeling more complicated logic using sequential statements
Skills gained:
1- Identify sequential environment in VHDL
2- Model simple sequential logic
This is part of the VHDL 360 course.
Analysis of the Trans-Proteomic Pipeline (TPP) project - PVS-Studio
To be honest, I don't know what the TPP project is intended for. As far as I understand, this is a set of tools to assist in the research of proteins and their interactions in living organisms. However, that's not so important. What is important is that their source code is open. It means that I can check it with the PVS-Studio static analyzer, which I'm very much fond of.
Virtual machines are important tools in the arsenal of a software developer. Being an active user of VirtualBox, and checking various open source projects with the help of it, I was personally interested in checking its source code. We did the first check of this project in 2014, and the description of 50 errors barely fit into two articles. With the release of Windows 10 and VirtualBox 5.0.XX the stability of the program got significantly worse, in my humble opinion. So, I decided to check the project again.
DEF CON 27 - AMIT WAISEL and HILA COHEN - malproxy - Felipe Prado
Endpoint protection solutions rely on detecting malicious activity, but this can be bypassed using a technique called MALPROXY. MALPROXY works by proxying malicious code's system API calls over the network instead of running the code directly on the target system. This avoids detection as the target system only sees innocent code making valid API calls. The attacker system contains the real malicious code and stubs that hook API calls, serialize them for transport, and emulate the calls on the target system. This allows the malicious logic and intent to be separated from its actual interaction with the operating system.
QA Lab: software testing. Станислав Шмидт: "Self-testing REST APIs with API Fi... - GeeksLab Odessa
5.12.15 QA Lab: software testing.
Upcoming events: goo.gl/I2gJ4H
A talk about Play-Swagger, an open-source project developed at Zalando using Scala and the Play Framework, and about how an API First approach together with Swagger speeds up development, simplifies collaboration between teams, and improves product quality.
Static Analysis: The Art of Fighting without Fighting - Rob Ragan
Presentation that contrasts static and dynamic analysis of web applications for security vulnerabilities. Describes a technique to combine static and dynamic analysis called hybrid analysis. (SummerCon 2008)
API first with Swagger and Scala by Slava Schmidt - JavaDayUA
How does one scale the development of a service landscape in a corporate enterprise environment utilizing Typesafe's Play and Akka software stack? How does one achieve API uniformity and coherence across dozens of development teams, getting them and their subsequently developed subsystems to play together nicely? At Zalando we believe firmly in an API first approach: we founded an API guild that ratifies and supports the development of APIs, and we define them formally using the Swagger API representation language.
The Async library is an asynchronous programming facility for Scala that offers a direct API for working with Futures.
It was added in Scala version 2.10 and is implemented using macros. Its main constructs, async and await, are inspired by similar constructs introduced in C# 5.0.
An important event has taken place in the PVS-Studio analyzer's life: support for C# code analysis was added in the latest version. As one of its developers, I couldn't help trying it on some project. Reading about scanning small and little-known projects is not very interesting, of course, so it had to be something popular, and I picked MonoDevelop.
In May 2016, the German game-development company Crytek decided to upload the source code of its game engine CryEngine V to GitHub. The engine is written in C++ and immediately attracted the attention of both the open-source developer community and the team of developers of the PVS-Studio static analyzer, who regularly scan the code of open-source projects to estimate its quality. A lot of great games were created by a number of video-game development studios using various versions of CryEngine, and now the engine has become available to even more developers. This article gives an overview of errors found in the project by the PVS-Studio static analyzer.
Beyond the Perimeter discusses how security has evolved from a perimeter-based approach to one focused on the application layer. Traditional network and endpoint controls are less effective as the perimeter has changed and many attacks target applications directly. Over 90% of applications have critical bugs, and it takes an average of 138 days to fix an SQL injection vulnerability. The OWASP Top 10 highlights common web app vulnerabilities like SQL injection and cross-site scripting that account for the majority of attacks. New approaches like micro-segmentation, micro-virtualization, and runtime application self-protection are needed to assume compromise and protect applications directly. Language-theoretic security provides a way to formally model expected application inputs and behaviors to precisely detect attacks without false positives.
- The document outlines the goals, outcomes, prerequisites, topics covered, and grading for a compiler design course.
- The major goals are to provide an understanding of compiler phases like scanning, parsing, semantic analysis and code generation, and have students implement parts of a compiler for a small language.
- By the end of the course students will be familiar with compiler phases and be able to define the semantic rules of a programming language.
- Prerequisites include knowledge of programming languages, algorithms, and grammar theories.
- The course covers topics like scanning, parsing, semantic analysis, code generation and optimization.
Mining SQL Injection and Cross Site Scripting Vulnerabilities using Hybrid Pr... (Lionel Briand)
This document proposes using static and dynamic code attributes together with machine learning techniques to predict SQL injection and cross-site scripting vulnerabilities in web applications. It describes extracting attributes like the number of validation/sanitization functions and input sources from data dependence graphs. These attributes are used to train supervised classifiers like logistic regression and neural networks, as well as unsupervised K-means clustering, to distinguish vulnerable from non-vulnerable code sinks. The approach aims to provide an automated and scalable alternative to manual vulnerability auditing.
It happens that we have to develop several services and deploy them in Azure. They are small and repetitive, but different, often not very different. Why not use code generation techniques to simplify the development and deployment of these services? Let's see how .NET comes to our aid and helps us deploy to Azure.
VCCFinder: Finding Potential Vulnerabilities in Open-Source Projects to Assis... (Stefano Dalla Palma)
These slides describe the paper of Henning Perl et. al. about a new method of finding potentially dangerous code in code repositories with a significantly lower false-positive rate than comparable systems. They combine code-metric analysis with metadata gathered from code repositories to help code review teams prioritize their work.
For a traditional WAF the protected application is a black box: HTTP requests go in, HTTP responses come out, and that is all that is available for detecting attacks. Obviously this information is not enough for a formal proof of the detection results, so a WAF makes do with heuristic methods. Even if every call the application makes to its environment (file system, sockets, database and so on) could be intercepted, that would only improve the quality of the heuristics and would not help at all in moving to formal methods. But what if we built a WAF that treated the protected application as a white box? What if it worked with a model of the application obtained by static analysis of its code? What if it could decide whether a given HTTP request is an attack by executing fragments of the application's own code?
This document proposes improvements to traditional virtual patching techniques used by web application firewalls (WAFs). It introduces the concepts of Inspected Application Modules (IAM) which use formal methods to evaluate vulnerability formulas generated by static application security testing (SAST). This aims to address issues where traditional approaches only block a single attack vector. The document further proposes Advanced Runtime Application Self-Protection (A-RASP) which instruments application code to provide values for computations and allow blocking attacks with unknown vectors. Finally, Ultimate Runtime Application Self-Protection (U-RASP) is proposed which leverages its own internal SAST to derive formulas and further improve performance and coverage of vulnerabilities compared to traditional and previous approaches.
Real-World WebAppSec Flaws - Examples and Countermeasures (volvent)
A presentation at the Sydney WebApp meeting for the security stream. Covers some easy to follow examples of more common things found and general recommendations for development teams.
Alexander Kutsan: "Static Code Analysis in C++" (Anna Shymchenko)
Static code analysis is the analysis of computer software without executing programs to detect bugs. It was proposed to analyze an open source C++ project with about 20 developers to save money, improve team relations, and boost developer skills. Cppcheck, a free, open source static analysis tool, was used to analyze the project and detected various issues like memory leaks, resource leaks, errors, and inefficiencies. Coverity Scan and Clang static analyzer were also proposed as alternative static analysis tools. However, static code analysis is only one step, and other practices like code formatting, reviews, testing, and continuous integration are also important.
Beyond the Perimeter discusses how traditional security defenses like firewalls and endpoint protection have not scaled effectively as applications have evolved. 84% of attacks now target applications, yet 90% of apps have critical bugs and it takes an average of 138 days to fix an SQL injection vulnerability. New attacks are found frequently. Encoding untrusted input is complicated and provides neither visibility into attacks nor support for commercial applications. Regular expressions used in web application firewalls are difficult to maintain and prone to evasion. Language-theoretic security (LANGSEC) treats code and data as formal languages that can be parsed to accurately identify valid and malicious inputs at runtime without false positives or vulnerability to obfuscation. Prevoty provides content and database protection products.
This document provides an overview of JavaScript, including its history, uses, syntax, variables, data types, operators, conditional statements, loops, functions, and ways to display output. Some key points:
- JavaScript is a scripting language used to add interactivity to HTML pages. It was originally developed by Brendan Eich at Netscape under the names Mocha and LiveScript.
- JavaScript code can be embedded within HTML using <script> tags or linked externally via the src attribute. Common uses include form validation, dynamic updating of content, and interactive effects.
- The language supports variables, arrays, objects, numbers, strings, booleans, and other data types. Conditional statements like if
Hacking an ASP.NET website is possible, though difficult. The document discusses vulnerabilities in ASP.NET applications that could allow an attacker to bypass restrictions or execute code. It notes that interacting with native libraries and using mixed assemblies could enable arbitrary code execution if vulnerabilities are present. Insecure managed code, integer overflows, and hash collisions are also discussed as potential attack vectors. The document advocates testing restrictions bypassing, file inclusion vulnerabilities, and other methods of exploiting ASP.NET applications.
Slides of the webinar http://www.ptsecurity.ru/lab/webinars/#42235 :
"What are the formal signs of vulnerable and of protected code? What is a vulnerability? How do you spot in code a vulnerability to attacks of an as yet unknown class? How do business-logic vulnerabilities differ from 'traditional' ones? We answer these questions in a webinar devoted to the theoretical minimum of the Application Security domain and to the practical use of this knowledge in security assessment and in developing secure code."
How to Develop a Secure Web Application and Stay in Mind? (PHDays 3) (Vladimir Kochetkov)
The document discusses developing secure web applications and changing developer mindsets. It recommends focusing on eliminating vulnerabilities at the cause rather than just addressing consequences. Developers should take a weakness-centric approach and understand how functional weaknesses can lead to vulnerabilities. The document provides examples of secure and insecure code snippets and explains how proper input validation and parameterized queries can fix vulnerabilities. It also includes summaries of threat modeling and the basics of developing securely.
How to develop a secure web application without losing your mind? (PHDays 3)
Automated Patching for Vulnerable Source Code
2. Automated Patching for
Vulnerable Source Code
Vladimir Kochetkov
Application Inspector/Compiling Applications Analysis/Team Lead
Positive Technologies
Positive Hack Days V
6. Application Inspector
― Strong dogfooding
― Analysis is performed at the limits of the ?AST approaches (SAST, DAST, IAST)
― Generation of attack vectors
― The Big Red Button concept
― A proprietary solution
10. How to catch the vulnerability?
― Know "how it shouldn't be": the necessary and sufficient formal symptoms of vulnerabilities
― Know "how it is": prove the existence of these symptoms in the analyzed code
― Build an attack vector based on the revealed set of symptoms
11. Formal symptoms of injection
― Potentially vulnerable operation PVO(text): an operation that directly or indirectly interprets "text" in some formal language
― text = transform(argument), where argument is a set of the arguments passed to the entry point EP and transform is the function of intermediate transformations
― There is at least one reachable set of values of the EP elements for which the structure of the syntax tree of the "text" value that reaches the PVO changes
15. Disclaimer
This is only an overview. Further details will be presented at SIBECRYPT'15, Novosibirsk, September 7-12, 2015.
16. Symbolic Execution Context Graph!
The SECG is a graph isomorphic to the CFG in which each vertex carries information about its symbolic execution context.
The symbolic execution context is the condition for reaching the current execution point plus the set of conditional states of all objects and variables reachable within the current scope.
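To make the definition on slide 16 concrete, here is a toy symbolic executor, an added example written in Python for this page; it is not Application Inspector's code, and it works over a made-up intermediate representation rather than C#. It walks a small program, forks at every branch, and records for each CFG vertex the reaching condition and the symbolic state of the variables in scope, which is exactly the context the slide describes; the vulnerability formulas are then read off the vertices whose PVO argument depends on the entry point. The IR, the class names and the sample PROGRAM are assumptions; PROGRAM is constructed so that its one tainted PVO yields the formula shown on slide 29.

```python
"""Toy symbolic executor that builds SECG-like vertices for a tiny IR and reads
vulnerability formulas off them. Added example, not Application Inspector's
code: the IR, the classes below and PROGRAM are assumptions; PROGRAM is
constructed so that its one tainted PVO yields the formula of slide 29.
"""
from dataclasses import dataclass


def lit(v):
    """Render a value as the C# source spells it: str literals quoted and escaped."""
    return '"' + v.replace('"', '\\"') + '"' if isinstance(v, str) else str(v)


@dataclass(frozen=True)
class Param:
    """Taint source: an element of the entry point EP, Request.Params[name]."""
    name: str
    def __str__(self):
        return f'Request.Params["{self.name}"]'


@dataclass(frozen=True)
class Var:
    """Reference to a local variable, resolved against the symbolic state."""
    name: str


@dataclass(frozen=True)
class Concat:
    """String concatenation of str literals, Params and Vars."""
    parts: tuple
    def __str__(self):
        return " + ".join(lit(p) for p in self.parts)


@dataclass(frozen=True)
class Cond:
    """Branch condition lhs == rhs (or its negation) with a literal rhs."""
    lhs: object
    rhs: str
    negated: bool = False
    def __str__(self):
        return f'{self.lhs} {"!=" if self.negated else "=="} "{self.rhs}"'
    def neg(self):
        return Cond(self.lhs, self.rhs, not self.negated)


@dataclass
class Vertex:
    """One SECG vertex: the CFG node plus its symbolic execution context."""
    text: str          # the statement with the symbolic state substituted
    path_cond: tuple   # Conds that must all hold to reach this point
    state: dict        # symbolic value of every variable in scope
    op: str = ""       # PVO operation, empty for non-PVO vertices
    arg: object = None # the PVO argument, the "text" of slide 11


def resolve(expr, state):
    """Substitute the symbolic state into an expression, flattening Concats."""
    if isinstance(expr, Var):
        return state[expr.name]
    if isinstance(expr, Concat):
        parts = []
        for p in expr.parts:
            r = resolve(p, state)
            parts.extend(r.parts if isinstance(r, Concat) else (r,))
        return Concat(tuple(parts))
    if isinstance(expr, Cond):
        return Cond(resolve(expr.lhs, state), expr.rhs, expr.negated)
    return expr  # str literal or Param


def run(stmts, path_cond=(), state=None, graph=None):
    """Path-sensitive walk: fork at every `if`, carrying condition and state."""
    state, graph = dict(state or {}), [] if graph is None else graph
    for i, s in enumerate(stmts):
        if s[0] == "assign":
            state[s[1]] = resolve(s[2], state)
            graph.append(Vertex(f"{s[1]} = {lit(state[s[1]])}", path_cond, dict(state)))
        elif s[0] == "pvo":
            arg = resolve(s[2], state)
            graph.append(Vertex(f"{s[1]}({lit(arg)})", path_cond, dict(state), s[1], arg))
        elif s[0] == "if":
            c, rest = resolve(s[1], state), stmts[i + 1:]
            graph.append(Vertex(f"if ({c})", path_cond, dict(state)))
            run(list(s[2]) + rest, path_cond + (c,), state, graph)
            run(list(s[3]) + rest, path_cond + (c.neg(),), state, graph)
            return graph
    return graph


def tainted(v):
    """Second symptom of slide 11: the text depends on entry point elements."""
    return isinstance(v, Param) or (isinstance(v, Concat) and any(map(tainted, v.parts)))


def vulnerability_formulas(graph):
    """For each PVO with a tainted argument: path condition ⇒ PVO(text)."""
    return [" && ".join(map(str, v.path_cond)) + f" ⇒ {v.text}"
            for v in graph if v.op and tainted(v.arg)]


# Constructed sample program (the deck shows only the resulting formula).
PROGRAM = [
    ("assign", "link", Concat(('<a href="', Param("parm2"), '">'))),
    ("if", Cond(Param("cond1"), "true"),
        [("pvo", "Response.Write", '<a href="/">')],   # constant text: no taint
        [("if", Cond(Param("cond2"), "true"),
            [("pvo", "Response.Write", Var("link"))],    # tainted text: PVO
            [])]),
]

if __name__ == "__main__":
    for f in vulnerability_formulas(run(PROGRAM)):
        print(f)
```

The walk is a tree rather than a graph because it never merges the states of converging paths; a real SECG keeps one vertex per CFG node and stores the state of each variable as a condition-dependent set, which is what lets the patch side (slide 42) reason about all paths to the PVO rather than the one path an attack vector needs.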
29. Vulnerability formula
Request.Params["cond1"] != "true"
&&
Request.Params["cond2"] == "true" ⇒
Response.Write(
"<a href=\"" + Request.Params["parm2"] + "\">"
)
What value of Request.Params["parm2"] makes the injected value break out of the token it lands in?
30. The one that is defined by the type of the injection point!
31. Finding the type of the injection point
<a href=" ">
The type of the injection point is figured out by syntactic heuristics applied to the vulnerable expression on either side of the point.
33. Vulnerability formula
Request.Params["cond1"] != "true"
&&
Request.Params["cond2"] == "true"
&&
(Request.Params["parm2"] == "\"><script>alert(0)</script>"
||
Request.Params["parm2"] == "\"onmouseover=\"alert(0)") ⇒
Response.Write(
"<a href=\"" + Request.Params["parm2"] + "\">"
)
Finding the values of the unknowns in the vulnerability formula yields...
37. SECG gives us anything we need!*
* it also gives us anything we don't need yet
38. The proper patch
― Makes a minimum of changes
― Keeps the semantics of the code
― Solves the problem
― Never creates new problems
39. How to generate a patch?
― Know "how it shouldn't be": the necessary and sufficient formal symptoms of vulnerabilities
― Know "how it is": prove the existence of these symptoms in the analyzed code
― Eliminate at least one of the required symptoms by changing the code
40. Symptoms of injection that can be eliminated
― Potentially vulnerable operation PVO(text): an operation that directly or indirectly interprets "text" in some formal language
― text = transform(argument), where argument is a set of the arguments passed to the entry point EP and transform is the function of intermediate transformations
― At least one reachable set of values of the EP elements exists for which the structure of the syntax tree of the "text" value that reaches the PVO changes
41. Ways to eliminate the injection
• Typing
• Validation
• Sanitization
(see http://www.slideshare.net/kochetkov.vladimir/how-to-develop-a-secure-web-application-and-stay-in-mind-phdays-3/87)
42. Attack vector vs patch
Attack vector: it suffices to find a single path from the entry point to the PVO and a single set of values of the vector variables.
Patch: it is necessary to find all paths from the entry point to the PVO and all sets of values of the vector variables.
Attack vector: the type of the injection point can be figured out using heuristics.
Patch: the type of the injection point must be figured out strictly, along with its semantics.
Attack vector: the availability of the application may be compromised.
Patch: the application should stay available.
43. Strict determination of the type of the injection point
Step #1: replace each taint source in the vulnerable expression with a unique special character:
<a href='∅'>
Step #2: parse the string with a modified parser of the island language that allows the special character to appear inside an arbitrary token.
Step #3: find the vertex of the parse tree that contains the special character and determine the type of the injection point from the type of that vertex.
Step #4: determine the semantics of the injection point from its type.
44. Strict determination of the type of the injection point
Parse tree of the marked expression:
Opening bracket: <
Tag name: a
Attribute definition
  Attribute name: href
  Assignment sign
  2-quoted attr. value: ∅
Closing bracket: >
Result: 2-quoted attribute value (semantics: URL)
45. Keeps the semantics of the code
― The priority of countermeasures: 1) typing, 2) sanitizing, 3) validation
― All conditions for executing the PVO, as well as the values of its arguments, are taken into account during typing and sanitizing
― Countermeasures are applied exactly at the source of the vulnerability
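The following added example, written in Python for this page rather than taken from the deck or from Application Inspector, puts slides 11, 43, 44 and 45 together on the expression from slides 29 and 33. The PVO argument is written as the Python template vulnerable_expr; Python's html.parser stands in for the modified island-language parser the deck describes; SENTINEL, the attribute-to-semantics table (href maps to URL), the countermeasure functions and the values marked "constructed" in VECTORS are assumptions. It determines the injection point type by substituting the sentinel and locating it in the parse tree, picks countermeasures in the slide 45 order (typing for the URL semantics, then attribute-value sanitizing for the double-quoted token, validation only as a fallback), and checks the third symptom of slide 11 before and after the patch: a value is a vector when the tree structure of the text reaching the PVO differs from the structure produced by a benign value.

```python
"""Injection point typing (slides 43/44), countermeasure choice (slides 41/45)
and the structural symptom of slide 11, checked before and after the patch.
Added example, not the deck's or Application Inspector's code: vulnerable_expr
is the PVO argument of slides 29/33 as a Python template, html.parser stands in
for the deck's modified island-language parser, and SENTINEL, the attribute
semantics table, the countermeasures and the "constructed" VECTORS are assumed.
"""
import re
from functools import reduce
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

SENTINEL = "\u2205"  # the unique special character of slide 43, step 1


def vulnerable_expr(parm2):
    """text = transform(Request.Params["parm2"]) of the vulnerability formula."""
    return '<a href="' + parm2 + '">'


class Tree(HTMLParser):
    """Tree structure (tag events, attribute names) plus the sentinel's vertex (step 3)."""
    def __init__(self, text):
        super().__init__()
        self.events, self.hit = [], None
        self.feed(text)
        self.close()
    def handle_starttag(self, tag, attrs):
        self.events.append(("start", tag, tuple(n for n, _ in attrs)))
        for name, value in attrs:
            if SENTINEL in name:
                self.hit = ("attribute name", name, None)
            elif value and SENTINEL in value:  # which quote opened this value?
                m = re.search(r'=\s*(["\']?)[^"\'>]*?' + SENTINEL, self.get_starttag_text())
                self.hit = ("attribute value", name, m.group(1) if m else "")
    def handle_endtag(self, tag):
        self.events.append(("end", tag))
    def handle_data(self, data):
        if data.strip():
            self.events.append(("data",))
        if SENTINEL in data:
            self.hit = ("text node", None, None)


def structure_changes(transform, benign, candidate):
    """Third symptom of slide 11: `candidate` changes the structure of the tree."""
    return Tree(transform(benign)).events != Tree(transform(candidate)).events


def injection_point(transform):
    """Slides 43/44, steps 1-4: (vertex kind, attribute, quote, semantics)."""
    kind, name, quote = Tree(transform(SENTINEL)).hit
    # step 4: semantics from an assumed attribute table (the deck: href -> URL)
    sem = "URL" if kind == "attribute value" and name in ("href", "src", "action") else "text"
    return kind, name, quote, sem


def as_http_url(value):
    """Typing: accept the value only as an absolute http(s) URL."""
    u = urlsplit(value)
    if u.scheme not in ("http", "https") or not u.netloc:
        raise ValueError("not an absolute http(s) URL")
    return u.geturl()


def plain_text(value):
    """Validation fallback for untyped text tokens (assumed character set)."""
    if not re.fullmatch(r"[\w .,-]*", value):
        raise ValueError("unexpected characters")
    return value


def build_patch(point):
    """Slide 45 priority: typing if the semantics name a type, then sanitizing
    for the syntactic token, validation only when neither applies."""
    kind, _, quote, sem = point
    steps = [("typing", as_http_url)] if sem == "URL" else []
    if kind == "attribute value" and quote:
        steps.append(("sanitizing", lambda v: escape(v, quote=True)))
    return steps or [("validation", plain_text)]


def apply_patch(steps, transform):
    """The patched transform: countermeasures applied at the taint source."""
    return lambda value: transform(reduce(lambda v, s: s[1](v), steps, value))


def check(transform, values, benign="http://example.com/"):
    """Classify each value as 'rejected', 'changes structure' or 'harmless'."""
    def one(v):
        try:
            return "changes structure" if structure_changes(transform, benign, v) else "harmless"
        except ValueError:
            return "rejected"
    return {v: one(v) for v in values}


VECTORS = [
    '"><script>alert(0)</script>',                     # slide 33, first vector
    '" onmouseover="alert(0)',                         # slide 33, second vector
    "javascript:alert(0)",                             # constructed: token intact, URL broken
    "http://example.com/?q=<b>",                       # constructed: stays inside the token
    'http://example.com/"><script>alert(0)</script>',  # constructed: typed OK, token broken
]

if __name__ == "__main__":
    steps = build_patch(injection_point(vulnerable_expr))
    print(check(vulnerable_expr, VECTORS))
    print(check(apply_patch(steps, vulnerable_expr), VECTORS))
```

Note what the structural symptom alone misses: javascript:alert(0) leaves the attribute token intact and is reported harmless by the check, and it is the typing step, driven by the URL semantics rather than by the token type, that rejects it. Conversely a well-formed http URL that carries a quote passes typing and still needs the sanitizer. This is why slide 42 insists that the type of the injection point be determined strictly together with its semantics, and why slide 45 applies typing and sanitizing before falling back to validation.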