The document discusses various vulnerabilities in software development, focusing on concepts like static and dynamic analysis, code quality issues, and methods for identifying and mitigating vulnerabilities such as SQL injection and cross-site scripting. It emphasizes the importance of both static and dynamic analysis for early detection of potential security risks and outlines techniques such as control flow graphs and data flow analysis for deeper inspection of code. Additionally, it highlights the significance of validating inputs to prevent various types of attacks and the need for tool automation in the development process.

1. The Art of Fighting without Fighting

2. “ You can call it the art of fighting without fighting” – Bruce Lee Enter the Dragon, 1973

3. Weak Access Control API Misuse Buffer Overflow Poor Code Quality (FxCop) Poor Encapsulation Environment Misconfiguration Poor Error Handling Poor Input Validation And More…

4. Dynamic Analysis involves execution (black box) More common for pen testing Static Analysis (white box) Abstract interpretation Automation tool, Developer tool Semantics, Parsing Compiler theory, Set theory Object code, Byte code

5. Crawling can only audit what it can find Cannot cover 100% of source code Little knowledge of application False negatives

6. Compiler optimizations Framework and 3 rd party lib integration Identifying validation False positives

7. Precise Doesn’t report plausible but false defects Safe Doesn’t miss defects Too much of either can be useless

8. Correlation – the strength of relation between two variables Depends upon input detection Static feeds information to Dynamic Means less false negatives Means less false positives Hybrid Analysis

9. STEPS: Fix vulnerabilities early … Profit CHART:

10. Cross-site Scripting Response.Write(Request.QueryString[“isbn"]); SQL Injection protected System.Web.UI.WebControls.TextBox Publisher; SqlCommand cmd = new SqlCommand(“SELECT * FROM Books WHERE Publisher = ‘”+Publisher.Text+“’”, conn); HTTP Response Splitting string author = Author.Text; Cookie cookie = new Cookie("author", author); Path Traversal sting fName = Request.Form[“fileName“]; File.Delete("C:\\users\\files\\" + fName); Command Injection string args = “-a -o “+Request.Param[“arg”]; Process.Start(“program.exe“+args);

11. Source Location of injected malicious data Http Request Post Parameters Query String Sink Location malicious data is used to manipulate the application Http Response Command Query

12. Cross-site Scripting Response.Write ( Request.QueryString[“isbn"] ); SQL Injection protected System.Web.UI.WebControls.TextBox Publisher; SqlCommand cmd = new SqlCommand (“SELECT * FROM Books WHERE Publisher = ‘”+ Publisher.Text +“’”, conn); HTTP Response Splitting string author = Author.Text ; Cookie cookie = new Cookie ("author", author); Path Traversal sting fName = Request.Form[“fileName“] ; File.Delete ("C:\\users\\files\\" + fName); Command Injection string args = “-a -o “+ Request.Param[“arg”] ; Process.Start (“program.exe“+args);

13. Infinite ways to write code with the same output Use the lowest level human-readable language Parsing (alone) fails Be the compiler (and then some) IPA – Intraprocedural Analysis CFG – Control Flow Graph DFA – Data Flow Analysis Variable Tracing

14. Call graph f(g()) each node represents a procedure each edge is a call Stack trace is a dynamic call graph Context sensitive – separate node for each possible procedure activation Context insensitive – only one node for each procedure

15. A graph of all the paths of execution in a program Generate a CFG for each function Each node is a basic block CFA - Compute domination dominator - block M dominates block N if every path from the entry that reaches block N has to pass through block M abnormal edge - edge with an unknown destination

16. if if/else do switch

17. Follow all program paths Trace each branch both directions May discover dead code Reaching definitions The assignments that produce variable values at a certain state Which definitions contain tainted sources ? Of those definitions, which reach sinks ?

18. B1: a=value1 B2: a=value2 B2 KILLs B1 and B2 is also a GEN Use-Def chains For each use of variable v in a statement s, make a list of definitions of v that reach s Use-Def: backward seeking Def-Use: forward seeking

19. … int x; if (…) x = 1; … a = x; … This def reaches this use … but the def might not get executed!

20. … if (Page.IsValid()) string pwd = Request.Form[“pwd”]; … string sql = “SELECT …” + pwd + “’”; SqlCommand cmd = new SqlCommand(sql); … If this def doesn’t dominate this use Unvalidated input causes SQL Injection

21. Formerly called Microsoft Intermediate Language .NET is Stack based (LIFO) Metadata for compiled classes Reflection - the program in the mirror Common Language Runtime .method public static void Main() cil managed { .entrypoint .maxstack 1 ldstr "Hello, world!" call void [mscorlib]System.Console::WriteLine(string) ret }

22. Manual Static Analysis

23. Find every instance of an unvalidated source being used in the application Find combinations that link source to sink Determine validation in dominance frontier Implement checks that inform users of the specific vulnerabilities found Verify with dynamic analysis* Apply remediation*

24. Great way to find vulnerabilities? Or greatest way to find vulnerabilities? You decide .