static analysis: the art of fighting without fighting
Posted on 18-Dec-2014
The Art of Fighting without Fighting
“You can call it the art of fighting without fighting” – Bruce Lee, Enter the Dragon, 1973
- Weak Access Control
- API Misuse
- Buffer Overflow
- Poor Code Quality (FxCop)
- Poor Encapsulation
- Environment Misconfiguration
- Poor Error Handling
- Poor Input Validation
- And more…
Dynamic Analysis (black box)
- Involves execution
- More common for pen testing

Static Analysis (white box)
- Abstract interpretation
- Automation tool, developer tool
- Semantics, parsing
- Compiler theory, set theory
- Object code, byte code
Dynamic analysis limitations
- Crawling can only audit what it can find
- Cannot cover 100% of source code
- Little knowledge of the application
- False negatives

Static analysis limitations
- Compiler optimizations
- Framework and 3rd party library integration
- Identifying validation
- False positives
Precise – doesn't report plausible but false defects
Safe – doesn't miss defects
Too much of either can be useless
Hybrid Analysis
- Correlation – the strength of relation between two variables
- Depends upon input detection
- Static feeds information to Dynamic
- Means fewer false negatives
- Means fewer false positives
STEPS:
1. Fix vulnerabilities early
2. …
3. Profit
Vulnerability examples (ASP.NET / C#):
Cross-site Scripting
    Response.Write(Request.QueryString["isbn"]);
SQL Injection
    protected System.Web.UI.WebControls.TextBox Publisher;
    SqlCommand cmd = new SqlCommand("SELECT * FROM Books WHERE Publisher = '" + Publisher.Text + "'", conn);
HTTP Response Splitting
    string author = Author.Text;
    Cookie cookie = new Cookie("author", author);
Path Traversal
    string fName = Request.Form["fileName"];
    File.Delete("C:\\users\\files\\" + fName);
Command Injection
    string args = "-a -o " + Request.Params["arg"];
    Process.Start("program.exe", args);
Source – location of injected malicious data: HTTP request, POST parameters, query string
Sink – location where malicious data is used to manipulate the application: HTTP response, command, query
- Infinite ways to write code with the same output
- Use the lowest level human-readable language
- Parsing (alone) fails
- Be the compiler (and then some)
IPA – Intraprocedural Analysis
CFG – Control Flow Graph
DFA – Data Flow Analysis
Variable Tracing
Call graph: f(g())
- Each node represents a procedure
- Each edge is a call
- A stack trace is a dynamic call graph
- Context sensitive – separate node for each possible procedure activation
- Context insensitive – only one node for each procedure
Control Flow Graph: a graph of all the paths of execution in a program
- Generate a CFG for each function
- Each node is a basic block
- CFA – compute domination
- Dominator – block M dominates block N if every path from the entry that reaches block N has to pass through block M
- Abnormal edge – edge with an unknown destination
Diagram: CFG shapes for if, if/else, do, switch
- Follow all program paths
- Trace each branch in both directions
- May discover dead code
Reaching definitions: the assignments that produce variable values at a certain state
- Which definitions contain tainted sources?
- Of those definitions, which reach sinks?
B1: a = value1
B2: a = value2
B2 KILLs B1, and B2 is also a GEN

Use-Def chains: for each use of variable v in a statement s, make a list of definitions of v that reach s
Use-Def: backward seeking
Def-Use: forward seeking
    …
    int x;
    if (…)
        x = 1;
    …
    a = x;
    …
The def x = 1 reaches the use a = x … but the def might not get executed!
    …
    if (Page.IsValid())
        string pwd = Request.Form["pwd"];
    …
    string sql = "SELECT …" + pwd + "'";
    SqlCommand cmd = new SqlCommand(sql);
    …
If this def (pwd assigned inside the validated branch) doesn't dominate this use (pwd concatenated into the query), unvalidated input causes SQL Injection.
CIL – Common Intermediate Language (formerly called Microsoft Intermediate Language)
- .NET is stack based (LIFO)
- Metadata for compiled classes
- Reflection – the program in the mirror
- Common Language Runtime
.method public static void Main() cil managed {
    .entrypoint
    .maxstack 1
    ldstr "Hello, world!"
    call void [mscorlib]System.Console::WriteLine(string)
    ret
}
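As an added example (not part of the slide deck and not any real .NET tool), here is a small Python abstract interpreter over a constructed, CIL-like instruction set. It shows what "being the compiler" over stack-based byte code looks like: each evaluation-stack slot carries the set of sources its value may come from, a sink call that consumes a tainted slot is reported, and the observed stack depth is checked against the declared .maxstack the way the CLR verifier does. The instruction encoding, the SOURCES/SINKS/SANITIZERS tables and the three sample methods are assumptions made for this example; Request.QueryString[...] is collapsed into one pseudo-call rather than the real getter chain, and the SqlCommand constructor is modelled as a call rather than newobj.

```python
# Constructed IL-like instruction set (simplified from CIL; not ildasm output).
# Each instruction is a tuple:
#   ("ldstr", text)                 push a string literal
#   ("ldloc", n) / ("stloc", n)     push / pop local variable n
#   ("call", name, nargs, pushes)   pop nargs arguments, push a result if pushes
#   ("ret",)                        return; the evaluation stack must be empty

SOURCES = {"Request.QueryString", "Request.Form"}            # push attacker-controlled data
SINKS = {"Response.Write", "SqlCommand::.ctor", "Process.Start"}
SANITIZERS = {"HttpUtility.HtmlEncode"}                       # result is treated as clean


class MaxStackExceeded(Exception):
    """Raised when the evaluation stack grows past the method's .maxstack."""


def analyze_method(instructions, maxstack):
    """Abstractly execute a straight-line method. Each stack slot and local holds
    the frozenset of source names its value may carry (empty = clean). Returns
    (findings, deepest stack seen); a finding is (pc, sink name, sorted sources)."""
    stack, locals_, findings, deepest = [], {}, [], 0
    for pc, ins in enumerate(instructions):
        op = ins[0]
        if op == "ldstr":
            stack.append(frozenset())                         # literals are clean
        elif op == "ldloc":
            stack.append(locals_.get(ins[1], frozenset()))
        elif op == "stloc":
            locals_[ins[1]] = stack.pop()
        elif op == "call":
            name, nargs, pushes = ins[1], ins[2], ins[3]
            args = [stack.pop() for _ in range(nargs)][::-1]  # last pushed = last arg
            if name in SINKS:
                labels = frozenset().union(*args)
                if labels:
                    findings.append((pc, name, sorted(labels)))
            if pushes:
                if name in SOURCES:
                    stack.append(frozenset({name}))
                elif name in SANITIZERS:
                    stack.append(frozenset())
                else:
                    stack.append(frozenset().union(*args))    # unknown call: propagate taint
        elif op == "ret":
            if stack:
                raise ValueError(f"pc {pc}: ret with {len(stack)} value(s) on the stack")
            break
        else:
            raise ValueError(f"pc {pc}: unsupported opcode {op}")
        deepest = max(deepest, len(stack))
        if deepest > maxstack:
            raise MaxStackExceeded(f"pc {pc}: stack depth {deepest} > .maxstack {maxstack}")
    return findings, deepest


# Constructed methods. XSS_METHOD mirrors Response.Write(Request.QueryString["isbn"]).
XSS_METHOD = [
    ("ldstr", "isbn"),
    ("call", "Request.QueryString", 1, True),      # source
    ("call", "Response.Write", 1, False),          # sink
    ("ret",),
]
# Same flow, but the value is encoded before it reaches the response.
ENCODED_METHOD = [
    ("ldstr", "isbn"),
    ("call", "Request.QueryString", 1, True),
    ("stloc", 0),                                  # string s = Request.QueryString["isbn"];
    ("ldloc", 0),
    ("call", "HttpUtility.HtmlEncode", 1, True),   # s = HttpUtility.HtmlEncode(s);
    ("call", "Response.Write", 1, False),
    ("ret",),
]
# Taint survives an unknown call (string concatenation) and a local before the sink.
SQLI_METHOD = [
    ("ldstr", "SELECT * FROM Books WHERE Publisher = '"),
    ("ldstr", "publisher"),
    ("call", "Request.Form", 1, True),
    ("call", "String.Concat", 2, True),            # not in any table: taint propagates
    ("stloc", 0),
    ("ldloc", 0),
    ("call", "SqlCommand::.ctor", 1, False),       # sink
    ("ret",),
]
```

analyze_method(XSS_METHOD, 1) reports the Response.Write call at pc 2 fed by Request.QueryString; ENCODED_METHOD produces no finding because the encoder's result is clean; SQLI_METHOD needs .maxstack 2 (two literals are live at once) and reports the SqlCommand constructor, and declaring .maxstack 1 for it raises MaxStackExceeded.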
Manual Static Analysis
1. Find every instance of an unvalidated source being used in the application
2. Find combinations that link source to sink
3. Determine validation in the dominance frontier
4. Implement checks that inform users of the specific vulnerabilities found
5. Verify with dynamic analysis*
6. Apply remediation*
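The following is an added example, not code from the slides: a toy Python implementation of steps 1–3 above over a hand-built CFG, using the machinery from the earlier slides (dominators, reaching definitions as a GEN/KILL fixpoint, use-def chains, taint from source to sink, and the check that the validated definition dominates the use). The mini-IR, the block names and the two sample programs (modelled on the Page.IsValid() example) are constructed for this example; a real tool would build the CFG from the compiled byte code.

```python
# Constructed mini-IR for this example (hypothetical; a real tool builds it from byte code).
# A CFG is {block: [successor, ...]}; a definition id is (block, index). Statements:
#   ("def", v, "source")        v receives attacker-controlled input (tainted)
#   ("def", v, "sanitize", u)   v = validated/encoded copy of u (never tainted)
#   ("def", v, "expr", [deps])  v computed from deps (tainted if any dep is tainted)
#   ("use", v)                  v flows into a sink (query, command, response)

def _predecessors(cfg):
    return {b: [p for p, succs in cfg.items() if b in succs] for b in cfg}

def _var(stmts, d):  # variable written by definition d
    return stmts[d[0]][d[1]][1]

def dominators(cfg, entry):
    """Block M dominates N if every path from entry to N passes through M."""
    preds = _predecessors(cfg)
    dom = {b: set(cfg) for b in cfg}
    dom[entry] = {entry}
    changed = True
    while changed:
        changed = False
        for b in cfg:
            if b == entry or not preds[b]:
                continue
            new = {b} | set.intersection(*(dom[p] for p in preds[b]))
            if new != dom[b]:
                dom[b], changed = new, True
    return dom

def _transfer(stmts, block, inset):
    """Walk one block from IN: record the defs reaching each statement and return OUT.
    A new def of v kills every earlier def of v, i.e. OUT = GEN ∪ (IN − KILL)."""
    cur, reach = set(inset), {}
    for i, s in enumerate(stmts[block]):
        reach[(block, i)] = set(cur)
        if s[0] == "def":
            cur = {d for d in cur if _var(stmts, d) != s[1]} | {(block, i)}
    return cur, reach

def reaching_definitions(cfg, stmts):
    """Fixpoint over blocks. Returns reach[(block, i)] = defs reaching statement i;
    restricting that set to one variable gives its use-def chain."""
    preds, out, changed = _predecessors(cfg), {b: set() for b in cfg}, True
    while changed:
        changed = False
        for b in cfg:
            new = _transfer(stmts, b, set().union(*(out[p] for p in preds[b])))[0]
            if new != out[b]:
                out[b], changed = new, True
    reach = {}
    for b in cfg:
        reach.update(_transfer(stmts, b, set().union(*(out[p] for p in preds[b])))[1])
    return reach

def tainted_definitions(stmts, reach):
    """A def is tainted if it is a source, or an expr fed by a tainted reaching def."""
    defs = [((b, i), s) for b, ss in stmts.items() for i, s in enumerate(ss) if s[0] == "def"]
    tainted = {d for d, s in defs if s[2] == "source"}
    changed = True
    while changed:
        changed = False
        for d, s in defs:
            if s[2] == "expr" and d not in tainted and any(
                    r in tainted and _var(stmts, r) in s[3] for r in reach[d]):
                tainted.add(d)
                changed = True
    return tainted

def analyze(cfg, stmts):
    """Report each sink use whose use-def chain contains a tainted definition."""
    reach = reaching_definitions(cfg, stmts)
    tainted = tainted_definitions(stmts, reach)
    findings = []
    for b, ss in stmts.items():
        for i, s in enumerate(ss):
            if s[0] == "use":
                bad = {d for d in reach[(b, i)] if _var(stmts, d) == s[1]} & tainted
                if bad:
                    findings.append(((b, i), sorted(bad)))
    return findings

def validation_dominates(cfg, stmts, entry, sink_block):
    """Coarse form of the slides' check: is the sink block dominated by a block that
    validates? If not, some path reaches the sink without passing the validator."""
    validators = {b for b, ss in stmts.items()
                  if any(s[0] == "def" and s[2] == "sanitize" for s in ss)}
    return bool(dominators(cfg, entry)[sink_block] & validators)

# Constructed programs modelled on the slides' Page.IsValid() example.
# Vulnerable shape: validation on one branch only, query built at the join point.
VULN_CFG = {"B0": ["B1"], "B1": ["B2", "B3"], "B2": ["B3"], "B3": []}
VULN_STMTS = {
    "B0": [("def", "pwd", "source")],             # pwd = Request.Form["pwd"]
    "B1": [],                                      # if (Page.IsValid())
    "B2": [("def", "pwd", "sanitize", "pwd")],     #     pwd = Validate(pwd)
    "B3": [("def", "sql", "expr", ["pwd"]),        # sql = "SELECT ..." + pwd + "'"
           ("use", "sql")],                        # new SqlCommand(sql)
}
# Fixed shape: same statements, but the invalid case returns (B4), so the
# validated definition in B2 dominates the use in B3.
FIXED_CFG = {"B0": ["B1"], "B1": ["B2", "B4"], "B2": ["B3"], "B3": ["B4"], "B4": []}
FIXED_STMTS = dict(VULN_STMTS, B4=[])
```

analyze(VULN_CFG, VULN_STMTS) reports the SqlCommand sink in B3 with the tainted definition of sql, and validation_dominates(VULN_CFG, VULN_STMTS, "B0", "B3") is False because the Page.IsValid() branch can be bypassed on the B1→B3 edge; the same statements under FIXED_CFG yield no finding and the validator block dominates the sink. Like the slides' "Identifying validation" caveat, the result is only as good as the sanitize/source tables the analyst supplies.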
Great way to find vulnerabilities?
Or greatest way to find vulnerabilities?
You decide.