TRANSCRIPT
Copyright © Coverity, Inc. 2006. All Rights Reserved. This publication, in whole or in part, may not be reproduced, stored in a computerized, or other retrieval system or transmitted in any form, or by any means whatsoever without the prior written permission of Coverity, Inc.
Methods of increasing source code security automatically
Ben Chelf, CTO
10,000 foot view
PHP Code
C Code
Java Code
C++ Code
Security Vulnerabilities
MAGIC STATIC ANALYSIS BOX
dataflow analysis, pointer alias analysis, abstract interpretation,
model checking, flow-sensitive, flow-insensitive, context-sensitive,
context-insensitive, interprocedural, intraprocedural, solving constraints
What to look for?
{
	char src[100];
	char dest[50];
	strcpy(dest, src);	/* copies until the first NUL in src: overflows dest if src holds 50 or more non-NUL bytes */
}
What to look for?
{
	char src[50];
	char dest[50];
	strcpy(dest, src);	/* same sizes, but src is never terminated: nothing guarantees a NUL within 50 bytes */
}
What to look for?
{
	char src[50];
	char dest[50];
	src[sizeof(dest) - 1] = 0;	/* NUL at index 49 bounds the copy to at most 50 bytes */
	strcpy(dest, src);	/* the copy now fits in dest */
}
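As an added illustration (this is not code from the deck or from Coverity), here is a toy checker that reasons about the three snippets above the way a size-aware analysis must: it records the declared size of each local char array and any explicit NUL stored into the source, then classifies each strcpy() instead of flagging every call. It goes slightly beyond the slides by also accepting a literal index in the NUL store and by reporting a NUL store that itself lands outside its array; the regexes, verdict names and embedded snippets are this example's own assumptions.

```python
"""Toy intraprocedural checker for strcpy() between fixed-size local buffers.

Constructed example for this page (not Coverity's analysis): it models only
what the three "What to look for?" snippets need -- char arrays with literal
sizes, an optional explicit NUL store into the source, and a strcpy() between
two such arrays -- and classifies each strcpy() rather than pattern-matching
the call.
"""
import re

DECL_RE = re.compile(r"\bchar\s+(\w+)\s*\[\s*(\d+)\s*\]\s*;")
# `name[sizeof(other) - 1] = 0;` or `name[<literal>] = 0;`
NUL_STORE_RE = re.compile(
    r"\b(\w+)\s*\[\s*(?:sizeof\s*\(\s*(\w+)\s*\)\s*-\s*1|(\d+))\s*\]\s*=\s*0\s*;")
STRCPY_RE = re.compile(r"\bstrcpy\s*\(\s*(\w+)\s*,\s*(\w+)\s*\)\s*;")


def check_strcpy(source):
    """Return a list of (verdict, message) tuples, one per strcpy() call.

    OVERFLOW  the source array may hold more bytes than the destination
    UNKNOWN   sizes fit, but nothing proves src carries a NUL within dest's size
    OK        a NUL was stored in src at an index below the destination size
    OOB_WRITE the NUL store itself lands outside the array being written
    """
    sizes = {}     # array name -> declared element count
    nul_at = {}    # array name -> lowest index known to hold a 0 byte
    findings = []
    for line in source.splitlines():
        m = DECL_RE.search(line)
        if m:
            sizes[m.group(1)] = int(m.group(2))
            continue
        m = NUL_STORE_RE.search(line)
        if m:
            name, via_sizeof, literal = m.groups()
            if via_sizeof is not None and via_sizeof not in sizes:
                continue   # sizeof() of something this toy does not model
            index = sizes[via_sizeof] - 1 if via_sizeof is not None else int(literal)
            if name in sizes and index >= sizes[name]:
                findings.append(("OOB_WRITE",
                                 f"{name}[{index}] = 0 writes past the end of {name}[{sizes[name]}]"))
            else:
                nul_at[name] = min(index, nul_at.get(name, index))
            continue
        m = STRCPY_RE.search(line)
        if m:
            dest, src = m.groups()
            if dest not in sizes or src not in sizes:
                findings.append(("UNKNOWN",
                                 f"strcpy({dest}, {src}): an operand is not a sized local array"))
            elif src in nul_at and nul_at[src] < sizes[dest]:
                findings.append(("OK",
                                 f"strcpy({dest}, {src}): src is NUL-terminated at index {nul_at[src]} < {sizes[dest]}"))
            elif sizes[src] > sizes[dest]:
                findings.append(("OVERFLOW",
                                 f"strcpy({dest}, {src}): src holds up to {sizes[src]} bytes, dest only {sizes[dest]}"))
            else:
                findings.append(("UNKNOWN",
                                 f"strcpy({dest}, {src}): sizes fit but src may lack a NUL within {sizes[dest]} bytes"))
    return findings


def verdicts(source):
    """Just the verdict labels, in source order."""
    return [v for v, _ in check_strcpy(source)]


# The three slide snippets, embedded here so the checker runs offline.
SLIDE_1 = "{\nchar src[100];\nchar dest[50];\nstrcpy(dest, src);\n}\n"
SLIDE_2 = "{\nchar src[50];\nchar dest[50];\nstrcpy(dest, src);\n}\n"
SLIDE_3 = "{\nchar src[50];\nchar dest[50];\nsrc[sizeof(dest) - 1] = 0;\nstrcpy(dest, src);\n}\n"

if __name__ == "__main__":
    for label, snippet in (("slide 1", SLIDE_1), ("slide 2", SLIDE_2), ("slide 3", SLIDE_3)):
        for verdict, msg in check_strcpy(snippet):
            print(f"{label}: {verdict}: {msg}")
```

Run stand-alone it prints OVERFLOW for the first slide, UNKNOWN for the second and OK for the third. The point the three slides make is visible in the order of the tests inside check_strcpy: a checker that only compared declared sizes would pass the second snippet and reject a 100-byte source that has been terminated at index 49, so the termination fact has to be consulted before the size comparison.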
The Promise of Static Analysis Tools
Software Development Process: Design, Code, Integrate, QA, Release
Security Vulnerabilities
BENEFITS
Detects problems early in SDLC
No test cases required
Points to specific LOC
Systematic
Static Analysis
Bugs
Research techniques (not exhaustive)
• Shankar, Talwar, Foster, Wagner (2001)
• Ashcraft, Engler (2002)
• Yang, Kremenek, Xie, Engler (2003)
• Huang, Yu, Hang, Tsai, Lee (2004)
• Livshits and Lam (2005)
• Xie and Aiken (2006)
• Jovanovic, Kruegel, Kirda (2006)
• … many others
Making it work in the real world
PHP Code
C Code
Java Code
C++ Code
Build Systems
Parsing Code
Analysis time
Configuration for the code
Noise versus False Positives
What to report
Reviewing the results
Evil Tetris
/*
 * Set times to 0 except for
 * high score on each level.
 */
for (i = MINLEVEL; i < NLEVELS; i++)
	levelfound[i] = 0;
for (i = 0, sp = scores; i < nscores; i++, sp++) {
	/* hs_level comes from the saved score file and indexes
	 * levelfound[] with no check that it lies in [MINLEVEL, NLEVELS) */
	if (levelfound[sp->hs_level])
		sp->hs_time = 0;
	else {
		sp->hs_time = 1;
		levelfound[sp->hs_level] = 1;
	}
}
Do you use X?
if (getuid() != 0 &&
    geteuid == 0) {	/* missing (): compares the address of geteuid, not its return value */
	ErrorF("only root");
	exit(1);
}
"Since without the parentheses, the code is simply checking to see if the geteuid function in libc was loaded somewhere other than address 0 (which is pretty much guaranteed to be true), it was reporting it was safe to allow risky options for all users, and thus a security hole was born." - Alan Coopersmith, Sun Developer
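The X snippet above is the kind of one-token mistake a pattern-level checker catches cheaply. As an added example (not Coverity's checker and not X.org code), here is a toy that flags a known function name used as a comparison operand without call parentheses, and shows that the call-form passes clean. The seed list of function names, the keyword exclusion list and the embedded sample input are assumptions of this example.

```python
"""Toy checker for "function name compared without being called".

Constructed example for this page, not Coverity's checker and not X.org code:
it reports an identifier that is known to name a function but appears as a
comparison operand without call parentheses (e.g. `geteuid == 0`), since such
a comparison tests the function's address rather than its return value.
"""
import re

# Names the checker treats as functions.  A real tool would take these from
# the declarations it parsed; this seed set is an assumption of the example.
SEED_FUNCTIONS = {"getuid", "geteuid", "getgid", "getegid"}
C_KEYWORDS = {"if", "while", "for", "switch", "return", "sizeof"}

CALL_RE = re.compile(r"\b(\w+)\s*\(")
# A bare identifier on either side of == or !=; the lookaheads reject `name(`.
CMP_RE = re.compile(
    r"\b(\w+)\b(?!\s*\()\s*(==|!=)\s*\b(\w+)\b(?!\s*\()")


def known_functions(source):
    """Seed names plus anything called with parentheses somewhere in `source`."""
    called = set(CALL_RE.findall(source)) - C_KEYWORDS
    return SEED_FUNCTIONS | called


def find_uncalled_function_compares(source):
    """Return (line_no, name, expression) for each comparison operand that is
    a function name used without calling it."""
    funcs = known_functions(source)
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in CMP_RE.finditer(line):
            for name in (m.group(1), m.group(3)):
                if name in funcs:
                    findings.append((lineno, name, m.group(0).strip()))
    return findings


# The slide's snippet (the bug) and the same code with the call parentheses
# restored, embedded here as constructed sample input.
VULNERABLE = """\
if (getuid() != 0 &&
    geteuid == 0) {
    ErrorF("only root");
    exit(1);
}
"""
FIXED = VULNERABLE.replace("geteuid ==", "geteuid() ==")

if __name__ == "__main__":
    for lineno, name, expr in find_uncalled_function_compares(VULNERABLE):
        print(f"line {lineno}: '{expr}' compares the address of {name}; did you mean {name}()?")
    print("fixed version:", find_uncalled_function_compares(FIXED) or "no findings")
```

Run stand-alone it reports line 2 of the vulnerable snippet and nothing for the fixed one. The lookahead after each operand is what keeps `getuid() != 0` on line 1 quiet, so the checker distinguishes the call from the bare name rather than matching on the function's name alone. Today GCC's -Waddress (enabled by -Wall) warns on this same construct, which is the cheapest place to catch it.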