Static Analysis for Code - F-Secure Labs
Transcript
Join the conversation #devseccon
Static Analysis for Code and Infrastructure
By Nick Jones
The Problem
• Software developers make mistakes
• Mistakes = bugs = vulnerabilities
• Our goal is fewer bugs
Who Am I?
Nick Jones
• Security Consultant at MWR InfoSecurity
• Web application & infrastructure security
• Previous experience as a software developer
What Will We Be Covering?
• Why do we need static code analysis?
• How does an analyser work?
• Control flow graphs
• Taint analysis
• Pointer tracking
• DevSecOps and static analysis
How Do We Find Bugs?
Static Analysis (SAST)
• Analysing an application without executing it
• Code review, binary analysis, reverse engineering
Dynamic Analysis (DAST)
• Analysing by monitoring and interacting with the application as it executes
• Fuzzing, tampering, functional testing
How Do We Code Review?
Manual
• Give code to smart security experts
• They read, understand and spot bugs
Automated
• Pass code to a tool
• Tool parses code, hunts for known issues
Code Review - Examples
void echo()
{
    char buf[8];
    gets(buf);
    printf("%s\n", buf);
}
Code Review - Examples
webView.getSettings().setJavaScriptEnabled(true);
Manual Code Review – The Downsides
• Manual code review is expensive
(Slide shows three large codebases: ~45 million LOC, ~86 million LOC, ~24 million LOC)
Manual Code Review – The Downsides
• Steve McConnell (Code Complete) says 10-20 defects per 1000 lines of code…
(At that rate the three codebases come to ~675,000 bugs, ~1,290,000 bugs, ~360,000 bugs)
Static Code Analysis
• Automated searching of source code for issues
• Higher up front costs
• ‘Free’ security once built and configured
• Catch low hanging fruit automatically
What Will We Be Covering?
• Why do we need static code analysis?
• How does an analyser work?
• Control Flow Graphs
• Taint Analysis
• Pointer Tracking
• DevSecOps and Static Analysis
Computer Science Theory Ahead
To best use tools, you need to understand them.
• Languages
• Automata / State Machines
• Parsers
Languages
• Language - A set of strings of symbols constrained by a grammar
• Grammar – A set of rules defining the correct formation of a language
• Different grammars for different types of language
Chomsky’s Language Hierarchy
(diagram: the Chomsky hierarchy of languages, shown on the slide)
Context-Free Languages
• Anything that can be parsed by a context-free grammar
• Most programming languages are mostly context free*
• This is why parsing programming languages with regular expressions isn’t great
* Templates, macros etc. complicate this
Pushdown Automata
• Implementation of a context-free grammar
• Finite State Machines with stacks
• Decide transition based on both input and top of stack
• Can push/pop to stack as needed
Parsers
• Use a grammar to understand a language, convert it into a hierarchical data structure
• Several different types, depending on what you’re parsing
• TL;DR: Construct a Parse Tree or Abstract Syntax Tree (AST) from the source code
Parsers
Two separate stages
• Lexer splits input text into tokens (strings with an understood meaning)
• Parser constructs AST or similar from list of tokens
Can combine both – scannerless parsing
Lexer Example
Code:
if (DEBUG)
{
    printf(…);
    printf(…);
    printf(…);
}
Lexed Code (token stream; the slide shows the same text colour-coded by token type):
if ( DEBUG ) { printf ( … ) ; printf ( … ) ; printf ( … ) ; }
Parser Example
Code:
if (DEBUG)
{
    printf(…);
    printf(…);
    printf(…);
}
Parse tree (built up node by node over the following slides):
If()
└── Code Block
    ├── printf()
    ├── printf()
    └── printf()
We’ve got an AST, now what?
Basic:
• Search AST for dodgy function calls, check for debug guards etc
• Check for questionable imports
• Can be done with regexes, but understanding of code structure -> fewer false positives
Advanced:
• Control Flow Graphs (CFGs)
• Taint Analysis
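An added example, not from the slides, of the "basic" AST search described above. It is written in Python against Python source because the standard `ast` module supplies the lexer and parser: it flags dodgy calls and questionable imports, records whether a call sits under a debug guard, and contrasts the result with the regex approach, which also hits the comment and the string literal. The dodgy-name lists and the sample code are constructed for the illustration.

```python
import ast
import re

# Names this rule set treats as dodgy (constructed list): eval(), exec(), os.system(), pickle.loads()
DODGY_CALLS = {"eval", "exec", "system", "loads"}
DODGY_IMPORTS = {"pickle", "telnetlib"}
DEBUG_NAMES = {"DEBUG", "DEBUG_MODE"}


def call_name(call):
    """Last component of the called name: eval -> 'eval', pickle.loads -> 'loads'."""
    func = call.func
    return func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)


def is_debug_guard(test):
    """True for `if DEBUG:`, `if settings.DEBUG:` or `if DEBUG and ...:`."""
    if isinstance(test, ast.Name):
        return test.id in DEBUG_NAMES
    if isinstance(test, ast.Attribute):
        return test.attr in DEBUG_NAMES
    if isinstance(test, ast.BoolOp) and isinstance(test.op, ast.And):
        return any(is_debug_guard(value) for value in test.values)
    return False


def under_debug_guard(node):
    """Follow parent links upwards; the node must sit in the *body* of a debug `if`, not its else."""
    child, parent = node, getattr(node, "parent", None)
    while parent is not None:
        if isinstance(parent, ast.If) and is_debug_guard(parent.test) and child in parent.body:
            return True
        child, parent = parent, getattr(parent, "parent", None)
    return False


def ast_findings(source):
    """Structure-aware search over the parse tree: returns sorted (line, message) pairs."""
    tree = ast.parse(source)
    for parent in ast.walk(tree):            # the ast module keeps no parent links, so add them
        for child in ast.iter_child_nodes(parent):
            child.parent = parent
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            modules = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            modules = [node.module] if node.module else []
        else:
            modules = []
        for module in modules:
            if module.split(".")[0] in DODGY_IMPORTS:
                findings.append((node.lineno, f"questionable import {module}"))
        if isinstance(node, ast.Call) and call_name(node) in DODGY_CALLS:
            note = " (inside a debug guard)" if under_debug_guard(node) else ""
            findings.append((node.lineno, f"{call_name(node)}() call{note}"))
    return sorted(findings)


def regex_findings(source):
    """The grep approach: it cannot tell code from comments or strings, nor see guards."""
    pattern = re.compile(r"\b(" + "|".join(sorted(DODGY_CALLS)) + r")\s*\(")
    return sorted((lineno, f"{match.group(1)}() call")
                  for lineno, line in enumerate(source.splitlines(), 1)
                  for match in pattern.finditer(line))


# Constructed code under review (not from the slides).
SAMPLE = '''
import pickle
import json

def handle(payload, DEBUG=False):
    # eval(payload) used to live here and was removed
    log("eval(payload) disabled")
    if DEBUG:
        exec(payload)             # only reachable in debug builds
    return pickle.loads(payload)  # deserialising untrusted data
'''

if __name__ == "__main__":
    for lineno, message in ast_findings(SAMPLE):
        print(f"ast   line {lineno}: {message}")
    for lineno, message in regex_findings(SAMPLE):
        print(f"regex line {lineno}: {message}")
```

The AST pass reports three real findings; the regex pass reports four, two of them the `eval` text in a comment and a string.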
What Will We Be Covering?
• Why do we need static code analysis?
• How does an analyser work?
• Control Flow Graphs
• Taint Analysis
• Pointer Tracking
• DevSecOps and Static Analysis
Control Flow Graphs
“a representation, using graph notation, of all paths that might be traversed through a program”
• Each basic block represented as a graph node
• Jump targets start block, jumps end block
• Jumps represented as directed edges
Control Flow Graphs
Commonly used for compiler optimisation
• Unreachable/dead code
• Detection of infinite loops
• Arithmetic optimisation
• Jump threading
Control Flow Graphs
(diagram: an example control flow graph, shown on the slide)
Why Should I Care About Control Flow Graphs?
• Allows tracing of execution dependent on given inputs without running the application
• Allows a number of different analysis types
• We’re going to focus on:
  • Taint Analysis
  • Pointer Tracking
What Will We Be Covering?
• Why do we need static code analysis?
• How does an analyser work?
• Control Flow Graphs
• Taint Analysis
• Pointer Tracking
• DevSecOps and Static Analysis
Taint Analysis
• Analyse data sinks to understand where the data has come from
• If it’s from external input, it’s tainted unless sanitised
• Trace data sinks back to original source
• Data sanitised several function calls ago? Trace the graph back and find it
Taint Analysis
$result = login($_POST['user'], $_POST['password']);

function login($user, $password) {
    return login_query($user, $password);
}

function login_query($user, $password) {
    global $db;  // assumed: an open mysqli connection
    // The query is built by string concatenation, so the tainted user and password flow straight into SQL
    return mysqli_query($db, "select * from user where user='" . $user . "' and password='" . $password . "';");
}
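Added example, not from the slides: the interprocedural taint analysis sketched above, implemented over a Python AST with the slide's login/login_query example translated to Python. `request.POST[...]` is assumed to be the source, `db_query()` the sink and `escape()` the sanitiser (constructed names); each function gets a summary of which parameters reach a sink or the return value, so taint, and sanitisation applied two calls earlier, are tracked across the call chain.

```python
import ast

SOURCES = {"POST", "GET"}   # request.POST[...] / request.GET[...] are attacker controlled
SANITISERS = {"escape"}     # a call whose result is treated as clean
SINKS = {"db_query"}        # stand-in for the slide's mysqli_query
EXTERNAL = "external"       # taint label for data that came straight from a source

def call_name(call):
    func = call.func
    return func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)

def new_summary():
    """By parameter index: "ret" = params flowing into the return value, "sink" = params reaching a sink unsanitised."""
    return {"ret": set(), "sink": set()}

class TaintAnalyser:
    def __init__(self, source):
        tree = ast.parse(source)
        self.funcs = {n.name: n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)}
        self.summaries = {name: new_summary() for name in self.funcs}
        self.findings = []
        self._compute_summaries()
        self._analyse(tree.body, {}, new_summary())   # module level: where EXTERNAL taint enters

    def _compute_summaries(self):
        """Re-analyse every function until no summary changes, so callee facts reach callers."""
        changed = True
        while changed:
            changed = False
            for name, fn in self.funcs.items():
                env = {arg.arg: {i} for i, arg in enumerate(fn.args.args)}
                summary = new_summary()
                self._analyse(fn.body, env, summary)
                if summary != self.summaries[name]:
                    self.summaries[name], changed = summary, True

    def _analyse(self, stmts, env, summary):
        """Flow-insensitive walk: assignments extend env; returns and sinks update summary."""
        for st in stmts:
            if isinstance(st, ast.Assign):
                labels = self._taint(st.value, env, summary)
                for target in st.targets:
                    if isinstance(target, ast.Name):
                        env[target.id] = labels
            elif isinstance(st, ast.Return) and st.value is not None:
                summary["ret"] |= {l for l in self._taint(st.value, env, summary) if l != EXTERNAL}
            elif isinstance(st, ast.Expr):
                self._taint(st.value, env, summary)
            elif isinstance(st, (ast.If, ast.While, ast.For)):
                self._analyse(st.body, env, summary)
                self._analyse(st.orelse, env, summary)

    def _taint(self, node, env, summary):
        """Labels (parameter indices or EXTERNAL) that can reach this expression."""
        if isinstance(node, ast.Name):
            return set(env.get(node.id, ()))
        if isinstance(node, ast.Subscript):
            if isinstance(node.value, ast.Attribute) and node.value.attr in SOURCES:
                return {EXTERNAL}
            return self._taint(node.value, env, summary)
        if isinstance(node, ast.BinOp):      # string concatenation keeps the taint
            return self._taint(node.left, env, summary) | self._taint(node.right, env, summary)
        if isinstance(node, ast.Call):
            return self._call(node, env, summary)
        return set()                         # literals and anything else: clean

    def _call(self, call, env, summary):
        name = call_name(call)
        args = [self._taint(a, env, summary) for a in call.args]
        if name in SANITISERS:
            return set()
        if name in SINKS:
            self._reached_sink(call, set().union(*args), summary)
            return set()
        # Unknown functions are assumed to pass taint straight through to their result.
        callee = self.summaries.get(name) or {"ret": set(range(len(args))), "sink": set()}
        # The callee's summary says which of *our* arguments end up in a sink or come back out.
        self._reached_sink(call, set().union(*(args[i] for i in callee["sink"] if i < len(args))), summary)
        return set().union(*(args[i] for i in callee["ret"] if i < len(args)))

    def _reached_sink(self, call, labels, summary):
        if EXTERNAL in labels:
            self.findings.append(f"line {call.lineno}: external input reaches a sink through {call_name(call)}()")
        summary["sink"] |= {l for l in labels if l != EXTERNAL}

# The slide's PHP example rewritten in Python (constructed sample).
VULNERABLE = '''def login(user, password):
    return login_query(user, password)

def login_query(user, password):
    return db_query("select * from user where user='" + user + "' and password='" + password + "'")

result = login(request.POST["user"], request.POST["password"])
'''

# Same code, sanitised at the top level: two calls away from the sink, as the slide describes.
FIXED = VULNERABLE.replace('login(request.POST["user"], request.POST["password"])',
                           'login(escape(request.POST["user"]), escape(request.POST["password"]))')
```

`TaintAnalyser(VULNERABLE).findings` names the top-level `login()` call as the point where external input enters a path to the sink; `TaintAnalyser(FIXED).findings` is empty because the summaries carry the sanitisation through both calls.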
What Will We Be Covering?
• Why do we need static code analysis?
• How does an analyser work?
• Control Flow Graphs
• Taint Analysis
• Pointer Tracking
• DevSecOps and Static Analysis
Pointer Tracking
• When walking the graph, track:
  • Pointer creation/destruction
  • Memory allocation/deallocation
• Spot code paths leading to memory errors
Pointer Tracking
char* ptr = (char*)malloc(SIZE);
...
if (err) {
    free(ptr);
}
...
if (DEBUG_MODE && err) {
    /* when err is set, ptr was freed above: use after free */
    logError("operation aborted before commit", ptr);
}
Pointer Tracking
Can be used to find:
• Null pointers
• Use after frees
• Dangling pointers
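Added example (not the slides' code) tying the control flow graph section to the pointer tracking one: the malloc/free/logError snippet above, lowered by hand into a CFG and then walked path by path, carrying each pointer's state and the branch outcomes assumed so far. The `err`-true path that frees and then logs `ptr` is reported, while a variant that logs only when `err` is false is recognised as infeasible rather than flagged. Block names and the statement encoding are constructed for the example.

```python
# CFG encoding (constructed for this example): block name -> (statements, edges)
#   statements: ("alloc", var) | ("free", var) | ("use", var, where)
#   edges:      (successor, None) or (successor, (branch_variable, required_value))


def lower_slide_example(use_when_err=True):
    """The slide's malloc/free/logError snippet as a CFG. `DEBUG_MODE && err` is
    lowered into two branch blocks (B2, B2b) the way a compiler lowers a
    short-circuit &&. use_when_err=False builds the variant that logs only when
    err is *false*: safe, but a path-insensitive check would still flag it."""
    return {
        "B0":  ([("alloc", "ptr")], [("B1", ("err", True)), ("B2", ("err", False))]),
        "B1":  ([("free", "ptr")], [("B2", None)]),
        "B2":  ([], [("B2b", ("DEBUG_MODE", True)), ("B4", ("DEBUG_MODE", False))]),
        "B2b": ([], [("B3", ("err", use_when_err)), ("B4", ("err", not use_when_err))]),
        "B3":  ([("use", "ptr", "logError")], [("B4", None)]),
        "B4":  ([], []),
    }


def track_pointers(cfg, entry="B0"):
    """Enumerate feasible paths from entry, carrying each pointer's state and the
    branch outcomes assumed so far. Returns (kind, var, where, path, assumptions)."""
    findings = []

    def visit(block, states, assumptions, path):
        stmts, edges = cfg[block]
        states = dict(states)                        # copy: every path owns its state
        for st in stmts:
            kind, var = st[0], st[1]
            if kind == "alloc":
                states[var] = "allocated"
            elif kind == "free":
                if states.get(var) == "freed":
                    findings.append(("double-free", var, block, path, assumptions))
                states[var] = "freed"
            elif kind == "use" and states.get(var) == "freed":
                findings.append(("use-after-free", var, f"{st[2]} in {block}", path, assumptions))
        for succ, cond in edges:
            branch = dict(assumptions)
            if cond is not None:
                var, value = cond
                if branch.get(var, value) != value:
                    continue                         # contradicts an earlier branch: infeasible path
                branch[var] = value
            if succ not in path:                     # visit each block once per path; keeps loops finite
                visit(succ, states, branch, path + [succ])

    visit(entry, {}, {}, [entry])
    return findings


if __name__ == "__main__":
    for kind, var, where, path, assumptions in track_pointers(lower_slide_example()):
        print(f"{kind} of {var} at {where} via {' -> '.join(path)} when {assumptions}")
    print("safe variant:", track_pointers(lower_slide_example(use_when_err=False)))
```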
What Will We Be Covering?
• Why do we need static code analysis?
• How does an analyser work?
• Control Flow Graphs
• Taint Analysis
• Pointer Tracking
• DevSecOps and Static Analysis
Static Analysis in an SDLC
• Catch security issues before penetration tests
• One developer builds it, everyone can use it
• Can be built into existing toolchain, used with continuous integration systems etc.
• Catch issues as they are introduced to the codebase
• Catch regressions in code before it hits production
Static Analysis for Infrastructure
• Source code static analysis is known to work well
• Can we statically analyse infrastructure?
Infrastructure as Code
• Defining your infrastructure in software
• System definitions stored in configuration files, pushed/pulled to/from servers by agents or control nodes
• Common systems:
  • Chef
  • Puppet
  • Ansible
  • Salt
Infrastructure as Code
• Usually tested with unit and integration testing
  • Often as part of a CI toolchain
• Common tools:
  • BDD-Security
  • Cucumber
  • Rspec
  • Selenium
Static Analysis for Infrastructure
• Can we statically analyse infrastructure?
• Already common for syntax/style checks
  • Ansible -> ansible-lint
  • Chef -> FoodCritic, rubocop
  • Puppet -> puppet-lint, erb syntax checking
• Can be used to catch security issues too
What Security Issues Can We Find?
• Hardcoded passwords
  • Ansible -> ansible_become_pass without using ansible_vault or similar
• Presence of unnecessary tooling
  • gcc left on production servers
• Failure to apply hardening
  • SSH – password authentication/root login enabled
  • Overly permissive firewall rules
  • No SELinux/AppArmor/grsec
What Do We Need To Do This?
• Parser for the CM tool’s Domain Specific Language (DSL)
  • Most DSLs are variants on existing languages
  • Leverage existing parsers
• A rules engine
  • Define what “good” or “not good” looks like
  • To analyse, walk the AST and compare tree nodes against the rules DB
• Infrastructure static analysis is simpler to implement yourself than code analysis
Example
Tasks:
  - name: Setup ufw
    ufw: state=enabled policy=deny
  - name: allow password authentication
    lineinfile: dest=/etc/ssh/sshd_config
                regexp="^PasswordAuthentication"
                line="PasswordAuthentication yes"
                state=present
    notify: Restart ssh
Example
Rules:
Case lineinfile:
    if regexp.contains("PasswordAuthentication"):
        if line.matches("PasswordAuthentication yes"):
            raise_flag("PasswordAuthentication enabled on SSH")
Case ufw:
    if policy == "allow":
        raise_flag("UFW default incoming set to allow")
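Added example (not from the slides) of the parser-plus-rules-engine design described above, in Python: the slide's two tasks as a YAML loader would hand them over, the `key=value` shorthand normalised with `shlex`, and the slide's lineinfile and ufw rules extended to PermitRootLogin and to the hard-coded ansible_become_pass case from the earlier slide. The extra tasks and the `hunter2` value are constructed.

```python
import re
import shlex

# sshd_config directives the rules consider unsafe when set to yes
# (PasswordAuthentication is the slide's rule; PermitRootLogin covers the "root login enabled" bullet).
SSHD_BAD_LINES = {
    "PasswordAuthentication": re.compile(r"^\s*PasswordAuthentication\s+yes\b", re.I),
    "PermitRootLogin": re.compile(r"^\s*PermitRootLogin\s+yes\b", re.I),
}


def module_args(task, module):
    """Ansible lets a task give module arguments either as a mapping or as the
    `key=value key=value` shorthand seen on the slide; normalise both to a dict."""
    args = task[module]
    if isinstance(args, dict):
        return args
    return dict(item.split("=", 1) for item in shlex.split(args) if "=" in item)


def rule_lineinfile(args):
    dest = args.get("dest") or args.get("path") or ""
    if not dest.endswith("sshd_config"):
        return []                                   # same directive in another file is not an SSH issue
    line = args.get("line", "")
    return [f"{directive} enabled on SSH ({dest})"
            for directive, bad in SSHD_BAD_LINES.items() if bad.match(line)]


def rule_ufw(args):
    if args.get("policy") == "allow":
        return ["UFW default incoming set to allow"]
    return []


def rule_become_pass(task):
    """ansible_become_pass should come from Vault; `ansible-vault encrypt_string`
    output begins with $ANSIBLE_VAULT, so any other plain string is hardcoded."""
    value = task.get("vars", {}).get("ansible_become_pass")
    if isinstance(value, str) and not value.lstrip().startswith("$ANSIBLE_VAULT"):
        return ["hardcoded ansible_become_pass"]
    return []


MODULE_RULES = {"lineinfile": rule_lineinfile, "ufw": rule_ufw}


def analyse(tasks):
    """Walk the task list (the playbook's tree) and compare each node against the rules."""
    flags = []
    for task in tasks:
        name = task.get("name", "<unnamed>")
        for module, rule in MODULE_RULES.items():
            if module in task:
                flags += [f"{name}: {flag}" for flag in rule(module_args(task, module))]
        flags += [f"{name}: {flag}" for flag in rule_become_pass(task)]
    return flags


# The slide's two tasks, as a YAML loader would hand them to us.
SLIDE_TASKS = [
    {"name": "Setup ufw", "ufw": "state=enabled policy=deny"},
    {"name": "allow password authentication",
     "lineinfile": 'dest=/etc/ssh/sshd_config regexp="^PasswordAuthentication" '
                   'line="PasswordAuthentication yes" state=present',
     "notify": "Restart ssh"},
]

# Constructed extra tasks (not from the slides) to exercise the remaining rules.
EXTRA_TASKS = [
    {"name": "open the firewall", "ufw": {"state": "enabled", "policy": "allow"}},
    {"name": "become root", "command": "id", "vars": {"ansible_become_pass": "hunter2"}},
    {"name": "vaulted become", "command": "id",
     "vars": {"ansible_become_pass": "$ANSIBLE_VAULT;1.1;AES256\n<ciphertext placeholder>"}},
]

if __name__ == "__main__":
    for flag in analyse(SLIDE_TASKS + EXTRA_TASKS):
        print(flag)
```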
Why Does This Help?
• Enforce common good practices in an environment-agnostic manner
• Complements integration/unit testing
• Can be run locally on a developer’s machine
  • Instant feedback
  • No VMs required
• Complements automated integration testing as part of CI
Conclusion
• Static analysis catches some classes of bugs cheaply
• Build it into your continuous integration for automated security
• Static analysis can be used on IaC
  • Complements integration and unit testing
Join the conversation #devseccon
Thank you all for listening!
Any questions?