Static Analysis: The Good, The Bad and The Ugly
Marwan Burelle, LSE Summer Week 2014
(transcript of the slides)
It's all about theory, security, practice... and the rest.
Static Program Analysis?
Reasoning about the code without running it.
➢ Mostly undecidable or semi-decidable!
➢ Specific properties can be tested
➢ Often hard and complex
➢ Can't be both sound and complete (for any non-trivial semantic property, by Rice's theorem: a terminating analysis has to give up one side)
But we need it!
➢ Detecting corner-case errors
➢ Verifying complex properties
➢ Getting a formal, machine-checked proof
➢ Compiler and optimization work
Toy Example
Sign Analysis
➢ Decide the sign of an arithmetic expression
➢ Use a 4-valued logic:
● unknown
● plus
● minus
● both

Lattice diagram on the slide: unknown at the top, plus and minus side by side below it, both at the bottom.
Sign Analysis

```ocaml
type expr =
  | Int of int
  | Var of string
  | UMinus of expr
  | Add of expr * expr
  | Dif of expr * expr
  | Mul of expr * expr

type sign = UNKNOWN | PLUS | MINUS | BOTH

module Env = Map.Make(String)

(* Abstract evaluation of an expression under an environment that maps
   variables to signs. *)
let rec sign env = function
  | Int i when i < 0 -> MINUS
  | Int i -> PLUS                 (* zero lands here: PLUS really means "non-negative" *)
  | Var x -> Env.find x env       (* raises Not_found for an unbound variable *)
  | UMinus e ->
    begin match sign env e with
      | PLUS -> MINUS             (* unsound on zero: -(0) = 0, which is PLUS above *)
      | MINUS -> PLUS
      | _ -> BOTH
    end
  | Add (e0, e1) ->
    begin match (sign env e0, sign env e1) with
      | (PLUS, PLUS) -> PLUS
      | (MINUS, MINUS) -> MINUS
      | _ -> BOTH
    end
  | Dif (e0, e1) ->
    begin match (sign env e0, sign env e1) with
      | (PLUS, MINUS) -> PLUS
      | (MINUS, PLUS) -> MINUS
      | _ -> BOTH
    end
  | Mul (e0, e1) ->
    begin match (sign env e0, sign env e1) with
      | (PLUS, PLUS) | (MINUS, MINUS) -> PLUS
      | (PLUS, MINUS) | (MINUS, PLUS) -> MINUS   (* same zero problem: 0 * (-1) = 0 *)
      | _ -> BOTH
    end
```
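Because the toy classifies 0 as PLUS, its UMinus and Mul rules are not sound on zero. The following is an added example, not code from the talk: the same analysis in Python with a five-valued lattice that keeps zero apart, written so that each transfer function over-approximates the concrete operation, plus a brute-force check that confirms this on representative values and a function that exhibits the slide's zero problem. The tuple encoding of expressions and every function name here are my own.

```python
# Added example, not from the slides: sign analysis with a five-valued lattice
# (BOT < NEG, ZERO, POS < TOP) and a soundness check of its transfer functions.
from itertools import product

BOT, NEG, ZERO, POS, TOP = "bot", "neg", "zero", "pos", "top"
SIGNS = [NEG, ZERO, POS, TOP]                      # the non-bottom elements

def join(a, b):
    """Least upper bound in the flat lattice."""
    if a == BOT:
        return b
    if b == BOT:
        return a
    return a if a == b else TOP

def sign_of(n):
    """Abstraction of a concrete integer."""
    return ZERO if n == 0 else (POS if n > 0 else NEG)

def samples(s):
    """Representative concrete values of an abstract sign, used by the soundness check."""
    return {BOT: [], NEG: [-7, -1], ZERO: [0], POS: [1, 7], TOP: [-7, -1, 0, 1, 7]}[s]

def neg(s):
    return {NEG: POS, POS: NEG}.get(s, s)           # ZERO, BOT and TOP are fixed points

def add(a, b):
    if BOT in (a, b):
        return BOT
    if a == ZERO:
        return b
    if b == ZERO:
        return a
    return a if a == b else TOP                     # POS + NEG can be anything

def sub(a, b):
    return add(a, neg(b))

def mul(a, b):
    if BOT in (a, b):
        return BOT
    if ZERO in (a, b):
        return ZERO                                 # 0 * x is exactly 0
    if TOP in (a, b):
        return TOP
    return POS if a == b else NEG

OPS = {"add": add, "sub": sub, "mul": mul}
CONCRETE = {"add": lambda x, y: x + y, "sub": lambda x, y: x - y, "mul": lambda x, y: x * y}

def sign(env, e):
    """Abstract evaluation. e is ("int", n) | ("var", name) | ("neg", e) | (op, e0, e1)."""
    kind = e[0]
    if kind == "int":
        return sign_of(e[1])
    if kind == "var":
        return env.get(e[1], TOP)                   # unbound variable: assume nothing
    if kind == "neg":
        return neg(sign(env, e[1]))
    return OPS[kind](sign(env, e[1]), sign(env, e[2]))

def check_soundness():
    """True iff every abstract operation over-approximates the concrete one on the
    samples: for all a, b and all x in a, y in b, sign_of(x op y) is below op#(a, b)."""
    for name, f in OPS.items():
        for a, b in product(SIGNS, repeat=2):
            result = f(a, b)
            for x, y in product(samples(a), samples(b)):
                if join(result, sign_of(CONCRETE[name](x, y))) != result:
                    return False
    return all(join(neg(s), sign_of(-x)) == neg(s) for s in SIGNS for x in samples(s))

def slide_counterexample():
    """The slide's 4-valued rules classify 0 as PLUS and map UMinus PLUS to MINUS,
    yet -(0) = 0 is PLUS again. Returns True when that disagreement is exhibited."""
    slide_sign = lambda n: "MINUS" if n < 0 else "PLUS"
    slide_neg = {"PLUS": "MINUS", "MINUS": "PLUS"}
    return slide_neg[slide_sign(0)] != slide_sign(-0)

if __name__ == "__main__":
    env = {"a": POS, "b": NEG}
    e = ("mul", ("var", "a"), ("sub", ("var", "b"), ("int", 1)))   # a * (b - 1)
    print(sign(env, e), check_soundness(), slide_counterexample())
```

The check is what "sound" means in the next slides made executable: the analysis never claims a sign that the concrete computation can contradict. The price is precision, which is why POS + NEG and TOP-anything collapse to TOP.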
Sound or Complete?

An analysis verifies a property.

Sound analysis: the cases it identifies really have the property (no false claims).

Complete analysis: all cases that have the property are identified (no misses).

A sound analysis provides safety; a complete analysis tracks errors.
Analysis
➢ Model checking
➢ Data-flow analysis
➢ Constraint-based analysis
➢ Abstract interpretation
➢ Type systems
➢ Handcrafted analysis ;)
➢ ...
The data-flow recipe:
➢ Put labels on the code
➢ Build a flow graph
➢ Build equations and solve them

[x ← a + b]¹
[y ← a * b]²
while [y > a + b]³ do
  [a ← a + 1]⁴
  [x ← a + b]⁵
done
Flow graph for the labelled program: 1 → 2 → 3, then 3 → 4 → 5 → 3 (the loop's back edge), and 3 → exit when the test fails.
Available expressions, kill/gen per label. kill(l) is every expression that mentions the variable assigned at l; gen(l) is every expression evaluated at l that does not mention it:

| label | Kill            | Gen   |
|-------|-----------------|-------|
| 1     | ∅               | {a+b} |
| 2     | ∅               | {a*b} |
| 3     | ∅               | {a+b} |
| 4     | {a+b, a*b, a+1} | ∅     |
| 5     | ∅               | {a+b} |
Solving Entry(l) = ∩ Exit(p) over the predecessors p of l (∅ for label 1, which has none) and Exit(l) = (Entry(l) \ Kill(l)) ∪ Gen(l) gives:

| label | Entry | Exit       |
|-------|-------|------------|
| 1     | ∅     | {a+b}      |
| 2     | {a+b} | {a+b, a*b} |
| 3     | {a+b} | {a+b}      |
| 4     | {a+b} | ∅          |
| 5     | ∅     | {a+b}      |

So a + b is available on entry to the loop test (label 3) and to label 4 and need not be recomputed there; after a ← a + 1 nothing is available, which is why a*b never reaches label 3 on the back edge.
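The equations above can be solved mechanically. The following is an added example, my own code and not from the talk: the labelled program is encoded as a small table, and a worklist solver computes Entry and Exit for the available-expressions analysis. Expression strings, the flow list and the function names are my own encoding of the slide's program.

```python
# Added example, not from the slides: available-expressions analysis of the labelled
# program, solved by a worklist over the flow graph. Results match the slide's tables.

# label -> (variable assigned at that label or None, expressions evaluated there)
PROGRAM = {
    1: ("x", {"a+b"}),
    2: ("y", {"a*b"}),
    3: (None, {"a+b"}),      # loop test: y > a+b
    4: ("a", {"a+1"}),
    5: ("x", {"a+b"}),
}
FLOW = [(1, 2), (2, 3), (3, 4), (4, 5), (5, 3)]    # 3 -> exit is left implicit
ALL_EXPRS = frozenset().union(*(exprs for _, exprs in PROGRAM.values()))

def variables(expr):
    """Variables of an expression; in this toy syntax they are the letters."""
    return {c for c in expr if c.isalpha()}

def kill(label):
    """Expressions invalidated at label: every one mentioning the assigned variable."""
    var, _ = PROGRAM[label]
    return {e for e in ALL_EXPRS if var in variables(e)} if var else set()

def gen(label):
    """Expressions made available at label: those evaluated there that survive the assignment."""
    var, exprs = PROGRAM[label]
    return {e for e in exprs if var not in variables(e)}

def solve():
    """Forward 'must' analysis: Entry(l) is the intersection of Exit(p) over the
    predecessors p of l (nothing is available at the initial label), and
    Exit(l) = (Entry(l) - kill(l)) | gen(l). Everything starts at the top of the
    lattice (all expressions) so the solver converges to the greatest fixpoint."""
    labels = sorted(PROGRAM)
    first = labels[0]
    preds = {l: [p for p, q in FLOW if q == l] for l in labels}
    succs = {l: [q for p, q in FLOW if p == l] for l in labels}
    entry = {l: set() if l == first else set(ALL_EXPRS) for l in labels}
    exit_ = {l: set(ALL_EXPRS) for l in labels}
    worklist = list(labels)
    while worklist:
        l = worklist.pop(0)
        if preds[l]:
            entry[l] = set.intersection(*(exit_[p] for p in preds[l]))
        new_exit = (entry[l] - kill(l)) | gen(l)
        if new_exit != exit_[l]:
            exit_[l] = new_exit
            worklist.extend(s for s in succs[l] if s not in worklist)   # successors need another look
    return entry, exit_

if __name__ == "__main__":
    entry, exit_ = solve()
    for l in sorted(PROGRAM):
        print(l, sorted(entry[l]), sorted(exit_[l]))
```

The same skeleton, with union instead of intersection and different kill/gen sets, gives reaching definitions, and with "tainted" instead of "available" it is the core of the taint analyses security tools run over the same flow graphs.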
For real?
Traditional code analysis requires:
➢ some language properties
➢ a well-founded semantics
➢ some execution model
C doesn't fit this description!
C has the following drawbacks:
➢ no formal semantics (the standard is prose; academic formalizations cover subsets)
➢ the standard is sometimes fuzzy (undefined and implementation-defined behaviour)
➢ there are still ambiguous syntactic aspects
Are we doomed?
We can still have:
➢ unsound, incomplete but useful analyses
➢ guidelines for other methods
➢ working analyses on very specific cases
Buffer Overflow
```c
#include <string.h>

/* Deliberately vulnerable: an attacker-controlled argv[1] of 8 bytes or more
   (7 characters plus the terminator already fill buf) overruns the stack buffer. */
void ugly(char *src)
{
    char buf[8];
    strcpy(buf, src);
}

int main(int argc, char *argv[])
{
    if (argc > 1) {
        ugly(argv[1]);
    }
    return 0;
}
```
➢ Write outside of buffer boundaries
➢ Most common mistake
➢ Over the last 25 years:
● 14% of security vulnerabilities
● 23% of top-severity vulnerabilities
➢ Known for years (1972: the Anderson report describes it; 1988: the Morris worm exploits one in fingerd ...)
What can be done?
➢ track usage of risky functions (strcpy ;)
➢ check size constraints on function calls
➢ when the constraints don't hold → raise a warning
➢ use code review/tests to confirm the bug
Statically Detecting Likely Buffer Overflow Vulnerabilities, David Larochelle and David Evans (USENIX Security 2001)
➢ Using LCLint (now splint)
➢ Annotate libc headers
➢ Verify constraints on buffer reads/writes
Running splint on the ugly/main program above flags the strcpy(buf, src) call:

Possible out-of-bounds store: strcpy(buf, src)
[...]
A memory write may write to an address beyond the allocated buffer.
```c
/* Hand-rolled strcpy: copies bytes until src's terminator, has no bound on dst,
   and never writes the terminator into dst either. */
void mystrcpy(char *dst, char *src)
{
    for (; *src != '\0'; src += 1, dst += 1)
        *dst = *src;
}

static void ugly(char *src)
{
    char buf[8];
    mystrcpy(buf, src);
}

int main(int argc, char *argv[])
{
    if (argc > 1) {
        ugly(argv[1]);
    }
    return 0;
}
```

Detected! The unbounded write through dst is caught even though it is not a libc call.
```c
#include <stdlib.h>
#include <string.h>

static void ugly2(char *src)
{
    char *buf1 = malloc(8);
    char buf2[8];
    strncpy(buf1, src, 8);   /* writes no NUL when strlen(src) >= 8 */
    strcpy(buf2, buf1);      /* then reads past buf1 and can overflow buf2 */
    free(buf1);
}

int main(int argc, char *argv[])
{
    if (argc > 1)
        ugly2(argv[1]);
    return 0;
}
```

Detected! A true positive: after the strncpy, buf1 is only NUL-terminated when the input is shorter than 8 bytes.
```c
#include <stdlib.h>
#include <string.h>

static void ugly2(char *src)
{
    char *buf1 = malloc(8);
    char buf2[8];
    strncpy(buf1, src, 8);
    buf1[7] = '\0';          /* strlen(buf1) <= 7, so buf1 fits in buf2 */
    strcpy(buf2, buf1);
    free(buf1);
}

int main(int argc, char *argv[])
{
    if (argc > 1)
        ugly2(argv[1]);
    return 0;
}
```

False warning! The explicit terminator bounds strlen(buf1) to 7, so strcpy writes at most 8 bytes into buf2, but splint still reports the call.
```c
#include <stdlib.h>
#include <string.h>

static void ugly2(char *src)
{
    char *buf1 = malloc(8);
    char buf2[8];
    strncpy(buf1, src, 7);   /* still no NUL when strlen(src) >= 7 */
    strcpy(buf2, buf1);      /* buf1[7] is uninitialised heap memory */
    free(buf1);
}

int main(int argc, char *argv[])
{
    if (argc > 1)
        ugly2(argv[1]);
    return 0;
}
```

No warning! A false negative: with n = 7 strncpy still writes no terminator when strlen(src) >= 7, and malloc does not zero memory, so buf1[7] may be garbage and the strcpy can still overrun buf2.
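The recipe from the "What can be done?" slide (track risky functions, check size constraints, warn when they do not hold) and the four splint verdicts above can be reproduced with a very small bounds checker. The following is an added example, my own code and not splint: the four snippets are transcribed by hand into a tuple-based IR (there is no C parser here; the statement encoding is hypothetical), and the checker tracks, for each buffer, its capacity and an upper bound on the index of a guaranteed NUL terminator. It warns whenever a copy cannot be shown to fit, so it reports the n = 7 case that splint missed and stays quiet on the buf1[7] = '\0' case that splint flagged.

```python
# Added example, not from the slides and not splint: a toy bounds checker over a
# hand-written IR of the C snippets above.
INF = float("inf")

# IR statements (my own encoding):
#   ("param", name)            string argument of unknown length, e.g. argv[1]
#   ("stack", name, size)      char name[size];
#   ("malloc", name, size)     char *name = malloc(size);  (uninitialised)
#   ("nul", name, idx)         name[idx] = '\0';
#   ("strcpy", dst, src)       strcpy(dst, src);
#   ("strncpy", dst, src, n)   strncpy(dst, src, n);
#   ("free", name)             free(name);

def analyze(stmts):
    """Return the warnings for one straight-line snippet.
    cap[b]    = capacity of buffer b in bytes
    maxlen[b] = upper bound on the index of the first NUL in b (INF: no guarantee)"""
    cap, maxlen, warnings = {}, {}, []
    for i, stmt in enumerate(stmts):
        op, name = stmt[0], stmt[1]
        if op == "param":
            cap[name], maxlen[name] = INF, INF
        elif op in ("stack", "malloc"):          # contents are garbage until written
            cap[name], maxlen[name] = stmt[2], INF
        elif op == "nul":
            idx = stmt[2]
            if idx >= cap[name]:
                warnings.append(f"{i}: out-of-bounds store {name}[{idx}]")
            maxlen[name] = min(maxlen[name], idx)
        elif op == "strcpy":                     # writes strlen(src) + 1 bytes into dst
            src = stmt[2]
            if maxlen[src] + 1 > cap[name]:
                warnings.append(f"{i}: possible out-of-bounds store: strcpy({name}, {src})")
            maxlen[name] = maxlen[src]
        elif op == "strncpy":                    # writes exactly n bytes into dst
            src, n = stmt[2], stmt[3]
            if n > cap[name]:
                warnings.append(f"{i}: strncpy writes {n} bytes into {name} of size {cap[name]}")
            # strncpy NUL-terminates only when strlen(src) < n; otherwise dst's first
            # NUL is wherever it was before, and nothing guaranteed one was there.
            maxlen[name] = maxlen[src] if maxlen[src] < n else INF
        elif op == "free":
            cap.pop(name, None)
            maxlen.pop(name, None)
        else:
            raise ValueError(f"unsupported statement {stmt!r}")
    return warnings

# The four snippets from the slides, transcribed by hand into the IR.
UGLY = [("param", "src"), ("stack", "buf", 8), ("strcpy", "buf", "src")]
UGLY2_UNTERMINATED = [("param", "src"), ("malloc", "buf1", 8), ("stack", "buf2", 8),
                      ("strncpy", "buf1", "src", 8), ("strcpy", "buf2", "buf1"), ("free", "buf1")]
UGLY2_TERMINATED = [("param", "src"), ("malloc", "buf1", 8), ("stack", "buf2", 8),
                    ("strncpy", "buf1", "src", 8), ("nul", "buf1", 7),
                    ("strcpy", "buf2", "buf1"), ("free", "buf1")]
UGLY2_N7 = [("param", "src"), ("malloc", "buf1", 8), ("stack", "buf2", 8),
            ("strncpy", "buf1", "src", 7), ("strcpy", "buf2", "buf1"), ("free", "buf1")]

def report():
    """Warnings per snippet; compare with splint's verdicts on the slides."""
    return {"ugly": analyze(UGLY),
            "ugly2 (strncpy 8)": analyze(UGLY2_UNTERMINATED),
            "ugly2 (buf1[7] = 0)": analyze(UGLY2_TERMINATED),
            "ugly2 (strncpy 7)": analyze(UGLY2_N7)}

if __name__ == "__main__":
    for snippet, warnings in report().items():
        print(snippet, "->", warnings or "no warning")
```

The checker is sound for these statement kinds because it never assumes a terminator it has not seen written; that is exactly the assumption splint's strncpy model makes and pays for with the missed n = 7 case. It handles straight-line code only: branches and loops would need the data-flow machinery from the earlier slides, and the mystrcpy example would need a summary of what the callee writes.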
Clang Analyzer

clang static analyzer:
➢ analysis runs on the AST built by the semantic pass
➢ reusable C++ library
➢ you can implement your own checker
➢ Complete C/C++/ObjC parser
➢ Full AST traversal
➢ Some checkers already available
➢ Still a little bit messy
➢ Out-of-the-box install doesn't seem to detect simple buffer overflows (the array-bounds checkers live in the alpha.security package and are off by default; enable one with scan-build -enable-checker alpha.security.ArrayBoundV2)
Errors and Vulnerabilities
➢ Static analysis detects possible code errors
➢ Code errors may be triggered by attackers
➢ Code errors may be exploitable
➢ Eliminating errors is important
➢ Any error may eventually become a vulnerability
➢ Static analysis can help a lot
➢ Probably best applied during the development cycle, when fixes are cheap
➢ Specific analyses only identify known classes of flaws
➢ Too many spurious warnings
➢ Quality is a matter of involvement
○ People don't review their code, so why would they analyze it?
○ Beta testing will be done by users
○ As long as it works ...