www.mimos.my © 2009 MIMOS Berhad. All Rights Reserved.
Nurul Haszeli Ahmad, PM Dr Syed Ahmad Aljunid, Dr. Jamalul-Lail Ab Manan
Preventing Exploitation on Software Vulnerabilities – Why Static Analysis Failed?
Flow of content
• Exploitation on Software Vulnerabilities
• Static Analysis – What? When? How?
• Discussion
  – Why Static Analysis Failed?
  – Why not Dynamic Analysis?
  – Can Static Analysis be improved?
• Result of Discussion
• Conclusion
• Q&A
Exploitation on Software Vulnerabilities
• Software Vulnerabilities
  – Exist since programs/applications exist
  – Due to:
    1. Language behaviour (Viega & McGraw ’02, Yoran ’05)
    2. Human factors (SANS Institute ’10, Secunia ’10)
    3. Complexity of system
  – Unix Shell Command – sendmail, fingerd, and rsh/exec.
• Exploitation
  – 1988 – First exploitation
    • was unintended exploitation on fingerd command by Robert Morris Jr (Aleph One ’96)
Exploitation on Software Vulnerabilities... Continue..
Exploitation using Buffer Overflow Attack
Source: http://en.wikipedia.org/wiki/Stack_buffer_overflow
Exploitation on Software Vulnerabilities... Continue..
Figure 1: Vulnerabilities disclosed between 2000 – 2009
Source: IBM ’10, X-Force 2009 Trend and Risk Report
Figure 2: Number of malicious programs identified from 2003 – 2009
Source: Kaspersky ’09, Kaspersky Security Bulletin 2009
Exploitation on Software Vulnerabilities... Continue..
Figure 3: Sample of malicious code residing in a web page that exploits a visitor’s machine upon visiting the site.
Source: M86 Security.com ’09, Closing the Vulnerability Window in Today’s Web Environment, M86 Security Lab Report
Exploitation on Software Vulnerabilities... Continue..
• EC-Council & ISC²
Exploitation on Software Vulnerabilities... Continue..
• Impact
  – Image
  – Economy
  – Privacy
  – Death
Static Analysis – What? When? How?
• Static Analysis
  – A branch of Program Analysis
  – Started in 1974 by King – Program Comprehension
  – Being used in security for the purpose of finding and removing vulnerabilities in software as early as 2000 – Wagner
  – Binkley ’07 – “Automation process of extracting information of a program for debugging, comprehension, validations, etc”.
  – How? How is SA being applied in security?
  – 2000 – To date – > 10 techniques and > 40 tools
  – Techniques:
    • Lexical Analysis, Inter-procedural Analysis, Intra-Procedural Analysis, Abstract Interpretation, Data Flow Analysis, Symbolic Analysis, Integer Range Analysis, and Annotation Based
  – Tools:
    • BOON, ITS4, RATS, UNO, ARCHER, Flaw-Finder, F-Soft, ASTREE, SPLINT, GCC Security Analyzer, etc
  – The promise – A well verified & clean code
Discussion – Why Static Analysis Failed? ... continue
1. Lexical Analysis
  – Straightforward analysis mechanism
  – Tools – extremely fast compared to other techniques
  – Major drawback
    1. Does not consider semantics & program flow (Chess B. & McGraw G ’04, Kolmonen ’07, Zitser ’04, Walden et al. ’09)
    2. Pattern Matching (Walden et al. ’09, Sotirov ’05, Kolmonen ’07)
2. Abstract Interpretation
  – One of the earliest and most complicated techniques – established by Naur
  – The technique looks into semantics of the program
  – Using formal method with mathematical formula; such as approximation
  – Most promising technique in Static Analysis (Logozzo ’04, Ferrara ’09)
  – Major drawback (Logozzo ’04, Ferrara ’09, Lhee et al. ’02)
    1. Too complicated
    2. Constraint of mathematical formula used
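The two lexical analysis drawbacks listed above (pattern matching, no view of semantics or program flow) can be seen in a minimal token-matching scanner. This is an added example, not code from the slides or from any of the tools they name; the list of flagged calls and the four C fragments are constructed for illustration.

```python
import re

# Call names a lexical scanner might flag (illustrative subset chosen for this example).
RISKY_CALLS = ("strcpy", "strcat", "sprintf", "gets")
CALL_RE = re.compile(r"\b(" + "|".join(RISKY_CALLS) + r")\s*\(")

# Constructed C fragments: name -> (really_vulnerable, source text).
SAMPLES = {
    "unbounded_copy": (True, "void f(char *in) { char b[8]; strcpy(b, in); }"),
    "safe_constant": (False, 'void g(void) { char b[16]; strcpy(b, "ok"); }'),
    "in_comment": (False, "void h(void) { /* never call gets(buf) here */ }"),
    "manual_loop": (True, "void k(char *in) { char b[8]; int i;\n"
                          "  for (i = 0; in[i]; i++) b[i] = in[i]; }"),
}

def lexical_scan(source):
    """Return (line_number, call_name) for every textual match, ignoring context."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in CALL_RE.finditer(line):
            hits.append((lineno, match.group(1)))
    return hits

def classify(samples):
    """Compare the scanner's verdict with the ground truth for each fragment."""
    outcome = {"true_positive": [], "false_positive": [],
               "false_negative": [], "true_negative": []}
    for name, (vulnerable, source) in samples.items():
        flagged = bool(lexical_scan(source))
        if flagged:
            key = "true_positive" if vulnerable else "false_positive"
        else:
            key = "false_negative" if vulnerable else "true_negative"
        outcome[key].append(name)
    return outcome

if __name__ == "__main__":
    for key, names in classify(SAMPLES).items():
        print(f"{key}: {names}")
```

The copy of a short constant and the call name inside a comment are both flagged because only the token is matched, while the hand-written copy loop that overruns the 8-byte buffer is missed because it contains no flagged name.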
Discussion – Why Static Analysis Failed? ... continue
3. Integer Range
  – Comparable to Lexical Analysis in terms of processing speed
  – Mathematical analysis to find and prove existence of vulnerabilities
  – Looking mostly at buffer related issues.
  – Major drawback (Pozza & Sisto ’08, Kolmonen ’07, Kratkiewicz ’05, Zitser ’04, Haugh & Bishop ’03)
    1. Ignores the program semantics
    2. Wrong focus – focuses on vulnerabilities that can be mathematically proven
4. Data Flow Analysis
  – Looking into the attributes of program (variables) and path taken
  – Nagy & Mancoridis (’09) refer to it as Taint Analysis
  – Using Program Dependency Graph (PDG) or System Dependency Graph (SDG)
  – Major drawback (Nagy & Mancoridis ’09, Pozza & Sisto ’08, Kratkiewicz ’05, Zitser ’04)
    1. Requires a few iterations of analysis
    2. Implementation issues
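The data flow drawback "requires a few iterations of analysis" can be shown with a small taint propagation run to a fixpoint. This is an added example, not code from the slides; the loop body, the variable names, and the source and sink lists are constructed, and the propagation is a simplified flow-insensitive form rather than a full PDG/SDG analysis.

```python
# Constructed loop body in three-address form: (destination, [operands]).
# Values flow "backwards" through the statement order, as loop-carried variables do.
LOOP_BODY = [
    ("c", ["b"]),
    ("b", ["a"]),
    ("a", ["user_input"]),
    ("n", ["const_8"]),
]
SOURCES = {"user_input"}                     # attacker-influenced values
SINKS = [("strcpy", "c"), ("malloc", "n")]   # (call, argument it consumes)

def propagate(statements, sources, max_passes=None):
    """Propagate taint until nothing changes; return (tainted_set, passes_run)."""
    tainted = set(sources)
    passes = 0
    changed = True
    while changed and (max_passes is None or passes < max_passes):
        changed = False
        passes += 1
        for dest, operands in statements:
            if dest not in tainted and any(op in tainted for op in operands):
                tainted.add(dest)
                changed = True
    return tainted, passes

def tainted_sinks(sinks, tainted):
    """Return the calls whose argument carries tainted data."""
    return [call for call, arg in sinks if arg in tainted]

if __name__ == "__main__":
    one_pass, _ = propagate(LOOP_BODY, SOURCES, max_passes=1)
    full, passes = propagate(LOOP_BODY, SOURCES)
    print("after 1 pass:", tainted_sinks(SINKS, one_pass))
    print(f"after {passes} passes:", tainted_sinks(SINKS, full))
```

A single pass reports no tainted sink, which is a false negative; the flow from `user_input` to the `strcpy` argument only appears once the analysis has iterated to a fixpoint, and that repeated work is the cost the slide refers to.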
Discussion – Why Static Analysis Failed? ... continue
5. Annotation Based
  – Introduced by Evans et al. in 1994 (LCLINT)
  – Using annotations or specifications written together with source code which specify pre and post conditions of an attribute
  – Analysis will ensure the pre and post conditions satisfy the specifications.
  – Larochelle expanded the technique with a heuristic approach (Kratkiewicz ’05) – LCLINT later known as SPLINT
  – Major drawback (Mantere ’09, Kratkiewicz ’05, Zitser ’04, Dor et al. ’03)
    1. Requires annotation
Discussion – Why Static Analysis Failed? ... Continue
Technique                 Detection Rate   False Positive   False Negatives   Performance
Lexical Analysis          Low              High             High              Very Fast
Abstract Interpretation   High             Medium           Medium            Low
Integer Range             Low              Medium           Medium            Very Fast
Data Flow Analysis        High             Medium           Medium            Low
Annotation-based          Low              High             High              Medium
Table 1: Summary of Analysis on Static Analysis Technique
Discussion – Why Not Dynamic Analysis?
• Dynamic Analysis?
  – Based on true semantics or program flow
  – At execution time
• The advantages (Cornell ’09, Ernst ’04, Haugh & Bishop ’03)
  – No source code required
  – No assumption or annotation required
  – Accurate result
• Drawback (Zitser et al. ’04, Xie et al. ’03, Haugh & Bishop ’03)
  – Possibility of path covered
  – Possibility of DOS/DDOS
  – Performance
• Major Drawback – Cost ineffective (GrammaTech ’10, Terry et al. ’06)
Discussion – Can Static Analysis be improved?
• Few ways of improving
  1. Unification – Improving the technique itself
  2. Multiplication – Improving the tools that implement the technique
  3. Asymetrix concept – Different technique use at different time & space for better result
  4. Division concept – Unity of methods
• Our Proposal
  1. Combination of few techniques
Future Work
Improving static analysis
• Combination of method/techniques
• Improvement of the techniques
• Improvement of the tool implementing the techniques
Conclusion
With improvement on the method/technique, ways of implementing, and wider vulnerabilities coverage, Static Analysis will prevail.
A well verified code will ensure global stability & security
THANK YOU