Muhammad Rizwan Asghar
September 1, 2020
STATIC & DYNAMIC ANALYSIS
Lecture 16a
COMPSCI 316
Cyber Security
FOCUS OF THIS LECTURE
Learn program analysis
Understand static and dynamic analysis
Explain concolic execution
PROGRAM ANALYSIS
The process of analysing the behaviour of programs
The main goal is to find problems in code
Program analysis can be performed
– without execution (static analysis)
– during runtime (dynamic analysis)
– by combining both (concolic execution)
STATIC ANALYSIS
Analysis without actually executing a program
Static analysis typically discovers properties that hold for all executions
Full coverage of source or binary
Program-centric
A kind of white box testing
Scalable
Accuracy issues
Can be run before dynamic analysis
DYNAMIC ANALYSIS
Analysis made by running a program
Exposes vulnerabilities in the deployment environment
Difficult to generate and test all possibilities
Limited coverage
More accurate
Input-centric
A kind of black box testing
Can be run after static analysis
CONTROL FLOW ANALYSIS
It is typically a static analysis technique for determining the control flow of a program
– Note that static analysis might be insufficient if a program loads code dynamically
The control flow is expressed as a Control Flow Graph (CFG)
DATA FLOW ANALYSIS
A technique for gathering information about the possible set of values at specific points
A CFG is used to determine those values
A simple way is to set up data flow equations
PROGRAM SLICING
Reducing the program to the minimum form that still produces the selected behaviour
The reduced program is called a slice
In general, finding a minimal slice is an undecidable problem
It is possible to obtain approximate slices using a data flow algorithm
Used by developers during debugging to locate the source of errors
SYMBOLIC EXECUTION
Executing the program with symbolic-valued input instead of concrete values
A static analysis technique
A path condition is the constraint over the inputs that must hold to follow a given path
Program paths form an execution tree
C PROGRAM WITH CFG
#define ERROR -1

int test(int x, int y)
{
    if (x == 10)
    {
        if (x < 2*y) {
            return ERROR;   /* the error path: x == 10 and x < 2*y */
        }
    }
    return 0;
}
Static analysis returns the path conditions
However, it gives no information about the actual runtime behaviour
[CFG of test(): node if (x == 10) has edges x≠10 (leaf: x≠10, y=*) and x=10 leading to node if (x < 2*y), whose edges are x ≥ 2*y (leaf: x=10, y≤5) and x < 2*y (leaf: x=10, y>5, reaching ERROR)]
C PROGRAM WITH CFG:
ISSUE WITH DYNAMIC ANALYSIS
#define ERROR -1

int test(int x, int y)
{
    if (x == 10)
    {
        if (x < 2*y) {
            return ERROR;   /* the error path: x == 10 and x < 2*y */
        }
    }
    return 0;
}
Dynamic analysis can be useful
However, there are too many possible values of x and y to test them all
[CFG of test(): node if (x == 10) has edges x≠10 (leaf: x≠10, y=*) and x=10 leading to node if (x < 2*y), whose edges are x ≥ 2*y (leaf: x=10, y≤5) and x < 2*y (leaf: x=10, y>5, reaching ERROR)]
CONCOLIC EXECUTION
Concolic = Concrete + Symbolic
Concrete execution
– A program takes one path based on input values
– A form of dynamic analysis
Also called dynamic symbolic execution
Used for analysing complex programs
C PROGRAM WITH CFG:
CONCOLIC EXECUTION START
#define ERROR -1

int test(int x, int y)
{
    if (x == 10)
    {
        if (x < 2*y) {
            return ERROR;   /* the error path: x == 10 and x < 2*y */
        }
    }
    return 0;
}
Choose x=0 and y=0
Get the trace
[CFG of test() with the concrete run marked: x=0, y=0 takes the x≠10 edge of if (x == 10) (leaf: x=0, y=0); the x=10 edge to if (x < 2*y) and its leaves (x=10, y>5) and (x=10, y≤5) are not yet explored]
C PROGRAM WITH CFG:
CONCOLIC EXECUTION CONTINUE
#define ERROR -1

int test(int x, int y)
{
    if (x == 10)
    {
        if (x < 2*y) {
            return ERROR;   /* the error path: x == 10 and x < 2*y */
        }
    }
    return 0;
}
Negate the last path condition (x≠10 becomes x=10)
Choose x=10 and y=0
[CFG of test() with the concrete runs marked: x=10, y=0 takes the x=10 edge of if (x == 10) and then the x ≥ 2*y edge of if (x < 2*y) (leaf: x=10, y=0); explored leaves so far: (x=0, y=0) and (x=10, y=0); the x < 2*y edge (leaf: x=10, y>5) remains unexplored]
C PROGRAM WITH CFG:
CONCOLIC EXECUTION END
#define ERROR -1

int test(int x, int y)
{
    if (x == 10)
    {
        if (x < 2*y) {
            return ERROR;   /* the error path: x == 10 and x < 2*y */
        }
    }
    return 0;
}
Negate the last path condition (x ≥ 2*y becomes x < 2*y, i.e. y > 5 when x=10)
Choose x=10 and y=6
[CFG of test() with the concrete runs marked: x=10, y=6 takes the x=10 edge of if (x == 10) and then the x < 2*y edge of if (x < 2*y), reaching ERROR (leaf: x=10, y=6); explored leaves: (x=0, y=0), (x=10, y=0) and (x=10, y=6), so every path of the program has now been covered]
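The three concolic steps above, together with the path conditions from the static CFG slide, as an added example that is not part of the lecture: a small Python driver that runs the lecture's test(x, y) concretely, records the path conditions of the trace, negates the last one and solves for new inputs. It assumes a brute-force search over 0..20 in place of an SMT solver, and the names lecture_test, trace, solve and concolic are my own.

```python
ERROR = -1

def lecture_test(x, y):
    """The lecture's test(x, y): returns ERROR only on the path x == 10, x < 2*y."""
    if x == 10:
        if x < 2 * y:
            return ERROR
    return 0

# The two branch conditions of the program as named predicates, so the driver can
# record a concrete trace and later check candidate inputs against a wanted path.
BRANCHES = {"x == 10": lambda x, y: x == 10,
            "x < 2*y": lambda x, y: x < 2 * y}

def trace(x, y):
    """Concrete run: tuple of (condition, outcome) pairs for the path taken."""
    path = (("x == 10", x == 10),)
    if x == 10:  # the inner branch is only reached on the x == 10 edge
        path += (("x < 2*y", x < 2 * y),)
    return path

def solve(target, lo=0, hi=20):
    """Stand-in for an SMT solver (an assumption, not the lecture's method): brute
    force the box [lo, hi]^2, returning the first (x, y) that satisfies every
    (condition, wanted outcome) pair in target, or None if there is none."""
    for x in range(lo, hi + 1):
        for y in range(lo, hi + 1):
            if all(BRANCHES[c](x, y) == want for c, want in target):
                return (x, y)
    return None

def concolic(x=0, y=0):
    """The lecture's loop: run concretely, negate the last path condition, solve
    for inputs that take the other edge, repeat. If the other direction of the
    last condition is already explored, back off to an earlier condition; stop
    when no condition can be flipped to a new, satisfiable path."""
    explored, seen, inputs = [], set(), (x, y)
    while inputs is not None:
        path = trace(*inputs)
        seen.add(path)
        explored.append((inputs, path, lecture_test(*inputs)))
        inputs = None
        for i in range(len(path) - 1, -1, -1):
            cond, taken = path[i]
            target = path[:i] + ((cond, not taken),)
            if any(p[:len(target)] == target for p in seen):
                continue  # that branch direction has already been covered
            inputs = solve(target)
            if inputs is not None:
                break
    return explored
```

Starting from x=0, y=0 the driver reproduces the lecture's sequence exactly: (0, 0), then (10, 0), then (10, 6), which reaches ERROR, after which no unexplored branch direction remains.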
SAMPLE QUESTION
Which one of the following best describes
Concolic Execution?
a) It is static analysis
b) It is dynamic analysis
c) Static analysis followed by dynamic analysis
d) Dynamic analysis followed by static analysis
SAMPLE QUESTION: ANSWER
Which one of the following best describes
Concolic Execution?
a) It is static analysis
b) It is dynamic analysis
c) Static analysis followed by dynamic analysis
d) Dynamic analysis followed by static analysis
Answer) c
SUMMARY
Static analysis tools inspect programs without executing code
Dynamic analysis tools test programs on input values
Concolic execution combines static analysis followed by dynamic analysis
In our examples, we did not consider integer overflow for the sake of simplicity
– Integer overflow can affect the analysis!
RESOURCES
OWASP Source Code Analysis Tools, https://www.owasp.org/index.php/Source_Code_Analysis_Tools
Analysis Tools, https://appsecwiki.com/#/mobilesecurity
Cadar, Cristian, and Koushik Sen, Symbolic Execution for Software Testing: Three Decades Later, Commun. ACM 56, no. 2 (2013): 82-90, available at https://cacm.acm.org/magazines/2013/2/160161-symbolic-execution-for-software-testing/fulltext or http://people.eecs.berkeley.edu/~raluca/cs261-f15/readings/symb.pdf
Questions?
Thanks for your attention!