software security - static analysis tools
Software Security
Static analysis tools
Presented by Emanuela Boroș
“Al. I. Cuza” University, Faculty of Computer Science
Master of Software Engineering, II
1. What is Static Analysis?
2. Static Analysis Advantages
3. Static Analysis Tools for C/C++, Java
4. Samples
What is Static Analysis?
● performed without executing the software being analysed
● performed by an automated tool
Static Analysis Advantages
● improve the quality and reliability of embedded systems software
● significant reductions in development testing and field failures
● care is needed when a large amount of code is used in development projects
● can detect
  ● buffer overflows
  ● security vulnerabilities
  ● memory leaks
  ● timing anomalies (such as race conditions, deadlocks, and livelocks)
  ● dead or unused source code segments
  ● and other common programming mistakes
Static Analysis Tools

| Software Tool | Domain | Responsible Party | Languages | Platforms |
|---|---|---|---|---|
| CodeSonar | Commercial | Grammatech | C, C++ | Windows |
| Coverity | Commercial | Coverity, Inc. | C, C++ | Windows |
| CodeSurfer | Commercial | Grammatech | C, C++ | Windows |
| FlawFinder | GPL | David A. Wheeler | C, C++ | UNIX |
| ITS4 | Commercial | Cigital | C, C++ | Linux, Solaris, Windows |
| Java PathFinder | Academic | NASA Ames | Java | Any JVM compatible platform |
| JLint | Academic | Konstantin Knizhnik, Cyrille Artho | Java | Any JVM compatible platform |
| PREfix and PREfast | Commercial | Microsoft | C, C++, C# | Windows |
| RATS | Academic | Secure Software | C, C++ | Windows, Unix |
| Splint | Academic | University of Virginia, Department of Computer Science | C | Windows, Unix, Linux |
C/C++
rats-2.3
● Rough Auditing Tool for Security
● open source tool
● C, C++, Perl, PHP and Python source code
● rough analysis of source code
● manual inspection of the code is still necessary, but greatly aided with this tool
● error messages controlled by XML reporting filters (requires the XML tool expat to also be installed)
● configure the level of output
● alternative vulnerability databases
● buffer overflows and TOCTOU (Time Of Check, Time Of Use) race conditions
● extremely simple
● scans through a file (lexically) looking for syntactic matches based on several simple rules that might indicate possible security vulnerabilities
● “use of strcpy() should be avoided”
● uses greedy pattern matching
● "printf" will match not only "printf()" calls but also "vsnprintf()"
● the authors of RATS and Flawfinder, by the way, plan to coordinate their development efforts to produce a high quality, open-source development tool
Usage
    rats [-d <path>] [-h] [-r] [-w <1,2,3>] [-x] [file1 file2 ... filen]
Options explained:
-d Specifies a vulnerability database to be loaded. You may have multiple -d options, and each database specified will be loaded.
-h Displays a brief usage summary.
-i Causes a list of function calls that were used which accept external input to be produced at the end of the vulnerability report.
-l Forces the specified language to be used regardless of filename extension. Currently valid language names are "c", "perl", "php" and "python".
-r Causes references to vulnerable function calls that are not being used as calls themselves to be reported.
-w Sets the warning level. Valid levels are 1, 2 or 3. Warning level 1 includes only default and high severity; level 2 also includes medium severity and is the default; level 3 also includes low severity vulnerabilities.
-x Causes the default vulnerability databases not to be loaded.
Samples
Issue: fixed size global buffer
Severity: High
Extra care should be taken to ensure that character arrays that are allocated on the stack are used safely. They are prime targets for buffer overflow attacks.
    int main(int argc, char *argv[]) {
        char dir[1024];
        char cmd[1200];
        char buff[1024];
        ...
Issue: sprintf
Severity: High
Check to be sure that the format string passed as argument 2 to this function call does not come from an untrusted source that could have added formatting characters that the code is not prepared to handle. Additionally, the format string could contain `%s' without precision that could result in a buffer overflow.
    if (getenv("HOME") != NULL) {
        sprintf(dir, "%s", getenv("HOME"));
    }
    ...
Issue: strcpy
Severity: High
Check to be sure that argument 2 passed to this function call will not copy more data than can be handled, resulting in a buffer overflow.
    if (argc == 2) {
        strcpy(dir, argv[1]);
    }
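The two operations RATS flags in the sample program can be replaced with bounded equivalents without changing what the program does on valid input. The following is an added example written for this page; it is not the sample program's code and not RATS output. The buffer size of 1024 is taken from the sample, while the function names `copy_home_dir` and `copy_dir_arg` and the error-handling policy (refuse rather than truncate) are choices made here.

```c
/* Added example (not from the slides or from RATS): bounded replacements for
 * the sprintf and strcpy calls that RATS flagged in the sample program.
 * DIR_SIZE mirrors the sample's dir[1024]; the function names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DIR_SIZE 1024

/* Flagged original:  sprintf(dir, "%s", getenv("HOME"));
 * HOME is attacker-influenced in setuid and CGI contexts and its length is
 * unbounded. Hardened form: snprintf with the real buffer size, and treat
 * truncation as an error instead of continuing with a clipped path.
 * Returns 0 on success, -1 if home is NULL or does not fit. */
int copy_home_dir(char *dst, size_t dstlen, const char *home)
{
    if (home == NULL || dstlen == 0)
        return -1;
    int n = snprintf(dst, dstlen, "%s", home);
    if (n < 0 || (size_t)n >= dstlen) {
        dst[0] = '\0';          /* do not leave a partial path behind */
        return -1;
    }
    return 0;
}

/* Flagged original:  strcpy(dir, argv[1]);
 * Hardened form: measure with an explicit bound, then copy exactly len + 1
 * bytes. strncpy alone is not enough, since it does not NUL-terminate when
 * the source is too long. Returns 0 on success, -1 if arg does not fit. */
int copy_dir_arg(char *dst, size_t dstlen, const char *arg)
{
    if (arg == NULL || dstlen == 0)
        return -1;
    size_t len = 0;
    while (len < dstlen && arg[len] != '\0')   /* bounded strlen */
        len++;
    if (len >= dstlen)                         /* needs len + 1 bytes */
        return -1;
    memcpy(dst, arg, len + 1);
    return 0;
}

/* Stand-alone driver following the sample's control flow. */
int main(int argc, char *argv[])
{
    char dir[DIR_SIZE] = "";
    if (copy_home_dir(dir, sizeof dir, getenv("HOME")) != 0)
        fprintf(stderr, "HOME unset or too long\n");
    if (argc == 2 && copy_dir_arg(dir, sizeof dir, argv[1]) != 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", DIR_SIZE - 1);
        return 1;
    }
    printf("dir = %s\n", dir);
    return 0;
}
```

Both helpers return an error rather than silently truncating because a clipped directory path is itself a bug (the program would go on to operate on the wrong directory); a scanner such as RATS stops warning once `strcpy`/`sprintf` are gone, but the length check is what actually closes the overflow.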
Caveats
● the lack of any preprocessing, so no macros or definitions are expanded
    #define p(x) printf ## x
    char *string1, *string2;
    /* stuff happens ... */
    p((string1));        /* insecure! */
    p((string2));        /* insecure! */
    p(("%s", string1));  /* correct! */
● RATS produces only one warning, at the macro definition, and none at the uses of the macro
● insecure calls can be made multiple times, which will go unnoticed by the code scanner
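To make concrete what "scans through a file lexically looking for syntactic matches" means, and to reproduce both the greedy-matching behaviour (`printf` matching `vsnprintf`) and the unexpanded-macro caveat above, here is an added toy scanner in C. It is example code written for this page, not RATS source and not from the slides; the rule list, the sample source lines and the helper names (`count_greedy`, `count_call`, `scan_lines`) are all constructed for illustration. It runs two rules over the same input: a greedy substring match, and a stricter match that requires a whole identifier followed by `(`. Neither rule sees the insecure `p((string1))` calls, because the macro is never expanded.

```c
/* Added example for this page (not RATS source): a toy lexical scanner in the
 * spirit of RATS, used to show greedy matching and the macro caveat.
 * The rule list and the sample source lines below are constructed. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Function names the toy scanner warns about (a tiny stand-in for a
 * vulnerability database). */
static const char *const RULES[] = { "strcpy", "sprintf", "printf" };
#define NRULES (sizeof RULES / sizeof RULES[0])

/* Constructed input: the macro example from the slides plus a few lines
 * chosen to trigger greedy matches. */
static const char *const SAMPLE[] = {
    "#define p(x) printf ## x",                 /* 1: macro definition       */
    "char *string1, *string2;",                 /* 2                         */
    "p((string1));",                            /* 3: insecure, via macro    */
    "p((\"%s\", string1));",                    /* 4: correct, via macro     */
    "vsnprintf(buf, sizeof buf, fmt, ap);",     /* 5: bounded call           */
    "strcpy(dir, argv[1]);",                    /* 6: genuine finding        */
    "my_strcpy_wrapper(dir, src);",             /* 7: identifier, not a call */
    "sprintf(dir, \"%s\", getenv(\"HOME\"));",  /* 8: genuine finding        */
};
#define NSAMPLE (sizeof SAMPLE / sizeof SAMPLE[0])

static int is_ident_char(int c) { return isalnum(c) || c == '_'; }

/* Greedy rule: count every substring occurrence of pat in line. */
int count_greedy(const char *line, const char *pat)
{
    int hits = 0;
    size_t plen = strlen(pat);
    for (const char *p = strstr(line, pat); p != NULL; p = strstr(p + plen, pat))
        hits++;
    return hits;
}

/* Stricter rule: pat must be a whole identifier followed by '('. */
int count_call(const char *line, const char *pat)
{
    int hits = 0;
    size_t plen = strlen(pat);
    for (const char *p = strstr(line, pat); p != NULL; p = strstr(p + plen, pat)) {
        if (p > line && is_ident_char((unsigned char)p[-1]))
            continue;                      /* e.g. "vsnprintf", "my_strcpy" */
        const char *q = p + plen;
        if (is_ident_char((unsigned char)*q))
            continue;                      /* e.g. "strcpy_wrapper" */
        while (*q == ' ' || *q == '\t')
            q++;
        if (*q == '(')
            hits++;
    }
    return hits;
}

/* Scan every line with every rule, print findings, return the total count. */
int scan_lines(const char *const lines[], int nlines, int strict)
{
    int total = 0;
    for (int i = 0; i < nlines; i++) {
        for (size_t r = 0; r < NRULES; r++) {
            int hits = strict ? count_call(lines[i], RULES[r])
                              : count_greedy(lines[i], RULES[r]);
            if (hits > 0) {
                printf("  line %d: %-8s %s\n", i + 1, RULES[r], lines[i]);
                total += hits;
            }
        }
    }
    return total;
}

int main(void)
{
    printf("greedy matching:\n");
    int g = scan_lines(SAMPLE, (int)NSAMPLE, 0);   /* 6 findings, several are noise */
    printf("strict matching:\n");
    int s = scan_lines(SAMPLE, (int)NSAMPLE, 1);   /* 2 findings */
    printf("greedy=%d strict=%d; p((string1)) was never flagged\n", g, s);
    return 0;
}
```

The greedy rule reports the `#define` line (the "one error in the definition" from the slide), the bounded `vsnprintf`, the wrapper whose name merely contains `strcpy`, and `sprintf` twice (once as `sprintf`, once as `printf`). Tightening the rule removes that noise but also removes the only warning near the macro, so the two insecure `p((...))` uses are invisible to both rules; catching them needs a preprocessed view of the source or a reviewer, which is the slides' point that the tool aids auditing rather than replacing it.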
Conclusions
● source code scanners can help improve the state of your code, in development or afterwards
● these tools assist you in the auditing process; they do not automate it