Page 1: Static Analysis of the VoteHere VHTi Reference Implementation Using Flawfinder and RATS
Markus Dale
December 2005

Page 2: Outline
Results
New and Significant
Static Analysis and Limitations
Previous Work
Flawfinder/RATS
VoteHere Sentinel and VHTi Reference Implementation
Static Analysis Results
Future Work
References

Page 3: Results
Static analysis with Flawfinder and RATS found only 19 potential security problems in over 10,000 lines of source code.
The security problems must be mitigated from within the system that uses the VHTi Reference Implementation API.
Different static analysis tools have different trade-offs. Use as many tools as possible.
False positives can consume a large amount of time.

Page 4: New and Significant
Applies the Flawfinder and RATS open source static analysis tools to the VoteHere VHTi Reference Implementation.
Compares the performance of Flawfinder and RATS against the VHTi Reference Implementation.

Page 5: Static Analysis
Compiled from the Michael/Lavenhar paper:
Potentially insecure library functions
– Database of vulnerabilities
Type confusion between references and pointers
Detect memory allocation errors
– Double free, write to freed memory, buffer overflow
Temporal safety constraints (ordered steps)
Data flow analysis – tainted variables
Pointer aliasing analysis – two pointers to the same memory location

Page 6: Limitations of Static Analysis
Problem bounded by Rice's Theorem:
– there exists no automatic method that decides with generality non-trivial questions on the black-box behavior of computer programs (Wikipedia)
False positives vs. false negatives trade-offs
Analysis scope: local, module, or whole program

Page 7: Previous Work
Static Analysis Best Practice by the DHS Build Security In site (also an overview of tools)
Microsoft SLAM project: Static Driver Verifier uses the Specification Language for Interface Checking to encode temporal safety constraints (Ball/Rajamani)
MOPS – Model Checking Programs for Security Properties (Chen/Wagner)

Page 8: More Previous Work
Flanagan et al.: ESC/Java
– Automated theorem prover: null references, array bounds errors, type cast errors, race conditions
Livshits: DynaMine
– Adds revision history information
Blanchet et al.: Static Analyzer for Large Safety-Critical Software – refinements and parameterization

Page 9: Flawfinder
David Wheeler, author of the Secure Programming for Linux and Unix HOWTO; latest release 2004
Uses lexical analysis and a database of risky functions for C/C++:
Buffer overflow risks
– e.g., strcpy(), strcat(), gets(), sprintf(), scanf()
Format string problems
– [v][f]printf(), [v]snprintf(), and syslog()
Time Of Check to Time Of Use (TOCTOU) race conditions
Poor random number acquisition

Page 10: Rough Auditing Tool for Security (RATS)
By Secure Software; latest release 2002
Commercial offering: CodeAssure
Lexical analysis and database for
– C/C++
– Perl, PHP, Python
Buffer overflow problems
TOCTOU race conditions
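To make the lexical approach of both tools concrete, here is an added toy scanner in C++ (example code written for this summary, not Flawfinder's or RATS's): a small constructed table of risky calls with assumed risk levels, matched by a regular expression against constructed source lines. Because the match is purely lexical, the size-checked memcpy shown on page 16 is reported at the same level as an unguarded one, which is where the false positives tallied on page 19 come from.

```cpp
#include <cstdio>
#include <map>
#include <regex>
#include <string>
#include <vector>
// One report line, shaped like the Flawfinder output on page 15:
// source line number, function name, risk level (0 least, 5 highest).
struct Finding {
    int line;
    std::string func;
    int level;
};

// Constructed rule table; levels are this example's assumption, loosely
// following Flawfinder. The real databases are far larger.
static const std::map<std::string, int> kRules = {
    {"gets", 5},  {"strcpy", 4}, {"strcat", 4}, {"sprintf", 4},
    {"scanf", 4}, {"getenv", 3}, {"memcpy", 2}, {"printf", 4},
};

// Lexical scan: any identifier from the table followed by '(' is reported.
// No data-flow or control-flow analysis, so a call guarded by a length check
// (as on page 16) is flagged exactly like an unguarded one.
std::vector<Finding> scan(const std::vector<std::string>& lines) {
    static const std::regex call(R"(\b([A-Za-z_]\w*)\s*\()");
    std::vector<Finding> out;
    for (size_t i = 0; i < lines.size(); ++i) {
        for (auto it = std::sregex_iterator(lines[i].begin(), lines[i].end(), call);
             it != std::sregex_iterator(); ++it) {
            auto rule = kRules.find((*it)[1].str());
            if (rule != kRules.end())
                out.push_back({static_cast<int>(i) + 1, rule->first, rule->second});
        }
    }
    return out;
}

// Constructed sample: the guarded memcpy pattern from page 16 plus a getenv.
static const std::vector<std::string> kSample = {
    "if (sizeof (iv) != initialization_vector.size ())",
    "    throw VHUtil::Exception (\"bad iv length\");",
    "memcpy (iv, initialization_vector.data (), initialization_vector.size ());",
    "const char *home = getenv (\"HOME\");",
    "size_t n = strlen (home);",
};
int main() {
    for (const Finding& f : scan(kSample))  // both hits are reported, guard or not
        std::printf("sample.cpp:%d: [%d] %s\n", f.line, f.level, f.func.c_str());
    return 0;
}
```

Deciding which of the two reports is a real problem is the manual triage step the slides describe; the scanner cannot tell that the first one is already mitigated.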

Page 11: VoteHere Sentinel
Add-on to the Diebold AccuVote-TS to independently verify election results
Based on Neff's e-voting secure shuffle, implemented as the VHTi Reference Implementation
Reference Implementation freely downloadable

Page 12: VHTi Reference Implementation Docs
API Developer's Guide
– How to build, third-party libs, usage, security concerns, DTDs for XML data structures
Known Issues doc
– Results from reviews
VHTi Threat Analysis doc
– Attack tree and mitigation techniques

Page 13: VHTi Reference Implementation

Page 14: RATS: getenv warning
./util/result.cpp:625: High: getenv
./util/vh_cout.cpp:123: High: getenv
Environment variables are highly untrustable input. They may be of any length, and contain any data. Do not make any assumptions regarding content or length. If at all possible avoid using them, and if it is necessary, sanitize them and truncate them to a reasonable length.
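An added example of the mitigation RATS recommends here, written for this summary rather than taken from the VHTi code: the raw getenv() value is truncated to a caller-chosen length and stripped of non-printable bytes before anything else sees it, with an unset variable handled as an empty result. The names sanitize_env_value and read_env_bounded and the printable-ASCII policy are this example's assumptions.

```cpp
#include <cstdio>
#include <cstdlib>
#include <string>

// Policy assumed for this example (not VHTi's code): keep at most max_len
// bytes of the value and drop every byte outside printable ASCII, so the
// caller gets a bounded, control-character-free string. An empty result
// means "unset or nothing usable": the caller must fall back to a default.

// Pure helper so the rule is testable without touching the process
// environment. raw == nullptr models an unset variable.
std::string sanitize_env_value(const char* raw, size_t max_len) {
    std::string out;
    if (raw == nullptr) return out;
    // Stop at max_len even if no terminator has been seen yet: RATS' point
    // is that the value may be of any length.
    for (size_t i = 0; i < max_len && raw[i] != '\0'; ++i) {
        unsigned char c = static_cast<unsigned char>(raw[i]);
        if (c >= 0x20 && c < 0x7f) out.push_back(static_cast<char>(c));
    }
    return out;
}

// The only place the flagged call appears; everything downstream sees the
// sanitised, truncated copy rather than the raw environment pointer.
std::string read_env_bounded(const char* name, size_t max_len) {
    return sanitize_env_value(std::getenv(name), max_len);
}

int main() {
    // Constructed lookup of a variable name chosen to be unset.
    std::string value = read_env_bounded("VHTI_EXAMPLE_UNSET", 64);
    if (value.empty()) std::puts("unset or unusable: using built-in default");
    else std::printf("value: %s\n", value.c_str());
    return 0;
}
```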

Page 15: Flawfinder: Warning about memcpy
./pki/crypt.cpp:244: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination. Make sure destination can always hold the source data.

Page 16: Memcpy Mitigation
    // Reject an IV whose length does not match the fixed-size destination
    // buffer before the flagged memcpy runs.
    if (sizeof (iv) != initialization_vector.size ())
    {
        ...
        throw VHUtil::Exception (...)
    }
    memcpy (iv,
            initialization_vector.data (),
            initialization_vector.size ());

Page 17: Flawfinder Vulnerabilities (chart)
Bar chart of Potential Vulnerability Count versus Actual Problem Count; x-axis: Level of Vulnerability (0 least risk, 5 highest risk); y-axis: Vulnerability Count (0 to 50).

Page 18: RATS Vulnerabilities (chart)
Bar chart of Potential Vulnerability Count versus Actual Vulnerability Count; x-axis: Level of Vulnerability (Low, Medium, High); y-axis: Vulnerability Count (0 to 35).

Page 19: Results from Static Analysis
Flawfinder: 64 total / 9 actual (~7:1)
RATS: 41 total / 14 actual (~3:1)
Overlapping problems found: 4
Unique problems: 19
Statically declared arrays
– 36 unique declarations
– Flawfinder: 32; RATS: 20

Page 20: Findings
The 19 potential problems are not problems by themselves
– Defensive programming
– Library code – greatest reusability
– Must implement mitigation techniques and correct usage of the API in the implemented system

Page 21: Future Work
Use a commercial static analysis tool such as Klocwork K7, Ounce Labs Prexis or Secure Software CodeAssure
Analyze the complete source code for the VoteHere Sentinel system

Page 22: Selected References
Chess, B. & McGraw, G. (2004), 'Static analysis for security', IEEE Security & Privacy Magazine 2(6), pp. 76–79.
Flanagan, C.; Leino, K.R.M.; Lillibridge, M.; Nelson, G.; Saxe, J.B. & Stata, R. (2002), 'Extended static checking for Java', in PLDI '02: Proceedings of the ACM SIGPLAN 2002 Conference on Programming Language Design and Implementation, ACM Press, New York, NY, USA, pp. 234–245.
Martin, M.; Livshits, B. & Lam, M.S. (2005), 'Finding application errors and security flaws using PQL: a program query language', in OOPSLA '05: Proceedings of the 20th Annual ACM SIGPLAN Conference on Object-Oriented Programming, Systems, Languages, and Applications, ACM Press, New York, NY, USA, pp. 365–383.

Page 23: More Selected References
Neff, C.A. (2001), 'A verifiable secret shuffle and its application to e-voting', in CCS '01: Proceedings of the 8th ACM Conference on Computer and Communications Security, ACM Press, New York, NY, USA, pp. 116–125.
RABA (2004), 'Trusted Agent Report: Diebold AccuVote-TS Voting System', http://www.raba.com/press/TA_Report_AccuVote.pdf.
Michael, C. & Lavenhar, S.R. (2005), 'Source Code Analysis Tools -- Overview', https://buildsecurityin.us-cert.gov/portal/article/tools/code_analysis/overview.xml, published via the U.S. Department of Homeland Security Build Security In website.