static analysis: the art of fighting without fighting
DESCRIPTION
Presentation that contrasts static and dynamic analysis of web applications for security vulnerabilities. Describes a technique to combine static and dynamic analysis called hybrid analysis. (SummerCon 2008)TRANSCRIPT
The Art of Fighting without Fighting
“You can call it the art of fighting without fighting” –Bruce LeeEnter the Dragon, 1973
Weak Access ControlAPI MisuseBuffer OverflowPoor Code Quality (FxCop)Poor EncapsulationEnvironment MisconfigurationPoor Error HandlingPoor Input ValidationAnd More…
Dynamic Analysis involves execution (black box) More common for pen testing
Static Analysis (white box) Abstract interpretation Automation tool, Developer tool Semantics, Parsing Compiler theory, Set theory Object code, Byte code
Crawling can only audit what it can find
Cannot cover 100% of source codeLittle knowledge of applicationFalse negatives
Compiler optimizationsFramework and 3rd party lib
integration Identifying validationFalse positives
Precise Doesn’t report plausible but false
defectsSafe
Doesn’t miss defectsToo much of either can be useless
Correlation – the strength of relation between two
variablesDepends upon input detectionStatic feeds information to DynamicMeans less false negativesMeans less false positivesHybrid Analysis
STEPS:
1. Fix vulnerabilities early
2. …3. Profit
CHART:
Cross-site ScriptingResponse.Write(Request.QueryString[“isbn"]);
SQL Injectionprotected System.Web.UI.WebControls.TextBox Publisher;SqlCommand cmd = new SqlCommand(“SELECT * FROM
Books WHERE Publisher = ‘”+Publisher.Text+“’”, conn); HTTP Response Splitting
string author = Author.Text; Cookie cookie = new Cookie("author", author);
Path Traversalsting fName = Request.Form[“fileName“];File.Delete("C:\\users\\files\\" + fName);
Command Injectionstring args = “-a -o “+Request.Param[“arg”];Process.Start(“program.exe“+args);
Source Location of
injected malicious data
Http Request Post Parameters Query String
Sink Location malicious
data is used to manipulate the application
Http Response Command Query
Cross-site ScriptingResponse.Write(Request.QueryString[“isbn"]);
SQL Injectionprotected System.Web.UI.WebControls.TextBox Publisher;SqlCommand cmd = new SqlCommand(“SELECT * FROM
Books WHERE Publisher = ‘”+Publisher.Text+“’”, conn); HTTP Response Splitting
string author = Author.Text; Cookie cookie = new Cookie("author", author);
Path Traversalsting fName = Request.Form[“fileName“];File.Delete("C:\\users\\files\\" + fName);
Command Injectionstring args = “-a -o “+Request.Param[“arg”];Process.Start(“program.exe“+args);
Infinite ways to write code with the same output
Use the lowest level human-readable language
Parsing (alone) fails Be the compiler (and then some)
IPA – Intraprocedural AnalysisCFG – Control Flow GraphDFA – Data Flow AnalysisVariable Tracing
Call graph f(g()) each node represents a procedure each edge is a call
Stack trace is a dynamic call graphContext sensitive – separate node for
each possible procedure activation Context insensitive – only one node
for each procedure
A graph of all the paths of execution in a program
Generate a CFG for each function Each node is a basic block CFA - Compute domination dominator - block M dominates block N
if every path from the entry that reaches block N has to pass through block M
abnormal edge - edge with an unknown destination
if if/else do
switch
Follow all program paths Trace each branch both directions May discover dead code
Reaching definitions The assignments that produce variable
values at a certain state Which definitions contain tainted
sources? Of those definitions, which reach sinks?
B1: a=value1B2: a=value2B2 KILLs B1 and B2 is also a GENUse-Def chains
For each use of variable v in a statement s, make a list of definitions of v that reach s
Use-Def: backward seekingDef-Use: forward seeking
…int x;if (…)x = 1;
…a = x;…
This def reaches this use
… but the def might not get executed!
…if (Page.IsValid())
string pwd = Request.Form[“pwd”];…string sql = “SELECT …” + pwd + “’”;SqlCommand cmd = new SqlCommand(sql);…
If this defdoesn’t dominate this use
Unvalidated input causes SQL Injection
Formerly called Microsoft Intermediate Language
.NET is Stack based (LIFO) Metadata for compiled classes Reflection - the program in the mirror Common Language Runtime
.method public static void Main() cil managed {
.entrypoint
.maxstack 1 ldstr "Hello, world!" call void [mscorlib]System.Console::WriteLine(string) ret
}
Manual Static Analysis
Find every instance of an unvalidated source being used in the application
Find combinations that link source to sink
Determine validation in dominance frontier
Implement checks that inform users of the specific vulnerabilities found
Verify with dynamic analysis* Apply remediation*
Great way to find vulnerabilities?
Or greatest way to find vulnerabilities?
You decide.