Teachable Static Analysis Workbench by Igor Konnov, Dmitry Kozlov.


Transcript of Teachable Static Analysis Workbench by Igor Konnov, Dmitry Kozlov.

Page 1: Teachable Static Analysis Workbench by Igor Konnov, Dmitry Kozlov.

Teachable Static Analysis Workbench

by Igor Konnov, Dmitry Kozlov

Page 2: Teachable Static Analysis Workbench by Igor Konnov, Dmitry Kozlov.

Project goal

To build a tool, teachable by a security analyst, which helps to verify that a web application has the appropriate security mechanisms and that they are used in the right way.

One more idea: look at this project as an integration project: investigate whether different OWASP tools and docs can work together.

Page 3: Teachable Static Analysis Workbench by Igor Konnov, Dmitry Kozlov.

Motivation

• Manual code review is boring and therefore error-prone work. Static analysis tools are helpful for performing routine checks.

• Web apps vary in frameworks, libraries and security technologies. So a static analysis tool has to support every technology, library, etc. to be applicable.

• Vulnerabilities vary depending on the technologies used in the web app: XSS, SQLI, LDAPI, etc.

Page 4: Teachable Static Analysis Workbench by Igor Konnov, Dmitry Kozlov.

Teaching static analyzer

Input validation vulnerabilities: XSS, SQLI, HTTP Response Splitting, and more. Are they so different?

• All of them are a dataflow from some source of “tainted” data provided by a malicious user to some sensitive function (system call, HTTP headers, HTML page, …).

• They differ in technology: when using LDAP the sensitive function is LDAP modification, for SQL it is query execution, etc.

• They differ in the source of tainted data: request parameters, database records, files, etc.

Page 5: Teachable Static Analysis Workbench by Igor Konnov, Dmitry Kozlov.

Teaching static analyzer

Security mechanisms are different

• mysql_real_escape_string()

• A Java validator method (Struts Validator style):

```java
public static boolean validateRequired(Object bean, Field field) {
    String value = ValidatorUtil.getValueAsString(bean, field.getProperty());
    // "required" is satisfied only when the value is present (not blank or null)
    return !GenericValidator.isBlankOrNull(value);
}
```

• XML validators:

```xml
<name>email</name>
<pattern>^[\w-]+(?:\.[\w-]+)*@(?:[\w-]+\.)+[a-zA-Z]{2,7}$</pattern>
```
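The following is an added illustration of the idea on slides 4 and 5 (it is not Secbugs or TeSA code): a vulnerability class is nothing more than a taught rule of sources, sinks and sanitizers, and one interprocedural taint-propagation engine serves XSS, SQL injection and the rest. The sample "program" and the method names (doGet, lookupUser, buildQuery, the servlet and ESAPI call names) are constructed for the example and stand in for a compiled Java web app.

```python
"""Toy configurable taint analysis (added illustration, not Secbugs/TeSA code).

A vulnerability class is a rule of "taught" sources, sinks and sanitizers;
one forward dataflow engine serves XSS, SQL injection and the rest. Method
and call names are constructed to look like a Java servlet, nothing more.
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    """One teachable vulnerability class."""
    name: str
    sources: set        # calls that return attacker-controlled data
    sinks: set          # sensitive functions that must not receive it
    sanitizers: set = field(default_factory=set)  # calls whose result is clean


@dataclass
class Method:
    params: list
    # statements: ("assign", target_or_None, callee, [arg names]) or ("return", var)
    body: list


def analyze(program, entry, rule):
    """Forward taint propagation from `entry`, following calls into the other
    methods of `program`. Returns (rule, method, sink, tainted argument) tuples."""
    findings = []
    memo = {}   # (method, tainted params) -> is the return value tainted?

    def run(name, tainted_params):
        key = (name, tuple(sorted(tainted_params)))
        if key in memo:
            return memo[key]
        memo[key] = False          # provisional value breaks recursive call cycles
        tainted = set(tainted_params)
        ret_tainted = False
        for stmt in program[name].body:
            if stmt[0] == "return":
                ret_tainted = stmt[1] in tainted
                continue
            _, target, callee, args = stmt
            dirty = [a for a in args if a in tainted]
            if callee in rule.sources:
                result = True
            elif callee in rule.sanitizers:
                result = False                      # cleansed, for this rule only
            elif callee in rule.sinks:
                if dirty:
                    findings.append((rule.name, name, callee, dirty[0]))
                result = False
            elif callee in program:                 # interprocedural step
                params = program[callee].params
                result = run(callee, {p for p, a in zip(params, args) if a in tainted})
            else:
                result = bool(dirty)                # unknown library call: taint passes through
            if target is not None:
                (tainted.add if result else tainted.discard)(target)
        memo[key] = ret_tainted
        return ret_tainted

    run(entry, set())
    return findings


# Two rules sharing one source: only the technology-specific parts differ.
XSS_RULE = Rule("XSS", sources={"HttpServletRequest.getParameter"},
                sinks={"PrintWriter.println"},
                sanitizers={"ESAPI.encoder().encodeForHTML"})
SQLI_RULE = Rule("SQLI", sources={"HttpServletRequest.getParameter"},
                 sinks={"Statement.executeQuery"},
                 sanitizers={"ESAPI.encoder().encodeForSQL"})

# Constructed sample program (servlet-like), three methods.
SAMPLE = {
    "doGet": Method([], [
        ("assign", "login", "HttpServletRequest.getParameter", []),
        ("assign", "html", "ESAPI.encoder().encodeForHTML", ["login"]),
        ("assign", None, "PrintWriter.println", ["html"]),     # encoded: fine for XSS
        ("assign", None, "PrintWriter.println", ["login"]),    # raw: XSS
        ("assign", None, "lookupUser", ["login"]),             # taint enters a callee
        ("assign", "q", "buildQuery", ["login"]),              # taint returns from a callee
        ("assign", None, "Statement.executeQuery", ["q"]),     # SQLi in the caller
    ]),
    "lookupUser": Method(["name"], [
        ("assign", "sql", "String.concat", ["name"]),
        ("assign", None, "Statement.executeQuery", ["sql"]),   # SQLi inside the callee
    ]),
    "buildQuery": Method(["v"], [
        ("assign", "sql", "String.concat", ["v"]),
        ("return", "sql"),
    ]),
}


if __name__ == "__main__":
    for rule in (XSS_RULE, SQLI_RULE):
        for f in analyze(SAMPLE, "doGet", rule):
            print("%s: %s passes tainted %r to %s" % (f[0], f[1], f[3], f[2]))
```

Running the same program under the two rules shows why sanitizers must be taught per technology: the HTML-encoded value is clean for the XSS rule but stays tainted under the SQLI rule, and the two SQLi findings come from a callee's own sink and from a tainted value returned to the caller, which is exactly what an intraprocedural analyzer misses.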

Page 6: Teachable Static Analysis Workbench by Igor Konnov, Dmitry Kozlov.

ESAPI Secure Coding Guide’s patterns

• Authentication
  • All HTTP requests for transactions shall be verified using HTTPUtilities.verifyCSRFToken().
  • All requests for pages that require authentication shall call the ESAPI.authenticator().login() method.

• Access Control
  • The application shall use assertAuthorizedForFile() to verify authorization before allowing access to files.

• Input Validation
  • The application shall add all custom cookies with ESAPI.httpUtilities().safeAddCookie() to ensure they are properly secured.

• Banned API
  • Replace ServletResponse.setContentType() with HTTPUtilities.setContentType().

Page 7: Teachable Static Analysis Workbench by Igor Konnov, Dmitry Kozlov.

Teaching static analyzer to ESAPI

ESAPI Secure Coding Guide:

Its rules have the form “the call stack at some program point should (not) contain some call”:

The HTTPServlet.service() method shouldn’t call ServletResponse.addCookie(), but HTTPUtilities().safeAddCookie() instead.

=> The SA must be capable of searching for patterns on the Call Graph or Control Flow Graph. Teaching it means creating logical expressions on these graphs.
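As an added example of such logical expressions on a call graph (not code from the TeSA/Secbugs project), the block below encodes three ESAPI-guide rule shapes over a constructed call graph: an entry method must not transitively reach a forbidden call, an entry method must reach a required call, and a banned API must not be called anywhere. The servlet and helper names in the graph are constructed; the ESAPI call names are those quoted on the previous slides.

```python
"""Call-graph pattern checks in the style of the ESAPI Secure Coding Guide.
Added illustration, not project code. The call graph is a constructed sample:
caller -> list of callees, with library calls as leaves."""
from collections import deque


def find_path(graph, start, target):
    """Shortest call chain from `start` to `target`, or None if unreachable."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for callee in graph.get(node, []):
            if callee not in parent:
                parent[callee] = node
                queue.append(callee)
    return None


def check(graph, rules):
    """Evaluate (kind, where, what) rules; return (kind, where, what, witness)."""
    violations = []
    for kind, where, what in rules:
        if kind == "forbids":           # call stack below `where` must not contain `what`
            path = find_path(graph, where, what)
            if path is not None:
                violations.append((kind, where, what, path))
        elif kind == "requires":        # call stack below `where` must contain `what`
            if find_path(graph, where, what) is None:
                violations.append((kind, where, what, None))
        elif kind == "bans":            # `what` may not be called by any method
            for caller, callees in graph.items():
                if what in callees:
                    violations.append((kind, caller, what, None))
    return violations


# Constructed call graph of a small web app.
CALL_GRAPH = {
    "LoginServlet.service": ["LoginServlet.doPost"],
    "LoginServlet.doPost": ["ESAPI.authenticator().login", "CookieHelper.remember"],
    "CookieHelper.remember": ["ServletResponse.addCookie"],          # two hops down
    "AccountServlet.service": ["AccountServlet.doGet"],
    "AccountServlet.doGet": ["ESAPI.httpUtilities().safeAddCookie",
                             "ServletResponse.setContentType"],
    "TransferServlet.service": ["TransferServlet.doPost"],
    "TransferServlet.doPost": ["HTTPUtilities.verifyCSRFToken",
                               "ESAPI.authenticator().login"],
}

# The guide's patterns, written as expressions the analyst would teach.
RULES = [
    ("forbids", "LoginServlet.service", "ServletResponse.addCookie"),
    ("forbids", "AccountServlet.service", "ServletResponse.addCookie"),
    ("requires", "AccountServlet.doGet", "ESAPI.authenticator().login"),
    ("requires", "TransferServlet.doPost", "HTTPUtilities.verifyCSRFToken"),
    ("bans", None, "ServletResponse.setContentType"),
]


if __name__ == "__main__":
    for kind, where, what, witness in check(CALL_GRAPH, RULES):
        print(kind, where, what, " -> ".join(witness) if witness else "")
```

A "forbids" violation is reported with the witness path, which is what an analyst needs to decide whether the indirect cookie-setting helper is a real problem; a "requires" violation on a page that never reaches login() is the authentication gap the guide's second rule describes.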

Page 8: Teachable Static Analysis Workbench by Igor Konnov, Dmitry Kozlov.

Key requirements for the Security Analysis Workbench

• Teachable:
  • about technologies
  • about vulnerabilities
  • about security mechanisms

• Reuse of analyst knowledge: teach once and reuse for many web applications

• Recalculation of results on the fly

• The tool should work as part of Eclipse IDE

Page 9: Teachable Static Analysis Workbench by Igor Konnov, Dmitry Kozlov.

How to work with the Teachable Static Analysis Workbench

Pages 10–18: Teachable Static Analysis Workbench by Igor Konnov, Dmitry Kozlov. (No text captured in the transcript for these slides.)

What is inside the Teachable Static Analysis Workbench

Page 19: Teachable Static Analysis Workbench by Igor Konnov, Dmitry Kozlov.

Static analyzers

• LAPSE: unsupported, no user community, latest source is unavailable, doesn’t work with the current stable Eclipse, very primitive analysis, runs slowly.

• FindBugs: alive project with good documentation and code, broad user community, Eclipse integration; its intraprocedural analysis for XSS needs to be extended.

• PQL: interesting analysis, lack of documentation, very limited community, immature implementation.

• Indus: mature project, good community, very sophisticated, slower than FindBugs.

Page 20: Teachable Static Analysis Workbench by Igor Konnov, Dmitry Kozlov.

Workbench architecture

(Architecture diagram; only its labels survive in the transcript. Read in the order shown:)

• Build path: *.jsp → JSP Precompiler → *.java → javac → .class

• Analysis path: .class → modified FindBugs with the SecBugs plugin for FindBugs → modified FindBugs Eclipse Plugin → markers on the Eclipse source code

• Teaching path: TeSA Eclipse Plugin → Analysis configuration (fed to the analysis)

• Teaching example in the TeSA Eclipse Plugin: HelloWorld.java: … Request.getParameter(“login”) … → “Mark method as tainted source”

Page 21: Teachable Static Analysis Workbench by Igor Konnov, Dmitry Kozlov.

Status and Future Steps

Current status is beta. Reviewers promised to finish the 100% review soon.

Future work:

• GUI improvements: view vulnerabilities in the Eclipse Project Explorer.

• Support for XML-based and annotation-based validations.

• Support for ESAPI-like patterns: give the analyst the ability to create expressions on the Call Graph and CFG.

• Support for “on the fly” analysis.

• Backports of the FindBugs improvements to the FindBugs project.

Page 22: Teachable Static Analysis Workbench by Igor Konnov, Dmitry Kozlov.

Closing: project contribution

• Secbugs – interprocedural taint analysis, configurable for different types of input validation vulnerabilities.

• TeSA – a “teaching” environment which allows a security analyst to mark up code in the Eclipse source editor and creates the configuration for Secbugs.

• JSP support.

• SA can be rerun continuously, but it is not real “on the fly” analysis.

• LAPSE port to Eclipse 3.4. But actually our tool makes LAPSE deprecated.