Busting Software Bugs to Boost Application Security: Data Flow Analysis as a source code quality tool (and hence a security tool)
Daniel Liezrowice, February 2016

Agenda
- How security processes are like quality processes
- How software bugs are security vulnerabilities
- How static source code analysis can prevent defects and improve security
- What is Data Flow Analysis? (and how it differs from classic Static Code Analysis)
- Example in a development environment (C/C++)

Your Presenter
Daniel Liezrowice, from ESL (Engineering Software Lab). Did the deployment and integration of the Parasoft Data Flow Analysis tool that will be used for the demonstration, at 135 different companies in Israel.

Internet of Things Vulnerabilities

One weak spot is all it takes
Exploitable Software Weaknesses (CWEs) are sources for future Zero-Day Attacks.

Poll 1: Is software security the same as application security?
- Yes
- No
- That's a silly question

Security Belongs to Quality
If you have a source code quality problem, you have a security problem.
Modern systems are complex, and defects don't always manifest when systems are used the same way they are tested.
The number of possible conditions may be infinite.

Security and reliability have to be designed and engineered in. You can't always test them in.

Security problems are design flaws:
- Missing authorization
- Improper encryption
- Improper password handling
- Allowing data to be tainted

Security problems are code defects:
- Buffer overflow
- Data leakage

Poll 2: Our security group:
- Is part of DevOps
- Is part of QA
- Stands on its own
- Our what now?

(Comic: Copyright XKCD, http://xkcd.com/538/)

Quality Processes
- Policy Management & Enforcement
- Peer Code Review
- Unit Testing / Continuous Regression
- Static Code Analysis
- Runtime Error Detection
- Hybrid Analysis
- Prevention over reaction
- Reporting / Analytics

Software Security Best Practices
(Figure from "Software Security", Gary McGraw, Copyright 2003 Cigital. Reprinted from the March/April 2004 issue of IEEE Security & Privacy.)

Important Steps
- Train developers in secure development so that they can prevent, or at least find and fix, security problems
- Design and build your system with a deliberate focus on quality and security
- Collect/measure defect data (quality AND security) and use it to assess and improve your development practices

Poll 3: Do bugs in open-source code represent security vulnerabilities?
- Yes
- I'm not sure
- No
- I never thought about it

(Comic: Copyright XKCD, http://imgs.xkcd.com/comics/golden_hammer.png)

Bugs are vulnerabilities: Heartbleed example

HEARTBLEED BUSTED
MISRA C 2004 rule 20.3: The validity of values passed to library functions shall be checked.
- CWE-20 Improper input validation
- CWE-114 Process control
- CWE-125 Out-of-bounds read
- CWE-130 Improper handling of length parameter inconsistency
One simple quality problem.

Buffer Security Issues in CWE
- CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
- CWE-120 Buffer Copy without Checking Size of Input
- CWE-121 Stack-based Buffer Overflow
- CWE-122 Heap-based Buffer Overflow
- CWE-125 Out-of-bounds Read
- CWE-131 Incorrect Calculation of Buffer Size
- CWE-680 Integer Overflow to Buffer Overflow

Buffer Impact (CWE Technical Impacts)
- Read memory
- Modify memory
- DoS: crash / exit / restart; resource consumption (CPU); resource consumption (memory)
- Execute unauthorized code or commands

Are there more?
Run the same coding standard on the rest of the file.

Key Points
- Static code analysis eases the burden on QA, allowing development work to continue in parallel with manual testing efforts.
- Root cause analysis of defects can influence the development policy in order to prevent making the same mistake again.

Interprocedural Crash-Causing Defects: the Solution is Data Flow Analysis

What can be found with Data Flow Analysis?
- Null pointer dereference
- Use after free
- Double free
- Array indexing errors
- Mismatched array new/delete
- Potential stack overrun
- Potential heap overrun
- Return pointers to local variables
- Logically inconsistent code
- Uninitialized variables
- Invalid use of negative values
- Passing large parameters by value
- Under-allocation of dynamic data
- Memory leaks
- File handle leaks
- Network resource leaks
- Unused values
- Unhandled return codes

C++test Bug Detective Data Flow Analysis: How does it work?
(Parasoft C++test, by Alon Bialik)

3rd Generation SCA tools (2006 to present)

Source code:
    int a, b;
    a = 2;
    b = a*2 + 1;

Target code:
    SET   R1,2
    STORE #0,R1
    SHIFT R1,1
    STORE #1,R1
    ADD   R1,1
    STORE #2,R1

Compiler components:
Character Stream -> Lexical Analyzer -> Token Stream -> Syntax Analyzer -> Syntax Tree -> Semantic Analyzer -> Decorated Syntax Tree -> Intermediate Code Generator -> Intermediate Representation -> Machine-Independent Code Optimization -> Intermediate Representation -> Code Generator -> Target Machine Code -> Machine-Dependent Code Optimization -> Target Machine Code

Comprehensive: Bit-Accurate
A bit-accurate representation of the data and logic of the software system allows SAT solvers to explore all possible values. This enables integer overflow detection and optimal false path pruning.

Control Flow: Bit-Accurate Representation
Example of a Control Flow Graph:
    1. d:=0;
    2. while (x
    3. x:=x+3;
    4. if (x+y < 100)
    5. s:=s+x+y;
    6. else
    7. s:=s+x-y;
    8. }
(Figure: control flow graph of the numbered statements above)

Boolean Satisfiability (SAT Solver) using the DNA map
Take the expression A==19 (A is an 8-bit char). DNA mapping will convert it to:
    !a7 ^ !a6 ^ !a5 ^ a4 ^ !a3 ^ !a2 ^ a1 ^ a0
(a7 is the high bit)

Plugging this into a SAT solver would render the following assignment of variables for the formula to be satisfied:
    a0 = True  (1)
    a1 = True  (1)
    a2 = False (0)
    a3 = False (0)
    a4 = True  (1)
    a5 = False (0)
    a6 = False (0)
    a7 = False (0)
We got 00010011 = 19.
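The bit-blasting above, and the x == 0 / x != 0 false-path argument the slides make next, worked through in code. This is an added example, not the slides' or Parasoft's code: it assumes x is an unsigned 8-bit char, that CFG node a tests x == 0 and node d tests x != 0, and it uses a toy DPLL solver in place of the tool's SAT engine.

```python
# Added example (not the slides' or Parasoft's code): bit-blast tests on an unsigned
# 8-bit char x into CNF, run a toy DPLL solver, and prune infeasible a..g CFG paths.
BITS = 8

def lit(bit, value):
    # literal "bit i of x is value": +(i+1) when true, -(i+1) when false
    return (bit + 1) if value else -(bit + 1)

def eq_clauses(const):
    # x == const: eight unit clauses, the slide's !a7 ^ !a6 ^ !a5 ^ a4 ^ !a3 ^ !a2 ^ a1 ^ a0 for 19
    return [[lit(i, (const >> i) & 1)] for i in range(BITS)]

def neq_clauses(const):
    # x != const: at least one bit differs, i.e. one clause ORing eight literals
    return [[lit(i, 1 - ((const >> i) & 1)) for i in range(BITS)]]

def dpll(clauses, model=None):
    # toy DPLL: simplify, propagate unit clauses, branch; None means UNSAT
    model = dict(model or {})
    while True:
        live = []
        for clause in clauses:
            if any(model.get(abs(l)) == (l > 0) for l in clause):
                continue                      # clause already satisfied
            rest = [l for l in clause if abs(l) not in model]
            if not rest:
                return None                   # all literals false: conflict
            live.append(rest)
        clauses = live
        if not clauses:
            return model
        unit = next((c[0] for c in clauses if len(c) == 1), None)
        if unit is None:
            break
        model[abs(unit)] = unit > 0
    var = abs(clauses[0][0])                  # branch on the first free variable
    return dpll(clauses, {**model, var: True}) or dpll(clauses, {**model, var: False})

def solve_eq(const):
    # solve x == const and read the 8-bit value back out of the model
    model = dpll(eq_clauses(const))
    return None if model is None else sum(1 << i for i in range(BITS) if model.get(i + 1))
# Assumed from the slide: node a tests x == 0, node d tests x != 0. Each entry is
# (clauses when the branch is taken as true, clauses when taken as false).
BRANCHES = {"a": (eq_clauses(0), neq_clauses(0)), "d": (neq_clauses(0), eq_clauses(0))}

def path_feasible(outcomes):
    # {"a": True, "d": True} is path a-b-d-e-g; real only if its conditions are jointly SAT
    return dpll([c for node, taken in outcomes.items()
                 for c in BRANCHES[node][0 if taken else 1]]) is not None
```

Of the four syntactic paths, only a-c-d-e-g and a-b-d-f-g survive; a-b-d-e-g and a-c-d-f-g are pruned as false paths because their conjunctions are unsatisfiable.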

Once the entire Software DNA Map is represented in this format of TRUEs, FALSEs, NOTs, ANDs and ORs, a wide variety of formulas can be constructed from this representation, and SAT solvers can be applied to analyze the code for additional, more sophisticated quality and security problems. It is this bit-accurate representation of the software that enables more precise static analysis than was previously possible based solely on path simulation.

Path Simulation
There are clearly four paths through this code base: a-b-d-e-g, a-c-d-e-g, a-b-d-f-g and a-c-d-f-g.
(Figure: control flow graph with nodes A, B(t), C(f), D, E(t), F(f), G)

Path Simulation: enter the SAT solver
Let's assume we have the following expressions:
    [a]: if (x == 0)
    [d]: if (x != 0)

The SAT Solver
The SAT solver sees x == 0 AND x != 0 and says this cannot be satisfied as a Boolean formula. So while there might appear to be 4 paths through the control flow graph, we know that because of the dependency between the condition of (a) and the condition of (d), there are only 2 paths through the code base. If the analysis decided to explore the path a-b-d-e-g, this would be a FALSE path, because it is impossible to execute at runtime. Moreover, if the analysis reported a defect on this path, that defect would clearly be a false positive, since that path cannot exist when running the program.

False Positive Problem: False Errors
A false error is one reported by the analyzer that is not in fact a latent error in the program.

    1  int f(int x) {
    2      int y;
    3      if (x > 0) y = x;
    4      if (x > 3) x = y;
    5      return x;
    6  }
Warning 644: Variable 'y' (line 2) may not have been initialized
(Figure: control flow graph of f, with nodes for (x > 0), y = x, (x > 3), x = y and return x)

Typical Defect
    #include <string.h>

    void buffer_size_example()
    {
        char dest[128];
        char source[256];
        strncpy(dest, source, strlen(source));
    }
    // This will flag an error as the size argument to strncpy()
    // can possibly be up to 255, yet the destination only has
    // room for 128 elements (127 chars and the null termination).
But it is never that obvious.

Buffer overrun
Or even looking remotely like that.
    #include <string.h>

    void func (char *passedStr)
    {
        char localStr[4];
        strcpy(localStr, passedStr); // length of passedStr is not checked
    }

    int main (int argc, char **argv)
    {
        func(argv[1]);
        return 0;
    }
It can look like that...

History in the making: The code that made the iPhone what it is. The LIBTIFF VULNERABILITY
    static int
    TIFFFetchShortPair(TIFF* tif, TIFFDirEntry* dir)
    {
        switch (dir->tdir_type) {
            case TIFF_BYTE:
            case TIFF_SBYTE:
                {
                    uint8 v[4];
                    return TIFFFetchByteArray(tif, dir, v)
                        && TIFFSetField(tif, dir->tdir_tag, v[0], v[1]);
                }
            case TIFF_SHORT:
            case TIFF_SSHORT:
                {
                    uint16 v[2];
                    return TIFFFetchShortArray(tif, dir, v)
                        && TIFFSetField(tif, dir->tdir_tag, v[0], v[1]);
                }
            default:
                return 0;
        }
    }
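What the "size argument can be up to 255" reasoning looks like when mechanised, run over the two strcpy/strncpy snippets above. This is an added example, not the slides' or Parasoft's code, and a toy intraprocedural checker only; the libtiff function is the interprocedural form of the same question, since how many elements TIFFFetchByteArray/TIFFFetchShortArray write into v is decided by the directory entry's count rather than by the size of v, which is why catching it takes data flow analysis across the call.

```python
# Added example, not the slides' or Parasoft's code: a deliberately small
# intraprocedural checker for the two strcpy/strncpy snippets above. It tracks the
# declared size of char arrays, treats char* parameters as unbounded, and compares
# each call's worst-case write against its destination's capacity.
import re

DECL_RE = re.compile(r"\bchar\s+(\w+)\s*\[\s*(\d+)\s*\]")   # char name[N]
PTR_RE = re.compile(r"\bchar\s*\*\s*(\w+)")                  # char *name: no bound
CALL_RE = re.compile(r"\b(strcpy|strncpy)\s*\(([^;]*)\)\s*;")
INF = float("inf")

def max_len(expr, caps):
    # longest string the argument can denote, not counting the terminating NUL
    expr = expr.strip()
    if expr.isdigit():
        return int(expr)                      # literal byte count
    m = re.fullmatch(r"strlen\s*\(\s*(\w+)\s*\)", expr)
    if m:
        expr = m.group(1)                     # strlen(buf) is bounded by buf's size
    cap = caps.get(expr, INF)
    return INF if cap == INF else cap - 1     # char buf[N] holds at most N-1 chars

def check_copies(c_source):
    # report (function, destination, capacity, worst-case bytes written) for every
    # copy that can exceed its destination; call arguments are assumed comma-free
    caps = {name: int(n) for name, n in DECL_RE.findall(c_source)}
    caps.update({name: INF for name in PTR_RE.findall(c_source)})
    findings = []
    for fn, argstr in CALL_RE.findall(c_source):
        args = [a.strip() for a in argstr.split(",")]
        dst, src = args[0], args[1]
        if fn == "strcpy":
            written = max_len(src, caps) + 1  # the source string plus its NUL
        else:
            written = max_len(args[2], caps)  # exactly the size argument
        if written > caps.get(dst, INF):
            findings.append((fn, dst, caps[dst], written))
    return findings

# Constructed inputs: the slides' two snippets with their comments removed.
TYPICAL_DEFECT = ("void buffer_size_example() { char dest[128]; char source[256]; "
                  "strncpy(dest, source, strlen(source)); }")
BUFFER_OVERRUN = ("void func (char *passedStr) { char localStr[4]; "
                  "strcpy(localStr, passedStr); }")
```

The first snippet is reported with a worst case of 255 bytes into a 128-byte destination; the second is reported because the source has no bound at all, which is the checker's way of saying the length of passedStr is never checked.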

Prevention
