
Software Security Reviews – Static and dynamic analysis


Presentation Transcript


  1. Software Security Reviews – Static and dynamic analysis • Magnus Ahlbin • EC/ITSEF

  2. Agenda • Background • Software security reviews and test methods • Static test methods • Dynamic test methods • Summary

  3. Background • Security issues for software include • Buffer overflows, race conditions, declarations, synchronization, temporary buffers, error handling, parameter control, memory leaks...

  4. Background • Security reviews • the whole software development cycle • security critical functionality • vulnerabilities • pre-conditions • assumptions • threats • security requirements • evidences • design documentation and source code

  5. Software security reviews and test methods • Software security reviews and Common Criteria • Source code review • ADV_IMP • ATE • Sample tests • Independent tests • AVA_VLA

  6. Software security reviews and test methods • Static and dynamic test methods (slide figure contrasting dynamic methods and static methods)

  7. Software security reviews and test methods • Static methods • Investigation of each line of the source code • Source code reviews • Complement to the functional tests • Dynamic methods • Investigation of the behaviour of the application at run-time • Source code reviews • Complement to the penetration tests

  8. Static test methods • Static test methods range from • simple syntactic standards and manual checks to • advanced automated methods • A static checking tool • analyses the source code of a program • assumes all inputs are possible

  9. Static test methods • Weaknesses detected by static tests • Bad syntax • Uninitialized variables • Dead code • Buffer overflows • Memory leaks • Sensitive data left in memory

  10. Static test methods • Three examples of methods for static tests • Pattern matching • Lexical analysis • Parsing and AST analysis

  11. Static test methods • Example of tools • Jlint • Splint • ITS4 • RATS • CGS • Uno

  12. Static test methods • Example • RATS output for Lab2.cpp:
      Lab2.cpp:22: High: fixed size local buffer
      Lab2.cpp:44: High: fixed size local buffer
      Lab2.cpp:119: High: fixed size local buffer
      Lab2.cpp:147: High: fixed size local buffer
      Extra care should be taken to ensure that character arrays that are allocated on the stack are used safely. They are prime targets for buffer overflow attacks.
      Lab2.cpp:71: High: gets
      Gets is unsafe!! No bounds checking is performed, buffer is easily overflowable by user. Use fgets(buf, size, stdin) instead.
      Lab2.cpp:152: High: strcpy
      Check to be sure that argument 2 passed to this function call will not copy more data than can be handled, resulting in a buffer overflow.

  13. Static test methods • Advantages • Requires no prior knowledge about the source code • It covers all paths in the source code • Disadvantages • Static test tools frequently emit false error reports, so-called false positives • Can miss run-time errors
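To make slides 10 through 13 concrete, here is a small pattern-matching/lexical checker added as an example (it is neither RATS nor the presentation's own code, and the C snippet it scans is constructed, not Lab2.cpp). It tokenises the source before matching, so a word inside a comment or string literal is never reported as a call, while whether strcpy's source actually fits its destination remains something the tool cannot decide, which is the false-positive problem of slide 13.

```python
"""Toy pattern-matching/lexical static checker (constructed example, not RATS or the
slides' code): tokenise C source, then flag fixed-size char arrays, gets() and strcpy()."""
import re
from typing import List, Tuple

# Constructed input, not the slides' Lab2.cpp; line numbers refer to this string.
SAMPLE = """#include <stdio.h>
#include <string.h>
/* gets(name) in a comment: a naive grep would flag this line */
int main(int argc, char **argv) {
    char name[64];
    fgets(name, sizeof name, stdin);   /* 'fgets' is a different identifier from 'gets' */
    strcpy(name, argv[1]);             /* unbounded copy from user input */
    gets(name);
    puts("strcpy");                    /* only inside a string literal */
    return 0;
}
"""

# Comments, string literals and whitespace are consumed as a unit and skipped,
# so a word inside them can never be mistaken for a call (a classic false positive).
TOKEN = re.compile(r'(?P<skip>/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\])*"|\s+)'
                   r'|(?P<ident>[A-Za-z_]\w*)|(?P<num>\d+)|(?P<punct>.)', re.S)

def tokenize(src: str) -> List[Tuple[str, str, int]]:
    """Return (kind, text, line) for every code token."""
    toks, line = [], 1
    for m in TOKEN.finditer(src):
        if m.lastgroup != "skip":
            toks.append((m.lastgroup, m.group(), line))
        line += m.group().count("\n")
    return toks

DANGEROUS = {"gets": "Gets is unsafe!! No bounds checking; use fgets(buf, size, stdin) instead",
             "strcpy": "Check that argument 2 cannot be longer than the destination buffer"}

def check(src: str) -> List[Tuple[int, str, str]]:
    """RATS-style findings (line, severity, message) in line order."""
    t, out = tokenize(src), []
    for i, (kind, text, line) in enumerate(t):
        # identifier directly followed by '(' is a call to a known-dangerous function
        if kind == "ident" and text in DANGEROUS and i + 1 < len(t) and t[i + 1][1] == "(":
            out.append((line, "High", f"{text}: {DANGEROUS[text]}"))
        # 'char' ident '[' num ']' is a fixed-size buffer (scope is not tracked here)
        if (text == "char" and i + 4 < len(t) and t[i + 1][0] == "ident" and t[i + 2][1] == "["
                and t[i + 3][0] == "num" and t[i + 4][1] == "]"):
            out.append((line, "High", "fixed size local buffer"))
    return sorted(out)

def report(filename: str, src: str) -> str:
    """Render findings one per line, in the form RATS prints them."""
    return "\n".join(f"{filename}:{ln}: {sev}: {msg}" for ln, sev, msg in check(src))
```

Like the tool on slide 12, it flags every strcpy whether or not the copy is actually bounded, and it says nothing about an out-of-range index such as the one on slide 16, which only a run-time check can see.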

  14. Dynamic test methods • Dynamic analysis methods • manual checks • automated program analysis • Dynamic test tools • are inserted into the tested software at compile time • check the software during execution • no false positives • can only detect errors that occur during a manual run of particular test cases

  15. Dynamic test methods • Examples of what we might investigate at run-time • Trust boundaries • Application state • Input limitations • RAM memory • Dependencies (OS, DLL, etc.) • Memory leakage • Data flow • Process conditions • Internal parameters • Error handling • Use of temporary buffers

  16. Dynamic test methods • Complexities • Auditing a large piece of software is very, very time consuming • Hard to establish a good metric for dynamic analyses • Code coverage is one solution, but a test run could execute the code below without reporting anything:
      void setTableData(int pos, char *data) {
          memcpy(table[pos], data, DATA_MAX_SIZE);  /* no check that pos lies within the table, nor that data holds DATA_MAX_SIZE bytes */
      }
  • The product must exist, so this must be done late in the development life-cycle • The main advantage is that the application is tested in the environment it will be running in

  17. Dynamic test methods • Example (demo video) • ..\..\..\Desktop\rom_demo\flow.avi • rom_demo\flow.avi

  18. Summary • Static and dynamic analysis complement each other • Automatic static analysis has great potential • A combination of manual and automated tests is preferred.

  19. Summary • Software security reviews and Common Criteria • Source code review • ADV_IMP • ATE • Sample tests • Independent tests • AVA_VLA

  20. Questions and contact • Questions? • Contact • Combitech AB, SE-351 80 Växjö, Sweden • Visiting address: Ljungadalsgatan 2 • www.itsef.se • www.combitech.se • Head of ITSEF: Magnus Ahlbin, magnus.ahlbin@combitech.se, Phone +46 470 42208 • Fax +46 470 48203 • Mobile +46 70 6950228 • Combitech Evaluation Centre is an evaluation facility* operating within the Swedish Common Criteria Evaluation and Certification Scheme. * Conditional License. • Combitech is a leading supplier of services within system development, system integration, information security and system safety. • We are an independent consultancy company that, with high competence and continuity, creates great customer benefits by providing valuable and innovative solutions. Combitech is a part of the Saab Group – one of the world’s leading high technology companies with its main operations within defence, aviation and space.
