
Automatic Source Code Security Boost: The Power of Static Analysis

Enhance your code security using advanced static analysis methods like dataflow analysis and model checking. Discover vulnerabilities in PHP, C, Java and C++ code to ensure robust software development. Effortless and effective techniques for early bug detection and security reinforcement. Stay ahead of potential threats with this essential security measure.


Presentation Transcript


  1. Methods of increasing source code security automatically
     Ben Chelf, CTO

  2. 10,000 foot view
     PHP Code, C Code, Java Code, C++ Code -> MAGIC STATIC ANALYSIS BOX -> Security Vulnerabilities
     Inside the box: dataflow analysis, pointer alias analysis, abstract interpretation, model checking, flow-sensitive, flow-insensitive, context-sensitive, context-insensitive, interprocedural, intraprocedural, solving constraints
     Coverity Confidential: Do not distribute

  3. What to look for?
       {
           strcpy(dest, src);
       }

  4. What to look for?
       {
           char src[100];
           char dest[50];
           strcpy(dest, src);
       }

  5. What to look for?
       {
           char src[50];
           char dest[50];
           strcpy(dest, src);
       }

  6. What to look for?
       {
           char src[50];
           char dest[50];
           src[sizeof(dest) - 1] = 0;
           strcpy(dest, src);
       }
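Whether the four `strcpy` calls above are reported depends entirely on what the analyzer can see about the two buffers: nothing (slide 3), a larger source (slide 4), an equal-sized source with no guaranteed terminator (slide 5), or a forced NUL inside the source (slide 6). As an added example, not Coverity's checker, this toy Python pass understands just those constructs and gives the verdict a size-aware intraprocedural check would reach for each slide body (the bodies are copied from the slides).

```python
import re

# Toy intraprocedural checker for the strcpy() cases on slides 3-6.
# Added example, not Coverity's analysis; it only understands fixed-size
# char arrays, a "buf[sizeof(x) - 1] = 0;" guard and strcpy(dest, src).
DECL = re.compile(r"char\s+(\w+)\s*\[\s*(\d+)\s*\]\s*;")
GUARD = re.compile(r"(\w+)\s*\[\s*sizeof\s*\(\s*(\w+)\s*\)\s*-\s*1\s*\]\s*=\s*0\s*;")
CALL = re.compile(r"strcpy\s*\(\s*(\w+)\s*,\s*(\w+)\s*\)\s*;")


def check_strcpy(body: str) -> list[str]:
    """Return one verdict string per strcpy() call in a C function body.

    strcpy copies strlen(src) + 1 bytes.  Without a NUL guaranteed inside
    src, the worst case is every byte of src plus the terminator.
    """
    sizes = {name: int(n) for name, n in DECL.findall(body)}
    nul_at = {}  # array -> index where a NUL is stored unconditionally
    for arr, other in GUARD.findall(body):
        if other in sizes:
            nul_at[arr] = sizes[other] - 1
    verdicts = []
    for dest, src in CALL.findall(body):
        if dest not in sizes or src not in sizes:
            verdicts.append(f"UNKNOWN: sizes of {dest}/{src} not visible here")
            continue
        dsize, ssize = sizes[dest], sizes[src]
        worst = ssize + 1  # no terminator guaranteed inside src
        if src in nul_at and nul_at[src] < ssize:
            worst = nul_at[src] + 1  # the copy stops at the forced NUL
        if worst > dsize:
            verdicts.append(f"OVERFLOW: up to {worst} bytes into {dest}[{dsize}]")
        else:
            verdicts.append(f"SAFE: at most {worst} bytes into {dest}[{dsize}]")
    return verdicts


SLIDES = {  # constructed copies of the four slide bodies
    3: "{ strcpy(dest, src); }",
    4: "{ char src[100]; char dest[50]; strcpy(dest, src); }",
    5: "{ char src[50]; char dest[50]; strcpy(dest, src); }",
    6: "{ char src[50]; char dest[50]; src[sizeof(dest) - 1] = 0; strcpy(dest, src); }",
}

if __name__ == "__main__":
    for n, body in SLIDES.items():
        print(f"slide {n}: {check_strcpy(body)}")
```

Slide 3 comes back UNKNOWN rather than OVERFLOW, which is the whole point of the sequence: a checker that has no size information has to either ask for more context (interprocedurally) or stay quiet.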

  7. The Promise of Static Analysis Tools
     Software Development Process: Design, Code, QA, Release. Integrate Static Analysis.
     BENEFITS: Detects problems early in the SDLC; No test cases required; Points to specific LOC; Systematic Bugs; Security Vulnerabilities

  8-15. Research techniques (not exhaustive)
      • Shankar, Talwar, Foster, Wagner (2001)
      • Ashcraft, Engler (2002)
      • Yang, Kremenek, Xie, Engler (2003)
      • Huang, Yu, Hang, Tsai, Lee (2004)
      • Livshits and Lam (2005)
      • Xie and Aiken (2006)
      • Jovanovic, Kruegel, Kirda (2006)
      • …many others

  16. Making it work in the real world
      Build Systems; Parsing Code; Analysis time; Configuration for the code; Noise versus False Positives; What to report; Reviewing the results
      PHP Code, C Code, Java Code, C++ Code

  17. Evil Tetris
       /*
        * Set times to 0 except for
        * high score on each level.
        */
       for (i = MINLEVEL; i < NLEVELS; i++)
           levelfound[i] = 0;
       for (i = 0, sp = scores; i < nscores; i++, sp++) {
           if (levelfound[sp->hs_level])
               sp->hs_time = 0;
           else {
               sp->hs_time = 1;
               levelfound[sp->hs_level] = 1;
           }
       }

  18. Do you use X?
       if (getuid() != 0 && geteuid == 0) {
           ErrorF("only root");
           exit(1);
       }
      "Since without the parentheses, the code is simply checking to see if the geteuid function in libc was loaded somewhere other than address 0 (which is pretty much guaranteed to be true), it was reporting it was safe to allow risky options for all users, and thus a security hole was born." - Alan Coopersmith, Sun Developer
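The slip on slide 18 is purely syntactic, so a checker can catch it before any dataflow runs: a function is named in a comparison but never called. This added Python example (not the tool's own rule; the watched-name list is an assumption) flags such uses and proposes the parenthesised form, leaving a genuine call or an explicit address-of alone.

```python
import re

# Added example (not the tool's own rule): report a function designator
# used as a value in an expression, the "geteuid == 0" slip on slide 18.
# Assumption: a small seed list of libc identity functions to watch for.
WATCHED = {"getuid", "geteuid", "getgid", "getegid"}
IDENT = re.compile(r"\b(" + "|".join(sorted(WATCHED)) + r")\b")


def _bare_uses(line: str):
    """Yield matches of watched names not followed by '(' and not
    preceded by a single address-of '&' (a '&&' operator does not count)."""
    for m in IDENT.finditer(line):
        after = line[m.end():].lstrip()
        before = line[:m.start()].rstrip()
        if after.startswith("("):
            continue  # a real call
        if before.endswith("&") and not before.endswith("&&"):
            continue  # &geteuid: taking the address is presumably intended
        yield m


def missing_call_parens(line: str) -> list[str]:
    """Names on this line that are compared or tested without '()'.

    Without the parentheses the expression compares the function's
    address, which is never 0, so a root check silently passes."""
    return [m.group(1) for m in _bare_uses(line)]


def suggest_fix(line: str) -> str:
    """Insert '()' after each flagged name, working right to left so
    earlier offsets stay valid."""
    out = line
    for m in reversed(list(_bare_uses(line))):
        out = out[:m.end()] + "()" + out[m.end():]
    return out


# Constructed lines: the slide's buggy check and its corrected form.
BAD_LINE = "if (getuid() != 0 && geteuid == 0) {"
GOOD_LINE = "if (getuid() != 0 && geteuid() == 0) {"

if __name__ == "__main__":
    print(missing_call_parens(BAD_LINE), "->", suggest_fix(BAD_LINE))
```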
