1 / 18

Methods of increasing source code security automatically

Methods of increasing source code security automatically. Ben Chelf CTO. 10,000 foot view. MAGIC STATIC ANALYSIS BOX

farrah-head
Download Presentation

Methods of increasing source code security automatically

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Methods of increasing source code security automatically Ben ChelfCTO

  2. 10,000 foot view MAGIC STATIC ANALYSIS BOX dataflow analysis, pointer alias analysis, abstract interpretation, model checking, flow-sensitive, flow-insensitive, context-sensitive, context-insensitive, interprocedural, intraprocedural, solving constraints PHP Code Security Vulnerabilities C Code Java Code C++ Code Coverity Confidential: Do not distribute

  3. What to look for? { strcpy(dest, src); } Coverity Confidential: Do not distribute

  4. What to look for? { char src[100]; char dest[50]; strcpy(dest, src); } Coverity Confidential: Do not distribute

  5. What to look for? { char src[50]; char dest[50]; strcpy(dest, src); } Coverity Confidential: Do not distribute

  6. What to look for? { char src[50]; char dest[50]; src[sizeof(dest) – 1] = 0; strcpy(dest, src); } Coverity Confidential: Do not distribute

  7. The Promise of Static Analysis Tools Software Development Process Design Code QA Release Integrate Static Analysis BENEFITS Detects problems early in SDLC No test cases required Points to specific LOC Systematic Bugs Security Vulnerabilities Coverity Confidential: Do not distribute

  8. Research techniques (not exhaustive) • Shankar, Talwar, Foster, Wagner (2001) Coverity Confidential: Do not distribute

  9. Research techniques (not exhaustive) • Shankar, Talwar, Foster, Wagner (2001) • Ashcraft, Engler (2002) Coverity Confidential: Do not distribute

  10. Research techniques (not exhaustive) • Shankar, Talwar, Foster, Wagner (2001) • Ashcraft, Engler (2002) • Yang, Kremenek, Xie, Engler (2003) Coverity Confidential: Do not distribute

  11. Research techniques (not exhaustive) • Shankar, Talwar, Foster, Wagner (2001) • Ashcraft, Engler (2002) • Yang, Kremenek, Xie, Engler (2003) • Huang, Yu, Hang, Tsai, Lee (2004) Coverity Confidential: Do not distribute

  12. Research techniques (not exhaustive) • Shankar, Talwar, Foster, Wagner (2001) • Ashcraft, Engler (2002) • Yang, Kremenek, Xie, Engler (2003) • Huang, Yu, Hang, Tsai, Lee (2004) • Livshits and Lam (2005) Coverity Confidential: Do not distribute

  13. Research techniques (not exhaustive) • Shankar, Talwar, Foster, Wagner (2001) • Ashcraft, Engler (2002) • Yang, Kremenek, Xie, Engler (2003) • Huang, Yu, Hang, Tsai, Lee (2004) • Livshits and Lam (2005) • Xie and Aiken (2006) Coverity Confidential: Do not distribute

  14. Research techniques (not exhaustive) • Shankar, Talwar, Foster, Wagner (2001) • Ashcraft, Engler (2002) • Yang, Kremenek, Xie, Engler (2003) • Huang, Yu, Hang, Tsai, Lee (2004) • Livshits and Lam (2005) • Xie and Aiken (2006) • Jovanovic, Kuregel, Kirda (2006) Coverity Confidential: Do not distribute

  15. Research techniques (not exhaustive) • Shankar, Talwar, Foster, Wagner (2001) • Ashcraft, Engler (2002) • Yang, Kremenek, Xie, Engler (2003) • Huang, Yu, Hang, Tsai, Lee (2004) • Livshits and Lam (2005) • Xie and Aiken (2006) • Jovanovic, Kuregel, Kirda (2006) • …many others Coverity Confidential: Do not distribute

  16. Making it work in the real world Build Systems Parsing Code Analysis time Configuration for the code Noise versus False Positives What to report Reviewing the results PHP Code C Code Java Code C++ Code Coverity Confidential: Do not distribute

  17. Evil Tetris /* * Set times to 0 except for * high score on each level. */ for (i = MINLEVEL; i < NLEVELS; i++)   levelfound[i] = 0; for (i = 0, sp = scores; i < nscores; i++, sp++) {   if (levelfound[sp->hs_level])     sp->hs_time = 0;   else {     sp->hs_time = 1;     levelfound[sp->hs_level] = 1;   } } Coverity Confidential: Do not distribute

  18. Do you use X? if (getuid() != 0 && geteuid == 0) {      ErrorF(“only root”);      exit(1); } Since without the parentheses, the code is simply checking to see if the geteuid function in libc was loaded somewhere other than address 0 (which is pretty much guaranteed to be true), it was reporting it was safe to allow risky options for all users, and thus a security hole was born. - Alan Coopersmith, Sun Developer Coverity Confidential: Do not distribute

More Related