330 likes | 533 Views
Software Security with Static Code Analysis Using CAT.NET. Andreas Fuchsberger Information Security Technologist Microsoft. Agenda. Code Analysis/Code Inspection Motivation Static Code Analysis History Current technologies CAT.NET How CAT.NET works Installation Use Demo.
E N D
Software Security with Static Code Analysis Using CAT.NET Andreas Fuchsberger Information Security Technologist Microsoft
Agenda • Code Analysis/Code Inspection • Motivation • Static Code Analysis • History • Current technologies • CAT.NET • How CAT.NET works • Installation • Use • Demo
Given Enough Eyeballs All Bugs Are Shallow • The Cathedral and the Bazaar by Eric S. Raymond (O'Reilly Media, 1999)
Code Inspection • Too good to be true • If the eyes don’t know what to look for, they are likely to miss security bugs • Who looks at code anyway? • Code inspection is tedious and error prone: Automation is needed • See Writing Secure Code, Second Edition by Michael Howard and David LeBlanc (Microsoft Press®, 2003)
Building Secure Software • Building Secure Software by John Viega and Gary McGraw (Addison-Wesley, 2001)
From Building Secure Software One example to consider is the GNU Mailman project, an open-source mailing list management package originally written by one of us (Viega). Mailman has been used at an impressive number of places during the past several years to run mailing lists. But for three years, Mailman had a handful of obvious and glaring security problems in the code. (Note that the code was written before we knew or cared much about security!)
From Building Secure Software These problems were of the type that any person armed with grep and a single iota of security knowledge would have found in seconds. Even though we had thousands and thousands of installs during that time period, no one reported a thing. The horrible thing here is that the problem in Mailman persisted for four years, despite being packaged in products you’d expect to be security conscious, such as the Red Hat Secure Web Server product.
IPsec Encryption Only Flaw • “Attacking IPsec Standards in Encryption-only Configurations” byJean Paul Degabriele and Kenneth G. Paterson (IEEE Symposium on Security and Privacy,2007) • 2007 saw the discovery of a fundamental problem in the design of IPsec ESP only configuration • IPsec RFC standards (2401-2406) were published in 1998
Code Inspection • Too good to be true • If the eyes don’t know what to look for, they are likely to miss security bugs • See Writing Secure Code, Second Edition by Michael Howard and David LeBlanc (Microsoft Press, 2003) • Chapter 2: “Section Education Proves the More Eyes Fallacy” • Who looks at code anyway? • Code inspection is tedious and error prone: Automation is needed
Code Inspection • C Lint preprocessor first appeared in 1979 • “Using Programmer-Written Compiler Extensions to Catch Security Holes” by K. Ashcraft and D. Engler (IEEE Symposium on Security and Privacy, 2002) • Meta-compilation for C source code; ‘expert system’ incorporating rules for known issues: untrustworthy sources sanitizing checks trust sinks; raises alarm if untrustworthy input gets to sink without proper checks • Code analysis to learn new design rules: Where is the sink that belongs to the check we see? • Microsoft has had its own code inspection tools PreFix and PreFast for some time and these have been integrated into Microsoft® VisualStudio® as well Microsoft® FxCop • 2005: Microsoft® Code Analysis Tool .NET (CAT.NET) • 2008: CAT.NET Community Technology Preview (CTP)
Program Analysis • Area of computer science in its own right • Relevant for software security: Adapt methods to look for security problems • Objectives (for theoreticians): • Soundness: no false alarms • Completeness: finds all bugs in a given class • Objectives (for practitioners): • Useful results; picking the low-hanging fruit is fine; low false alarm rate
Static Code Analysis in the SDL Build Plan Test Field Firewalls Intrusion Detection Penetration Testing Build Plan Test Field Static Code Analysis Threat Modelling Security Requirements From: Secure Programming with Static Analysis
The Quality Fallacy • Often held misconception: • Software Security is another case of Software Quality • Most testing concentrates on functionality • Security testing focuses on lack of functionality • Implementations may have functionality outside of the original requirements • But building secure software often improves overall quality
Source Code Review • No one claims that source code review is capable of identifying all problems, but consensus is that source code review has a major part to play in any software security process
Static Code Analysis • Static code analysis describes the process by which computer software analysis is performed without actually executing binary code that makes up the software • Static analysis can be performed on the original source code or the binary code produced by the compiler
Capabilities and Limitations • Checks are performed consistently and thoroughly • Can find cause of security problem rather than just report the symptom • Static analysis can find bugs before the code runs or even compiles • Once new class of vulnerability is discovered, old code can be rechecked
Capabilities and Limitations • Most common complaint: • False positives • False negatives • Implementation limitations • Speed • Size of code base • Usability
Problem Classes for Static Analysis • Type checking • Style checking • Program understanding • Program verification • Property checking • Bug finding • Security review
Static Analysis Techniques • Access control • Information flow • Integrity violations • Confidentiality violations • API conformance
CAT.NET • CAT.NET is an information-flow type static analysis tool using an implementation of tainted-variable analysis • Tainted-variable analysis is an integrity problem in which that tries to identify whether less-trusted data obtained from the user might influence other data that the system trusts
How CAT.NET Works • CAT.NET uses a combination of Control Flow and Data Flow Graphs to build the relation for every object in every module supplied to CAT.NET • Control Flow Graphs • Data Flow Graphs • Data Flow Super Graphs
CAT.NET CTP Release • Current release is CTP available for free by searching for CAT.NET at http://msdn.microsoft.com • Available as plug-in for Microsoft® VisualStudio® 2008 or VisualStudio® 2005 in 32-bit, includes a command-line version, CATNETCmd.exe • Available as 64-bit command-line version, only for large projects
Installing CAT.NET CAT.NET Demo
Installation and Use • Setup.exe install • Plug-in installs under the tools menu in VisualStudio • Starting the plug-in opens the CAT.NET user interface • Clicking the Play button runs the analysis across all binaries that are part of the project
CAT.NET Rules • Rules are XML files stored in rules subdirectory • Currently they include: • Cross-Site Scripting • SQL Injection • Process Command Injection • File Canonicalization • Exception Information • LDAP Injection • XPATH Injection • Redirection to User Controlled Site
The CAT.NET UI CAT.NET Demo
Analysis Results • Analysis can take some time • Results are presented in as a list in the GUI • Includes information relating to the cause of the vulnerability • Allows export to Microsoft® Office Excel®
Command-Line Use • Alternative method for invoking CAT.NET • Only available option for 64-bit implementation • Command-line parameters • Output is written to an XML file as well as an HTML
Summary • Secure software must be able to handle intentionally malformed inputs • Code therefore has to detect malformed inputs. Don’t trust your inputs! • Test your code to detect whether there are malformed inputs that are not detected • For the malformed inputs detected, pay attention to the error handlers
The CAT.NET Command-Line Interface CAT.NET Demo
Further Reading and Information • .NET Framework Security by Brian LaMacchia, Sebastian Lange, and others (Addison-Wesley, 2002) • Secure Programming with Static Analysis by Brian Chess and Jacob West (Addison-Wesley, 2007) • http://blogs.msdn.com/cisg
Questions and Answers • Submit text questions using the “Ask” button • Don’t forget to fill out the survey • For upcoming and previously live webcasts: www.microsoft.com/events/developer.mspx • Got webcast content ideas? Contact us at: http://go.microsoft.com/fwlink/?LinkId=41781