1 / 27

Application Security – The code analysis way

Application Security – The code analysis way. Maty Siman CTO Checkmarx. Agenda. Algorithms and code. Data Flow Graph. Represents the flow of data through code. Each LOC has its own vertex.

mei
Download Presentation

Application Security – The code analysis way

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Application Security – The code analysis way Maty Siman CTO Checkmarx

  2. Agenda • Algorithms and code

  3. Data Flow Graph • Represents the flow of data through code. • Each LOC has its own vertex. • Edge represents direct influence of data in the source vertex on the data in the destination vertex (therefore, assignment statements are source vertexes)

  4. Data Flow Graph (cont.) void main() { int j = 0; int i = 0; while (i < 10){ if (i == 3){ j=j*2; } j = j + i; i = i + 1; } printf ("%d\n", j); printf ("%d,n", i); }

  5. Interprocedure Data Flow Graph Void foo() { int a = calc(1); ++a; int b = calc(2) ++b; } Int calc(int i) { retrurn i*2; }

  6. Interprocedure Data Flow Graph Void foo() { int a = calc(1); ++a; int b = calc(2) ++b; } Int calc(int i) { retrurn i*2; }

  7. Tainted value propagation • Can be used for many vulnerabilities: • SQL Injection • XSS • Stored XSS • Second Order SQL Injection • Log forgery • Some types of race condition • LDAP Injection • Command injection • Directory traversal • … Input Data influencing on XXXX And not sanitized by YYYY

  8. But … • Parameters • Data members • Static variables • Events • Global • Generics • And many manymanymanymany more issues • Resolve - Code most compile? • Direct Access to the engine?

  9. And again - SQL Injection Parameterized queries SqlConnection con = (acquire connection) con.Open(); SqlCommand cmd = new SqlCommand ("SELECT * FROM users WHERE name = @userName", con) cmd.Parameters.Add("@userName", userName); SqlDataReader rdr = cmd.ExecuteReader()

  10. more SQL Injection What about: data=input() if (isValid(data)) { SqlCommand cmd = new SqlCommand ("SELECT * FROM users WHERE age = “ + data, con) }

  11. Control Dependence Graph • Enhances CFG. • Each LOC has its own vertex • Edge B is directed by edge A iff the execution if B depends on the execution of A

  12. Control Dependence Graph (cont.) void main() { int j = 0; int i = 0; while (i < 10){ if (i == 3){ j=j*2; } j = j + i; i = i + 1; } printf ("%d\n", j); printf ("%d,n", i); }

  13. What is the benefit of super-imposing graphs? bool b = true;if (b) { ExecuteCommand(x); }

  14. Slicing • Finding a relevant subset of the application void main() { int sum = 0; inti = 1; while (i < 11) { sum = sum + i; i = i + 1; } printf (“%d\n”, sum); printf (“%d\n”, i); }

  15. Slicing • Finding a relevant subset of the application void main() { int sum = 0; inti = 1; while (i < 11) { sum = sum + i; i = i + 1; } printf (“%d\n”, sum); printf (“%d\n”, i); }

  16. CDG Sum = 0 Start i = 1 While (i<11) Printf(sum) Printf(i) Sum +=i ++i

  17. DFG Sum = 0 i = 1 While (i<11) Printf(sum) Printf(i) Sum +=i ++i

  18. (DFG+CDG)’ Sum = 0 i = 1 While (i<11) Printf(sum) Printf(i) Sum +=i ++i

  19. (DFG+CDG)’ Sum = 0 i = 1 While (i<11) Printf(sum) Printf(i) Sum +=i ++i

  20. Some security string FixSql(string s) { string res = ""; if (...) res = ... return res; } void Execute(string s) { ExecuteReader(s); } void foo() { string s1,s2,s3; s1 = Input(); s2 = Input(); s3 = FixSql(s1); Execute(s3); Execute(s2); Execute(s1); s1 = s3;s2 = s1; Execute(s1); }

  21. Some security string FixSql(string s) { string res = ""; if (...) res = ... return res; } void Execute(string s) { ExecuteReader(s); } void foo() { string s1,s2,s3; s1 = Input(); s2 = Input(); s3 = FixSql(s1); Execute(s3); Execute(s2); Execute(s1); s1 = s3;s2 = s1; Execute(s1); } Backward slicing Backward slicing Backward slicing Backward slicing

  22. Some security string FixSql(string s) { string res = ""; if (...) res = ... return res; } void Execute(string s) { ExecuteReader(s); } void foo() { string s1,s2,s3; s1 = Input(); s2 = Input(); s3 = FixSql(s1); Execute(s3); Execute(s2); Execute(s1); s1 = s3;s2 = s1; Execute(s1); } Backward slicing Backward slicing Backward slicing Backward slicing

  23. Some security string FixSql(string s) { string res = ""; if (...) res = ... return res; } void Execute(string s) { ExecuteReader(s); } void foo() { string s1,s2,s3; s1 = Input(); s2 = Input(); s3 = FixSql(s1); Execute(s3); Execute(s2); Execute(s1); s1 = s3;s2 = s1; Execute(s1); } Forward slicing

  24. Some security string FixSql(string s) { string res = ""; if (...) res = ... return res; } void Execute(string s) { ExecuteReader(s); } void foo() { string s1,s2,s3; s1 = Input(); s2 = Input(); s3 = FixSql(s1); Execute(s3); Execute(s2); Execute(s1); s1 = s3;s2 = s1; Execute(s1); } Forward slicing

  25. Some security string FixSql(string s) { string res = ""; if (...) res = ... return res; } void Execute(string s) { ExecuteReader(s); } void foo() { string s1,s2,s3; s1 = Input(); s2 = Input(); s3 = FixSql(s1); Execute(s3); Execute(s2); Execute(s1); s1 = s3;s2 = s1; Execute(s1); } Chopping on “Execute”

  26. Some security string FixSql(string s) { string res = ""; if (...) res = ... return res; } void Execute(string s) { ExecuteReader(s); } void foo() { string s1,s2,s3; s1 = Input(); s2 = Input(); s3 = FixSql(s1); Execute(s3); Execute(s2); Execute(s1); s1 = s3;s2 = s1; Execute(s1); } Chopping on “Execute”

  27. Q&A Thank you Maty Simanmaty@checkmarx.com OWASP September 2008 27

More Related