200 likes | 381 Views
Static Analysis for Security. POSTECH Laboratory for UNIX Security (PLUS) Kwang Yul Seo skyul@postech.ac.kr. Static Analysis for Security. Detecting security problems through source code (or binary) Identifying many common coding problems automatically. Dynamic vs Static.
E N D
Static Analysis for Security POSTECH Laboratory for UNIX Security (PLUS) Kwang Yul Seo skyul@postech.ac.kr
Static Analysis for Security • Detecting security problems through source code (or binary) • Identifying many common coding problems automatically
Dynamic vs Static • Static tools examine the text of a program statically, without attempting to execute it • Source code • Binary • E.g., Java Bytecode • Dynamic • Poor testability: due to hard-to-reach states, unusual circumstances
Manual vs Automatic • Manual • Time cosuming • Auditor dependent • Automatic • Fast • Easy to use
Pitfalls • Aim for good, not perfect • Check a fixed set of patterns, or rules in the code • Require human evaluation • Priority, supression • Undecideable • Rice’s theorem: every non-trivial problem-> halting problem • False negatives <-> False positives
Example of Static Analysis: grep • Grep can be a static analysis tool for security $ grep gets * • Cannot differntiate comments, declarations, defintions… (1) gets(&buf); (2) /* never ever call gets */ (3) int begetsNextChild = 0; • Lexical analysis is required!
Lexical Analysis Tools • ITS4 • FlawFinder(www.dwheeler.com/flawfinder) • RATS(www.securesoftware.com) • Matt Bishop & Mike Dilger’s TOCTOU(time-of-check time-of-use) check tool • Preprocess and tokenize the source files, and then match the result token stream against a library of vulnerable constructs
Lexical Analysis Tool: Pitfalls • No semantic checks! • Many false positives • Must borrow compiler technologies • E.g., AST (Abstract Syntax Tree) • Data-flow analysis
Analysis Scopes • Local analysis • One function at a time • Module-level analysis • One class/or compilation unit • Global(interprocedural) analysis • Entire program • More context is better, but computation grows so fast!
Tool Tradeoffs • Sound vs unsound • Flexible(General) vs special-purpose • General tools are able to read definitions of bugs and apply them
Example: Boon • Integer range analysis • Catch bugs indexing an array outside its bounds in C • However, Bool is imprcise • Ignores statement order • Can’t model interprocedural dependencies • Ignores pointer aliasing
Example: CQual • Inspired by Perl’s taint mode • Detects format string vulnerabilities in C programs • Use type qualifiers to perform a taint analysis • Annotate a few variables as tainted/untainted • Use type inference rules to propagate the qualifiers • The system can check format string bugs by type checking
Example: xg++ • Use template-driven compiler extension to find kernel vulnerabilities in Linux/OpenBSD • Looks for locations where kernel uses data from untrusted source without checking it first • E.g., A user can cause the kernel to allocate memory and not free it • A user can cause the kernel to deadlock
Example: Eau Claire • Use a theorem-prover to create a general specification-checking framework for C programs • Find common security bugs • Buffer overflows • File access race conditions • Format string bugs • Developers can use specifications to verify that a function implementations behave as expected
Example: MOPS • Model-checking approach to look for violations of temporal safety properties • Developer can model their own safety properties • Privilege management errors • Incorrect construction of chroot jails • File access race conditions • Ill-conceived temporary file schemes
Example: Splint • Extends lint concept into security realm • By adding annotations, find • Abstraction violations • Unannounced modifications to global variables • Possible use-before-initialization • Reason about minimum and maximum array bounds accesses if it is provided with function pre and post conditions
Example: Other tools • ESP, a large-scale property verification approach • Model checkers such as SLAM and BLAST • Use predicate abstraction to examine program safety properties • FindBugs, a lightweight checker with a good reputation for unearthing common errors in Java programs
Further Requirements • Easy to use even for non-security people • Easy to apply regularly
References • Static Analysis for Security by Gary McGraw http://www.cigital.com/papers/download/bsi5-static.pdf