Static Analysis of the VoteHere VHTi Reference Implementation Using Flawfinder and RATS
Markus Dale, December 2005
Outline
• Results
• New and Significant
• Static Analysis and Limitations
• Previous Work
• Flawfinder/RATS
• VoteHere Sentinel and VHTi Reference Implementation
• Static Analysis Results
• Future Work
• References
Results
• Static analysis with Flawfinder and RATS found only 19 potential security problems in over 10,000 lines of source code.
• None of them is a vulnerability in the library on its own; each must be mitigated from within the system that uses the VHTi Reference Implementation API.
• Different static analysis tools have different trade-offs; use as many tools as possible.
• False positives can consume a large amount of review time.
New and Significant
• Applies the Flawfinder and RATS open source static analysis tools to the VoteHere VHTi Reference Implementation.
• Compares the performance of Flawfinder and RATS against each other on the VHTi Reference Implementation.
Static Analysis
• Techniques, compiled from the Michael/Lavenhar overview:
  • Potentially insecure library functions
  • Database of vulnerabilities
  • Type confusion between references and pointers
  • Detection of memory allocation errors: double free, write to freed memory, buffer overflow
  • Temporal safety constraints (ordered steps)
  • Data flow analysis: tainted variables
  • Pointer aliasing analysis: two pointers to the same memory location
Limitations of Static Analysis
• The problem is bounded by Rice's Theorem: there exists no automatic method that decides, in general, non-trivial questions about the black-box behavior of computer programs (Wikipedia).
• False positives vs. false negatives: a tool has to trade one against the other.
• Scope of analysis: local (single function), module, or whole program.
Previous Work
• Static analysis best practice from the DHS Build Security In site (which also has an overview of tools)
• Microsoft SLAM project: the Static Driver Verifier uses the Specification Language for Interface Checking (SLIC) to encode temporal safety constraints (Ball/Rajamani)
• MOPS: model checking programs for security properties (Chen/Wagner)
More Previous Work
• Flanagan et al., ESC/Java: an automated theorem prover that checks for null dereferences, array bounds errors, type cast errors and race conditions
• Livshits, DynaMine: adds revision history information to the analysis
• Blanchet et al., A Static Analyzer for Large Safety-Critical Software: refinements and parameterization of the analysis
Flawfinder
• By David Wheeler, author of the Secure Programming for Linux and Unix HOWTO; latest release 2004
• Lexical analysis of C/C++ against a database of risky functions; reports:
  • Buffer overflow risks, e.g. strcpy(), strcat(), gets(), sprintf(), scanf()
  • Format string problems: [v][f]printf(), [v]snprintf() and syslog()
  • Time Of Check to Time Of Use (TOCTOU) race conditions
  • Poor random number acquisition
Rough Auditing Tool for Security (RATS)
• By Secure Software; latest release 2002
• Commercial offering: CodeAssure
• Lexical analysis against a database of risky calls for C/C++, Perl, PHP and Python; reports:
  • Buffer overflow problems
  • TOCTOU race conditions
VoteHere Sentinel
• Add-on to the Diebold AccuVote-TS that independently verifies election results
• Based on Neff's verifiable secret shuffle for e-voting, implemented as the VHTi Reference Implementation
• The Reference Implementation is freely downloadable
VHTi Reference Implementation Docs
• API Developer's Guide: how to build, third-party libraries, usage, security concerns, DTDs for the XML data structures
• Known Issues document: results from reviews
• VHTi Threat Analysis document: attack tree and mitigation techniques
RATS: getenv warning
  ./util/result.cpp:625: High: getenv
  ./util/vh_cout.cpp:123: High: getenv
  Environment variables are highly untrustable input. They may be of any length, and contain any data. Do not make any assumptions regarding content or length. If at all possible avoid using them, and if it is necessary, sanitize them and truncate them to a reasonable length.
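What the RATS advice looks like in code, as an added example rather than code from the VHTi Reference Implementation or from the presentation: one wrapper that is the only place the program calls getenv(), with the length bound and the character allowlist enforced before the value is used. The limit kMaxEnvLen, the function names and the use of LANG in main() are assumptions made for this example.

```cpp
#include <cctype>
#include <cstdio>
#include <cstdlib>
#include <string>

// Upper bound on the length of any value accepted from the environment.
// Hypothetical limit chosen for this example; pick one that fits the setting.
static const std::size_t kMaxEnvLen = 256;

// Validate and bound a raw environment value. Succeeds, and fills `out`, only
// if the value is set, non-empty, no longer than kMaxEnvLen and made up solely
// of characters in `allowed` (an empty `allowed` means: any printable ASCII).
// Taking the raw pointer rather than calling getenv() here keeps the policy
// testable without touching the real environment.
bool sanitize_env_value(const char* raw, std::string& out,
                        const std::string& allowed = "")
{
    out.clear();
    if (raw == nullptr) {
        return false;               // variable not set: caller falls back to its default
    }
    // Bounded scan: never look more than kMaxEnvLen + 1 bytes into a value
    // that may be arbitrarily long.
    std::size_t len = 0;
    while (len <= kMaxEnvLen && raw[len] != '\0') {
        ++len;
    }
    if (len == 0 || len > kMaxEnvLen) {
        return false;               // empty or over the limit: reject rather than truncate
    }
    for (std::size_t i = 0; i < len; ++i) {
        unsigned char c = static_cast<unsigned char>(raw[i]);
        bool ok = allowed.empty() ? (std::isprint(c) != 0)
                                  : (allowed.find(raw[i]) != std::string::npos);
        if (!ok) {
            return false;           // control bytes or characters outside the allowlist
        }
    }
    out.assign(raw, len);
    return true;
}

// The single place the program reads the environment.
bool read_env(const char* name, std::string& out, const std::string& allowed = "")
{
    return sanitize_env_value(std::getenv(name), out, allowed);
}

int main()
{
    std::string value;
    // LANG is only an illustration; the real program would name its own variables.
    if (read_env("LANG", value)) {
        std::printf("LANG accepted: %s\n", value.c_str());
    } else {
        std::printf("LANG rejected or unset; using built-in default\n");
    }
    return 0;
}
```

RATS suggests truncating over-long values; this example rejects them instead, because a silently truncated path or name can end up pointing at something the operator never intended. Either way the decision is made once, in one wrapper, rather than repeated at every getenv() call site the tool flags.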
Flawfinder: Warning about memcpy
  ./pki/crypt.cpp:244: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination. Make sure destination can always hold the source data.
Memcpy Mitigation
  if (sizeof (iv) != initialization_vector.size ()) {
      ...
      throw VHUtil::Exception (...)
  }
  memcpy (iv, initialization_vector.data (), initialization_vector.size ());
The destination size is compared with the source length before the copy, so the memcpy cannot write past iv; the warning is a false positive here. The check only works because iv is a fixed-size array in scope: applied to a pointer, sizeof would yield the pointer width and the comparison would be meaningless.
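The same mitigation generalized into a small function, as an added example that is not VHTi code and is not taken from the presentation: the unchecked copy Flawfinder reports next to the checked one, with the length check requiring an exact match rather than merely "fits". The 16-byte IV width, the IvBuffer type and the function names are assumptions made for this example.

```cpp
#include <cstdio>
#include <cstring>
#include <stdexcept>
#include <string>
#include <vector>

// Fixed IV width: 16 bytes, as for a 128-bit block cipher (assumption).
static const std::size_t kIvBytes = 16;

struct IvBuffer {
    unsigned char iv[kIvBytes];
};

// The pattern Flawfinder flags at level 2: the copy length comes from the
// caller's vector while the destination is a fixed array. Shown only for
// contrast; calling it with src.size() > kIvBytes writes past dst.iv.
void load_iv_unchecked(IvBuffer& dst, const std::vector<unsigned char>& src)
{
    std::memcpy(dst.iv, src.data(), src.size());
}

// The mitigation from the slide: compare the destination size with the
// source length before copying and reject a mismatch in either direction.
// Requiring equality rather than src.size() <= sizeof(dst.iv) matters for
// an IV: a short input would leave stale bytes in the tail of dst.iv and
// the caller would encrypt with an IV it never chose.
void load_iv(IvBuffer& dst, const std::vector<unsigned char>& src)
{
    // sizeof(dst.iv) is the array size because iv is an array member,
    // not a pointer.
    if (sizeof(dst.iv) != src.size()) {
        throw std::invalid_argument(
            "IV length " + std::to_string(src.size()) +
            " does not match required " + std::to_string(sizeof(dst.iv)));
    }
    std::memcpy(dst.iv, src.data(), src.size());
}

// Non-throwing convenience: true if the IV was accepted and copied.
bool try_load_iv(IvBuffer& dst, const std::vector<unsigned char>& src)
{
    try {
        load_iv(dst, src);
        return true;
    } catch (const std::invalid_argument&) {
        return false;
    }
}

int main()
{
    IvBuffer buf = {};
    // Constructed inputs: one of the right width, one too long, one too short.
    std::vector<unsigned char> exact(kIvBytes, 0xAB);
    std::vector<unsigned char> over(kIvBytes + 1, 0xCD);
    std::vector<unsigned char> under(kIvBytes - 1, 0xEF);
    std::printf("exact: %s\n", try_load_iv(buf, exact) ? "accepted" : "rejected");
    std::printf("over:  %s\n", try_load_iv(buf, over) ? "accepted" : "rejected");
    std::printf("under: %s\n", try_load_iv(buf, under) ? "accepted" : "rejected");
    return 0;
}
```

A lexical tool cannot see the comparison two lines above the memcpy, which is why this call still shows up in the 64 Flawfinder warnings; reviewing each one by hand is where the false-positive cost in the results comes from.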
Results from Static Analysis
• Flawfinder: 64 warnings total, 9 actual problems (total-to-actual ratio about 7:1)
• RATS: 41 warnings total, 14 actual problems (about 3:1)
• Problems reported by both tools: 4
• Unique problems: 19
• Statically declared arrays: 36 unique declarations (Flawfinder reported 32, RATS 20)
Findings
• The 19 potential problems are not problems by themselves
• Defensive programming is already applied around them
• Library code is written for the greatest reusability, so it cannot know its caller's inputs
• The implementing system must apply the mitigation techniques and use the API correctly
Future Work
• Use a commercial static analysis tool such as Klocwork K7, Ounce Labs Prexis or Secure Software CodeAssure
• Analyze the complete source code of the VoteHere Sentinel system
Selected References
• Chess, B. & McGraw, G. (2004), "Static analysis for security", IEEE Security & Privacy 2(6), pp. 76-79.
• Flanagan, C.; Leino, K.R.M.; Lillibridge, M.; Nelson, G.; Saxe, J.B. & Stata, R. (2002), "Extended static checking for Java", in PLDI '02: Proceedings of the ACM SIGPLAN 2002 Conference on Programming Language Design and Implementation, ACM Press, New York, NY, USA, pp. 234-245.
• Martin, M.; Livshits, B. & Lam, M.S. (2005), "Finding application errors and security flaws using PQL: a program query language", in OOPSLA '05: Proceedings of the 20th Annual ACM SIGPLAN Conference on Object-Oriented Programming, Systems, Languages, and Applications, ACM Press, New York, NY, USA, pp. 365-383.
More Selected References
• Neff, C.A. (2001), "A verifiable secret shuffle and its application to e-voting", in CCS '01: Proceedings of the 8th ACM Conference on Computer and Communications Security, ACM Press, New York, NY, USA, pp. 116-125.
• RABA (2004), "Trusted Agent Report: Diebold AccuVote-TS Voting System", http://www.raba.com/press/TA_Report_AccuVote.pdf.
• Michael, C. & Lavenhar, S.R. (2005), "Source Code Analysis Tools: Overview", https://buildsecurityin.us-cert.gov/portal/article/tools/code_analysis/overview.xml, published via the U.S. Department of Homeland Security Build Security In website.