220 likes | 395 Views
Teachable Static Analysis Workbench . by Igor Konnov, Dmitry Kozlov. Project goal. To build a tool, teachable by security analyst, which helps to verify that web application has the appropriate security mechanisms and they are used in right way.
E N D
Teachable Static Analysis Workbench • by Igor Konnov, • Dmitry Kozlov
Project goal To build a tool, teachable by security analyst, which helps to verify that web application has the appropriate security mechanisms and they are used in right way. One more idea: look at this project as integration project: investigate can different OWASP tools and docs work together?
Motivation • Manual code review is boring, so error-prone work. Static analysis tools are helpful to perform routine checks. • Web apps varies in frameworks, libraries, security technologies. So, static analysis tool have to support every technology, library, etc. to be applicable. • Vulnerabilities varies depending on technologies used in web app: XSS, SQLI, LDAPI, etc.
Teaching static analyzer Input validation vulnerabilities: XSS, SQLI, HTTP Response Splitting, and more. Are they so different? • All of them are dataflow from some source of “tainted” data provided by malicious user to some sensitive function (system call, HTTP headers, HTML page,…) • They differ in technologies: when using LDAP sensitive function is LDAP modification, for SQL – query execution, etc. • They differ in source of tainted data: request parameters, database records, files, etc.
Teaching static analyzer Security mechanisms are different • mysql_real_escape_string() • public static boolean validateRequired(Object bean, Field field) { String value = ValidatorUtil.getValueAsString(bean, field.getProperty()); return GenericValidator.isBlankOrNull(value);} • XML validators: <name>email</name> <pattern>^[\w-]+(?:\.[\w-]+)*@(?:[\w-]+\.)+[a-zA-Z]{2,7}$</pattern>
ESAPI Secure Coding Guide’s patterns • Authentication • All HTTP requests for transactions shall be verified using the HTTPUtilities.verifyCSRFToken() • All requests for pages that require authentication shall call the ESAPI.authenticator().login() method. • Access Control • The application shall use assertAuthorizedForFile() to verify authorization before allowing access to files. • Input Validation • The application shall add all custom cookies with ESAPI.httpUtilities().safeAddCookie() to ensure they are properly secured. • Banned API • Replace ServletResponse.setContentType() withHTTPUtilities.setContentType()
Teaching static analyzer to ESAPI ESAPI Secure Coding Guide: “call stack at some program point should (not) contain some call”: HTTPServlet.service() method shouldn’t call ServletResponse.addCookie(), but HTTPUtilities().safeAddCookie(). => SA must be capable of searching patterns on Call Graph or Control Flow Graph. Teaching is creating logical expressions on these graphs.
Key requirements to Security Analysis Workbench • Teachable: • about technologies • about vulnerabilities • about security mechanisms • Reuse of analyst knowledge: teach once and reuse for many web applications • Recalculation of results on the fly • The tool should work as part of Eclipse IDE
How to work with Teachable Static Analysis Workbench
What is inside Teachable Static Analysis Workbench
Static analyzers • LAPSE • unsupported, no users community, lastest source is unavailable, doesn’t work with current stable Eclipse, very primitive analysis, works slow. • FindBugs • alive project: good documentation and code, broad users community, intraprocedural analysis for XSS: need to be extended, Eclipse integration. • PQL • interesting analysis, lack of documentation, very limited community, immature implementation. • Indus • mature project, good community, very sophisticated, slower than FindBugs.
Workbench architecture TeSA Eclipse Plugin HelloWorld.java: … Request.getParameter(“login”) … Analysis configuration TeSA Eclipse Plugin Mark method as tainted source modified FindBugs .class SecBugs plugin for FindBugs javac modified FindBugs Eclipse Plugin JSP Precompiler Eclipse source code markers *.java *.jsp
Status and Future Steps Current status is beta. Reviewers promised to finish 100% review soon Future work: • GUI improvements: view vulnerabilities in Eclipse Project explorer. • Support for XML-based and annotation-based validations. • Support for ESAPI-like patterns: give analyst ability to create expressions on Call Graph and CFG. • Support “on the fly” analysis. • Backports of FindBugs improvements to FindBugs project.
Closing: project contribution • Secbugs - interprocedural tainted analysis, configurable to different types of input validation vulnerabilities. • TeSA – “teaching” environment, which allows security analyst to markup code Eclipse source editor and creates configuration for Secbugs. • JSP support • SA can rerun continuously but it’s real “on the fly”. • LAPSE port to Eclipse 3.4. But actually our tool makes use of LASPE deprecated.