Omer Tripp, November 9th, 2009
Static Analysis for Security: A Case Study in the Automation of Code Auditing
Feb 08, 2016
Agenda
• Motivation
• Solution space
• Security violations
• Taint analysis
• Demo
• Conclusion
Some Statistics
• Average number of bugs per KLOC is 15 [1]
• Developers find 6 defects per hour in code reviews [2]
Some Math
• There are 30 MLOC in e-Bay’s codebase
  – ~45K bugs
  – ~7.5K hours to find
• There are 50 MLOC in Windows Server 2003
  – ~75K bugs
  – ~12.5K hours to find
Some More Statistics
• Heavy-weight static-analysis techniques process ~1K LOC per second
• Light-weight static-analysis techniques process ~5K LOC per second
• Human reviewers can only (effectively) digest 300 LOC per hour = 0.2 LOC per second [3]
Bottom Line
• Manual auditing is problematic:
  – Too costly!
  – Doesn’t fit into the SDLC
  – Results influenced by subjective considerations
• Sometimes it’s also impossible:
  – 3rd-party component packaged as binary
  – Human auditing leaks IP
  – No in-house experts
What Can Automation Do?
• Wide range of applications, including:
  – Run-time errors (e.g., NPE, unhandled exceptions, etc.)
  – Security analysis
  – Performance analysis
  – Liveness properties
  – Synchronization problems
  – Quality issues
  – Refactoring
  – …
Static-analysis Tools
Dynamic-analysis Tools
Software Security
• Integrity
  – Untrusted inputs flowing into security-sensitive areas
• Confidentiality
  – Private information flowing into public areas
• DoS
  – Overwhelming the system
  – Causing crashes
Exemplary Integrity Violations
• Cross-site Scripting
• SQL injection (SQLi)
Exemplary Confidentiality Violations
• Error leakage
• Insufficient anonymity
Denial of Service
• Classic DoS/DDoS
• Through an integrity problem
Code Examples

XSS:

public partial class Customize : System.Web.UI.Page {
    …
    protected void Page_Load(object sender, System.EventArgs e) {
        …
        string langParam = Request.QueryString["lang"];   // untrusted input (source)
        …
        if (langParam != "") {
            lang = langParam;
        }
        …
        langLabel.Text = lang;                            // written to the page unencoded (sink)
        …
    }
    …
}

SQLi:

public partial class Transfer : System.Web.UI.Page {
    …
    protected void Page_Load(object sender, System.EventArgs e) {
        …
        string thisUser = Request.Cookies["amUserId"].Value;   // untrusted input (source)
        GetAccounts(thisUser);
        …
    }
    …
    private void GetAccounts(string userId) {
        …
        // untrusted value concatenated into the query text (sink)
        string query = "SELECT accountid, acct_type From accounts WHERE userid = " + userId;
        …
        myAccount = new OleDbDataAdapter(query, myConnection);
        …
    }
    …
}
Taint Analysis
• The problem of finding flows from unchecked/poorly checked inputs to security-sensitive operations
• Can be solved as a graph-reachability problem
• Captures the vast majority of integrity/confidentiality problems
Bird’s-eye View
• Build an index of all relevant entities (type hierarchy, methods, etc.)
• Represent the program as a call graph
• Track control and data flow on top of the call graph
• Solve a reachability problem on top of the propagation graph (modulo some enhancements)
Taint Analysis Based on Program Slicing [4,5]
• Run the following algorithm:
  – Use statements defining untrusted inputs as the slicing criterion
  – Find the set S of all statements that are (control-) and data-flow dependent on the slicing criterion
  – For each s in S such that s is a security-sensitive operation, report all flows from statements in the slicing criterion to s
Taint Analysis Based on a Storeless Abstraction
(the set of tainted access paths after each statement is shown on the right)

X x = req.getParameter();      { x }
Y y = new Y();                 { x }
y.f = x;                       { x, y.f }
Z z = y.f;                     { x, y.f, z }
resp.getWriter().write(z);     sink: tainted z flows into write()
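As an added worked example (not from the original slides), the storeless abstraction above carried out by a toy forward taint analysis in Python: it propagates the set of tainted access paths through the five statements and reports a flow when a tainted path reaches the sink. The statement encoding, PROGRAM, is_tainted, kill, transfer and analyze are all constructed here, and aliasing is ignored (a write to y.f kills only y.f and its sub-paths).

```python
from typing import FrozenSet, List, Tuple

# Constructed statement encoding (not a real IR):
#   ("source", dst)        dst = untrusted input
#   ("new", dst)           dst = fresh, untainted object
#   ("assign", dst, src)   dst = src; access paths look like "v" or "v.f"
#   ("sink", src)          src flows into a security-sensitive operation
Stmt = Tuple[str, ...]

# The five-statement program from the slide, encoded by hand.
PROGRAM: List[Stmt] = [
    ("source", "x"),         # X x = req.getParameter();
    ("new", "y"),            # Y y = new Y();
    ("assign", "y.f", "x"),  # y.f = x;
    ("assign", "z", "y.f"),  # Z z = y.f;
    ("sink", "z"),           # resp.getWriter().write(z);
]

def is_tainted(path: str, tainted: FrozenSet[str]) -> bool:
    """A path is tainted if it, or any prefix of it (y for y.f), is tainted."""
    parts = path.split(".")
    return any(".".join(parts[:i]) in tainted for i in range(1, len(parts) + 1))

def kill(path: str, tainted: FrozenSet[str]) -> FrozenSet[str]:
    """Drop path and everything below it (y kills y.f); no aliasing is modelled."""
    return frozenset(p for p in tainted if p != path and not p.startswith(path + "."))

def transfer(tainted: FrozenSet[str], stmt: Stmt) -> FrozenSet[str]:
    """Tainted access paths after stmt, in the storeless abstraction."""
    kind = stmt[0]
    if kind == "source":
        return kill(stmt[1], tainted) | {stmt[1]}
    if kind == "new":
        return kill(stmt[1], tainted)
    if kind == "assign":
        dst, src = stmt[1], stmt[2]
        after = kill(dst, tainted)
        return after | {dst} if is_tainted(src, tainted) else after
    return tainted  # sink: reading a value does not change the abstract state

def analyze(program: List[Stmt]):
    """Forward pass: per-statement tainted sets plus (index, path) of each tainted sink."""
    states, flows, tainted = [], [], frozenset()
    for i, stmt in enumerate(program):
        if stmt[0] == "sink" and is_tainted(stmt[1], tainted):
            flows.append((i, stmt[1]))
        tainted = transfer(tainted, stmt)
        states.append(set(tainted))
    return states, flows
```

Re-running the analysis on a variant where y is re-allocated before the read (a second ("new", "y") after the field write) shows the kill in action: y.f drops out of the set, z stays clean and no flow is reported.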
Challenges
• The infamous precision-scalability tradeoff
• External resources
  – Configuration files
  – Framework-specific configurations
• Beyond graph reachability…
• SDLC-induced use cases
Precision versus Scalability
• Modular analysis
• Demand-driven strategies
External Resources
• Synthetic models
• Sometimes ignorance is bliss…
Beyond Graph Reachability
• PQL [6]
• String analysis [7]
SDLC-induced Use Cases
• Incremental analysis
• Parallelization on multi-core build servers
DEMO
The Remaining 8 Yards
• Instead of killing n birds with 1 stone, use n stones to kill 1 bird (like humans)
• How do we catch up with changes in technology?
• How do we tailor the analysis to the needs of different users?
• Useful heuristics often resist formal definition
References
[1] S. McConnell. Code Complete: A Practical Handbook of Software Construction.
[2] W. S. Humphrey. Acquiring Quality Software. CrossTalk, 18-12.
[3] Code Review at Cisco Systems.
[4] O. Tripp et al. TAJ: Effective Taint Analysis of Web Applications.
[5] C. Hammer and G. Snelting. Flow-sensitive, Context-sensitive, and Object-sensitive Information-flow Control Based on Program Dependence Graphs.
[6] B. Livshits and M. Lam. Finding Application Errors and Security Flaws Using PQL: a Program Query Language.
[7] M. Christodorescu et al. String Analysis for x86 Binaries.