Static Analysis for Security A Case Study in the Automation of Code Auditing


Omer Tripp, November 9th, 2009

Agenda

• Motivation
• Solution space
• Security violations
• Taint analysis
• Demo
• Conclusion

Some Statistics

• Average number of bugs per KLOC is 15 [1]
• Developers find 6 defects per hour in code reviews [2]

Some Math

• There are 30 MLOC in e-Bay's codebase
  – ~45K bugs
  – ~7.5K hours to find
• There are 50 MLOC in Windows Server 2003
  – ~75K bugs
  – ~12.5K hours to find

Some More Statistics

• Heavy-weight static-analysis techniques process ~1K LOC per second
• Light-weight static-analysis techniques process ~5K LOC per second
• Human reviewers can only (effectively) digest 300 LOC per hour = 0.2 LOC per second [3]

Bottom Line

• Manual auditing is problematic:
  – Too costly!
  – Doesn't fit into the SDLC
  – Results influenced by subjective considerations
• Sometimes it's also impossible:
  – 3rd-party component packaged as a binary
  – Human auditing leaks IP
  – No in-house experts

What Can Automation Do?

• Wide range of applications, including:
  – Run-time errors (e.g., NPE, unhandled exceptions, etc.)
  – Security analysis
  – Performance analysis
  – Liveness properties
  – Synchronization problems
  – Quality issues
  – Refactoring
  – …

Static-analysis Tools

Dynamic-analysis Tools

Software Security

• Integrity
  – Untrusted inputs flowing into security-sensitive areas
• Confidentiality
  – Private information flowing into public areas
• DoS
  – Overwhelming the system
  – Causing crashes

Exemplary Integrity Violations

• Cross-site Scripting (XSS)
• SQL injection (SQLi)

Exemplary Confidentiality Violations

• Error leakage
• Insufficient anonymity

Denial of Service

• Classic DoS/DDoS
• Through an integrity problem

Code Examples

XSS:

    public partial class Customize : System.Web.UI.Page {
        …
        protected void Page_Load(object sender, System.EventArgs e) {
            …
            // Source: the "lang" query-string parameter is untrusted input
            string langParam = Request.QueryString["lang"];
            …
            // A non-empty check is not a sanitizer; the taint survives it
            if (langParam != "") {
                lang = langParam;
            }
            …
            // Sink: the value is rendered into the page without encoding
            langLabel.Text = lang;
            …
        }
        …
    }

SQLi:

    public partial class Transfer : System.Web.UI.Page {
        …
        protected void Page_Load(object sender, System.EventArgs e) {
            …
            // Source: the "amUserId" cookie value is untrusted input
            string thisUser = Request.Cookies["amUserId"].Value;
            GetAccounts(thisUser);
            …
        }
        …
        private void GetAccounts(string userId) {
            …
            // Sink: the cookie value is concatenated straight into the SQL text
            string query = "SELECT accountid, acct_type From accounts WHERE userid = " + userId;
            …
            myAccount = new OleDbDataAdapter(query, myConnection);
            …
        }
        …
    }

Taint Analysis

• The problem of finding flows from unchecked/poorly checked inputs to security-sensitive operations
• Can be solved as a graph-reachability problem
• Captures the vast majority of integrity/confidentiality problems

Bird's-eye View

• Build an index of all relevant entities (type hierarchy, methods, etc.)
• Represent the program as a call graph
• Track control and data flow on top of the call graph
• Solve a reachability problem on top of the propagation graph (modulo some enhancements)

Taint Analysis Based on Program Slicing [4,5]

• Run the following algorithm:
  – Use statements defining untrusted inputs as the slicing criterion
  – Find the set S of all statements that are (control-) and data-flow dependent on the slicing criterion
  – For each s in S such that s is a security-sensitive operation, report all flows from statements in the slicing criterion to s

Taint Analysis Based on a Storeless Abstraction

The abstract state is the set of tainted access paths after each statement:

    X x = req.getParameter();     // { x }
    Y y = new Y();                // { x }
    y.f = x;                      // { x, y.f }
    Z z = y.f;                    // { x, y.f, z }
    resp.getWriter().write(z);    // sink reached by tainted z: report the flow
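The storeless abstraction above, worked through in code. This is an added illustration and not the tool the slides describe: statements are (op, lhs, rhs) triples of access-path strings, the source and sink names are assumed, and the XSS page from the Code Examples slide is encoded alongside the five-statement program from this slide.

```python
"""Storeless taint analysis over a tiny IR of access paths. Added illustration, not the
slides' tool; statements are (op, lhs, rhs) triples and source/sink names are assumed."""

def _under(path, root):
    """True when path is root itself or an access path rooted at it (y, y.f, y.f.g)."""
    return path == root or path.startswith(root + ".")

def _is_tainted(path, tainted):
    """A path is tainted if it, or a prefix of it, is in the set (x tainted => x.f tainted)."""
    return any(_under(path, p) for p in tainted)

def _step(tainted, op, lhs, rhs):
    """Transfer function of one statement over the set of tainted access paths."""
    if op in ("sink", "check"):                 # a comparison such as != "" sanitizes nothing
        return set(tainted)
    out = {p for p in tainted if not _under(p, lhs)}   # strong update: forget lhs and lhs.*
    if op == "source":                          # lhs = untrusted input
        out.add(lhs)
    elif op == "assign":                        # lhs = rhs: copy taint, rebase rhs.* onto lhs.*
        if _is_tainted(rhs, tainted):
            out.add(lhs)
        out |= {lhs + p[len(rhs):] for p in tainted if _under(p, rhs) and p != rhs}
    return out                                  # "new" and "sanitize" only kill taint on lhs

def analyze(program):
    """Return the tainted set after each statement and the tainted sink calls found."""
    tainted, states, flows = set(), [], []
    for i, (op, lhs, rhs) in enumerate(program):
        if op == "sink" and (_is_tainted(rhs, tainted) or any(_under(p, rhs) for p in tainted)):
            flows.append((i, lhs, rhs))         # untrusted data reaches a security-sensitive op
        tainted = _step(tainted, op, lhs, rhs)
        states.append(frozenset(tainted))
    return states, flows

# The five statements of the slide, as IR.
SLIDE = [("source", "x", "req.getParameter"), ("new", "y", "Y"), ("assign", "y.f", "x"),
         ("assign", "z", "y.f"), ("sink", "resp.getWriter().write", "z")]
# The XSS page from the Code Examples slide: the != "" test is a poor check, so taint survives.
XSS = [("source", "langParam", 'Request.QueryString["lang"]'), ("check", "langParam", '!= ""'),
       ("assign", "lang", "langParam"), ("sink", "langLabel.Text", "lang")]
# Hardened variant (constructed): lang comes from an HTML encoder, modelled as "sanitize".
XSS_FIXED = XSS[:2] + [("sanitize", "lang", "langParam"), XSS[3]]

if __name__ == "__main__":
    for name, prog in (("slide", SLIDE), ("xss", XSS), ("xss_fixed", XSS_FIXED)):
        states, flows = analyze(prog)
        print(name, [sorted(s) for s in states], flows)
```

The per-statement sets for SLIDE reproduce the slide's { x }, { x }, { x, y.f }, { x, y.f, z }, and the sink on the last statement is reported; the same engine flags the XSS page and stays silent once the value passes through a sanitizer.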

Challenges

• The infamous precision-scalability tradeoff
• External resources
  – Configuration files
  – Framework-specific configurations
• Beyond graph reachability…
• SDLC-induced use cases

Precision versus Scalability

• Modular analysis
• Demand-driven strategies

External Resources

• Synthetic models
• Sometimes ignorance is bliss…

Beyond Graph Reachability

• PQL [6]
• String analysis [7]

SDLC-induced Use Cases

• Incremental analysis
• Parallelization on multi-core build servers

DEMO

The Remaining 8 Yards

• Instead of killing n birds with 1 stone, use n stones to kill 1 bird (like humans do)
• How do we catch up with changes in technology?
• How do we tailor the analysis to the needs of different users?
• Useful heuristics are often resilient to formal definition

References

[1] S. McConnell. Code Complete: A Practical Handbook of Software Construction.
[2] W. S. Humphrey. Acquiring Quality Software. CrossTalk, 18-12.
[3] Code Review at Cisco Systems.
[4] O. Tripp et al. TAJ: Effective Taint Analysis of Web Applications.
[5] C. Hammer and G. Snelting. Flow-sensitive, Context-sensitive, and Object-sensitive Information-flow Control Based on Program Dependence Graphs.
[6] B. Livshits and M. Lam. Finding Application Errors and Security Flaws Using PQL: a Program Query Language.
[7] M. Christodorescu et al. String Analysis for x86 Binaries.
