Software Security with Static Code Analysis Using CAT.NET
Andreas Fuchsberger, Information Security Technologist, Microsoft

Page 1: Andreas Fuchsberger Information Security Technologist Microsoft

Software Security with Static Code Analysis Using CAT.NET
Andreas Fuchsberger
Information Security Technologist
Microsoft

Page 2

Agenda

• Code Analysis/Code Inspection
  • Motivation
• Static Code Analysis
  • History
  • Current technologies
• CAT.NET
  • How CAT.NET works
  • Installation
  • Use

Demo

Page 3

Given Enough Eyeballs All Bugs Are Shallow

The Cathedral and the Bazaar by Eric S. Raymond (O'Reilly Media, 1999)

Page 4

Code Inspection

• Too good to be true
• If the eyes don’t know what to look for, they are likely to miss security bugs
• Who looks at code anyway?
• Code inspection is tedious and error prone: automation is needed
• See Writing Secure Code, Second Edition by Michael Howard and David LeBlanc (Microsoft Press®, 2003)

Page 5

Building Secure Software

Building Secure Software by John Viega and Gary McGraw (Addison-Wesley, 2001)

Page 6

From Building Secure Software

One example to consider is the GNU Mailman project, an open-source mailing list management package originally written by one of us (Viega).

Mailman has been used at an impressive number of places during the past several years to run mailing lists.

But for three years, Mailman had a handful of obvious and glaring security problems in the code. (Note that the code was written before we knew or cared much about security!)

Page 7

From Building Secure Software

These problems were of the type that any person armed with grep and a single iota of security knowledge would have found in seconds.

Even though we had thousands and thousands of installs during that time period, no one reported a thing.

The horrible thing here is that the problem in Mailman persisted for four years, despite being packaged in products you’d expect to be security conscious, such as the Red Hat Secure Web Server product.

Page 8

IPsec Encryption Only Flaw

“Attacking IPsec Standards in Encryption-only Configurations” by Jean Paul Degabriele and Kenneth G. Paterson (IEEE Symposium on Security and Privacy, 2007)

• 2007 saw the discovery of a fundamental problem in the design of the IPsec ESP encryption-only configuration
• The IPsec RFC standards (2401-2406) were published in 1998

Page 9

Code Inspection

• Too good to be true
• If the eyes don’t know what to look for, they are likely to miss security bugs
• See Writing Secure Code, Second Edition by Michael Howard and David LeBlanc (Microsoft Press, 2003), Chapter 2, section “Education Proves the More Eyes Fallacy”
• Who looks at code anyway?
• Code inspection is tedious and error prone: automation is needed

Page 10

Code Inspection

• The C Lint preprocessor first appeared in 1979
• “Using Programmer-Written Compiler Extensions to Catch Security Holes” by K. Ashcraft and D. Engler (IEEE Symposium on Security and Privacy, 2002)
• Meta-compilation for C source code; an ‘expert system’ incorporating rules for known issues: untrustworthy sources, sanitizing checks, trusted sinks; raises an alarm if untrustworthy input reaches a sink without proper checks
• Code analysis to learn new design rules: where is the sink that belongs to the check we see?
• Microsoft has had its own code inspection tools, PREfix and PREfast, for some time; these have been integrated into Microsoft® Visual Studio®, as has Microsoft® FxCop
• 2005: Microsoft® Code Analysis Tool .NET (CAT.NET)
• 2008: CAT.NET Community Technology Preview (CTP)

Page 11

Program Analysis

• Area of computer science in its own right
• Relevant for software security: adapt methods to look for security problems
• Objectives (for theoreticians):
  • Soundness: no false alarms
  • Completeness: finds all bugs in a given class
• Objectives (for practitioners):
  • Useful results; picking the low-hanging fruit is fine; low false alarm rate

Page 12

Static Code Analysis in the SDL

[Figure: the development lifecycle drawn as Plan → Build → Test → Field, with the security activities placed along it: Security Requirements, Threat Modelling, Static Code Analysis, Penetration Testing, Intrusion Detection, Firewalls. From: Secure Programming with Static Analysis]

Page 13

The Quality Fallacy

• Often-held misconception: software security is just another case of software quality
• Most testing concentrates on functionality; security testing focuses on lack of functionality
• Implementations may have functionality outside of the original requirements
• But building secure software often improves overall quality

Page 14

Source Code Review

No one claims that source code review is capable of identifying all problems, but consensus is that source code review has a major part to play in any software security process

Page 15

Static Code Analysis

• Static code analysis describes the process by which computer software is analysed without actually executing the binary code that makes up the software
• Static analysis can be performed on the original source code or on the binary code produced by the compiler

Page 16

Capabilities and Limitations

• Checks are performed consistently and thoroughly
• Can find the cause of a security problem rather than just report the symptom
• Static analysis can find bugs before the code runs or even compiles
• Once a new class of vulnerability is discovered, old code can be rechecked

Page 17

Capabilities and Limitations

Most common complaints:
• False positives
• False negatives

Implementation limitations:
• Speed
• Size of code base
• Usability

Page 18

Problem Classes for Static Analysis

• Type checking
• Style checking
• Program understanding
• Program verification
• Property checking
• Bug finding
• Security review

Page 19

Static Analysis Techniques

• Access control
• Information flow
  • Integrity violations
  • Confidentiality violations
• API conformance

Page 20

CAT.NET

• CAT.NET is an information-flow type static analysis tool using an implementation of tainted-variable analysis
• Tainted-variable analysis addresses an integrity problem: it tries to identify whether less-trusted data obtained from the user might influence other data that the system trusts

Page 21

How CAT.NET Works

CAT.NET uses a combination of control flow and data flow graphs to build the relation for every object in every module supplied to CAT.NET:

• Control Flow Graphs
• Data Flow Graphs
• Data Flow Super Graphs
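The tainted-variable analysis the slides describe (untrustworthy sources, sanitizing checks and trusted sinks on page 10; taint tracked over the program's flow graphs on pages 20 and 21) as an added worked example, not CAT.NET's own code. Everything in it is constructed: the mini three-address IR standing in for a flattened data-flow graph (with a `phi` instruction for the join of two control-flow branches), the `Instr`/`analyse`/`format_report` names, and the .NET-style API names used as source, sanitizer and sink stand-ins. It keeps the source-to-sink path with each taint so the report can show the cause rather than only the sink, and it clears taint per vulnerability class, so an HTML encoder does not count as a SQL check.

```python
"""Toy tainted-variable analysis in the spirit of CAT.NET (added example, not
CAT.NET's own code).  The program under analysis is a constructed mini IR: a
flattened data-flow graph whose instructions read and write variables, with a
'phi' instruction standing in for the join of two control-flow branches.  The
API names in the rule table are stand-ins for the .NET members a real
CAT.NET rule would name."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Instr:
    op: str             # source | assign | concat | sanitize | phi | sink
    dst: Optional[str]  # variable written (None for a sink)
    args: tuple         # variables read; string constants carry no taint
    api: str = ""       # API name looked up in the rule table


# Constructed rule table, modelled on the rule categories the slides list.
SOURCES = {"Request.QueryString", "Request.Form"}
SINKS = {
    "SqlCommand.CommandText": "SQL Injection",
    "Response.Write": "Cross-Site Scripting",
    "Process.Start": "Process Command Injection",
}
# A sanitizer clears taint only for the vulnerability class it was written for:
# HtmlEncode makes output safe for HTML; it does nothing for a SQL string.
SANITIZERS = {"HtmlEncode": "Cross-Site Scripting",
              "SqlParameter": "SQL Injection"}

# Taint state: variable -> {vulnerability class: path}, where path is the tuple
# of instruction indices from the source to the current definition.  Keeping
# the path is what lets the report show the cause, not just the sink.


def _merge(taints, i):
    """Union the per-class taint of several operands, appending step i."""
    out = {}
    for t in taints:
        for cls, path in t.items():
            out.setdefault(cls, path + (i,))   # keep the first path found
    return out


def analyse(program):
    """Walk the IR once in data-flow order and return the findings."""
    state = {}      # variable -> taint dict
    findings = []
    for i, ins in enumerate(program):
        if ins.op == "source":
            # Every class is tainted until a class-specific sanitizer clears it.
            state[ins.dst] = ({cls: (i,) for cls in SINKS.values()}
                              if ins.api in SOURCES else {})
        elif ins.op in ("assign", "concat", "phi"):
            state[ins.dst] = _merge([state.get(a, {}) for a in ins.args], i)
        elif ins.op == "sanitize":
            t = _merge([state.get(ins.args[0], {})], i)
            t.pop(SANITIZERS[ins.api], None)
            state[ins.dst] = t
        elif ins.op == "sink":
            cls = SINKS[ins.api]
            t = state.get(ins.args[0], {})
            if cls in t:    # untrusted data reaches the sink without a matching check
                findings.append({"class": cls, "sink": ins.api,
                                 "at": i, "path": t[cls] + (i,)})
        else:
            raise ValueError(f"unknown op {ins.op}")
    return findings


# Constructed sample, shaped like an ASP.NET page handler.
SAMPLE_PROGRAM = [
    Instr("source", "q", (), "Request.QueryString"),            # 0 untrusted name
    Instr("sanitize", "safe", ("q",), "HtmlEncode"),            # 1 HTML-encoded copy
    Instr("sink", None, ("safe",), "Response.Write"),           # 2 clean
    Instr("concat", "sql", ("q",)),                             # 3 "SELECT ... '" + q + "'"
    Instr("sink", None, ("sql",), "SqlCommand.CommandText"),    # 4 SQL injection
    Instr("sink", None, ("q",), "Response.Write"),              # 5 XSS
    Instr("sink", None, ("safe",), "SqlCommand.CommandText"),   # 6 wrong sanitizer for SQL
    Instr("phi", "p", ("safe", "q")),                           # 7 join of two branches
    Instr("sink", None, ("p",), "Response.Write"),              # 8 XSS via the unsanitized branch
]


def format_report(findings):
    """Render findings the way a results list would: class, sink, and cause path."""
    return [f"{f['class']} at instruction {f['at']} ({f['sink']}): "
            f"source-to-sink path {list(f['path'])}" for f in findings]


if __name__ == "__main__":
    for line in format_report(analyse(SAMPLE_PROGRAM)):
        print(line)
```

Running it reports four findings (instructions 4, 5, 6 and 8) and none for instruction 2, where the HTML-encoded value reaches the HTML sink. Instruction 6 is the case worth noticing: the same encoded value reaching a SQL sink is still flagged, because the encoder only cleared the cross-site-scripting class. The `phi` at instruction 7 shows why the control flow graph matters: taint from either branch survives the join, so a sanitizer on one path does not protect the sink after it.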

Page 22

CAT.NET CTP Release

• The current release is a CTP, available for free by searching for CAT.NET at http://msdn.microsoft.com
• Available as a plug-in for Microsoft® Visual Studio® 2008 or Visual Studio® 2005 in 32-bit; includes a command-line version, CATNETCmd.exe
• Available as a 64-bit version that is command-line only, for large projects

Page 23

Installing CAT.NET

CAT.NET Demo

Page 24

Installation and Use

• Setup.exe install
• The plug-in installs under the Tools menu in Visual Studio
• Starting the plug-in opens the CAT.NET user interface
• Clicking the Play button runs the analysis across all binaries that are part of the project

Page 25

CAT.NET Rules

Rules are XML files stored in the rules subdirectory. Currently they include:

• Cross-Site Scripting
• SQL Injection
• Process Command Injection
• File Canonicalization
• Exception Information
• LDAP Injection
• XPATH Injection
• Redirection to User Controlled Site

Page 26

The CAT.NET UI

CAT.NET Demo

Page 27

Analysis Results

• Analysis can take some time
• Results are presented as a list in the GUI
• Includes information relating to the cause of the vulnerability
• Allows export to Microsoft® Office Excel®

Page 28

Command-Line Use

• Alternative method for invoking CAT.NET
• The only available option for the 64-bit implementation
• Command-line parameters
• Output is written to an XML file as well as an HTML file

Page 29

Summary

• Secure software must be able to handle intentionally malformed inputs
• Code therefore has to detect malformed inputs. Don’t trust your inputs!
• Test your code to detect whether there are malformed inputs that are not detected
• For the malformed inputs detected, pay attention to the error handlers

Page 30

The CAT.NET Command-Line Interface

CAT.NET Demo

Page 31

Further Reading and Information

• .NET Framework Security by Brian LaMacchia, Sebastian Lange, and others (Addison-Wesley, 2002)
• Secure Programming with Static Analysis by Brian Chess and Jacob West (Addison-Wesley, 2007)
• http://blogs.msdn.com/cisg

Page 32

Questions and Answers

• Submit text questions using the “Ask” button
• Don’t forget to fill out the survey
• For upcoming and previously live webcasts: www.microsoft.com/events/developer.mspx
• Got webcast content ideas? Contact us at: http://go.microsoft.com/fwlink/?LinkId=41781
