Software Security with Static Code Analysis Using CAT.NET
Andreas Fuchsberger
Information Security Technologist
Microsoft
Agenda
Code Analysis/Code Inspection: Motivation
Static Code Analysis: History, Current technologies
CAT.NET: How CAT.NET works, Installation, Use
Demo
Given Enough Eyeballs All Bugs Are Shallow
The Cathedral and the Bazaar by Eric S. Raymond (O'Reilly Media, 1999)
Code Inspection
Too good to be true
If the eyes don’t know what to look for, they are likely to miss security bugs
Who looks at code anyway?
Code inspection is tedious and error prone: Automation is needed
See Writing Secure Code, Second Edition by Michael Howard and David LeBlanc (Microsoft Press, 2003)
Building Secure Software
Building Secure Software by John Viega and Gary McGraw (Addison-Wesley, 2001)
From Building Secure Software
One example to consider is the GNU Mailman project, an open-source mailing list management package originally written by one of us (Viega).
Mailman has been used at an impressive number of places during the past several years to run mailing lists.
But for three years, Mailman had a handful of obvious and glaring security problems in the code. (Note that the code was written before we knew or cared much about security!)
From Building Secure Software
These problems were of the type that any person armed with grep and a single iota of security knowledge would have found in seconds.
Even though we had thousands and thousands of installs during that time period, no one reported a thing.
The horrible thing here is that the problem in Mailman persisted for four years, despite being packaged in products you’d expect to be security conscious, such as the Red Hat Secure Web Server product.
IPsec Encryption Only Flaw
“Attacking IPsec Standards in Encryption-only Configurations” by Jean Paul Degabriele and Kenneth G. Paterson (IEEE Symposium on Security and Privacy, 2007)
2007 saw the discovery of a fundamental problem in the design of IPsec ESP encryption-only configurations
The IPsec RFC standards (2401-2406) were published in 1998
Code Inspection
Too good to be true
If the eyes don’t know what to look for, they are likely to miss security bugs
See Writing Secure Code, Second Edition by Michael Howard and David LeBlanc (Microsoft Press, 2003), Chapter 2: “Section Education Proves the More Eyes Fallacy”
Who looks at code anyway?
Code inspection is tedious and error prone: Automation is needed
Code Inspection
The C Lint preprocessor first appeared in 1979
“Using Programmer-Written Compiler Extensions to Catch Security Holes” by K. Ashcraft and D. Engler (IEEE Symposium on Security and Privacy, 2002)
Meta-compilation for C source code; an ‘expert system’ incorporating rules for known issues: untrustworthy sources, sanitizing checks, trust sinks; raises an alarm if untrustworthy input reaches a sink without passing the proper checks
Code analysis to learn new design rules: where is the sink that belongs to the check we see?
Microsoft has had its own code inspection tools, PREfix and PREfast, for some time, and these have been integrated into Microsoft VisualStudio, as has Microsoft FxCop
2005: Microsoft Code Analysis Tool .NET (CAT.NET)
2008: CAT.NET Community Technology Preview (CTP)
Program Analysis
• Area of computer science in its own right
• Relevant for software security: adapt methods to look for security problems
• Objectives (for theoreticians):
  • Soundness: no false alarms
  • Completeness: finds all bugs in a given class
• Objectives (for practitioners): useful results; picking the low-hanging fruit is fine; low false alarm rate
Static Code Analysis in the SDL
[Figure: software lifecycle phases Plan, Build, Test, Field, with the security activities placed along them: Security Requirements, Threat Modelling, Static Code Analysis, Penetration Testing, Intrusion Detection, Firewalls. From: Secure Programming with Static Analysis]
The Quality Fallacy
Often held misconception: software security is just another case of software quality
Most testing concentrates on functionality
Security testing focuses on lack of functionality
Implementations may have functionality outside of the original requirements
But building secure software often improves overall quality
Source Code Review
No one claims that source code review is capable of identifying all problems, but consensus is that source code review has a major part to play in any software security process
Static Code Analysis
Static code analysis describes the process by which computer software is analysed without actually executing the binary code that makes up the software
Static analysis can be performed on the original source code or on the binary code produced by the compiler
Capabilities and Limitations
Checks are performed consistently and thoroughly
Can find the cause of a security problem rather than just report the symptom
Static analysis can find bugs before the code runs or even compiles
Once a new class of vulnerability is discovered, old code can be rechecked
Capabilities and Limitations
Most common complaints: false positives, false negatives
Implementation limitations: speed, size of code base, usability
Problem Classes for Static Analysis
Type checking
Style checking
Program understanding
Program verification
Property checking
Bug finding
Security review
Static Analysis Techniques
Access control
Information flow: integrity violations, confidentiality violations
API conformance
CAT.NET
CAT.NET is an information-flow type static analysis tool using an implementation of tainted-variable analysis
Tainted-variable analysis is an integrity problem: it tries to identify whether less-trusted data obtained from the user might influence other data that the system trusts
How CAT.NET Works
CAT.NET uses a combination of control flow and data flow graphs to build the relation for every object in every module supplied to CAT.NET
Control Flow Graphs
Data Flow Graphs
Data Flow Super Graphs
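The tainted-variable analysis described on the two slides above (untrusted sources, sanitizing checks, trusted sinks, and a data-flow graph that links them) can be illustrated with a toy analyser. This is an added example written for this page, not CAT.NET's code: it works on a constructed straight-line mini-language rather than .NET assemblies, the source, sanitizer and sink names are assumptions modelled on ASP.NET APIs, and it models only a data-flow graph, not the control-flow graph CAT.NET also builds.

```python
"""Toy tainted-variable (information-flow) analysis. Added example, not CAT.NET code.

Each statement is `dst = call(arg, ...)` or `call(arg, ...)`. Taint enters at a
source call, propagates through every call to the call's result, is neutralised
for one vulnerability class by a sanitizer, and is reported when it reaches a
sink whose class has not been neutralised on the way.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed rule set (names modelled on ASP.NET, not CAT.NET's real XML rules).
SOURCES = {"Request.QueryString", "Request.Form"}
SANITIZERS = {"HtmlEncode": "Cross-Site Scripting", "EscapeSql": "SQL Injection"}
SINKS = {"Response.Write": "Cross-Site Scripting",
         "SqlCommand.ExecuteReader": "SQL Injection"}


@dataclass(frozen=True)
class Taint:
    origin: str                  # variable that first received untrusted data
    source: str                  # source call it came from
    line: int                    # line of the source call
    sanitized: frozenset = field(default_factory=frozenset)  # classes neutralised


def parse(program):
    """Parse the mini-language into (line, dst, call, args) tuples."""
    stmts = []
    for no, raw in enumerate(program.strip().splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        dst = None
        if "=" in line:
            dst, line = [p.strip() for p in line.split("=", 1)]
        call, rest = line.split("(", 1)
        args = [a.strip() for a in rest.rstrip(")").split(",") if a.strip()]
        stmts.append((no, dst, call.strip(), args))
    return stmts


def trace(var, taint, taints, parents):
    """Walk the data-flow edges back from `var` to the taint's origin variable."""
    path = [var]
    while var != taint.origin:
        _, _, args = parents[var]
        var = next(a for a in args if any(t.origin == taint.origin for t in taints[a]))
        path.append(var)
    return list(reversed(path))


def analyze(program):
    """Return one finding per unsanitised source-to-sink flow, in sink order."""
    taints = defaultdict(set)    # variable -> set of Taint currently attached
    parents = {}                 # variable -> defining statement (data-flow edges)
    findings = []
    for no, dst, call, args in parse(program):
        incoming = set().union(*(taints[a] for a in args))
        if call in SOURCES:
            incoming = {Taint(dst, call, no)}
        elif call in SANITIZERS:
            cls = SANITIZERS[call]
            incoming = {Taint(t.origin, t.source, t.line, t.sanitized | {cls})
                        for t in incoming}
        elif call in SINKS:
            cls = SINKS[call]
            for a in args:
                for t in sorted(taints[a], key=lambda t: t.line):
                    if cls not in t.sanitized:
                        findings.append({"class": cls, "sink": call, "sink_line": no,
                                         "source": t.source, "source_line": t.line,
                                         "path": trace(a, t, taints, parents)})
        if dst is not None:
            taints[dst] = incoming
            parents[dst] = (no, call, args)
    return findings


# Constructed sample handler: one encoded write, one raw write, one query built
# from the HTML-encoded value (encoding for HTML does nothing for SQL).
PROGRAM = """
name = Request.QueryString(name_key)
safe = HtmlEncode(name)
Response.Write(safe)
Response.Write(name)
query = Concat(sql_prefix, safe)
SqlCommand.ExecuteReader(query)
"""

if __name__ == "__main__":
    for f in analyze(PROGRAM):
        print(f"{f['class']}: {f['source']} (line {f['source_line']}) -> "
              f"{f['sink']} (line {f['sink_line']}) via {' -> '.join(f['path'])}")
```

Running it reports two flows: the raw `Response.Write(name)` as Cross-Site Scripting, and the query on line 6 as SQL Injection even though it passed through `HtmlEncode`, because a sanitizer only neutralises the class it is registered for. The `path` field is the data-flow chain the GUI results list would show as the cause of the finding.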
CAT.NET CTP Release
The current release is a CTP, available for free by searching for CAT.NET at http://msdn.microsoft.com
Available as a plug-in for Microsoft VisualStudio 2008 or VisualStudio 2005 in 32-bit; includes a command-line version, CATNETCmd.exe
A 64-bit version is available as command line only, for large projects
Installing CAT.NET
CAT.NET Demo
Installation and Use
Setup.exe install
The plug-in installs under the Tools menu in VisualStudio
Starting the plug-in opens the CAT.NET user interface
Clicking the Play button runs the analysis across all binaries that are part of the project
CAT.NET Rules
Rules are XML files stored in the rules subdirectory
Currently they include:
Cross-Site Scripting
SQL Injection
Process Command Injection
File Canonicalization
Exception Information
LDAP Injection
XPATH Injection
Redirection to User Controlled Site
The CAT.NET UI
CAT.NET Demo
Analysis Results
Analysis can take some time
Results are presented as a list in the GUI
Includes information relating to the cause of the vulnerability
Allows export to Microsoft® Office Excel®
Command-Line Use
Alternative method for invoking CAT.NET
The only available option for the 64-bit implementation
Command-line parameters
Output is written to an XML file as well as an HTML file
Summary
Secure software must be able to handle intentionally malformed inputs
Code therefore has to detect malformed inputs. Don’t trust your inputs!
Test your code to detect whether there are malformed inputs that are not detected
For the malformed inputs detected, pay attention to the error handlers
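The last two points of the summary (check that malformed inputs are rejected, then check what the error handler does with them) can be turned into a small test harness. This is an added example for this page, not code from the slides or from CAT.NET: the user-id validator, the two handlers and the list of malformed inputs are constructed for illustration, and the leaky handler stands in for the “Exception Information” class that the CAT.NET rules list.

```python
"""Exercise a validator with constructed malformed inputs and inspect the error
handler's output. Added example; validator, handlers and inputs are constructed."""
import logging
import re

# Allowlist: short identifiers only. Anything else is malformed by definition.
_USER_ID = re.compile(r"[A-Za-z0-9_-]{1,32}")


class InvalidInput(ValueError):
    pass


def parse_user_id(raw):
    """Accept only strings that fully match the allowlist; reject everything else."""
    if not isinstance(raw, str):
        raise InvalidInput(f"not a string: {type(raw).__name__}")
    if not _USER_ID.fullmatch(raw):
        raise InvalidInput(f"bad characters or length: {raw!r}")
    return raw


def handle_request_safe(raw, log):
    """Error handler that keeps the detail server-side and answers generically."""
    try:
        return 200, f"user {parse_user_id(raw)}"
    except InvalidInput as exc:
        log.warning("rejected input: %s", exc)   # detail stays in the log
        return 400, "invalid user id"             # nothing internal reaches the caller


def handle_request_leaky(raw, log):
    """Contrast case: the handler echoes the exception text to the caller."""
    try:
        return 200, f"user {parse_user_id(raw)}"
    except InvalidInput as exc:
        log.warning("rejected input: %s", exc)
        return 400, f"error: {exc}"               # leaks the raw input and wording


# Constructed malformed inputs: empty, too long, injection-looking strings,
# path traversal, markup, control characters, non-ASCII, wrong type.
MALFORMED = ["", "a" * 33, "bob; DROP TABLE users", "../../etc/passwd",
             "<script>", "bob\x00", "bob\n", "\u00e9", None]


def check_handler(handler, inputs):
    """Return (inputs the handler accepted, inputs echoed back in an error body)."""
    log = logging.getLogger("malformed-input-check")
    accepted, leaked = [], []
    for raw in inputs:
        status, body = handler(raw, log)
        if status != 400:
            accepted.append(raw)
        if isinstance(raw, str) and raw and raw in body:
            leaked.append(raw)
    return accepted, leaked


if __name__ == "__main__":
    for name, handler in (("safe", handle_request_safe), ("leaky", handle_request_leaky)):
        accepted, leaked = check_handler(handler, MALFORMED)
        print(f"{name}: accepted={accepted!r} leaked={leaked!r}")
```

Both handlers reject every malformed input, so a test that only checks status codes would pass for both; only by also checking the response body does the leaky handler show up. That is the second half of the summary's advice: rejection alone is not enough, the handler's output needs the same scrutiny as the validator.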
The CAT.NET Command-Line Interface
CAT.NET Demo
Further Reading and Information
.NET Framework Security by Brian LaMacchia, Sebastian Lange, and others (Addison-Wesley, 2002)
Secure Programming with Static Analysis by Brian Chess and Jacob West (Addison-Wesley, 2007)
http://blogs.msdn.com/cisg
Questions and Answers
Submit text questions using the “Ask” button
Don’t forget to fill out the survey
For upcoming and previously live webcasts: www.microsoft.com/events/developer.mspx
Got webcast content ideas? Contact us at: http://go.microsoft.com/fwlink/?LinkId=41781