Static Analysis for SecurityPOSTECH Laboratory for UNIX Security (PLUS)

Kwang Yul Seo

skyul@postech.ac.kr

Static Analysis for Security

Detecting security problems through source code (or binary)

Identifying many common coding problems automatically

Dynamic vs Static

Static tools examine the text of a program statically, without attempting to execute it Source code Binary

E.g., Java Bytecode

Dynamic Poor testability: due to hard-to-reach states, unusual circumstances

Manual vs Automatic

Manual Time cosuming Auditor dependent

Automatic Fast Easy to use

Pitfalls

Aim for good, not perfect Check a fixed set of patterns, or rules in the code

Require human evaluation Priority, supression

Undecideable Rice’s theorem: every non-trivial problem-> halting problem False negatives <-> False positives

Example of Static Analysis: grep

Grep can be a static analysis tool for security

$ grep gets *

Cannot differntiate comments, declarations, defintions…

(1) gets(&buf);

(2) /* never ever call gets */

(3) int begetsNextChild = 0;

Lexical analysis is required!

Lexical Analysis Tools

ITS4 FlawFinder(www.dwheeler.com/flawfinder) RATS(www.securesoftware.com) Matt Bishop & Mike Dilger’s TOCTOU(time-of-

check time-of-use) check tool

Preprocess and tokenize the source files, and then match the result token stream against a library of vulnerable constructs

Lexical Analysis Tool: Pitfalls

No semantic checks! Many false positives Must borrow compiler technologies

E.g., AST (Abstract Syntax Tree) Data-flow analysis

Analysis Scopes

Local analysis One function at a time

Module-level analysis One class/or compilation unit

Global(interprocedural) analysis Entire program

More context is better, but computation grows so fast!

Tool Tradeoffs

Sound vs unsound

Flexible(General) vs special-purpose

General tools are able to read definitions of bugs and apply them

Example: Boon

Integer range analysis Catch bugs indexing an array outside its bounds in C

However, Bool is imprcise Ignores statement order Can’t model interprocedural dependencies Ignores pointer aliasing

Example: CQual

Inspired by Perl’s taint mode Detects format string vulnerabilities in C programs

Use type qualifiers to perform a taint analysis Annotate a few variables as tainted/untainted Use type inference rules to propagate the qualifiers The system can check format string bugs by type

checking

Example: xg++

Use template-driven compiler extension to find kernel vulnerabilities in Linux/OpenBSD

Looks for locations where kernel uses data from untrusted source without checking it first E.g., A user can cause the kernel to allocate memory and

not free it A user can cause the kernel to deadlock

Example: Eau Claire

Use a theorem-prover to create a general specification-checking framework for C programs

Find common security bugs Buffer overflows File access race conditions Format string bugs

Developers can use specifications to verify that a function implementations behave as expected

Example: MOPS

Model-checking approach to look for violations of temporal safety properties

Developer can model their own safety properties Privilege management errors Incorrect construction of chroot jails File access race conditions Ill-conceived temporary file schemes

Example: Splint

Extends lint concept into security realm By adding annotations, find

Abstraction violations Unannounced modifications to global variables Possible use-before-initialization

Reason about minimum and maximum array bounds accesses if it is provided with function pre and post conditions

Example: Other tools

ESP, a large-scale property verification approach Model checkers such as SLAM and BLAST

Use predicate abstraction to examine program safety properties

FindBugs, a lightweight checker with a good reputation for unearthing common errors in Java programs

Further Requirements

Easy to use even for non-security people Easy to apply regularly

Revised Software Development Life Cycle

References

Static Analysis for Security by Gary McGrawhttp://www.cigital.com/papers/download/bsi5-static.pdf