Preventing Exploitation on Software Vulnerabilities – Why Static Analysis Failed?

Nurul Haszeli Ahmad, PM Dr Syed Ahmad Aljunid, Dr. Jamalul-Lail Ab Manan

www.mimos.my © 2009 – 2010 MIMOS BERHAD. All Rights Reserved


Flow of content

• Exploitation on Software Vulnerabilities
• Static Analysis – What? When? How?
• Discussion
  – Why Static Analysis Failed?
  – Why not Dynamic Analysis?
  – Can Static Analysis be improved?
• Result of Discussion
• Conclusion
• Q&A

Exploitation on Software Vulnerabilities

• Software Vulnerabilities
  – Have existed since programs/applications have existed
  – Due to:
    1. Language behaviour (Viega & McGraw ’02, Yoran ’05)
    2. Human factors (SANS Institute ’10, Secunia ’10)
    3. Complexity of system
  – Unix Shell Command – sendmail, fingerd, and rsh/exec.
• Exploitation
  – 1988 – First exploitation
    • was an unintended exploitation of the fingerd command by Robert Morris Jr (Aleph One ’96)

Exploitation on Software Vulnerabilities... Continue..

Exploitation using Buffer Overflow Attack

Source: http://en.wikipedia.org/wiki/Stack_buffer_overflow

Exploitation on Software Vulnerabilities... Continue..

Figure 1: Vulnerabilities disclosed between 2000 – 2009

Source: IBM ’10, X-Force 2009 Trend and Risk Report

Figure 2: Number of malicious programs identified from 2003 – 2009

Source: Kaspersky ’09, Kaspersky Security Bulletin 2009

Exploitation on Software Vulnerabilities... Continue..

Figure 3: Sample of malicious code residing in a web page, exploiting the visitor’s machine upon visiting the site.

Source: M86 Security.com ’09, Closing the Vulnerability Window in Today’s Web Environment, M86 Security Lab Report


Exploitation on Software Vulnerabilities... Continue..

• EC-Council & ISC²

Impact
• Image
• Economy
• Privacy
• Death

Static Analysis – What? When? How?

• Static Analysis
  – A branch of Program Analysis
  – Started in 1974 by King – Program Comprehension
  – Being used in security for the purpose of finding and removing vulnerabilities in software as early as 2000 – Wagner
  – Binkley ’07 – “Automation process of extracting information of a program for debugging, comprehension, validations, etc”.
  – How? How is SA being applied in security?
  – 2000 – To date – > 10 techniques and > 40 tools
  – Technique:
    • Lexical Analysis, Inter-procedural Analysis, Intra-Procedural Analysis, Abstract Interpretation, Data Flow Analysis, Symbolic Analysis, Integer Range Analysis, and Annotation Based
  – Tools:
    • BOON, ITS4, RATS, UNO, ARCHER, Flaw-Finder, F-Soft, ASTREE, SPLINT, GCC Security Analyzer, etc
  – The promise – well-verified & clean code

Discussion – Why Static Analysis Failed? ... continue

1. Lexical Analysis
  – Straightforward analysis mechanism
  – Tools – extremely fast compared to other techniques
  – Major drawback
    1. Does not consider semantics & program flow (Chess B. & McGraw G ’04, Kolmonen ’07, Zitser ’04, Walden et al. ’09)
    2. Pattern Matching (Walden et al. ’09, Sotirov ’05, Kolmonen ’07)

2. Abstract Interpretation
  – One of the earliest and most complicated techniques - established by Naur
  – The technique looks into the semantics of the program
  – Using formal methods with mathematical formulas, such as approximation
  – Most promising technique in Static Analysis (Logozzo ’04, Ferrara ’09)
  – Major drawback (Logozzo ’04, Ferrara ’09, Lhee et al. ’02)
    1. Too complicated
    2. Constraint of mathematical formula used
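The two lexical-analysis drawbacks listed above (no semantics or program flow, pure pattern matching), shown as an added example that is not part of the original slides: a token-matching scanner run over a constructed C sample. The rule list, the sample and its ground-truth line numbers are assumptions made for illustration.

```python
import re

# Illustrative rule set (assumption): C calls a lexical scanner flags by name.
RISKY_CALLS = ("strcpy", "strcat", "sprintf", "gets")
PATTERN = re.compile(r"\b(" + "|".join(RISKY_CALLS) + r")\s*\(")

# Constructed C sample. Line 1 of the string is empty, so the code starts at 2.
SAMPLE_C = r'''
void safe_copy(const char *src) {
    char dst[16];
    if (strlen(src) < sizeof(dst))
        strcpy(dst, src);            /* line 5: guarded, cannot overflow */
}
void unsafe_copy(const char *src) {
    char dst[16];
    strcpy(dst, src);                /* line 9: unguarded, real overflow */
}
void manual_copy(const char *src) {
    char dst[16];
    int i = 0;
    while (src[i]) { dst[i] = src[i]; i++; }  /* line 14: overflow, no API call */
}
/* line 16: TODO replace strcpy(...) with a bounded copy */
'''
TRUE_OVERFLOW_LINES = {9, 14}  # ground truth for the constructed sample

def lexical_scan(source):
    """Return (line_number, call_name) for every textual match, line by line."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in PATTERN.finditer(line):
            findings.append((lineno, match.group(1)))
    return findings

def score(findings, truth=TRUE_OVERFLOW_LINES):
    """Compare the flagged lines with the ground truth of the sample."""
    flagged = {lineno for lineno, _ in findings}
    return {
        "true_positives": sorted(flagged & truth),
        "false_positives": sorted(flagged - truth),  # guarded call and comment
        "false_negatives": sorted(truth - flagged),  # hand-written copy loop
    }

if __name__ == "__main__":
    print(score(lexical_scan(SAMPLE_C)))
```

The scanner reports the guarded call and the comment because it never sees the length check or the comment delimiters, and it misses the copy loop because no listed name appears in it.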

Discussion – Why Static Analysis Failed? ... continue

3. Integer Range
  – Comparable to Lexical Analysis in terms of processing speed
  – Mathematical analysis: finds and proves the existence of vulnerabilities
  – Looking mostly at buffer related issues.
  – Major drawback (Pozza & Sisto ’08, Kolmonen ’07, Kratkiewicz ’05, Zitser ’04, Haugh & Bishop ’03)
    1. Ignores the program semantics
    2. Wrong Focus - Focus on vulnerabilities that can be mathematically proven

4. Data Flow Analysis
  – Looking into the attributes of the program (variables) and the path taken
  – Nagy & Mancoridis (’09) refer to it as Taint Analysis
  – Using Program Dependency Graph (PDG) or System Dependency Graph (SDG)
  – Major drawback (Nagy & Mancoridis ’09, Pozza & Sisto ’08, Kratkiewicz ’05, Zitser ’04)
    1. Requires a few iterations of analysis
    2. Implementation issues
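Why data flow (taint) analysis needs several iterations, as an added example that is not part of the original slides: a flow-insensitive taint propagation run to a fixed point over a constructed loop body. The mini-program, the source name `read_input` and the sink mapping are assumptions; the model has no sanitizers and never removes taint.

```python
# Constructed mini-program: the body of a loop, one (target, sources) pair per
# assignment, in textual order. It models this C fragment:
#   for (;;) { cmd = buf; buf = tmp; tmp = read_input(); }  ...  system(cmd);
LOOP_BODY = [
    ("cmd", ["buf"]),
    ("buf", ["tmp"]),
    ("tmp", ["read_input"]),
]
TAINT_SOURCES = {"read_input"}  # assumed untrusted-input function
SINKS = {"system": "cmd"}       # sink call -> variable it consumes

def propagate_taint(statements, sources):
    """Sweep the statements until the tainted set stops growing.

    Returns (tainted_variables, passes); passes counts every sweep,
    including the last one that only confirms nothing changed.
    """
    tainted = set(sources)
    passes = 0
    changed = True
    while changed:
        changed = False
        passes += 1
        for target, srcs in statements:
            if target not in tainted and any(s in tainted for s in srcs):
                tainted.add(target)
                changed = True
    return tainted - set(sources), passes

def single_pass(statements, sources):
    """One sweep only: what an analysis that does not iterate concludes."""
    tainted = set(sources)
    for target, srcs in statements:
        if any(s in tainted for s in srcs):
            tainted.add(target)
    return tainted - set(sources)

def tainted_sinks(statements, sources, sinks):
    """Names of sink calls whose argument is tainted at the fixed point."""
    tainted, _ = propagate_taint(statements, sources)
    return sorted(name for name, arg in sinks.items() if arg in tainted)

if __name__ == "__main__":
    print("single pass :", sorted(single_pass(LOOP_BODY, TAINT_SOURCES)))
    print("fixed point :", propagate_taint(LOOP_BODY, TAINT_SOURCES))
    print("tainted sink:", tainted_sinks(LOOP_BODY, TAINT_SOURCES, SINKS))
```

Because the loop carries taint backwards through the textual order, one sweep marks only `tmp`; the value reaching `system(cmd)` is found on the third sweep and confirmed stable on the fourth.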

Discussion – Why Static Analysis Failed? ... continue

5. Annotation Based
  – Introduced by Evans et al. in 1994 (LCLINT)
  – Uses annotations or specifications, written together with the source code, which specify the pre and post conditions of an attribute
  – The analysis ensures that the pre and post conditions satisfy the specifications.
  – Larochelle expanded the technique with a heuristic approach (Kratkiewicz ’05) – LCLINT later known as SPLINT
  – Major drawback (Mantere ’09, Kratkiewicz ’05, Zitser ’04, Dor et al. ’03)
    1. Requires annotation

Discussion – Why Static Analysis Failed? ... Continue

| Technique | Detection Rate | False Positive | False Negatives | Performance |
|---|---|---|---|---|
| Lexical Analysis | Low | High | High | Very Fast |
| Abstract Interpretation | High | Medium | Medium | Low |
| Integer Range | Low | Medium | Medium | Very Fast |
| Data Flow Analysis | High | Medium | Medium | Low |
| Annotation-based | Low | High | High | Medium |

Table 1: Summary of Analysis on Static Analysis Technique

Discussion – Why Not Dynamic Analysis?

• Dynamic Analysis?
  – Based on true semantics or program flow
  – At execution time
• The advantages (Cornell ’09, Ernst ’04, Haugh & Bishop ’03)
  – No source code required
  – No assumption or annotation required
  – Accurate result
• Drawback (Zitser et al. ’04, Xie et al. ’03, Haugh & Bishop ’03)
  – Possibility of path covered
  – Possibility of DOS/DDOS
  – Performance
• Major Drawback - Cost ineffective (GrammaTech ’10, Terry et al. ’06)

Discussion – Can Static Analysis be improved?

• Few ways of improving
  1. Unification - Improving the technique itself
  2. Multiplication - Improving the tools that implement the technique
  3. Asymetrix concept – Different technique use at different time & space for better result
  4. Division concept – Unity of methods
• Our Proposal
  1. Combination of few techniques

Future Work

Improving static analysis
• Combination of method/techniques
• Improvement of the techniques
• Improvement of the tool implementing the techniques

Conclusion

With improvement on the method/technique, ways of implementing, and wider vulnerabilities coverage, Static Analysis will prevail.

A well verified code will ensure global stability & security
