X05. An Overview of Source Code Scanning Tools. Loulwa Salem. Las Vegas, NV. IBM Corporation IBM System p, AIX 5L & Linux Technical University

Transcription

1 X05 An Overview of Source Code Scanning Tools Loulwa Salem Las Vegas, NV

2 Objectives This session will introduce better coding practices and tools available to aid developers in producing more secure code. At the end of this session, you will: Get an overview of code vulnerabilities Get an overview of common coding mistakes Get an introduction to source code scanners Learn about IBM s efforts in the source code vulnerability space 2

3 Agenda Definitions Overview Common Exploits Better Coding Practices Overview of Source Code Scanners IBM s Efforts in Vulnerability Space Demo 3

4 Definitions Software Bug An error, flaw, mistake, failure, or fault in a computer program that prevents it from working as intended, or produces an incorrect result Security Vulnerability A weakness or a bug in a system allowing an attacker to violate the integrity, confidentiality, access control, availability, consistency or audit mechanism of the system or the data and applications it hosts 4

5 Definitions Computer Virus a self-replicating computer program that spreads by inserting copies of itself into other executable code or documents Computer Worm a self-replicating computer program similar to a virus. A worm is self-contained and does not need to be part of another program to propagate itself 5

6 Agenda Definitions Overview Common Exploits Better Coding Practices Overview of Source Code Scanners IBM s Efforts in Vulnerability Space Demo 6

7 Motivation Vulnerability Statistics Vulnerabilities Year 7 CERT/CC Statistics

8 Bits of History Famous viruses and worms Elk Cloner First known computer virus Melissa virus March 1999 ($80M in damage) Love Bug worm May 2000 (Billions of dollars in damage) Code Red worm July 2001 ($1.2B in damage) Bugbear virus October 2002 and then in

9 Bits of History Famous viruses and worms (Cont d) Blaster worm August 2003 Mydoom worm January 2004 Fastest spreading worm as of 2004 Santy worm first known webworm December 2004 Samy worm October 2005 Fastest spreading worm as of

10 Cause of Code Vulnerabilities Lack of focus on security and secure programming techniques Programmers do not think in multi-user mode Programmers do not think like attackers Lots of legacy code Programmers are human 10

11 Agenda Definitions Overview Common Exploits Better Coding Practices Overview of Source Code Scanners IBM s Efforts in Vulnerability Space Demo 11

12 Common Exploits Buffer Overflows Look for: gets(), scanf(), sprintf(), strcat(), strcpy() Stack-based overflow Heap-based overflow X X X X X X X X Y Y H I Function X caused a buffer overflow X X X X X X X X Y Y a b a d i n p u t 0 12

13 Common Exploits Backdoors Method of bypassing authentication mechanism of a system Race Conditions A flaw in a software such that one event critically depends on the outcome and sequence of other events Format Strings Use of unfiltered user input as the format string parameter in certain functions that perform formatting. Look for: printf(), fprintf(), vprintf(), snprintf(), vsnprintf(), syslog() 13

14 Common Exploits Random Numbers Either not random, or predictable Look for: rand(), random() Shell Metacharacter Look for: exec(), popen(), system() Malicious Inputs Valid input intended to cause harm to a system 14

15 Agenda Definitions Overview Common Exploits Better Coding Practices Overview of Source Code Scanners IBM s Efforts in Vulnerability Space Demo 15

16 Better Coding Practices Defensive Programming Make no assumptions Set standards for coding Think about security early Reduce source code complexity Validate all inputs 16

17 Better Coding Practices Sanity check all inputs Use secure functions (e.g. strncpy, strncat) Think principle of Least Privileges Perform regular source code reviews Include security related tests in your testing stage 17

18 Agenda Definitions Overview Common Exploits Better Coding Practices Overview of Source Code Scanners IBM s Efforts in Vulnerability Space Demo 18

19 Source Code Scanners Motivation Most exploits are due to bad programming Manual reviews have limitations Can overlook vulnerabilities Are resource extensive Are time consuming 19

20 Source Code Scanners Lexical Static Analyzers Flawfinder Developed by David Wheeler Scans C and C++ RATS Rough Auditing Tool for Security Developed by Secure Software Scans C, C++, Perl, PHP and Python ITS4 - It's the Software Stupid Source Scanner Developed by Cigital Scans C and C++ 20

21 Source Code Scanners Compile-time Analyzers Sparse Kernel code scanner Coverity Developed by Coverity Inc. Commercial code scanner 21

22 Source Code Scanners Limitations Do not replace good manual code audits Only find flaws they are taught to find Scan limited selection of programming languages Produce lengthy outputs High rate of false positives 22

23 Agenda Definitions Overview Common Exploits Better Coding Practices Overview of Source Code Scanners IBM s Efforts in Vulnerability Space Demo 23

24 IBM s Role BogoSec What is BogoSec? Source code security quality metric tool Parses and analyzes output of other scanners It is not a source code scanner itself Calculates a value based on number of vulnerabilities found per LOC (lines of code) Currently supports: Flawfinder RATS ITS4 24

25 IBM s Role BogoSec Motivation Scanners produce lengthy outputs Quick measure of vulnerabilities per lines of code Easy way to compare packages Different versions of a package as well Automation of code scanning Current Status Available on Sourceforge 25

26 IBM s Role Coverity Scans Coverity Commercial source code scanner based on the Stanford Checker Detects problems at compile time Consists of a compilation wrapper and a web GUI to display results 26

27 27

28 IBM s Role Coverity Scans Results Scanned over 20 open source packages Submitted 78 patches to fix 148 bugs Submitted 49 fixes that are still awaiting acceptance Google and found by Coverity to see some of our contributions. 28

29 Conclusion Less vulnerable software starts with security conscious developers Code security should be considered early during the software development life cycle Multiple tools are available to aid programmers in developing more secure code 29

30 Resources Flawfinder ITS4 RATS Sparse Coverity 30

31 Resources BogoSec Wikipedia _science%29 nd_worms 31

32 Resources BULLGUARD 32 ruses.aspx Online NewsHour amous.html Secure Programming for Linux and Unix HOWTO by David Wheeler Secure Coding by David Wong

33 ?????? Questions???? 33

34 Legal Notice This work represents the views of the author and does not necessarily reflect the views of IBM. This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice. Any references in this publication to non-ibm Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk. Information concerning non-ibm products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-ibm products. Questions on the capabilities of non-ibm products should be addressed to the suppliers of those products. All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only. 34

35 Legal Notice (Cont d) All information contained in this document is subject to change without notice. The products described in this document are NOT intended for use in applications such as implantation, life support, or other hazardous uses where malfunction could result in death, bodily injury, or catastrophic property damage. The information contained in this document does not affect or change IBM product specifications or warranties. Nothing in this document shall operate as an express or implied license or indemnity under the intellectual property rights of IBM or third parties. All information contained in this document was obtained in specific environments, and is presented as an illustration. The results obtained in other operating environments may vary. THE INFORMATION CONTAINED IN THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS. In no event will IBM be liable for damages arising directly or indirectly from any use of the information contained in this document. 35

36 Legal Notice - Trademarks IBM is a registered trademarks of International Business Machines Corporation. Linux is a registered trademark of Linus Torvalds. Microsoft, Windows, Windows NT and the Windows logo are trademarks of Microsoft Corporation in the United States, and/or other countries. Red Hat is a registered trademark of Red Hat, Inc. in the US and other countries. SUSE is a registered trademark of SUSE LINUX AG, a Novell business. Trusted Solaris is a trademark of Sun Microsystems, Inc. in the U.S. and other countries. Type Enforcement is a registered trademark of Secure Computing Corporation. UNIX is a registered trademark in the U.S. and other countries, exclusively licensed through X/Open Company, Ltd. Other company, product and service names may be trademarks or service marks of others. 36

37 Backup Slides Demo Screen Shots 37

38 Flawfinder Flawfinder version 1.26, (C) David A. Wheeler. Number of dangerous functions in C/C++ ruleset: 158 Examining /tmp/bogosec.rpm.dhcgmd/build/eject /eject.c /tmp/bogosec.rpm.dhcgmd/build/eject /eject.c:284: [4] (race) access: This usually indicates a security flaw. If an attacker can change anything along the path between the call to access() and the file's actual use (e.g., by moving files), the attacker can exploit the race condition. Set up the correct permissions (e.g., using setuid()) and try to open the file directly.... Hits = 59 Lines analyzed = 1037 in 0.86 seconds (2897 lines/second) Physical Source Lines of Code (SLOC) = 779 Hits@level = [0] 0 [1] 11 [2] 30 [3] 3 [4] 14 [5] 1 Hits@level+ = [0+] 59 [1+] 59 [2+] 48 [3+] 18 [4+] 15 [5+] 1 Hits/KSLOC@level+ = [0+] [1+] [2+] [3+] [4+] [5+] Minimum risk level = 1 Not every hit is necessarily a security vulnerability. There may be other security vulnerabilities; review your code! 38

39 RATS Entries in perl database: 33 Entries in python database: 62 Entries in c database: 334 Entries in php database: 55 Analyzing /tmp/bogosec.rpm.dhcgmd/build/eject /eject.c /tmp/bogosec.rpm.dhcgmd/build/eject /eject.c:1024: High: fprintf Check to be sure that the non-constant format string passed as argument 2 to this function call does not come from an untrusted source that could have added formatting characters that the code is not prepared to handle. Total lines analyzed: 1038 Total time seconds lines per second 39

40 BogoSec Running flawfinder... Running its4... Running rats... flawfinder 282 points 779 lines its4 754 points 1037 lines rats 983 points 1037 lines >>> Using scanners: (flawfinder its4 rats ) >>> 2019 total severity points >>> 2853 total lines of code scanned >>> final score =

41 BogoSec - Wrapper START : Mon May 10 15:57:00 CST 2006 ====================================== Package Sev Points Lines Of Code Final Score 4Suite src.rpm acpid src.rpm alsa-lib src.rpm am-utils src.rpm anacron src.rpm