Gold Standard Benchmark for Static Source Code Analyzers

Similar documents
Gold Standard Method for Benchmarking C Source Code Static Analysis Tools

How To Develop A Static Analysis System For Large Programs

Using Static Code Analysis Tools for Detection of Security Vulnerabilities

Visualizing Information Flow through C Programs

IKOS: A Framework for Static Analysis based on Abstract Interpretation (Tool Paper)

Code Dx: Visual analytics for triage of source code vulnerabilities

Eastern Washington University Department of Computer Science. Questionnaire for Prospective Masters in Computer Science Students

A Technical Review of TIBCO Patterns Search

Development Testing for Agile Environments

A Test Suite for Basic CWE Effectiveness. Paul E. Black.

Eastern Washington University Department of Computer Science. Questionnaire for Prospective Masters in Computer Science Students

Measuring the Effect of Code Complexity on Static Analysis Results

Interactive Application Security Testing (IAST)

Detecting Critical Defects on the Developer s Desktop

Oracle Solaris Studio Code Analyzer

Software security specification and verification

Source Code Review Using Static Analysis Tools

Idea: Measuring the Effect of Code Complexity on Static Analysis Results

STATIC CODE ANALYSIS Alexandru G. Bardas 1

Streamlining BEA WebLogic Server Application Development. With VMware Infrastructure 3. With VMware Infrastructure 3

The VMware Reference Architecture for Stateless Virtual Desktops with VMware View 4.5

Please consult the Department of Engineering about the Computer Engineering Emphasis.

Open-source Versus Commercial Software: A Quantitative Comparison

ECS 235A Project - NVD Visualization Using TreeMaps

Source Code Security Analysis Tool Functional Specification Version 1.0

Tackling Third-Party Patches

Software Code Quality Checking (SCQC) No Clearance for This Secret: Information Assurance is MORE Than Security

Automating Security Testing. Mark Fallon Senior Release Manager Oracle

Cloud Data Management Interface (CDMI) The Cloud Storage Standard. Mark Carlson, SNIA TC and Oracle Chair, SNIA Cloud Storage TWG

Deep Security Vulnerability Protection Summary

The Road from Software Testing to Theorem Proving

White Paper. Automating Your Code Review: Moving to a SaaS Model for Application Security

Pattern Insight Clone Detection

Static Analysis Tool Exposition (SATE) 2008

Module II. Internet Security. Chapter 7. Intrusion Detection. Web Security: Theory & Applications. School of Software, Sun Yat-sen University

Evaluation of Load/Stress tools for Web Applications testing

Information Security and Continuity Management Information Sharing Portal. Category: Risk Management Initiatives

Endpoint Security Solutions Comparative Analysis Report

Testing for Security

Service Availability Metrics

The Importance of Patching Non-Microsoft Applications

IT Security & Compliance. On Time. On Budget. On Demand.

Analysis Of Source Lines Of Code(SLOC) Metric

Object Oriented Database Management System for Decision Support System.

Virtual Routing: What s The Goal? And What s Beyond? Peter Christy, NetsEdge Research Group, August 2001

Redefining Static Analysis A Standards Approach. Mike Oara CTO, Hatha Systems

GETTING REAL ABOUT SECURITY MANAGEMENT AND "BIG DATA"

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

Verum white paper study ASD SaaS Business Case for Philips Healthcare

Transparent Monitoring of a Process Self in a Virtual Environment

Free Network Monitoring Software for Small Networks

Software Testing & Analysis (F22ST3): Static Analysis Techniques 2. Andrew Ireland

The Eighth International Conference INCOSE_IL Formal Methods Security Tools in the Service of Cyber Security

PSG College of Technology, Coimbatore Department of Computer & Information Sciences BSc (CT) G1 & G2 Sixth Semester PROJECT DETAILS.

Continuous Prevention Testing

Total Protection for Compliance: Unified IT Policy Auditing

CIA Lab Assignment: Web Servers

Secure Software Programming and Vulnerability Analysis

The ROI from Optimizing Software Performance with Intel Parallel Studio XE

INTRODUCTION TO JAVA PROGRAMMING LANGUAGE

Eastern Washington University Department of Computer Science. Questionnaire for Prospective Masters in Computer Science Students

VMWARE Introduction ESX Server Architecture and the design of Virtual Machines

Efficiency Considerations of PERL and Python in Distributed Processing

MALAYSIAN PUBLIC SECTOR OPEN SOURCE SOFTWARE (OSS) PROGRAMME. COMPARISON REPORT ON NETWORK MONITORING SYSTEMS (Nagios and Zabbix)

The Data Quality Continuum*

Code Review Best Practices. With Adam Kolawa, Ph.D.

Monitoring Windows Servers and Applications with GroundWork Monitor Enterprise 6.7. Product Application Guide October 8, 2012

University of Dayton Department of Computer Science Undergraduate Programs Assessment Plan DRAFT September 14, 2011

Developers and the Software Supply Chain. Andy Chou, PhD Chief Technology Officer Coverity, Inc.

Consulting Guide: Microsoft Exchange Solutions on VMware

Configuration Maximums VMware vsphere 4.0

Computer Science. Computer Science 213. Faculty and Offices. Degrees and Certificates Awarded. AS Computer Science Degree Requirements

The Security Development Lifecycle at SAP How SAP Builds Security into Software Products

Toward a lightweight framework for monitoring public clouds

Trustworthy Software Systems

GenICam 3.0 Faster, Smaller, 3D

CCA CYBER SECURITY TRACK

Configuration Maximums VMware Infrastructure 3

Týr: a dependent type system for spatial memory safety in LLVM

Automated Performance Testing of Desktop Applications

How To Use Open Source Software In Defence

Computer and Information Sciences

Transcription:

CYBER SECURITY DIVISION 2013 PRINCIPAL INVESTIGATORS Gold Standard Benchmark for Static Source Code Analyzers Kestrel Technology, LLC Dr. Henny B. Sipma Sep 16, 2013

Kestrel Technology Founded: 2000 Location: Palo Alto, CA Core activity: Sound static analysis (mathematical proof of safety) Properties Tool: CodeHawk Languages supported: C, Java, x86 executables Underlying technology: Abstract interpretation (Cousot,Cousot, 1977) C: Language-level properties: memory safety, null-dereference (application-independent, mathematically well-defined properties) Java: Information flow analysis, resource analysis, integer overflow, error handling X86: Memory safety, information extraction 9/12/2013 CYBER SECURITY DIVISION 2013 PRINCIPAL INVESTIGATORS MEETING 1 1

Software infrastructure: A need for software security metrics Cement is everywhere. Our very lives depend on cement, yet we don't worry about it: such is the legacy of Joseph Bazalgette, who introduced measurement and strict quality controls Like cement, software is everywhere: our very lives are becoming more and more dependent on software. Unlike cement, for more than 50 years software has been continuously released and added to the national infrastructure, plagued by design and implementation defects that were largely detectable and preventable, but were not. Why not? (from Geekonomics, David Rice) Physically safe in the largest buildings, but not safe from continuous attacks from all over the world 9/12/2013 CYBER SECURITY DIVISION 2013 PRINCIPAL INVESTIGATORS MEETING 2

Customer Need We need the ability to measure software quality We need the ability to measure the effectiveness of the tools that are used for software assurance in terms of False positives: bugs that turn out not to be bugs AND False negatives: bugs that are missed 9/12/2013 CYBER SECURITY DIVISION 2013 PRINCIPAL INVESTIGATORS MEETING 3

Problems with measurement From the 2012 Coverity Scan Report (May 2013): Did software get worse? Did detection technology get better? Some combination of the two? (number of defects per 1000 LOC) What is the "real" number? What is a defect? 9/12/2013 CYBER SECURITY DIVISION 2013 PRINCIPAL INVESTIGATORS MEETING 4

Compounding problem: Economic incentives favor less assurance Reality Customer sees false positives Tool A Tool B false negatives... and will choose Tool A Tool A Tool B 9/12/2013 2013 DHS S&T/DoD ASD (R&E) CYBER SECURITY SBIR WORKSHOP 5

Our Solution: Measure memory-safety defects Define Defect mathematical definition based on C standard semantics (37 cases of memory-related undefined behavior) Semantic explication of C semantics by George Necula (Berkeley, 2002) covers all of C plus gcc extensions Measure Defects mathematical proof based on Primary proof obligations (for all memory accesses and related instructions) Sound static analysis to discharge proof obligations of safe memory accesses Demonstrate vulnerability in remaining cases 9/12/2013 2013 DHS S&T/DoD ASD (R&E) CYBER SECURITY SBIR WORKSHOP 6

Our Solution: Measure memory-safety defects Define Defect mathematical definition based on C standard semantics (37 cases of memory-related undefined behavior) Semantic explication of C semantics by George Necula (Berkeley, 2002) covers all of C plus gcc extensions Measure Defects mathematical proof based on Primary proof obligations (for all memory accesses and related instructions) Sound static analysis to discharge proof obligations of safe memory accesses Demonstrate vulnerability in remaining cases DIFFICULT 9/12/2013 2013 DHS S&T/DoD ASD (R&E) CYBER SECURITY SBIR WORKSHOP 7

Approach: Capability and Technology Kestrel Technology's Core Capability: powerful and scalable, sound static analysis engine: based on theory of abstract interpretation (Cousot, Cousot 1977) generates invariants (over-approximation of program behaviors for all possible inputs Technology: Distributed Proof Structure structural induction over the control flow graph of all functions assume-guarantee reasoning based on function summaries (contracts) data structure invariants global data invariants hierarchy of primary and secondary proof obligations local invariant generation whole-program pointer analysis 9/12/2013 2013 DHS S&T/DoD ASD (R&E) CYBER SECURITY SBIR WORKSHOP 8

Apply to six benchmark programs lighttpd nagios naim webserver designed and optimized for high-performance environments used by several popular websites, including YouTube and Wikipedia tool for IT-infrastructure monitoring with more than a million users, including Comcast, Philips, Siemens, Thales, McAfee console chat client for AOL instant messaging (AIM) and internet relay chat (IRC) 144 files 38 KLOC 73 files 65 KLOC 44 files 23 KLOC irssi terminal-based IRC client for UNIX systems 347 files 53 KLOC pvm dovecot package that lets heterogeneous collections of Unix and Windows computers to be used as a single large parallel computer, developed by Oak Ridge Nat'l Labs open-source IMAP and POP3 email server for Linux (written with security in mind) 320 files 72 KLOC 1,111 files 119 KLOC 9/12/2013 2013 DHS S&T/DoD ASD (R&E) CYBER SECURITY SBIR WORKSHOP 9

Apply to six benchmark programs lighttpd (SATE 2008) nagios (SATE 2008) naim (SATE 2008) webserver designed and optimized for high-performance environments used by several popular websites, including YouTube and Wikipedia tool for IT-infrastructure monitoring with more than a million users, including Comcast, Philips, Siemens, Thales, McAfee console chat client for AOL instant messaging (AIM) and internet relay chat (IRC) 144 files 38 KLOC 73 files 65 KLOC 44 files 23 KLOC irssi (SATE 2009) terminal-based IRC client for UNIX systems 347 files 53 KLOC pvm (SATE 2009) dovecot (SATE 2010) package that lets heterogeneous collections of Unix and Windows computers to be used as a single large parallel computer, developed by Oak Ridge Nat'l Labs open-source IMAP and POP3 email server for Linux (written with security in mind) 320 files 72 KLOC 1,111 files 119 KLOC 9/12/2013 2013 DHS S&T/DoD ASD (R&E) CYBER SECURITY SBIR WORKSHOP 10

Approach: Architecture Interactive Proof Assistant XML library function summaries C program CHCIL parser compilation units XML representation of code and proofs linking units Progress Monitor Scoring Tool 3 rd party tool results Tool Report 9/12/2013 CYBER SECURITY DIVISION 2013 PRINCIPAL INVESTIGATORS MEETING 11

Approach: Scoring tool Scoring Tool: o Import results for all primary and secondary proof obligations o Import 3 rd party analysis tool results o Compare o Establish correspondence and report false negatives false positives adequacy of bug placement Identify strengths and weaknesses of 3 rd party analysis tool Programs: Apply to results from any static analysis tool in the SWAMP on o o o o o o lighttpd nagios naim irssi pvm dovecot XML XML representation XML representation of representation code and of code and proofs of code and proofs proofs Scoring Tool 3 rd party tool results Tool Report 9/12/2013 CYBER SECURITY DIVISION 2013 PRINCIPAL INVESTIGATORS MEETING 12

Benefit: Ability to grade tools Email client Tool A results for A report card for A Webserver Tool B results for B report card for B Network infrastructure Tool C results for C report card for C Chat client 9/12/2013 CYBER SECURITY DIVISION 2013 PRINCIPAL INVESTIGATORS MEETING 13

Collaboration (rather than Competition) Other government organizations: NIST (Dr. Paul E. Black) Vendors of bug-finding tools: Offer scoring tool as a service to Identify strengths and weaknesses in bug-finding tools Improve bug-finding tools 9/12/2013 CYBER SECURITY DIVISION 2013 PRINCIPAL INVESTIGATORS MEETING 14

Current Status: Accomplishments Theoretical foundations of memory-safety defect measurement shared and discussed with Dr. Paul E. Black (NIST) relationship to 27 CWE's illustrative application to lighttpd Software architecture and implementation (in progress) xml representation of CIL semantic constructs xml library function summaries interactive proof assistant progress monitor Benchmark programs (in progress) xml representation of lighttpd 9/12/2013 CYBER SECURITY DIVISION 2013 PRINCIPAL INVESTIGATORS MEETING 15

Schedule and Milestones IPA PM XML XML representation XML representation of representation code and of code and proofs of code and proofs proofs lighttpd nagios irssi pvm Scoring Tool Tool Report naim dovecot Sep Dec Mar June Sep 9/12/2013 2013 DHS S&T/DoD ASD (R&E) CYBER SECURITY SBIR WORKSHOP 16

Technology Transition SWAMP Scoring Tool Tool Report Ability to score and evaluate static analysis tools C prog ram CHCIL XML Preprocessed programs to lower entry barrier for new tool developers facilitate collaborative analysis 8/713 CYBER SECURITY DIVISION 2013 PRINCIPAL INVESTIGATORS MEETING 17

Contact Information Team: Henny Sipma, Principal Investigator Rich Barry, Program Manager Eric Bush Arnaud Venet (Consultant) Contact Information: sipma@kestreltechnology.com Kestrel Technology, LLC 3260 Hillview Ave Palo Alto, CA 94304 tel. (650) 320 8487 9/12/2013 CYBER SECURITY DIVISION 2013 PRINCIPAL INVESTIGATORS MEETING 18

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information