Secure Software Programming and Vulnerability Analysis



Similar documents
Security Testing. Davide Balzarotti

Static Checking of C Programs for Vulnerabilities. Aaron Brown

Software Security Testing

X05. An Overview of Source Code Scanning Tools. Loulwa Salem. Las Vegas, NV. IBM Corporation IBM System p, AIX 5L & Linux Technical University

Improving Software Security at the. Source

Linux Kernel. Security Report

Securing Network Software using Static Analysis

Detecting Critical Defects on the Developer s Desktop

Automatic vs. Manual Code Analysis

Oracle Solaris Studio Code Analyzer

Software security specification and verification

I Control Your Code Attack Vectors Through the Eyes of Software-based Fault Isolation. Mathias Payer, ETH Zurich

Static Analysis. Find the Bug! : Analysis of Software Artifacts. Jonathan Aldrich. disable interrupts. ERROR: returning with interrupts disabled

Software Testing & Analysis (F22ST3): Static Analysis Techniques 2. Andrew Ireland

Source Code Review Using Static Analysis Tools

Formal Software Testing. Terri Grenda, CSTE IV&V Testing Solutions, LLC

Comprehensive Static Analysis Using Polyspace Products. A Solution to Today s Embedded Software Verification Challenges WHITE PAPER

Software testing. Objectives

Web application security: automated scanning versus manual penetration testing.

Static Analysis of Dynamic Properties - Automatic Program Verification to Prove the Absence of Dynamic Runtime Errors

- Table of Contents -

APPROACHES TO SOFTWARE TESTING PROGRAM VERIFICATION AND VALIDATION

Software security assessment based on static analysis

Introduction to Automated Testing

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

Best Practices for Verification, Validation, and Test in Model- Based Design

Aiming at Higher Network Security Levels Through Extensive PENETRATION TESTING. Anestis Bechtsoudis. abechtsoudis (at) ieee.

Static Code Analysis Procedures in the Development Cycle

Security Testing OpenGGSN: a Case Study

The Security Development Lifecycle. OWASP 24 June The OWASP Foundation

Visualizing Information Flow through C Programs

The ROI of Test Automation

OPEN SOURCE SECURITY

How to Build a Trusted Application. John Dickson, CISSP

D. Best Practices D.1. Assurance The 5 th A

STATIC CODE ANALYSIS Alexandru G. Bardas 1

Access Control Fundamentals

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

The Road from Software Testing to Theorem Proving

Security and Vulnerability Testing How critical it is?

Application Code Development Standards

Secure Programming with Static Analysis. Jacob West

Toward A Taxonomy of Techniques to Detect Cross-site Scripting and SQL Injection Vulnerabilities

Specification and Analysis of Contracts Lecture 1 Introduction

90% of data breaches are caused by software vulnerabilities.

Applying the Blackboard Model in the Security Field

On the value of hybrid security testing

CPNI TECHNICAL NOTE 04/2008 VULNERABILITY ASSESSMENT TOOLS

How To Detect A Buffer Overflow Vulnerability In Binary Code

TOOL EVALUATION REPORT: FORTIFY

Critical Infrastructure Security: The Emerging Smart Grid. Cyber Security Lecture 5: Assurance, Evaluation, and Compliance Carl Hauser & Adam Hahn

Keywords: 2013, IJARCSSE All Rights Reserved Page 451

Complete Web Application Security. Phase1-Building Web Application Security into Your Development Process

Levels of Software Testing. Functional Testing

Reduce Medical Device Compliance Costs with Best Practices.

Achilles Assurance Platform. Dr. Nate Kube Founder / CTO Wurldtech

CS52600: Information Security

Auditing a Web Application. Brad Ruppert. SANS Technology Institute GWAS Presentation 1

Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP

WHITEPAPER. Nessus Exploit Integration

Software Active Online Monitoring Under. Anticipatory Semantics

Security Testing & Load Testing for Online Document Management system

-.% . /(.0/ ) 53%/( (01 (%((. * 7071 (%%2 $,( . 8 / 9!0/!1 . # (3(0 31.%::((. ;.!0.!1 %2% . ".(0.1 $) (%+"",(%$.(6

Payment Card Industry (PCI) Terminal Software Security. Best Practices

Measuring the Effect of Code Complexity on Static Analysis Results

The FDA Forensics Lab, New Tools and Capabilities

Security Vulnerability Management. Mark J Cox

Turning the Battleship: How to Build Secure Software in Large Organizations. Dan Cornell May 11 th, 2006

Developing Secure Software, assignment 1

Effective Software Security Management

Quality Management. Lecture 12 Software quality management

Effective Patch Management: How to make the pain go away. Adam Shostack

Static Techniques for Vulnerability Detection

Adobe Systems Incorporated

Testing for Security

Learning objectives for today s session

Self Service Penetration Testing

Application Intrusion Detection

Software Vulnerabilities

The Need for Fourth Generation Static Analysis Tools for Security From Bugs to Flaws

Web application testing

DANNY ALLAN, STRATEGIC RESEARCH ANALYST. A whitepaper from Watchfire

Using Web Security Scanners to Detect Vulnerabilities in Web Services

New Zealand Company Six full time technical staff Offices in Auckland and Wellington

Know or Go Practical Quest for Reliable Software

Web Application Security

MPI-Checker Static Analysis for MPI

Penetration Testing. Security Testing

Integrating Tools Into the SDLC

Satisfying ASIL Requirements with Parasoft C++test Achieving Functional Safety in the Automotive Industry

Idea: Measuring the Effect of Code Complexity on Static Analysis Results

Secure Software Programming and Vulnerability Analysis

Carlos Villavieja, Nacho Navarro Arati Baliga, Liviu Iftode

Detecting Software Vulnerabilities Static Taint Analysis

Restraining Execution Environments

The Hacker Strategy. Dave Aitel Security Research

A very short history of networking

CHAPTER 5 INTELLIGENT TECHNIQUES TO PREVENT SQL INJECTION ATTACKS

Introducing Formal Methods. Software Engineering and Formal Methods

Nessus. A short review of the Nessus computer network vulnerability analysing tool. Authors: Henrik Andersson Johannes Gumbel Martin Andersson

Transcription:

Secure Software Programming and Vulnerability Analysis Christopher Kruegel chris@auto.tuwien.ac.at http://www.auto.tuwien.ac.at/~chris Testing and Source Code Auditing Secure Software Programming 2

Overview When system is designed and implemented correctness has to be tested Different types of tests are necessary validation is the system designed correctly? does the design meet the problem requirements? verification is the system implemented correctly? does the implementation meet the design requirements? Different features can be tested functionality, performance, security Secure Software Programming 3 Testing Edsger Dijkstra Program testing can be quite effective for showing the presence of bugs, but is hopelessly inadequate for showing their absence. Testing analysis that discovers what is and compares it to what should be should be done throughout the development cycle necessary process but not a substitute for sound design and implementation for example, running public attack tools against a server cannot proof that server is implemented secure Secure Software Programming 4

Testing Classification of testing techniques white-box testing testing all the implementation path coverage considerations faults of commission find implementation flaws but cannot guarantee that specifications are fulfilled black-box testing testing against specification only concerned with input and output faults of omissions specification flaws are detected but cannot guarantee that implementation is correct Secure Software Programming 5 Testing Classification of testing techniques static testing check requirements and design documents perform source code auditing theoretically reason about (program) properties cover a possible infinite amount of input (e.g., use ranges) no actual code is executed dynamic testing feed program with input and observe behavior check a certain number of input and output values code is executed (and must be available) Secure Software Programming 6

Testing Automatic testing testing should be done continuously involves a lot of input, output comparisons, and test runs therefore, ideally suitable for automation testing hooks are required, at least at module level nightly builds with tests for complete system are advantageous Regression tests test designed to check that a program has not "regressed, that is, that previous capabilities have not been compromised by introducing new ones Secure Software Programming 7 Testing Software fault injection go after effects of bugs instead of bugs reason is that bugs cannot be completely removed thus, make program fault-tolerant failures are deliberately injected into code effects are observed and program is made more robust Most techniques can be used to identify security problems Secure Software Programming 8

Security Testing Design level not much tool support available manual design reviews formal methods attack graphs Formal methods formal specification that can be mathematically described and verified often used for small, safety-critical programs e.g., control program for nuclear power plant state and state transitions must be formalized and unsafe states must be described model checker can ensure that no unsafe state is reached Secure Software Programming 9 Security Testing Attack graph given a finite state model, M, of a network a security property! an attack is an execution of M that violates! an attack graph is a set of attacks of M Attack graph generation done by hand error prone and tedious impractical for large systems automatic generation provide state description transition rules Secure Software Programming 10

Security Testing Sandia Red Team White Board attack graph from DARPA CC20008 Information battle space preparation experiment Secure Software Programming 11 Security Testing! = Attacker gains root access to Host 1. 4 hosts 30 actions 310 nodes 3400 edges Secure Software Programming 12

Security Testing Implementation Level detect known set of problems and security bugs more automatic tool support available target particular flaws reviewing (auditing) software for flaws is reasonably well-known and well-documented support for static and dynamic analysis ranges from how-to for manual code reviewing to elaborate model checkers or compiler extension Secure Software Programming 13 Static Security Testing Manual auditing code has to support auditing architectural overview comments functional summary for each method OpenBSD is well know for good auditing process 6-12 members since 1996 comprehensive file-by-file analysis multiple reviews by different people search for bugs in general proactive fixes Secure Software Programming 14

Static Security Testing Manual auditing tedious and difficult task other initiatives were less successful Sardonix Reviewing old code is tedious and boring and no one wants to do it, Crispin Cowan said. Linux Security Audit Project (LSAP) Statistics for All Time Lifespan Rank Page Views D/l Bugs Support Patches Trkr Tasks 1459 days 0(0.00) 4,887 0 0(0) 0(0) 0(0) 0(0) 0(0) Secure Software Programming 15 Static Security Testing Syntax checker parse source code and check for functions that have known vulnerabilities, e.g., strcpy(), strcat() also limited support for arguments (e.g., variable, static string) only suitable as first basic check cannot understand more complex relationships no control flow or data flow analysis Examples flawfinder RATS (rough auditing tool for security) ITS4 Secure Software Programming 16

Static Security Testing Annotation-based systems programmer uses annotations to specify properties in the source code (e.g., this value must not be NULL) analysis tool checks source code to find possible violations control flow and data flow analysis is performed problems are undecidable in general, therefore trade-off between correctness and completeness Examples SPlint Eau-claire UNO (uninitialized vars, null-ptr dereferencing, out-of-bounds access) Secure Software Programming 17 Static Security Testing Model-checking programmer specifies security properties that have to hold models realized as state machines statements in the program result in state transitions certain states are considered insecure usually, control flow and data flow analysis is performed example properties drop privileges properly race conditions creating a secure chroot jail examples MOPS (an infrastructure for examining security properties of software) Secure Software Programming 18

Static Security Testing Meta-compilation programmer adds simple system-specific compiler extensions these extensions check (or optimize) the code flow-sensitive, inter-procedural analysis not sound, but can detect many bugs no annotations needed example extensions system calls must check user pointers for validity before using them disabled interrupts must be re-enabled to avoid deadlock, do not call a blocking function with interrupts disabled examples Dawson Engler (Stanford) Secure Software Programming 19 Static Security Testing Model-checking versus Meta-compilation (Engler 03) General perception static analysis: easy to apply but shallow bugs model checking: harder, but strictly better once done ccnuma with cache coherence protocols in software 1 bug deadlocks entire machine code with many ad hoc correctness rules WAIT_FOR_DB_FULL must precede MISCBUS_READ_DB but they have a clear mapping to source code easy to check with compiler Secure Software Programming 20

Static Security Testing Meta-compilation scales relatively precise statically found 34 bugs, although code tested for 5 years however, many deeper properties are missed Deeper properties nodes never overflow their network queues sharing list empty for dirty lines nodes do not send messages to themselves Perfect application for model checking bugs depend on intricate series of low-probability events self-contained system that generates its own events Secure Software Programming 21 Static Security Testing The (known) problem writing model is hard someone did it for a similar protocol than ccnuma several months effort no bugs use correspondence to auto-extract model from code Result 8 errors two deep errors, but 6 bugs found with static analysis as well. Myth: model checking will find more bugs in reality, 4x fewer Secure Software Programming 22

Static Security Testing Where meta-compilation is superior Static analysis Compile! Check Model checking Run! Check Don t understand? So what. Problem. Can t run? So what. Can t play. Coverage? All paths! All paths! Executed paths. First question: How big is code? What does it do? Time: Hours. Weeks. Bug counts 100-1000s 0-10s Big code: 10MLOC 10K No results? Surprised. Less surprised. Secure Software Programming 23 Static Security Testing Where model-checking is superior Subtle errors run code, so can check its implications data invariants, feedback properties, global properties static better at checking properties in code model checking better at checking properties implied by code End-to-end catch bug no matter how it is generated static detects ways to cause error model checking checks for the error itself Secure Software Programming 24

Dynamic Security Testing Run-time checking between operating system and program intercept and check system calls Run-time checking between libraries and program intercept and check library functions often used to detect memory problems interception of malloc() and free() calls emulation of heap behavior and code instrumentation purify, valgrind also support for buffer overflow detection libsafe Secure Software Programming 25 Dynamic Security Testing Profiling record the dynamic behavior of applications with respect to interesting properties Obviously interesting to tune performance gprof But also useful for improving security sequences of system calls system call arguments same for function calls Secure Software Programming 26

Dynamic Security Testing Penetration testing explicitly trying to break applications security general tool support available nessus ISS Internet Scanner nmap also tools for available that can test a particular protocol whisker ISS Database scanner Secure Software Programming 27 Summary Testing important part of regular software life-cycle but also important to ensure a certain security standard Important at design and implementation level design attack graphs, formal methods, manual reviews implementation static and dynamic techniques Static techniques code review, syntax checks, model checking, meta-compilation Dynamic techniques system call and library function interposition, profiling Secure Software Programming 28

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information