Source Code Analysis Flashcards
What can we do to be sure that code is trustworthy ?
Evaluate binary
- Review source code, compile yourself
- Evaluate compiler
- Review compiler source code? +compiler’s compiler?
- Review compiler machine code?
- Evaluate operating system
- Evaluate hardware, firmware
Evaluate persons, processes
what are risks to outsourcing and offshore development ?
Untrustworthy staff
- Contract workers, contractors, sub-contracting
- Insider threat, traceability of code origin/modification
Untrustworthy suppliers
- Products: Libraries, components
- Services: Deployment, operation
What trust models exist for ICT supply chain ?
“Blind trust”, “Trust by directive”, “Liability”
-> Sufficient to evaluate 1st supplier
“Reputation”, “Strong interest”
-> Evaluate 1st supplier + 3rd party components
“Proven in use”
->All relevant components known and evaluated?
Higher risk
- “Weak interest”
- > Supplier without active interest
- “Idealism”
- > Supplier might be harmed by others
What are factors that need to be considerd for software inspections ?
Effectiveness: how much reduction?
Efficiency: at what cost?
- Manual reviews: Skilled labor is scarce
- Automation (but manual follow-up)
Risk-based analysis/testing
- Reduce scope
what is the goal for software inspections ?
Reduce vulnerabilities in code
what are advantages of software inspections ?
Ensure that more than one person
has seen every piece of code
Prospect of someone else reviewing
your code raises quality
Force developers to document decisions
Train junior developers to get familiar with code base
What are methods used to find vulnerabilities ?
Black box
- Same situation as attackers
White box
- Insider knowledge, e.g., review of source code
Grey box
How could an example process of a code review look ?
- Define scope
- Collect information
- Review: design, code; test
- Document findings
- Analyse findings: severity, remediation effort
- (Support remediation)
Which parameters define the scope of a code review ?
Goal of review
– Ease of detection, severity, code coverage, depth
– Business context
– Compliance with regulations
Type of access
– Source
– Binary, binary+debug info
– Black box access to interfaces
What tools can aid in the definiton of the scope ?
Coverage
- Execute test cases, measure coverage, i.e. which parts of
code affected
- Inspect affected code (assumption: what is not tested is less
relevant code)
Call graphs
- Identify modules used by many
- E.g. CScout
Hot spots
- Issue trackers: modules mentioned often (past experience)
- Version control logs
- Code modified often
- Code modified often because of bug fixes
- Defect prediction (type of change, dev. experience,
affected LOC, affected #files)
- Code metrics: complexity, #dependencies
- Code visualisation
- E.g. CodeCity, Gource
Where can we collect infos while doing a code review ?
System documentation
Developer documentation
– Might not exist or might not be current
– Version control log is also documentation
Interviews: be polite
Documentation of standards that are used
Source code: get overview, get feeling
Deployed system: get overview, run scans
What are the steps while doing the actual review ?
Plan: Decide what to look for and how
- High level (design) vs low level (implementation)
- Assets, entry points, trust boundaries, relationships
Review: Perform the review
- Vary: people, perspective
- Take notes, annotate source code
- Stay focused, do not get lost in details
Reflect: What worked well, what did not?
- Relate to review goals
What are common review strategies ?
Code comprehension
– Analyse source code, gain understanding
– Trace input, analyse module/algorithm/class
Candidate points
– List potential issues, then examine source code
– Tools often used to create list
Design generalisation
– Recover design from source code
– Identify missing trust boundaries
What tools are used during the review stage ?
Code browsers
– Navigation in code, often integrated in IDE
– Cross-referencing variable/function definition/use
– Formatting/pretty-printing, make code easier to read,
e.g. Artistic Style (http://astyle.sourceforge.net)
– Call graphs, functional dependencies
Version control logs
Issue trackers (linked to version control)
What should be documented after a code review ?
Method used
Code coverage
Findings
– Threat, description, impact, location
– Proposed remediation (steps, effort)
What comes after a code review ?
Support remediation:
- Not part of review, but consequence of review
- Knowledge gained in discovery useful for fixing
- To fix or not to fix
-Estimate effort
- Business context
- Alternatives: change configuration,
reduce functionality, change environment
- Review fix
What can Type Systems do in terms of Security ?
Support security by
– imposing discipline/restrictions on developer
– enforcing abstractions on developer
What is Memory safety ?
Programming language ensures that only allocated (and
initialised) memory can be referenced
What is Type safety ?
– Types annotate program elements to assert invariant
properties (e.g. integer, array, string)
– Type checking verifies the assertions
What is Static code analysis and what are advantages ?
Detection of errors in a program without executing it
- No overhead in execution
- Often automated
- Focus on implementation vulnerabilities
- Beneficial for software quality in general
- Avoiding vulnerabilities is one aspect
- Often detects more (and different) errors
than manual review
- Examine unusual execution paths
What are disadvantages of static analysis ?
False positives – Static analysis tool reports non-error – Low rate of false positives important, critical for acceptance – Big issue with existing code
False negatives
– Tool does not report error
– Static analysis does not cover all classes of vulnerabilities,
even if you buy all the combined tools on the market
What are issues that can be cought with an analysis at compile- time ?
Analysis at compile-time
- Syntactic checks (often caught by compiler)
- Type checking (often done by compiler)
- Program semantics
- Unused variables, unreachable code, missing
initialisation
- Dataflow analysis, control flow analysis, abstract
interpretation, program verification, model checking
What are classes of programm error ?
Data – Are all variables initialized before use? – Have all constants been named? – Array lower bounds: 0, 1, k? – Array upper bounds: size? size-1?
Control flow
– Correct conditions for conditional statements?
– Termination of loops?
– Correct bracketing?
– All cases accounted for in switch statements?
What are analitcal approaches used in static code analysis ?
Syntactical analysis (find strings in source code)
Lexical analysis
– Match sequence of tokens against pattern
Data-flow analysis
– Determine possible values for variables
Abstract interpretation – Model execution on (simpler) abstract machine – Define abstract security requirements in advance, e.g., access to resources
