Static analysis and Tools for Security Flashcards

1
Q

What are software weaknesses?

A

Errors in software implementation that, if left unaddressed, could result in systems and networks being vulnerable to attacks.

e.g. buffer overflow, format string, injection, etc.

2
Q

What are software vulnerabilities?

A

A mistake/weakness in software that can be directly used by an attacker to gain access to a system

3
Q

What is CWE?

A

Collection of weaknesses

4
Q

What is CVE?

A

Common Vulnerabilities and Exposures list

5
Q

When is a weakness a vulnerability?

A

When there is a path to exploit the weakness

6
Q

What is an exploit?

A

A piece of software containing attack vectors that could be used directly to take advantage of a vulnerability in a system.

7
Q

What is static analysis?

A

Passive scanning of application code, without executing it, using a source code security analyzer.

8
Q

What does a source code security analyzer do?

A

Examines source code to detect and report weaknesses that can lead to vulnerabilities.

9
Q

How can you integrate security analysers during development?

A

Integrate them into report form, IDEs, and CI/CD environments.

10
Q

Why do we need code analysis for security audits?

A

Want to catch defects early in the development cycle

It functions as an aid for code review

11
Q

Name some Static Application Security Tools

A

FindSecBugs
SpotBugs
CheckMarx
Fortify

12
Q

How are FindSecBugs and SpotBugs combined?

A

FindSecBugs is a plugin that can be added to SpotBugs when we want to focus on security bugs

13
Q

What is FindSecBugs?

A

Analysis of Java code.

14
Q

How can FindSecBugs be used?

A

IDE plugin
Requires SpotBugs

15
Q

What is the NIST test suite?

A

Contains a lot of different variations of bad code and security bugs. Used for benchmarking different static analysis tools.

16
Q

What types of code representation can be fed to a program analyzer?

A

Source code

Bytecode

Binaries

17
Q

What does Data flow analysis operate on?

A

Control flow graph (and other intermediate representations)

18
Q

How is source code processed?

A

Source code
Abstract syntax tree
Control flow graph
Object code

19
Q

Name 7 well-known program analysis properties

A
  1. Intraprocedural
  2. Interprocedural
  3. Flow sensitive
  4. Context sensitive
  5. Field sensitive
  6. Object sensitive
  7. Path sensitive
20
Q

What are some techniques for static code analysis?

A

Pattern matching

Control flow analysis - builds on pattern matching

Data flow analysis - builds on control flow

Taint analysis - more relevant to security
- Source of data, trusted input (entry points)
- Sinks, point where data is consumed (exit points)
- Sanitization points, is anything mitigating an attack between the source and sink (filters)

21
Q

What does the analyser do before analysis?

A

The analyser builds a model from the source code we want to analyse.

After this, the analysis is performed.

22
Q

In addition to the built model, what is the analyser supplied with to be able to perform the analysis?

A

Security knowledge; this is what we use in taint analysis.

This knowledge tells the analyser what patterns we are looking for, sources and sinks for the programming language.

23
Q

What is lexical analysis?

A

Split code into tokens to identify language constructs correctly.

Removes unimportant tokens (whitespace, comments, etc.)

24
Q

What is semantic analysis?

A

Check the representation of each token for meaning (type, declaration, etc.)

25
Q

What is control flow analysis?

A

Possible paths a program can take are determined and combined into several control flow graphs that represent all possible data flow paths.

26
Q

What happens when an analysis tool constructs the model for source code analysis?

A

Lexical analysis
Semantic analysis
Control flow analysis

27
Q

What happens during pattern matching?

A

Have a set of insecure patterns, e.g. BAD_RANDOM_FUNCTION, XML_DECODER_SINK.

Report security issues if these patterns are found in the code.

28
Q

What are the different control flows?

A

if
while
for
switch
exceptions

29
Q

What are the different types of data flow?

A

How data flows within a program, and to what methods, classes, etc.

If there is a change in the assignments of variables during the execution of a program:
- Intra procedure (within a method)
- Inter procedure (between methods)
  - within a class
  - between classes

Data flow uses the control flow.

30
Q

What is data flow - taint analysis?

A

We want to follow data from a possibly untrusted source all the way to the (dangerous) sink.
31
Q

When is data tainted?

A

When it comes from an untrusted source.

32
Q

When does taint analysis report a security issue?

A

If we have a data flow from an untrusted source to a dangerous sink that does not go through sanitization:

Untrusted -> (tainted data) -> Dangerous sink

Instead of:

Untrusted -> (tainted data) -> Sanitization function -> (sanitized data) -> Dangerous sink

33
Q

Give examples of untrusted data

A

Web parameters
Cookies
File-/DB-data
Data from web services
Environment variables
System properties
Open ports

34
Q

Give an example of an HTML sink

A

out.println("" + input_username + "")

(The HTML markup surrounding input_username was lost in extraction; the sink is the write of the untrusted input_username into the HTML response.)
35
Q

How is taint analysis configured?

A

We configure which sources and sinks are safe or tainted/dangerous in the different languages.

These configuration files are used as security knowledge during analysis.

36
Q

When is a sink of security interest?

A

If its operation can read/write.

37
Q

What metrics are used to measure SAST tool performance?

A

Soundness
Completeness
True/false positives/negatives

38
Q

What is soundness?

A

All reported bugs are real. Sound if it never overapproximates the set of bugs in a given program.

Unsound: when the tool reports bugs that are not real; this situation is referred to as false positives.

39
Q

What is completeness?

A

All bugs are reported. Complete if it never underapproximates the set of bugs in a given program.

If bugs are missed, then it is incomplete. This is referred to as false negatives.

40
Q

What do practical static analysis tools do?

A

Make compromises between soundness and completeness.

(Diagram of nested circles)
Outer circle: Sound (overapproximate) analysis
Sub-circle: Possible program behaviour
Sub-sub-circle: Complete (underapproximate) analysis