Static analysis and Tools for Security Flashcards
What are software weaknesses
Errors in software implementation that, if left unaddressed, could leave systems and networks vulnerable to attack.
e.g. buffer overflow, format string bugs, injection, etc.
What are software vulnerabilities
A mistake or weakness in software that an attacker can directly use to gain access to, or otherwise compromise, a system.
What is CWE?
Common Weakness Enumeration: a catalogue of types of software weaknesses, each with a CWE identifier.
What is CVE?
Common Vulnerabilities and Exposures: a list of publicly disclosed vulnerabilities in specific products, each with a CVE identifier.
When is a weakness a vulnerability?
When there is a path by which an attacker can reach and exploit the weakness.
What is an exploit?
A piece of software (or a sequence of inputs) that uses an attack vector to take advantage of a vulnerability in a system.
What is static analysis?
Passive scanning of application code, without executing it, using a source code security analyzer.
What does a source code security analyzer do?
Examines source code to detect and report weaknesses that can lead to vulnerabilities.
How can you integrate security analysers during development?
Run them as IDE plugins, as steps in the build/CI/CD pipeline, and as standalone scans that produce reports.
Why do we need code analysis for security audits?
To catch defects early in the development cycle, when they are cheapest to fix.
It functions as an aid for (not a replacement of) manual code review.
Name some Static Application Security Tools
FindSecBugs
SpotBugs
CheckMarx
Fortify
How are FindSecBugs and SpotBugs combined?
FindSecBugs is a plugin that can be added to SpotBugs when we want to focus on security bugs.
What is FindSecBugs?
Security-focused analysis of Java code (it works on compiled bytecode, so it fits into the build).
How can FindSecBugs be used?
As an IDE plugin or as part of the build.
Requires SpotBugs.
What is NIST testsuite?
A collection of test programs (e.g. NIST's Juliet Test Suite) containing many variations of bad code and security bugs. Used for benchmarking different static analysis tools.
What type of code representations can be fed to program analyzer?
Source code
Bytecode
Binaries
What does Data flow analysis operate on?
Control flow graph (and other intermediate representations)
How is source code processed?
Source code -> abstract syntax tree (AST) -> control flow graph (CFG) -> object code
Name 7 well-known program analysis properties
- Intraprocedural
- Interprocedural
- Flow sensitive
- Context sensitive
- Field sensitive
- Object sensitive
- Path sensitive
What are some techniques for static code analysis?
Pattern matching
Control flow analysis - builds on pattern matching
Data flow analysis - builds on control flow
Taint analysis - the most security-relevant technique:
- Sources: where untrusted data enters the program (entry points)
- Sinks: where data is consumed by a dangerous operation (exit points)
- Sanitization points: anything that filters or validates the data between a source and a sink (filters)
What does the analyser do before analysis?
The analyser builds a model from the source code we want to analyse.
After this, the analysis is performed.
In addition to the built model, what is the analyser supplied with to be able to perform the analysis?
Security knowledge, which is what taint analysis relies on.
This knowledge tells the analyser which patterns to look for, and which functions are sources, sinks and sanitizers for the programming language.
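As an added illustration of the taint-analysis vocabulary (sources, sinks, sanitization points) and of the security knowledge being supplied separately from the program model, here is a toy flow-sensitive, intraprocedural taint analyser over a Python AST. This is example code written for these flashcards, not code from FindSecBugs, SpotBugs or any other real tool; the source, sink and sanitizer tables and the sample program are constructed assumptions.

```python
"""Toy flow-sensitive, intraprocedural taint analysis over a Python AST.

Added example for these flashcards; it is not code from FindSecBugs, SpotBugs
or any other real tool.  The source/sink/sanitizer tables and the sample
program are constructed assumptions for illustration.
"""
from __future__ import annotations

import ast

# The "security knowledge" supplied alongside the program model (assumed lists).
SOURCES = {"input", "request.args.get"}          # untrusted data enters here
SINKS = {"os.system", "cursor.execute", "eval"}  # dangerous consumers of data
SANITIZERS = {"shlex.quote", "int"}              # calls that neutralise taint


def call_name(node: ast.Call) -> str:
    """Render a call target as dotted text, e.g. os.system(...) -> 'os.system'."""
    parts = []
    target = node.func
    while isinstance(target, ast.Attribute):
        parts.append(target.attr)
        target = target.value
    if isinstance(target, ast.Name):
        parts.append(target.id)
    return ".".join(reversed(parts))


class TaintAnalyzer(ast.NodeVisitor):
    """Walks statements in program order and tracks which names hold tainted data.

    Deliberate limitations, to keep the example short: intraprocedural only,
    no joining of if/else branches, no field or container sensitivity.
    """

    def __init__(self) -> None:
        self.tainted: set[str] = set()             # names currently holding untrusted data
        self.findings: list[tuple[int, str]] = []  # (line number, sink name)

    def is_tainted(self, node: ast.AST) -> bool:
        """Does this expression evaluate to (possibly) attacker-controlled data?"""
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Call):
            name = call_name(node)
            if name in SOURCES:
                return True
            if name in SANITIZERS:
                return False                     # sanitizer cuts the flow
            return any(self.is_tainted(a) for a in node.args)  # e.g. str(x) propagates
        if isinstance(node, ast.BinOp):          # "ls " + name
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):      # f"... {expr} ..."
            return any(self.is_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        return False                             # constants and anything unknown

    def visit_Assign(self, node: ast.Assign) -> None:
        tainted = self.is_tainted(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                # Flow-sensitive: a later clean assignment clears the taint.
                (self.tainted.add if tainted else self.tainted.discard)(target.id)
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        name = call_name(node)
        if name in SINKS and any(self.is_tainted(a) for a in node.args):
            self.findings.append((node.lineno, name))
        self.generic_visit(node)


def analyze(source: str) -> list[tuple[int, str]]:
    """Return (line, sink) pairs where untrusted data reaches a sink unsanitised."""
    analyzer = TaintAnalyzer()
    analyzer.visit(ast.parse(source))
    return analyzer.findings


# Constructed sample program (not real application code).
SAMPLE = """\
import os, shlex
name = input("file: ")
os.system("ls " + name)
safe = shlex.quote(name)
os.system("ls " + safe)
count = int(input("n: "))
cursor.execute("SELECT 1 LIMIT " + str(count))
name = "fixed"
os.system("ls " + name)
cursor.execute(f"SELECT * FROM t WHERE id = {input('id')}")
"""

if __name__ == "__main__":
    for line, sink in analyze(SAMPLE):   # reports lines 3 and 10
        print(f"line {line}: untrusted data reaches sink {sink}")
```

Only lines 3 and 10 of the sample are reported: line 5 is cleared by the sanitizer, line 7 because the `int()` sanitizer was applied at the source, and line 9 because the flow-sensitive tracking sees the constant reassignment. Note that the sets at the top are the "security knowledge"; the class is the analysis, and it is the same analysis whatever those sets contain.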
What is lexical analysis?
Split the code into tokens so that language constructs are identified correctly.
Unimportant tokens (whitespace, comments, etc.) are removed.
What is semantic analysis?
Check each token or construct for meaning (type, declaration, scope, etc.), e.g. which definition a name refers to.
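As an added example tying together pattern matching, lexical analysis and semantic analysis, here is a small Python script that looks for calls to a dangerous builtin at three levels: text pattern matching, pattern matching over the token stream produced by lexical analysis (comments and whitespace dropped), and a minimal semantic check on declarations. This is example code written for these flashcards, not code from any real scanner; the sink name and both sample programs are constructed.

```python
"""Pattern matching on raw text, on a token stream, and with a semantic check.

Added example for these flashcards; it is not code from any real scanner.
The sink name and both sample programs are constructed for illustration.
"""
import ast
import io
import re
import tokenize

# Token kinds that carry no meaning for the analysis (layout and comments).
IGNORED = {tokenize.COMMENT, tokenize.NL, tokenize.NEWLINE, tokenize.INDENT,
           tokenize.DEDENT, tokenize.ENCODING, tokenize.ENDMARKER}


def grep_sinks(source: str, sink: str = "eval") -> list:
    """Level 0, text pattern matching: lines where the sink name precedes '('."""
    pattern = re.compile(rf"\b{re.escape(sink)}\s*\(")
    return [n for n, line in enumerate(source.splitlines(), 1) if pattern.search(line)]


def lex(source: str) -> list:
    """Lexical analysis: (token type, text, line) with comments and layout dropped."""
    tokens = tokenize.generate_tokens(io.StringIO(source).readline)
    return [(t.type, t.string, t.start[0]) for t in tokens if t.type not in IGNORED]


def token_sinks(source: str, sink: str = "eval") -> list:
    """Level 1, pattern matching over tokens: NAME <sink> followed by OP '('.

    Comments and string literals no longer match, because a comment is dropped
    and a string literal is a single STRING token.
    """
    toks = lex(source)
    return [line for (typ, text, line), (ntyp, ntext, _) in zip(toks, toks[1:])
            if typ == tokenize.NAME and text == sink
            and ntyp == tokenize.OP and ntext == "("]


def semantic_sinks(source: str, sink: str = "eval") -> list:
    """Level 2, a deliberately minimal semantic check on declarations.

    If the module itself defines or assigns a name equal to the sink, calls to
    that name are not calls to the dangerous builtin, so the token hits are
    discarded.  Real tools resolve every use to its binding; this only looks
    at module-level definitions.
    """
    tree = ast.parse(source)
    rebound = set()
    for stmt in tree.body:
        if isinstance(stmt, ast.FunctionDef):
            rebound.add(stmt.name)
        elif isinstance(stmt, ast.Assign):
            rebound.update(t.id for t in stmt.targets if isinstance(t, ast.Name))
    return [] if sink in rebound else token_sinks(source, sink)


# Constructed samples (not real application code).
SAMPLE = """\
# eval(data) was removed from here
msg = "do not call eval(x) here"
result = eval(user_input)
"""

SHADOWED = """\
def eval(expr):
    return expr  # local helper that happens to be called eval
result = eval(user_input)
"""

if __name__ == "__main__":
    print("grep:    ", grep_sinks(SAMPLE))        # [1, 2, 3]: comment and string are noise
    print("tokens:  ", token_sinks(SAMPLE))       # [3]
    print("tokens:  ", token_sinks(SHADOWED))     # [1, 3]: the def line also matches
    print("semantic:", semantic_sinks(SHADOWED))  # []: eval is rebound in this module
```

Each level removes a class of false positives the previous one produces: the text grep flags the comment and the string literal, the token matcher still flags the `def eval(` line because it has no notion of declarations, and only the semantic step knows that `eval` in `SHADOWED` is the local function rather than the builtin.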