Static analysis and Tools for Security

Question 1

What are software weaknesses

Answer 1

Errors in SW implementation, that if left unaddressed could result in system and networks being vulnerable to attacks.

e.g. buffer overflow, format string, injection, etc.

Question 2

What are software vulnerabilities

Answer 2

A mistake/weakness in software that can be directly used by an attacker to gain access to a system

Question 3

What is CWE?

Answer 3

Collection of weaknesses

Question 4

What is CVE?

Answer 4

Common Vulnerabilities and Exposures list

Question 5

When is a weakness a vulnerability?

Answer 5

When there is a path to exploit the weakness

Question 6

What is an exploit?

Answer 6

A piece of SW containing attack vectors that could be used directly to take advantages of a vulnerability in a system

Question 7

What is static analysis?

Answer 7

Passive scanning of application code without executing it using a source code security analyzer.

Question 8

What does a source code security analyzer do?

Answer 8

Examines source code to detect and report weaknesses that can lead to vulnerabilities.

Question 9

How can you integrate security analysers during development?

Answer 9

Integrate them into report form, IDEs, CI/CD environments

Question 10

Why do we need code analysis for security audits?

Answer 10

Want to catch defects early in the development cycle

It functions as an aid for code review

Question 11

Name some Static Application Security Tools

Answer 11

FindSecBugs
SpotBugs
CheckMarx
Fortify

Question 12

How is FindSecBugs and SpotBugs combined?

Answer 12

FindSecBugs is a plugin that can be added to SpotBugs when we want to focus on security bugs

Question 13

What is FindSecBugs

Answer 13

Analysis on Java code

Question 14

How can FindSecBugs be used?

Answer 14

IDE plugin
Requires SpotBug

Question 15

What is NIST testsuite?

Answer 15

Contains a lot of different variations of bad code and security bugs. Used for benchmarking different static analysis tools

Question 16

What type of code representations can be fed to program analyzer?

Answer 16

Security code

Bytecode

Binaries

Question 17

What does Data flow analysis operate on?

Answer 17

Control flow graph (and other intermediate representations)

Question 18

How is source code processed?

Answer 18

Source code
Abstract syntax tree
Control flow graph
Object code

Question 19

Name 7 well-known program analysis properties

Answer 19

1. Intraprocedural
2. Interprocedural
3. Flow sensitive
4. Context sensitive
5. Field sensitive
6. Object sensitive
7. Path sensitive

Question 20

What are some techniques for static code analysis?

Answer 20

Pattern matching

Control flow analysis - builds on pattern matching

Data flow analysis - builds on control flow

Taint analysis - more relevant to security
- Source of data, trusted input (entry points)
- Sinks, point where data is consumed (exit points)
- Sanitization points, is anything mitigating an attack between the source and sink (filters)

Question 21

What does the analyser do before analysis?

Answer 21

The analyser builds a model from the source code we want to analyse.

After this, the analysis is performed.

Question 22

In addition to the build model, was is the analysis supplied to be able to perform the analysis?

Answer 22

Security knowledge, this is what we have in the taint analysis.

This knowledge tells the analyser what patterns we are looking for, sources and sinks for the programming language.

Question 23

What is lexical analysis?

Answer 23

Split code into tokens to identify language construct correctly.

Removes unimportant tokens (whitespace, comments, etc.)

Question 24

What is semantic analysis?

Answer 24

Check the representation of each token for meaning (type, declaration, etc.)

Question 25

What is control flow analysis?

Answer 25

Possible paths a program can take are determined and combined to several control flow graphs that represent all possible data flow paths

Question 26

What happens when an analysis tool construct the model for source code analysis

Answer 26

Lexical analysis
Semantic analysis
Control flow analysis

Question 27

What happens during pattern matching?

Answer 27

Have a set of insecure patterns. e.g.:
BAD_RANDOM_FUNCTION, XML_DECODER_SINK

Report security issues if these patterns are found in the code.

Question 28

What are the different control flows?

Answer 28

if
while
for
switch
exceptions

Question 29

What are the different type of data flow?

Answer 29

How data flows within a program, and to what methods, classes, etc.

If there is a change in assignments of variables during the execution of a program

intra procedure (within method)

Inter procedure (between methods)
- within a class
- between classes

Data flow uses the control flow

Question 30

What is data flow - taint analysis?

Answer 30

We want to follow data from a possible untrusted source, and all the way to the (dangerous) sink.

Question 31

When is data tainted

Answer 31

When it comes from an untrusted source

Question 32

When does taint analysis report a security issue

Answer 32

If we have data flow from an untrusted source to a dangerous sink, that does not go through sanitization

Untrusted -> (tainted data) -> Dangerous sink

Instead of:

Untrusted -> (tainted data) -> Sanitization function -> (sanitized data) -> Dangerous sink

Question 33

Give examples of untrusted data

Answer 33

We parameters
cookies
file-/db-data
data from web services
Environment variables
System properties
Open ports

Question 34

Give an example of a HTML-sink

Answer 34

out.printLn(“<h3>” + input_username + “</h3>”)

Question 35

How is taint analysis configured?

Answer 35

We configure what sources and sinks are safe or tainted/dangerous in different languages

These configuration files are used as security knowledge during analysis

Question 36

When is a sink a security interest?

Answer 36

If its operation can read/write

Question 37

What metrics are used to measure SAST tool performance?

Answer 37

Soundness
Completeness

True/false Positive/negative

Question 38

What is soundness?

Answer 38

All reported bugs are real

Sound if it never overapproximates the set of bugs in a given program.

Unsound: When the tool report bugs that are not real, this situation is referred to as false positives

Question 39

What is completeness?

Answer 39

All bugs are reported. Complete if it never underapproximates the set of bugs in a given program.

If bugs are missed, then it is incomplete. This is refered to as false negatives.

Question 40

What does prectical static analysis tools do?

Answer 40

Make compromises between soundness and completeness

Circle: Sound (overapproximate) analysis
Sub-circle: Possible program behaviour
Sub-sub circle: Complete (underapproximate) analysis