Static analysis and Tools for Security Flashcards
What are software weaknesses?
Errors in software implementation that, if left unaddressed, could result in systems and networks being vulnerable to attacks.
e.g. buffer overflow, format string, injection, etc.
What are software vulnerabilities?
A mistake/weakness in software that can be directly used by an attacker to gain access to a system.
What is CWE?
Collection of weaknesses
What is CVE?
Common Vulnerabilities and Exposures list
When is a weakness a vulnerability?
When there is a path to exploit the weakness
What is an exploit?
A piece of software containing attack vectors that can be used directly to take advantage of a vulnerability in a system.
What is static analysis?
Passive scanning of application code, without executing it, using a source code security analyzer.
What does a source code security analyzer do?
Examines source code to detect and report weaknesses that can lead to vulnerabilities.
How can you integrate security analysers during development?
Integrate them into report forms, IDEs and CI/CD environments.
Why do we need code analysis for security audits?
We want to catch defects early in the development cycle.
It functions as an aid for code review.
Name some Static Application Security Testing (SAST) tools
</gra_replace>
<gr_replace lines="29-30" cat="clarify" orig="How is FindSecBugs">
How are FindSecBugs and SpotBugs combined?
FindSecBugs is a plugin that can be added to SpotBugs when we want to focus on security bugs.
FindSecBugs
SpotBugs
CheckMarx
Fortify
How is FindSecBugs and SpotBugs combined?
FindSecBugs is a plugin that can be added to SpotBugs when we want to focus on security bugs
What is FindSecBugs?
Security analysis of Java code.
How can FindSecBugs be used?
IDE plugin
Requires SpotBugs
What is the NIST test suite?
It contains many different variations of bad code and security bugs, and is used for benchmarking different static analysis tools.
What types of code representation can be fed to a program analyzer?
Source code
Bytecode
Binaries
What does Data flow analysis operate on?
Control flow graph (and other intermediate representations)
How is source code processed?
Source code
Abstract syntax tree
Control flow graph
Object code
Name 7 well-known program analysis properties
- Intraprocedural
- Interprocedural
- Flow sensitive
- Context sensitive
- Field sensitive
- Object sensitive
- Path sensitive
What are some techniques for static code analysis?
Pattern matching
Control flow analysis - builds on pattern matching
Data flow analysis - builds on control flow
Taint analysis - more relevant to security
- Sources, where data enters the program (entry points)
- Sinks, points where data is consumed (exit points)
- Sanitization points, anything mitigating an attack between the source and the sink (filters)
What does the analyser do before analysis?
The analyser builds a model from the source code we want to analyse.
After this, the analysis is performed.
In addition to the built model, what is the analyser supplied with to be able to perform the analysis?
Security knowledge; this is what we use in taint analysis.
This knowledge tells the analyser what patterns we are looking for, and which sources and sinks exist for the programming language.
What is lexical analysis?
Splits code into tokens to identify language constructs correctly.
Removes unimportant tokens (whitespace, comments, etc.).
What is semantic analysis?
Checks the representation of each token for meaning (type, declaration, etc.).
What is control flow analysis?
The possible paths a program can take are determined and combined into several control flow graphs that represent all possible paths.
What happens when an analysis tool constructs the model for source code analysis?
Lexical analysis
Semantic analysis
Control flow analysis
What happens during pattern matching?
The tool has a set of insecure patterns, e.g.:
BAD_RANDOM_FUNCTION, XML_DECODER_SINK
It reports security issues if these patterns are found in the code.
What are the different control flows?
if
while
for
switch
exceptions
What are the different types of data flow?
How data flows within a program, and to which methods, classes, etc.
Whether variable assignments change during the execution of a program.
Intra-procedural (within a method)
Inter-procedural (between methods)
- within a class
- between classes
Data flow analysis uses the control flow.
What is data flow - taint analysis?
We want to follow data from a possibly untrusted source all the way to the (dangerous) sink.
When is data tainted?
When it comes from an untrusted source.
When does taint analysis report a security issue?
If there is data flow from an untrusted source to a dangerous sink that does not pass through sanitization:
Untrusted -> (tainted data) -> Dangerous sink
Instead of:
Untrusted -> (tainted data) -> Sanitization function -> (sanitized data) -> Dangerous sink
Give examples of untrusted data
Web parameters
cookies
file-/db-data
data from web services
Environment variables
System properties
Open ports
Give an example of an HTML sink
out.println("<h3>" + input_username + "</h3>");  // unsanitized input written directly into HTML output
How is taint analysis configured?
We configure which sources and sinks are safe or tainted/dangerous in the different languages.
These configuration files are used as security knowledge during analysis.
When is a sink of security interest?
If its operation can read/write.
What metrics are used to measure SAST tool performance?
Soundness
Completeness
True/false Positive/negative
What is soundness?
All reported bugs are real.
An analysis is sound if it never overapproximates the set of bugs in a given program.
Unsound: when the tool reports bugs that are not real; this situation is referred to as false positives.
What is completeness?
All bugs are reported. An analysis is complete if it never underapproximates the set of bugs in a given program.
If bugs are missed, it is incomplete. This is referred to as false negatives.
What do practical static analysis tools do?
They make compromises between soundness and completeness.
Figure (nested circles): outer circle: sound (overapproximate) analysis; middle circle: possible program behaviour; inner circle: complete (underapproximate) analysis.