16computer and network security--Automated Tools,Application

1 .Automated Tools for System and Application Security John Mitchell CS 155 Spring 2018

2 .Outline Introduction: static vs dynamic analysis Static analysis Program execution using state descriptions Security examples: static analysis to find vulnerabilities Dynamic vulnerability finding Black-box testing: principles and web examples Fuzzing: principles and examples

3 .Users of these methods and tools Engineers Criminals Security Researchers Pen Testers Governments Hacktivists Academics Remember this: If you develop code, you should test it using the same methods that attackers will use against you

4 .Software bugs are serious problems Thanks: Isil and Thomas Dillig

5 .http://www.popphoto.com/news/2015/02/man-finds-easy-hack-to-delete-any-facebook-photo-album [PopPhoto.com Feb 10] Facebook missed a single security check…

6 .Cost of Fixing a Defect Credit: Andy Chou, Coverity

7 .Engineering challenges People care about features, not security (until something goes wrong) Engineers typically only see a small piece of the puzzle “OMG PDF WTF” (Julia Wolf, 2010) How many lines of code in Linux 2.6.32? 10 million How many lines in Windows NT 4? 11-12 million How many in Adobe Acrobat? 13 million

8 .Summary Program bugs are ubiquitous Security vulnerabilities are common too Not all bugs lead to exploits Exploits are serious and occur in many systems Program bugs can be found through systematic methods Better to find bugs and vulnerabilities early Before attackers find and exploit them Use tools and systematic methods in development, Q/A, later

9 .Summary Program bugs are ubiquitous Security vulnerabilities are common too Not all bugs lead to exploits Exploits are serious and occur in many systems Program bugs can be found through systematic methods Better to find bugs and vulnerabilities early Before attackers find and exploit them Use tools and systematic methods in development, Q/A, later

10 .Program Analyzers Code Report Type Line 1 mem leak 324 2 buffer oflow 4,353,245 3 sql injection 23,212 4 stack oflow 86,923 5 dang ptr 8,491 … … … 10,502 info leak 10,921 Program Analyzer Spec

11 .Two options Static analysis Automated methods to find errors or check their absence Consider all possible inputs (in summary form) Find bugs and vulnerabilities Can prove absence of bugs, in some cases Dynamic analysis Run instrumented code to find problems Need to choose sample test input Can find vulnerabilities but cannot prove their absence

12 .Entry 1 2 3 4 Software Exit Behaviors Entry 1 2 4 Exit 1 2 4 1 2 4 1 3 4 1 2 4 1 2 4 1 2 3 1 2 4 1 3 4 1 2 4 1 2 3 1 3 4 1 2 3 1 2 3 1 3 4 1 2 4 1 2 4 1 3 4 . . . 1 2 4 1 3 4 12

13 .Entry 1 2 3 4 Software Exit Behaviors Entry 1 2 4 Exit 1 2 4 1 2 4 1 3 4 1 2 4 1 2 4 1 2 3 1 2 4 1 3 4 1 2 4 1 2 3 1 3 4 1 2 3 1 2 3 1 3 4 1 2 4 1 2 4 1 3 4 . . . 1 2 4 1 3 4 13 Dynamic testing examines subset of behaviors

14 .Entry 1 2 3 4 Software Exit Behaviors 1 2 4 1 3 4 1 2 4 1 2 4 1 2 3 1 2 4 1 3 4 1 2 4 1 2 3 1 3 4 1 2 3 1 2 3 1 3 4 1 2 4 1 2 4 1 3 4 . . . 1 2 4 1 3 4 14 Static testing uses abstraction to consider all behaviors

15 .Static Analysis Long history of academic research Decades of commercial products FindBugs , Fortify, Coverity, MS tools, … Commonly used in current practice Teams use development process and unit tests Static, dynamic tools find certain classes of bugs in dev, Q/A After release, hackers and support teams look for vulns

16 .Dynamic analysis Instrument code for testing Heap memory: Purify Perl tainting (information flow) Java race condition checking Black-box testing Black-box web application security analysis Fuzzing and penetration testing

17 .Comparison Summary Program analyzers Find problems in code before it is shipped to customers or before you install and run it Static analysis Analyze code to determine behavior on all inputs Dynamic analysis Choose some sample inputs and run code to see what happens Sample inputs can be based on code analysis In practice, static and dynamic analysis are often combined

18 .Comparison Summary Program analyzers Find problems in code before it is shipped to customers or before you install and run it Static analysis Analyze code to determine behavior on all inputs Dynamic analysis Choose some sample inputs and run code to see what happens Sample inputs can be based on code analysis In practice, static and dynamic analysis are often combined

19 .“Sound” Program Analyzer Code Report Type Line 1 mem leak 324 2 buffer oflow 4,353,245 3 sql injection 23,212 4 stack oflow 86,923 5 dang ptr 8,491 … … … 10,502 info leak 10,921 Program Analyzer Spec Sound: ma y report many warnings Analyze large code bases false alarm false alarm Verify absence of vulnerabilities

20 .Soundness, Completeness Property Definition Soundness “Sound for reporting correctness” Analysis says no bugs  N o bugs or equivalently There is a bug  Analysis finds a bug Completeness “Complete for reporting correctness” No bugs  Analysis says no bugs Fact from logic: A  B is equivalent to (B)  ( A)

21 .Complete Incomplete Sound Unsound Reports all errors Reports no false alarms Reports all errors May report false alarms Undecidable Decidable Decidable May not report all errors May report false alarms Decidable May not report all errors Reports no false alarms

22 .Software . . . Behaviors Sound Over-approximation of Behaviors False Alarm Reported Error approximation is too coarse… …yields too many false alarms Modules

23 .Example Program execution based on abstract states

24 .entry X  0 Is Y = 0 ? X  X + 1 X  X - 1 Is Y = 0 ? Is X < 0 ? exit crash yes no yes no yes no Does this program ever crash?

25 .entry X  0 Is Y = 0 ? X  X + 1 X  X - 1 Is Y = 0 ? Is X < 0 ? exit crash yes no yes no yes no infeasible path! … program will never crash Does this program ever crash?

26 .entry X  0 Is Y = 0 ? X  X + 1 X  X - 1 Is Y = 0 ? Is X < 0 ? exit crash yes no yes no yes no X = 0 X = 0 X = 1 X = 1 X = 1 X = 1 X = 1 X = 2 X = 2 X = 2 X = 2 X = 2 X = 3 X = 3 X = 3 X = 3 non-termination! … therefore, need to approximate Try analyzing without approximating…

27 .X  X + 1 f d in d out d out = f(d in ) X = 0 X = 1 dataflow elements transfer function dataflow equation

28 .X  X + 1 f1 d in1 d out1 = f 1 (d in1 ) Is Y = 0 ? f2 d out2 d out1 d in2 d out1 = d in2 d out2 = f 2 (d in2 ) X = 0 X = 1 X = 1 X = 1

29 .d out1 = f 1 (d in1 ) d join = d out1 ⊔ d out2 d out2 = f 2 (d in2 ) f 1 f 2 f 3 d out1 d in1 d in2 d out2 d join d in3 d out3 d join = d in3 d out3 = f 3 (d in3 ) least upper bound operator Example: union of possible values What is the space of dataflow elements,  ? What is the least upper bound operator, ⊔?