Software Security Reviews – Static and dynamic analysis • Magnus Ahlbin • EC/ITSEF
Agenda
• Background
• Software security reviews and test methods
• Static test methods
• Dynamic test methods
• Summary
Background
• Security issues for software include:
• Buffer overflows, race conditions, declarations, synchronization, temporary buffers, error handling, parameter control, memory leaks, ...
Background
• Security reviews
• the whole software development cycle
• security critical functionality
• vulnerabilities
• pre-conditions
• assumptions
• threats
• security requirements
• evidences
• design documentation and source code
Software security reviews and test methods
• Software security reviews and Common Criteria
• Source code review
• ADV_IMP
• ATE
• Sample tests
• Independent tests
• AVA_VLA
Software security reviews and test methods
• Static and dynamic test methods (diagram: dynamic methods vs. static methods)
Software security reviews and test methods
• Static methods
• Investigation of each line
• Source code reviews
• Complement to the functional tests
• Dynamic methods
• Investigation of the behavior of the application during run-time
• Source code reviews
• Complement to the penetration tests
Static test methods
• Static test methods range from
• simple syntactic standards and manual checks to
• advanced automated methods
• A static checking tool
• analyses the source code of a program
• assumes all inputs are possible
Static test methods
• Weaknesses detected by static tests
• Bad syntax
• Uninitialized variables
• Dead code
• Buffer overflows
• Memory leaks
• Sensitive data left in memory
Static test methods
• Three examples of methods for static tests
• Pattern matching
• Lexical analysis
• Parsing and AST analysis
Static test methods
• Examples of tools
• Jlint
• Splint
• ITS4
• RATS
• CGS
• Uno
Static test methods
• Example: RATS output
  Lab2.cpp:22: High: fixed size local buffer
  Lab2.cpp:44: High: fixed size local buffer
  Lab2.cpp:119: High: fixed size local buffer
  Lab2.cpp:147: High: fixed size local buffer
  Extra care should be taken to ensure that character arrays that are allocated on the stack are used safely. They are prime targets for buffer overflow attacks.
  Lab2.cpp:71: High: gets
  Gets is unsafe!! No bounds checking is performed, buffer is easily overflowable by user. Use fgets(buf, size, stdin) instead.
  Lab2.cpp:152: High: strcpy
  Check to be sure that argument 2 passed to this function call will not copy more data than can be handled, resulting in a buffer overflow.
Static test methods
• Advantages
• Requires no prior knowledge about the source code
• Covers all paths in the source code
• Disadvantages
• Static test tools frequently emit false error reports, so-called false positives
• Can miss run-time errors
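The pattern-matching method from the slides, and the RATS-style report above, can be shown with a small checker. The code below is an added example for this deck, not RATS or any tool it lists; the C fragment it scans is constructed for the example (it is not the Lab2.cpp of the slides), and the rule texts and the "likely false positive" marking are the example's own choices. It flags fixed-size local buffers, gets(), strcpy() and memcpy() by regular expression alone (no parsing, no data flow), and it shows the deck's stated weakness: a strcpy from a string literal is reported like any other, so a lexical check is needed to mark it as a probable false positive.

```python
import re

# Constructed C fragment (not the Lab2.cpp from the slides). It deliberately
# contains the constructs the deck lists: fixed size stack buffers, gets(),
# strcpy() and an unchecked memcpy() index like the setTableData example.
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>
#define DATA_MAX_SIZE 64
static char table[16][DATA_MAX_SIZE];

void setTableData(int pos, char *data) {
    memcpy(table[pos], data, DATA_MAX_SIZE);
}

int main(void) {
    char name[32];
    char greeting[64];
    gets(name);
    strcpy(greeting, "hello");   /* constant source: likely a false positive */
    strcpy(greeting, name);      /* unbounded copy of user input */
    return 0;
}
"""

# Rule table: (compiled pattern, severity, message). This is the pattern
# matching approach from the slides: no parsing, no data-flow analysis.
RULES = [
    (re.compile(r"\bgets\s*\("), "High",
     "gets: no bounds checking, use fgets(buf, size, stdin) instead"),
    (re.compile(r"\bstrcpy\s*\("), "High",
     "strcpy: check that argument 2 cannot exceed the destination"),
    (re.compile(r"\bmemcpy\s*\("), "Medium",
     "memcpy: check destination index and length"),
    (re.compile(r"^\s*char\s+\w+\s*\[\s*\d+\s*\]\s*;"), "High",
     "fixed size local buffer"),
]

# A strcpy whose source is a string literal cannot overflow a destination that
# is large enough; a lexical check like this is how tools cut false positives.
CONST_STRCPY = re.compile(r'\bstrcpy\s*\(\s*\w+\s*,\s*"[^"]*"\s*\)')

def scan_source(source):
    """Return (line_no, severity, message, likely_false_positive) per match."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for pattern, severity, message in RULES:
            if pattern.search(line):
                likely_fp = bool(CONST_STRCPY.search(line))
                findings.append((line_no, severity, message, likely_fp))
    return findings

def format_report(filename, findings):
    """Render findings in the file:line: Severity: message style RATS uses."""
    lines = []
    for line_no, severity, message, likely_fp in findings:
        note = " (likely false positive: constant source)" if likely_fp else ""
        lines.append(f"{filename}:{line_no}: {severity}: {message}{note}")
    return lines

if __name__ == "__main__":
    for entry in format_report("sample.c", scan_source(SAMPLE_C)):
        print(entry)
```

Because the checker reasons line by line, it also illustrates the second disadvantage on the slide: the memcpy in setTableData is reported only as "check the index", since whether pos is ever out of range is a run-time question the pattern cannot answer.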
Dynamic test methods
• Dynamic analysis methods
• manual checks
• automated program analyses
• Dynamic test tools
• inserted into the tested software at compile time
• check the software during execution
• no false positives
• can only detect errors that occur during a manual run of particular test cases
Dynamic test methods
• Examples of what we might investigate during run-time
• Trust boundaries
• Application state
• Input limitations
• RAM memory
• Dependencies (OS, DLL, etc.)
• Memory leakage
• Data flow
• Process conditions
• Internal parameters
• Error handling
• Use of temporary buffers
Dynamic test methods
• Complexities
• Auditing a large piece of software is very, very time consuming
• Hard to establish a good metric for dynamic analyses
• Code coverage is one solution, but a test run could execute the code below without reporting anything:
  setTableData(int pos, char *data)
      memcpy(table[pos], data, DATA_MAX_SIZE)
• The product must exist, so dynamic testing must be done late in the development life-cycle
• The main advantage is that the application is tested in the environment it will be running in
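The coverage caveat on this slide is easiest to see by running it. The code below is an added example written for this deck, not code from the slides or from any dynamic test tool; it models the C table and setTableData in Python, with the run-time checks an instrumenting tool would insert around memcpy(). The test inputs, the table dimensions and the finding names are constructed for the example. Two in-range test cases reach 100 % coverage of setTableData and produce no finding at all; the out-of-range row and the short source are only reported once a test case actually exercises them, which is the deck's point that a dynamic tool can only detect errors that occur during the run.

```python
DATA_MAX_SIZE = 64
TABLE_ROWS = 16

class InstrumentedTable:
    """Python model of the C table[TABLE_ROWS][DATA_MAX_SIZE] from the slide,
    with the checks an instrumenting dynamic tool would insert around memcpy().
    Findings are recorded rather than raised so a test run continues, the way
    a run-time checker keeps reporting after the first error."""

    def __init__(self):
        self.rows = [bytearray(DATA_MAX_SIZE) for _ in range(TABLE_ROWS)]
        self.covered = set()   # coverage record: which probe points executed
        self.findings = []     # run-time errors observed during this run

    def set_table_data(self, pos, data):
        # Mirrors: memcpy(table[pos], data, DATA_MAX_SIZE)
        self.covered.add("setTableData")
        if not 0 <= pos < TABLE_ROWS:
            # In C this write lands outside the table: silent memory corruption.
            self.findings.append(("out-of-bounds write", pos))
            return
        if len(data) < DATA_MAX_SIZE:
            # memcpy reads DATA_MAX_SIZE bytes regardless of the source length.
            self.findings.append(("source over-read", pos))
            return
        self.rows[pos][:] = data[:DATA_MAX_SIZE]

def run_tests(test_cases):
    """Execute the instrumented function over (pos, data) inputs and return
    (coverage_reached, findings): the two results a dynamic run gives you."""
    table = InstrumentedTable()
    for pos, data in test_cases:
        table.set_table_data(pos, data)
    return "setTableData" in table.covered, table.findings

# Constructed inputs. The functional cases alone give full coverage of
# setTableData and report nothing, exactly the gap the slide describes.
FUNCTIONAL_TESTS = [(0, b"A" * DATA_MAX_SIZE), (15, b"B" * DATA_MAX_SIZE)]
# Boundary cases a reviewer adds: one row past the end and a short source.
BOUNDARY_TESTS = FUNCTIONAL_TESTS + [(16, b"C" * DATA_MAX_SIZE), (3, b"short")]

if __name__ == "__main__":
    print(run_tests(FUNCTIONAL_TESTS))   # (True, [])
    print(run_tests(BOUNDARY_TESTS))     # coverage unchanged, two findings
```

The coverage figure is identical for both runs, so coverage measures how much code the test cases touched, not whether the inputs that matter were among them; that is why the deck pairs dynamic runs with a source code review that picks the boundary cases.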
Dynamic test methods
• Example: demo video rom_demo\flow.avi
Summary
• Static and dynamic analysis complement each other
• Automatic static analysis has great potential
• A combination of manual and automated tests is preferred
Summary
• Software security reviews and Common Criteria
• Source code review
• ADV_IMP
• ATE
• Sample tests
• Independent tests
• AVA_VLA
Questions and contact
• Questions?
• Contact
• Combitech AB, SE-351 80 Växjö, Sweden
• Visiting address: Ljungadalsgatan 2
• www.itsef.se
• www.combitech.se
• Head of ITSEF: Magnus Ahlbin, magnus.firstname.lastname@example.org
• Phn +46 470 42208
• Fax +46 470 48203
• Mobile +46 70 6950228
• Combitech Evaluation Centre is an evaluation facility* operating within the Swedish Common Criteria Evaluation and Certification Scheme. * Conditional License.
• Combitech is a leading supplier of services within system development, system integration, information security and system safety.
• We are an independent consultancy company that, with high competence and continuity, creates great customer benefits by providing valuable and innovative solutions. Combitech is a part of the Saab Group, one of the world's leading high technology companies with its main operations within defence, aviation and space.