program analysis with prefast sal
play

Program Analysis with PREfast & SAL Erik Poll Digital Security - PowerPoint PPT Presentation

Jun 09, 2023 •121 likes •499 views

Software Security Program Analysis with PREfast & SAL Erik Poll Digital Security group Radboud University Nijmegen 1 Static analysis aka source code analysis Automated analysis at compile time to find potential bugs Broad range of

  1. Software Security Program Analysis with PREfast & SAL Erik Poll Digital Security group Radboud University Nijmegen 1

  2. Static analysis aka source code analysis Automated analysis at compile time to find potential bugs Broad range of techniques, from light- to heavyweight: 1. simple syntactic checks, incl. grep or CTRL-F grep " gets(" *.cpp 2. type checking eg. adding an int and a bool 3. more advanced analyses taking into account semantics using: dataflow analysis, control flow analysis, abstract interpretation, symbolic evaluation, constraint solving, program verification, model checking... All compilers do some static analysis Lightweight static analysis tools also called source code scanners. Tools aiming at security: SAST (Static Application Security Testing) 2

  3. Static analysis in the SDLC In terms of McGraw ’ s Touchpoints: code review tools These tools can be applied before testing, or indeed even before the code can be run 3

  4. Why static analysis? (1) Traditional methods of finding errors: • testing • code inspection Security errors can be hard to find by these methods, because they only arise in unusual circumstances • – particular inputs uncommon execution paths, ... code base is too large for a human code inspection • Here static analysis can provide major improvement 4

  5. Evolution of quality assurance at Microsoft • Original process: manual code inspection – effective when team & system are small – too many paths/interactions to consider as system grew • Early 1990s: add massive system & unit testing – Test took weeks to run • different platforms & configurations • huge number of tests – Inefficient detection of security holes • Early 2000s: serious investment in static analysis 5

  6. False positives & false negatives Important quality measures for a static analysis: A. rate of false positives – tool complains about non-error B. rate of false negatives – tool fails to complain about error Which do you think is worse? False positives are worse, as they kill usability ! ! Alternative terminology: an analysis can be called • sound it only finds real bugs, ie no false positives • complete it finds all bugs, ie. no false negatives 6

  7. BOOL AddTail(LPVOID p) { ... if(queue.GetSize() >= this->_limit); { while(queue.GetSize() > this->_limit-1) { ::WaitForSingleObject(handles[SemaphoreIndex], 1); q Very simple static analyses • Warning about bad names & violations of conventions, eg – constants not written in ALL CAPS – Java method starting with capital letter – C# method starting with lower case letter – … • Enforcing other (company-specific) naming conventions and coding guidelines This is also called style checking 7

  8. More interesting static analyses • Warning about unused variables • Warning about dead/unreachable code • Warning about missing initialisation – possibly as part of language definition (eg in Java) and checked by compiler This may involve control flow analysis if (b) { c = 5; } else { c = 6; } initialises c if (b) { c = 5; } else { d = 6; } does not data flow analysis d = 5; c = d; initialises c c = d; d = 5; does not 8

  9. OOL AddTail(LPVOID p) { ... if(queue.GetSize() >= this->_limit); { while(queue.GetSize() > this->_limit-1) { ::WaitForSingleObject(handles[SemaphoreIndex], 1); que Spot the defect! BOOL AddTail(LPVOID p) { ... if(queue.GetSize() >= this->_limit); { while(queue.GetSize() > this->_limit-1) { ::WaitForSingleObject(handles[SemaphoreIndex],1); queue.Delete(0); } } Suspicious code in xpdfwin found by PVS-Studio ( www.viva64.com) . V529 Odd semicolon ';' after 'if' operator. Note that this is a very simple syntactic check! You could (should?) use coding guidelines that disallow this, even though it is legal C++ 9

  10. Spot the security flaw! static OSStatus SSLVerifySignedServerKeyExchange (SSLContext *ctx, bool isRsa, SSLBuffer signedParams, uint8_t *signature, UInt16 signatureLen) { OSStatus err; .. if((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0) goto fail; if((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0) goto fail; goto fail; if((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0) goto fail; ... fail: SSLFreeBuffer(&signedHashes); SSLFreeBuffer(&hashCtx); } Infamous goto bug in iOS implementation of TLS Dead code analysis would easily reveal this flaw! • Or simply code style that insists you always use { } for branches • 10

  11. OOL AddTail(LPVOID p) { ... if(queue.GetSize() >= this->_limit); { while(queue.GetSize() > this->_limit-1) { ::WaitForSingleObject(handles[SemaphoreIndex], 1); que Spot the 2 defects! void start_engine_control() { char* buf2 = malloc (2*SOME_CONSTANT); char* buf = malloc (SOME_CONSTANT); start_engine(); memset(buf2, 0, SOME_CONSTANT); // initialise first half of buf2 to 0 // main loop while (true) { get_readings(buf,buf2); perform_engine_control(buf,buf2); } } 11

  12. OOL AddTail(LPVOID p) { ... if(queue.GetSize() >= this->_limit); { while(queue.GetSize() > this->_limit-1) { ::WaitForSingleObject(handles[SemaphoreIndex], 1); que possible integer Spot the defects! overflow (hard to check for code analyser, but void start_engine_control() { for a constant is may be doable) char* buf2 = malloc (2*SOME_CONSTANT); char* buf = malloc (SOME_CONSTANT); start_engine(); memset(buf2, 0, SOME_CONSTANT); // initialise first half of buf2 to 0 // main loop No check if mallocs succeeded!! while (true) { (easier to check syntactically) get_readings(buf,buf2); perform_engine_control(buf,buf2); } } 12

  13. OOL AddTail(LPVOID p) { ... if(queue.GetSize() >= this->_limit); { while(queue.GetSize() > this->_limit-1) { ::WaitForSingleObject(handles[SemaphoreIndex], 1); que Check you mallocs! void start_engine_control() { ... char* buf = malloc (SOME_CONSTANT); if (buf == NULL) { // now what?!?!? exit(0); // or something more graceful?? } ... start_engine(); perform_engine_control(buf); Typically, the place where malloc fails is the place to think about what to do. The alternative is not check the result of malloc here, and simply let perform_engine_control segfault or let this function check for null arguments, but there we have even less clue on what to do. 13

  14. Spot the defect :-) First Ariane V launch integer overflow in conversion of 64 bit float to 16 bit int https://www.youtube.com/watch?v=PK_yguLapgA 14

  15. Limits of static analyses Does if (i < 5 ) { c = 5; } if ((i < 0) || (i*i > 20 )){ c = 6; } initialise c? Many analyses become hard – or undecidable - at some stage Analysis tools can then: report that they “ DON ’ T KNOW ” • give a (possible) false positive • give a (possible) false negative • 15

  16. Example source code analysis tools  free tools for Java: CheckStyle, PMD, Findbugs,.... easy & fun  for C(++) from Microsoft: PREfix, PREfast, FxCop to download and try out!  outdated, but free tools focusing on security ITS4 and Flawfinder (C, C++), RATS (also Perl, PHP)  commercial Coverity (C/C++), Klocwork (C/C++, Java), VeraCode (Java, C#, C/C++, JavaScript...), PVS-Studio (C++, C#, Java), PolySpace (C/C++, Ada), SparkAda (Ada)  for web-applications Fortify, Microsoft CAT.NET, IBM AppScan, VeraCode, RIPS..  for many languages: Semmle (bought by github) Such tools can be useful, but … a fool with a tool is still a fool 16

  17. PREfast & SAL 17

  18. PREfast & SAL • Developed by Microsoft as part of major push to improve quality assurance • PREfast is a lightweight static analysis tool for C(++) – only finds bugs within a single procedure • SAL (Standard Annotation Language) is a language for annotating C(++) code and libraries – SAL annotations improve the results of PREfast • more checks • more precise checks • PREfast is included is some variants of Visual Studio 18

  19. PREfast checks • library function usage – deprecated functions • eg gets() – correct use of functions • eg does format string match parameter types? • coding errors • eg using = instead of == in an if-statement • memory errors – assuming that malloc returns non-zero – going out of array bounds 19

  20. PREfast example _Check_return_ void *malloc(size_t s); _Check_return_ means that caller must check the return value of malloc 20

  21. PREfast annotations for buffers void memset( char *p, int v, size_t len); void memcpy( char *dest, char *src, size_t count); 21

  22. SAL annotations for buffer parameters • _In_ The function reads from the buffer. The caller provides the buffer and initializes it. The function both reads from and writes to buffer. • _ Inout_ The caller provides the buffer and initializes it. • _Out_ The function only writes to the buffer. The caller must provide the buffer, and the function will initialize it.. PREfast can use these annotations to check that (unitialised) variables are not read before they are written 22

  23. SAL annotations for buffer sizes specified with suffix of _In_ _Out_ _Inout_ _Ret_ cap_(size) the writeable size in elements  bytecap_(size) the writeable size in bytes  count_(size) bytecount_(size)  the readable size in elements count and bytecount should be only be used for inputs, ie. parameter declared as _In_ PREfast can use these annotations to check for buffer overruns 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Analysis and Optimizations Program Analysis P3 / 2006 Discovers properties of a program

Analysis and Optimizations Program Analysis P3 / 2006 Discovers properties of a program

Analysis and Optimizations Program Analysis P3 / 2006 Discovers properties of a program Optimizations Using Program Analysis Use analysis results to transform program for Optimization Goal: improve some aspect of program

232 views • 12 slides
Analysis and Optimizations Analysis and Optimizations Program Analysis Program Analysis

Analysis and Optimizations Analysis and Optimizations Program Analysis Program Analysis

Analysis and Optimizations Analysis and Optimizations Program Analysis Program Analysis Discovers properties of a program Optimizations Using Program Analysis Use analysis results to transform program Use analysis results

744 views • 17 slides
EDA045F: Program Analysis LECTURE 2: DATAFLOW ANALYSIS 1 Christoph Reichenbach In the last

EDA045F: Program Analysis LECTURE 2: DATAFLOW ANALYSIS 1 Christoph Reichenbach In the last

EDA045F: Program Analysis LECTURE 2: DATAFLOW ANALYSIS 1 Christoph Reichenbach In the last lecture. . . Uses of Program Analysis Static vs. Dynamic Program Analysis Soundness, Precision, Termination Abstraction and Simplification

4.44k views • 52 slides
Program analysis INF4140 - Models of concurrency Program Analysis, lecture 5 Hsten 2015 28.

Program analysis INF4140 - Models of concurrency Program Analysis, lecture 5 Hsten 2015 28.

Program analysis INF4140 - Models of concurrency Program Analysis, lecture 5 Hsten 2015 28. 9. 2016 2 / 43 Program correctness Is my program correct? Central question for this and the next lecture. Does a given program behave as intended?

880 views • 43 slides
Program Analysis Attackers: need to analyze our program to modify it! Defenders: need to analyze

Program Analysis Attackers: need to analyze our program to modify it! Defenders: need to analyze

Program Analysis Attackers: need to analyze our program to modify it! Defenders: need to analyze our program to protect it! Two kinds of analyses: 1 static analysis tools collect information about a program by studying its code; 2 dynamic

1.21k views • 41 slides
Lexical analysis Lexical analysis Lexical analysis checks the correctness of program words and

Lexical analysis Lexical analysis Lexical analysis checks the correctness of program words and

Lexical analysis Lexical analysis Lexical analysis checks the correctness of program words and transforms a program to the stream of tokens: removes empty symbols and commentaries; identifies keywords, indentifiers and literal

400 views • 37 slides
Program Analysis in Software Development Summary of Papers Program Analysis Application Areas

Program Analysis in Software Development Summary of Papers Program Analysis Application Areas

Program Analysis in Software Development Summary of Papers Program Analysis Application Areas Compilation and Optimization LLVM: A Compilation Framework for Lifelong Program Analysis &amp; Transformation Obfuscation Generation and

1.64k views • 6 slides
Lecture 1: Introduction to Program Analysis 17-355/17-655/17-819: Program Analysis Claire Le

Lecture 1: Introduction to Program Analysis 17-355/17-655/17-819: Program Analysis Claire Le

Lecture 1: Introduction to Program Analysis 17-355/17-655/17-819: Program Analysis Claire Le Goues January 14, 2020 * Course materials developed with Jonathan Aldrich (c) 2020 C. Le Goues 1 Learning objectives Provide a high level

788 views • 50 slides
Information Flow and Program Analysis Program Analysis Markus Mller-Olm Westflische

Information Flow and Program Analysis Program Analysis Markus Mller-Olm Westflische

Information Flow and Program Analysis Program Analysis Markus Mller-Olm Westflische Wilhelms-Universitt Mnster, Germany IFIP WG 2.2 Meeting Singapore, September 13-16, 2016 Project Context Work in progress from a joint project with

762 views • 19 slides
Principles of Program Analysis An overview of approaches beyond loop analysis and optimizations

Principles of Program Analysis An overview of approaches beyond loop analysis and optimizations

Principles of Program Analysis An overview of approaches beyond loop analysis and optimizations cs6363 1 The Nature of static analysis --- approximation Static program analysis --- predict the dynamic behavior of programs without running

368 views • 19 slides
1 Programmers often use analysis tools to improve program quality. These are just tools to

1 Programmers often use analysis tools to improve program quality. These are just tools to

1 Programmers often use analysis tools to improve program quality. These are just tools to analyze, or carefully examine, some aspect of a program. We can categorize program analyses into two groups: Static analysis involves analyzing a program's

511 views • 35 slides
1 Analysis Information Where Do Facts Hold? How much information depends on the client

1 Analysis Information Where Do Facts Hold? How much information depends on the client

711? CS711 Advanced Programming Languages Topics in Program Analysis Radu Rugina Fall 2005 CS711 Overview 2 Program Analysis Static vs. Dynamic Static analysis: inspect programs at compile-time Static analysis: Work done at

282 views • 4 slides
Program Analysis 1 Summary Summary analysis of algorithms asymptotic analysis

Program Analysis 1 Summary Summary analysis of algorithms asymptotic analysis

csci 210: Data Structures Program Analysis 1 Summary Summary analysis of algorithms asymptotic analysis big-O big-Omega big-theta asymptotic notation commonly used functions discrete math

500 views • 33 slides
Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda

Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda

Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda Motivation Current State of Program Analysis Design Goals of Binja Program Analysis Building Tools 2 Motivation 3 Tooling - Concrete -&gt;

963 views • 77 slides
Nutrition Program Secondary 2014 DHS Analysis Reference: National Nutrition Program,

Nutrition Program Secondary 2014 DHS Analysis Reference: National Nutrition Program,

Nutrition Program Secondary 2014 DHS Analysis Reference: National Nutrition Program, Nutrition secondary analysis 2014 CDHS, UNICEF/IRD/MOH, Phnom Penh, Cambodia, January 2016 Team For the secondary analysis: IRD MOH Dr Frank Wieringa

826 views • 57 slides
Program Analysis discrete math refresher READING: Textbook chapter 2 (p. 13-26)

Program Analysis discrete math refresher READING: Textbook chapter 2 (p. 13-26)

Summary Summary analysis of algorithms asymptotic analysis big-O big-Omega csci 210: Data Structures big-theta asymptotic notation commonly used functions Program Analysis discrete math

112 views • 9 slides
CS330, March 9, 2004 Indexing, Query Processing, and Transactions 1 Some Logistics Next two

CS330, March 9, 2004 Indexing, Query Processing, and Transactions 1 Some Logistics Next two

CS330, March 9, 2004 Indexing, Query Processing, and Transactions 1 Some Logistics Next two homework assignments out today Extra lab session: This Thursday, after class, in this room Bring your laptop fully charged Extra

379 views • 23 slides
DBS Database Systems Implementing and Optimising Query Languages Peter Buneman 9 November 2010

DBS Database Systems Implementing and Optimising Query Languages Peter Buneman 9 November 2010

DBS Database Systems Implementing and Optimising Query Languages Peter Buneman 9 November 2010 Storage and Indexing Reading: R&amp;G Chapters 8, 9 &amp; 10.1 We typically store data in external (secondary) storage. Why? Becuase: Secondary

668 views • 63 slides
High-performance and Memory-saving Sparse General Matrix-Matrix Multiplication for Pascal GPU

High-performance and Memory-saving Sparse General Matrix-Matrix Multiplication for Pascal GPU

High-performance and Memory-saving Sparse General Matrix-Matrix Multiplication for Pascal GPU Yusuke Nagasaka, Akira Nukada, Satoshi Matsuoka Tokyo Institute of Technology Sparse General Matrix-Matrix Multiplication (SpGEMM) Numerical

943 views • 34 slides
CXual Healing Content Creators are people, too! ADRIAN ROLLETT Technical Director @

CXual Healing Content Creators are people, too! ADRIAN ROLLETT Technical Director @

CXual Healing Content Creators are people, too! ADRIAN ROLLETT Technical Director @ bluespark.com Twitter: acrollet www.bluespark.com WHO DO YOU BUILD SITES FOR? www.bluespark.com STEP 1 Define the problem www.bluespark.com

784 views • 33 slides
Enabling Preservation by means of Open Source dave rice @dericed #fosdem 2015-01-31

Enabling Preservation by means of Open Source dave rice @dericed #fosdem 2015-01-31

Enabling Preservation by means of Open Source dave rice @dericed #fosdem 2015-01-31 Preservation of audiovisual material like the preservation of a species requires creation of copies Preservation copies are generated to deter

806 views • 36 slides
Structure preservation in (some) deep learning architectures Brynjulf Owren Department of

Structure preservation in (some) deep learning architectures Brynjulf Owren Department of

Structure preservation in (some) deep learning architectures Brynjulf Owren Department of Mathematical Sciences, NTNU, Trondheim, Norway LMS-Bath Symposium 2020 Joint work with: Martin Benning, Elena Celledoni, Matthias Ehrhardt, Christian

805 views • 31 slides
ATALM Post-Conference SHN Workshop October 2016 Alex Merrill, Lotus Norton-Wisla Agenda

ATALM Post-Conference SHN Workshop October 2016 Alex Merrill, Lotus Norton-Wisla Agenda

Digital Preservation ATALM Post-Conference SHN Workshop October 2016 Alex Merrill, Lotus Norton-Wisla Agenda 2:15-3:30 Digital Preservation Overview 3:30-4:00 Storage Activity 4:00-4:30 Digital Preservation Action Plan 4:30-5:00

576 views • 44 slides
Preservation of Affordable Housing Aaron Gornstein, President and CEO presentation to Florida

Preservation of Affordable Housing Aaron Gornstein, President and CEO presentation to Florida

Preservation of Affordable Housing Aaron Gornstein, President and CEO presentation to Florida Housing Coalition Preservation Workshop About Preservation of Affordable Housing (POAH) POAH is a national nonprofit organization that owns and

372 views • 8 slides

More recommend