Software Security Examples

Posted on 01-Jul-2015


Static Code Analysis: Introduction and examples

Roberto Battistoni(rbattistoni@acm.org)

Information Security course 2009/2010: prof. Luigi V. Mancini

Secure SDLC (Secure Software Development Life Cycle)

• Abuse Case and Threat Modeling

• Static Analysis or Code Review

Seven Pernicious Kingdoms

1. Input Validation and Representation

2. API Abuse

3. Security Features

4. Time and State

5. Errors

6. Code Quality

7. Encapsulation

8. (*) Environment

Definition: By phylum we mean a specific type of coding error. For example, “Illegal Pointer Value” is a phylum.

Definition: A kingdom is a collection of phyla that share a common theme. For example, “Input Validation and Representation” is a kingdom.

Buffer Overflow. Writing outside the bounds of allocated memory can corrupt data, crash the program, or cause the execution of an attack payload.

Command Injection. Executing commands from an untrusted source or in an untrusted environment can cause an application to execute malicious commands on behalf of an attacker.

Cross-Site Scripting. Sending unvalidated data to a Web browser can result in the browser executing malicious code (usually scripts).

SQL Injection. Constructing a dynamic SQL statement with user input may allow an attacker to modify the statement’s meaning or to execute arbitrary SQL commands.

[...]

Fortify SCA (Static Code Analysis with Fortify SCA)

Example n° 1

Kingdom: API Abuse

    /**
     * Get a database escaped string
     * @return string
     */
    function getEscaped( $text ) {
        // API Abuse: the PHP version is compared as a string (not with version_compare())
        // and, on old versions, the deprecated mysql_escape_string() is used for escaping
        if (phpversion() < '4.3.0') {
            return mysql_escape_string( $text );
        } else {
            return mysql_real_escape_string( $text );
        }
    }


Example n° 2

Kingdom: Input Validation and Representation (SQL Injection)

    /**
     * Execute the query
     * @return mixed A database resource if successful, FALSE if not.
     */
    function query($sql = '') {
        global $mosConfig_debug;
        if ($sql == '') $sql = $this->_sql;
        if ($this->_debug) $this->_log[] = $sql;
        // SQL Injection: the statement string built by the caller reaches mysql_query()
        // with no validation or parameterisation of the values it contains
        if ($this->_cursor = mysql_query($sql, $this->_resource)) {
            $this->_errorNum = 0;
            $this->_errorMsg = '';
            return $this->_cursor;
        } else {
            $this->_errorNum = mysql_errno( $this->_resource );
            $this->_errorMsg = mysql_error( $this->_resource )." SQL=$sql";
            if ($this->_debug) $this->debug_trace();
            return false;
        }
    }

Example n° 3

Kingdom: Encapsulation (System Information Leak)

    <html>
    <!-- Copyright (c) 1999 The Apache Software Foundation. All rights reserved. -->
    <body bgcolor="red">
    <%@ page isErrorPage="true" %>
    <!-- System Information Leak: the raw exception message and class are sent to the browser -->
    <h1> The exception <%= exception.getMessage() %> tells me you made a wrong choice. </h1>
    <h2> Exception raised was <%= exception.toString() %>.</h2>
    </body>
    </html>

Example n° 4

Kingdom: Security Features (Weak Encryption)

    private void loadPBESecretKey() throws Exception {
        // Create the PBE secret key
        cipherSpec = new PBEParameterSpec(salt, iterationCount);
        PBEKeySpec keySpec = new PBEKeySpec(keyStorePassword);
        // Weak Encryption: PBEwithMD5andDES derives a 56-bit DES key through MD5
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBEwithMD5andDES");
        [...]
    }

Example n° 5

Kingdom: Security Features (Weak Cryptographic hash)

    public String digest(String password, String digestType, String inputEncoding)
            throws CmsPasswordEncryptionException {
        MessageDigest md;
        String result;
        try {
            if (DIGEST_TYPE_PLAIN.equals(digestType.toLowerCase())) {
                result = password;
            } else if (DIGEST_TYPE_SSHA.equals(digestType.toLowerCase())) {
                byte[] salt = new byte[4];
                byte[] digest;
                byte[] total;
                if (m_secureRandom == null) {
                    m_secureRandom = SecureRandom.getInstance("SHA1PRNG");
                }
                m_secureRandom.nextBytes(salt);
                // Weak Cryptographic Hash: a single pass of the DIGEST_TYPE_SHA digest
                // over password + 4-byte salt, with no iteration count
                md = MessageDigest.getInstance(DIGEST_TYPE_SHA);
                md.reset();
                md.update(password.getBytes(inputEncoding));
                md.update(salt);
                digest = md.digest();
                total = new byte[digest.length + salt.length];
                System.arraycopy(digest, 0, total, 0, digest.length);
                System.arraycopy(salt, 0, total, digest.length, salt.length);
                result = new String(Base64.encodeBase64(total));
            }
            // the remaining branches, the catch block and the return are not shown on the slide

Example n° 6

Kingdom: Errors (Empty Catch Block)

        if (!stdinInput) {
            try {
                inputReader.close();
            } catch (IOException e1) {
                // Empty Catch Block: a failure to close the reader is silently discarded
            }
        }
        return inputString;
    }
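As an added illustration of what a static checker looks for in code like Examples 1, 2, 5 and 6 (this is not Fortify's rule set and not code from the slides), the following Python line scanner flags the deprecated escaping call and the string version comparison of Example 1, follows request data from $_GET through assignments into the mysql_query() sink as in Example 2, and flags the weak hash and the empty catch block of Examples 5 and 6. The rule patterns, the sanitizer list and the PHP sample are constructed assumptions for this page.

```python
import re

# Toy line-based checker in the spirit of the kingdom examples above
# (constructed for this page, not Fortify's rules): (kingdom, phylum, pattern).
RULES = [
    ("API Abuse", "Deprecated function", re.compile(r"\bmysql_escape_string\s*\(")),
    ("API Abuse", "Version string comparison", re.compile(r"phpversion\(\)\s*[<>]=?\s*'")),
    ("Security Features", "Weak cryptographic hash", re.compile(r"\b(md5|sha1)\s*\(")),
    ("Errors", "Empty catch block", re.compile(r"catch\s*\([^)]*\)\s*\{\s*\}")),
]
# SQL injection as source -> sink taint: request superglobals are sources,
# mysql_query() is the sink, intval()/real-escape calls count as sanitizers.
SOURCE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
SANITIZER = re.compile(r"\b(intval|mysql_real_escape_string)\s*\(")
ASSIGN = re.compile(r"^\s*\$(\w+)\s*(\.?=)\s*(.*);")
SINK = re.compile(r"mysql_query\s*\(\s*(.*?)\s*[,)]")
VAR = re.compile(r"\$(\w+)")

def scan(php: str):
    """Return (line, kingdom, phylum) findings for one PHP source string."""
    findings, tainted = [], set()
    def is_tainted(expr):
        return bool(SOURCE.search(expr)) or any(v in tainted for v in VAR.findall(expr))
    for n, line in enumerate(php.splitlines(), 1):
        for kingdom, phylum, rx in RULES:
            if rx.search(line):
                findings.append((n, kingdom, phylum))
        m = SINK.search(line)
        if m and is_tainted(m.group(1)):
            findings.append((n, "Input Validation and Representation", "SQL Injection"))
        m = ASSIGN.match(line)
        if m:
            name, op, rhs = m.groups()
            if is_tainted(rhs) and not SANITIZER.search(rhs):
                tainted.add(name)      # taint flows through both = and .=
            elif op == "=":
                tainted.discard(name)  # a clean plain assignment clears taint

    return findings

# Constructed PHP sample mirroring the slide examples (not code from the slides).
SAMPLE_PHP = """\
<?php
if (phpversion() < '4.3.0') { $esc = mysql_escape_string($_GET['q']); }
$id = $_GET['id'];
$sql = "SELECT * FROM users WHERE id = " . $id;
$safe = "SELECT * FROM users WHERE id = " . intval($_GET['id']);
$r1 = mysql_query($sql, $db);
$r2 = mysql_query($safe, $db);
$hash = md5($password);
try { risky(); } catch (Exception $e) { }
"""
```

Running scan(SAMPLE_PHP) reports five findings: two on line 2, the injection on line 6 (line 7 is clean because intval() sanitised the value), the weak hash on line 8 and the empty catch on line 9.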

Example n° 7

Kingdom: Errors (overly broad exception)

public AdminClientMain() throws Exception {

[...]