Static Analysis of the VoteHere
VHTi Reference
Implementation
Using Flawfinder and RATS
Markus Dale
December 2005
Outline
Results
New and Significant
Static Analysis and Limitations
Previous Work
Flawfinder/RATS
VoteHere Sentinel and VHTi Reference Implementation
Static Analysis Results
Future Work
References
Results
Static analysis with Flawfinder and RATS found only 19 potential security problems in over 10,000 lines of source code.
The security problems must be mitigated from within the system that uses the VHTi Reference Implementation API.
Different static analysis tools have different trade-offs. Use as many tools as possible.
False positives can consume a large amount of time.
New and Significant
Applies Flawfinder and RATS open source
static analysis tools to the VoteHere VHTi
Reference Implementation.
Compares performance of Flawfinder and
RATS against VHTi Reference Implementation.
Static Analysis
Compiled from Michael/Lavenhar paper:
Potentially Insecure Library Functions
– Database of vulnerabilities
Type confusion between references and pointers
Detect memory allocation errors
– Double free, write to freed memory, buffer overflow
Temporal Safety constraints (ordered steps)
Data Flow Analysis – tainted variables
Pointer Aliasing Analysis – two pointers to same memory loc
Limitations of Static Analysis
Problem bounded by Rice’s Theorem:
– there exists no automatic method that decides with
generality non-trivial questions on the black-box
behavior of computer programs (Wikipedia)
False positives vs. false negatives trade-offs
Local, module, program analysis
Previous Work
Static Analysis Best Practice by DHS Build In
Security Site (also overview of tools)
Microsoft SLAM project: Static Driver Verifier
uses Specification Language for Interface
Checking to encode temporal safety constraints
(Ball/Rajamani)
MOPS – Model Checking Programs for
Security Properties (Chen/Wagner)
More Previous Work
Flanagan et al. ESC/Java
– Automated theorem prover: null references, array
error bounds, type cast errors, race conditions
Livshits DynaMine
– Add revision history information
Blanchet et al. Static Analyzer for Large Safety-Critical Software
– refinements and parameterization
Flawfinder
David Wheeler, author of Secure Programming
for Linux and Unix HOWTO, latest 2004
Use lexical analysis and database for C/C++ buffer overflow risks
– e.g., strcpy(), strcat(), gets(), sprintf(), scanf()
format string problems
– [v][f]printf(), [v]snprintf(), and syslog()
Time Of Check to Time of Use (TOCTOU) race conditions
poor random number acquisition
Rough Auditing Tool for Security (RATS)
Secure Software, latest 2002
Commercial offering CodeAssure
Lexical analysis and database for
– C/C++
– Perl, PHP, Python
Buffer overflow problems
TOCTOU race conditions
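How the lexical, database-driven matching used by Flawfinder and RATS works, as an added illustration in C++ that is not either tool's own code; the function names and risk levels in kRiskDb are a constructed sample, not the tools' databases. Because a call is matched by name alone, a memcpy that is preceded by a correct size check is still reported, which is the false-positive trade-off the results slides count.

```cpp
#include <cctype>
#include <cstddef>
#include <cstring>
#include <string>
#include <vector>

// Constructed sample of a risk database: function name and risk level
// (0 least risk, 5 highest), in the spirit of the Flawfinder/RATS levels.
struct RiskyFunc { const char* name; int level; };

static const RiskyFunc kRiskDb[] = {
    {"gets", 5}, {"strcpy", 4}, {"sprintf", 4}, {"memcpy", 2}, {"getenv", 3},
};

struct Finding { int line; std::string func; int level; };

static bool is_ident_char(char c) { return std::isalnum(static_cast<unsigned char>(c)) || c == '_'; }

// Reports one Finding per call-like occurrence "name(" of a database function.
// Purely lexical: no data-flow or bounds reasoning, so a checked memcpy is
// reported exactly like an unchecked one (a potential, not an actual, problem).
std::vector<Finding> scan_source(const std::string& src)
{
    std::vector<Finding> out;
    int line_no = 1;
    std::size_t start = 0;
    for (;;) {
        std::size_t end = src.find('\n', start);
        std::string line = src.substr(start, end == std::string::npos ? std::string::npos : end - start);
        for (const RiskyFunc& f : kRiskDb) {
            std::size_t n = std::strlen(f.name);
            for (std::size_t pos = line.find(f.name); pos != std::string::npos;
                 pos = line.find(f.name, pos + n)) {
                // whole identifier only: "my_strcpy(" is a different function
                bool word_start = (pos == 0) || !is_ident_char(line[pos - 1]);
                std::size_t after = pos + n;            // tolerate "memcpy (" spacing
                while (after < line.size() && line[after] == ' ') ++after;
                bool is_call = after < line.size() && line[after] == '(';
                if (word_start && is_call) out.push_back({line_no, f.name, f.level});
            }
        }
        if (end == std::string::npos) break;
        start = end + 1;
        ++line_no;
    }
    return out;
}
```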
VoteHere Sentinel
Add-on to Diebold AccuVote-TS to
independently verify election results
Based on Neff’s E-Voting secure shuffle
implemented as VHTi Reference
Implementation
Reference Implementation freely downloadable
VHTi Reference Implementation Docs
API Developer’s Guide
– How to build, third-party libs, usage, security
concerns, DTDs for XML data structures
Known Issues doc
– Results from reviews
VHTi Threat Analysis Doc
– Attack tree and mitigation techniques
VHTi Reference Implementation
RATS: getenv warning
./util/result.cpp:625: High: getenv
./util/vh_cout.cpp:123: High: getenv
Environment variables are highly untrustable input.
They may be of any length, and contain any data.
Do not make any assumptions regarding content or
length. If at all possible avoid using them, and if it is
necessary, sanitize them and truncate them to a
reasonable length.
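One way to apply the RATS advice above (truncate and sanitize), as an added example that is not part of the VHTi Reference Implementation; the names sanitize_env_value, safe_getenv and kMaxEnvLen and the allowed character set are assumptions chosen here for illustration.

```cpp
#include <cctype>
#include <cstddef>
#include <cstdlib>
#include <string>

// Hypothetical helper, not VHTi code: treats a raw environment value as
// untrusted input. It is truncated to max_len and only a conservative
// character set (alphanumerics and a few path characters) is kept, so a
// hostile value cannot carry format directives such as "%n" or shell
// metacharacters into whatever later consumes it. A missing variable
// (nullptr) yields an empty string instead of a null-pointer dereference.
std::string sanitize_env_value(const char* raw, std::size_t max_len)
{
    std::string out;
    if (raw == nullptr) return out;
    // Stop as soon as max_len characters are kept: the value may be any length.
    for (std::size_t i = 0; raw[i] != '\0' && out.size() < max_len; ++i) {
        unsigned char c = static_cast<unsigned char>(raw[i]);
        if (std::isalnum(c) || c == '/' || c == '.' || c == '_' || c == '-' || c == ':')
            out.push_back(static_cast<char>(c));
    }
    return out;
}

// Bounded wrapper around getenv() for the real environment; the cap is an
// assumed "reasonable length" for a path-like value.
const std::size_t kMaxEnvLen = 256;

std::string safe_getenv(const char* name)
{
    return sanitize_env_value(std::getenv(name), kMaxEnvLen);
}
```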
Flawfinder: Warning about
memcpy
./pki/crypt.cpp:244: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination.
Make sure destination can always hold the source data.
Memcpy Mitigation
// Reject the input unless it is exactly the size of the fixed IV buffer
if (sizeof (iv) != initialization_vector.size ())
{
    ...
    throw VHUtil::Exception (...)
}
// Only reached when the sizes match, so the copy cannot overrun iv
memcpy (iv,
        initialization_vector.data (),
        initialization_vector.size ());
[Chart: Flawfinder Vulnerabilities. Bars: Potential Vulnerability Count vs. Actual Problem Count. X axis: Level of Vulnerability (0 least risk, 5 highest risk). Y axis: Vulnerability Count, 0 to 50.]
[Chart: RATS Vulnerabilities. Bars: Potential Vulnerability Count vs. Actual Vulnerability Count. X axis: Level of Vulnerability (Low, Medium, High). Y axis: Vulnerability Count, 0 to 35.]
Results from Static Analysis
Flawfinder: 64 total/9 actual (~7:1)
RATS: 41 total/14 actual (~3:1)
Overlapping problems found: 4
Unique problems: 19
Statically declared arrays
– 36 unique declarations
– Flawfinder: 32; RATS: 20
Findings
The 19 potential problems are not problems by
themselves
– Defensive Programming
– Library code – greatest reusability
– Must implement mitigation techniques and correct
usage of API in implemented system
Future Work
Use commercial static analysis tool such as
Klocwork K7, Ounce Labs Prexis or Secure
Software CodeAssure
Analyze complete source code for VoteHere
Sentinel system
Selected References
Chess, B. & McGraw, G. (2004), 'Static analysis for security', IEEE Security & Privacy Magazine 2(6), pp. 76-79.
Flanagan, C.; Leino, K.R.M.; Lillibridge, M.; Nelson, G.; Saxe, J.B. & Stata, R. (2002), 'Extended static checking for Java', in PLDI '02: Proceedings of the ACM SIGPLAN 2002 Conference on Programming Language Design and Implementation, ACM Press, New York, NY, USA, pp. 234-245.
Martin, M.; Livshits, B. & Lam, M.S. (2005), 'Finding application errors and security flaws using PQL: a program query language', in OOPSLA '05: Proceedings of the 20th Annual ACM SIGPLAN Conference on Object-Oriented Programming, Systems, Languages, and Applications, ACM Press, New York, NY, USA, pp. 365-383.
More Selected References
Neff, C.A. (2001), 'A verifiable secret shuffle and its application to e-voting', in CCS '01: Proceedings of the 8th ACM Conference on Computer and Communications Security, ACM Press, New York, NY, USA, pp. 116-125.
RABA (2004), 'Trusted Agent Report: Diebold AccuVote-TS Voting System', http://www.raba.com/press/TA_Report_AccuVote.pdf.
Michael, C. & Lavenhar, S.R. (2005), 'Source Code Analysis Tools - Overview', https://buildsecurityin.us-cert.gov/portal/article/tools/code_analysis/overview.xml, published via the U.S. Department of Homeland Security Build Security In website.