Teachable Static Analysis Workbench by Igor Konnov, Dmitry Kozlov.

1 Teachable Static Analysis Workbench by Igor Konnov, Dmitry Kozlov

2 Who we are: Web security group at Computing Systems Lab, Moscow State University, and MSU Computer Science faculty students who participate in our projects: Georgy Klimov, Edward Toroschin, Denis Zalivin, Alexander Mischenkko. Igor Konnov, Andrew Petukhov, Dmitry Kozlov.

3 Our contributions to OWASP: Python tainted mode (SoC 2007); Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis with Penetration Testing (AppSecEU08); Static analysis of Python web applications (SoC 2008); Teachable Static Analysis Workbench (SoC 2008); Access Control Rules Tester (SoC 2008); OWASP Site Generator Refresh (SoC 2008).

4 Project goal: To build a tool, teachable by a security analyst, which helps to verify that a web application has the appropriate security mechanisms and that they are used in the right way. One more idea: treat this as an integration project and investigate whether different OWASP tools and docs can work together.

5 Motivation: Manual code review is boring and therefore error-prone work. Static analysis tools help to perform routine checks. Web apps vary in frameworks, libraries and security technologies, so a static analysis tool has to support every technology, library, etc. to be applicable. Vulnerabilities vary depending on the technologies used in the web app: XSS, SQLI, LDAPI, etc.

6 Teaching static analyzer: Input validation vulnerabilities: XSS, SQLI, HTTP Response Splitting, and more. Are they so different? All of them are a dataflow from some source of “tainted” data provided by a malicious user to some sensitive function (system call, HTTP headers, HTML page, …). They differ in technologies: with LDAP the sensitive function is an LDAP modification, with SQL it is query execution, etc. They differ in the source of tainted data: request parameters, database records, files, etc.

7 Teaching static analyzer: Security mechanisms are different: mysql_real_escape_string(); public static boolean validateRequired(Object bean, Field field) { String value = ValidatorUtil.getValueAsString(bean, field.getProperty()); return GenericValidator.isBlankOrNull(value); }; XML validators: email ^[\w-]+(?:\.[\w-]+)*@(?:[\w-]+\.)+[a-zA-Z]{2,7}$
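
Slides 6 and 7 as a runnable model: one taint engine, with the sources, sensitive functions and sanitizers supplied as "taught" configuration. This is an added example, not code from the presentation or from Secbugs; the straight-line program model and every name except mysql_real_escape_string() are constructed for illustration.

```python
# Vulnerability classes the analyst cares about (from the slides).
ALL = frozenset({"XSS", "SQLI", "LDAPI"})

# Constructed "taught" configuration: what the analyst marks in the code.
CONFIG = {
    "sources": {"request.getParameter"},
    "sinks": {"stmt.executeQuery": "SQLI", "out.println": "XSS",
              "ctx.modifyAttributes": "LDAPI"},
    # A sanitizer only removes taint for the classes it was written for.
    "sanitizers": {"mysql_real_escape_string": {"SQLI"},
                   "encodeForHTML": {"XSS"}},
}

# Constructed program: (assigned variable, called function, argument variables).
PROGRAM = [
    ("login", "request.getParameter", []),
    ("safe", "mysql_real_escape_string", ["login"]),
    ("q", "concat", ["safe"]),
    (None, "stmt.executeQuery", ["q"]),   # SQL-escaped: no finding
    (None, "out.println", ["safe"]),      # SQL escaping does not stop XSS
]

def analyze(program, config):
    """Return (statement number, sink, class) for each tainted flow into a sink."""
    taint = {}      # variable -> classes it is still dangerous for
    findings = []
    for number, (target, func, args) in enumerate(program, 1):
        incoming = set().union(*(taint.get(a, set()) for a in args))
        kind = config["sinks"].get(func)
        if kind is not None and kind in incoming:
            findings.append((number, func, kind))
        if func in config["sources"]:
            result = set(ALL)                  # fresh user-controlled data
        elif func in config["sanitizers"]:
            result = incoming - config["sanitizers"][func]
        else:
            result = incoming                  # unknown calls propagate taint
        if target is not None:
            taint[target] = result
    return findings

if __name__ == "__main__":
    for finding in analyze(PROGRAM, CONFIG):
        print(finding)
```

Removing the sanitizer entry from the configuration makes statement 4 a SQLI finding as well, which is the effect of the analyst not yet having taught the tool about that function.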

8 ESAPI Secure Coding Guide’s patterns: Authentication: All HTTP requests for transactions shall be verified using the HTTPUtilities.verifyCSRFToken(). All requests for pages that require authentication shall call the ESAPI.authenticator().login() method. Access Control: The application shall use assertAuthorizedForFile() to verify authorization before allowing access to files. Input Validation: The application shall add all custom cookies with ESAPI.httpUtilities().safeAddCookie() to ensure they are properly secured. Banned API: Replace ServletResponse.setContentType() with HTTPUtilities.setContentType().

9 Teaching static analyzer to ESAPI: ESAPI Secure Coding Guide rules have the form “call stack at some program point should (not) contain some call”: the HTTPServlet.service() method shouldn’t call ServletResponse.addCookie(), but HTTPUtilities().safeAddCookie(). => SA must be capable of searching for patterns on the Call Graph or Control Flow Graph. Teaching means creating logical expressions on these graphs.
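
The banned-call rule from slide 9, checked on a call graph. This is an added example, not part of the presentation or of the workbench; the graph and the application method names (LoginAction, ProfileAction, CookieHelper) are constructed, and the rule format is an assumption.

```python
from collections import deque

# Constructed call graph: caller -> callees.
CALL_GRAPH = {
    "HTTPServlet.service": ["LoginAction.run", "ProfileAction.run"],
    "LoginAction.run": ["HTTPUtilities.safeAddCookie"],
    "ProfileAction.run": ["CookieHelper.remember"],
    "CookieHelper.remember": ["ServletResponse.addCookie"],
    # The approved wrapper itself ends in the raw API, which is allowed.
    "HTTPUtilities.safeAddCookie": ["ServletResponse.addCookie"],
}

# Rule from the slide: service() must not reach addCookie() except via the wrapper.
RULES = [{
    "entry": "HTTPServlet.service",
    "banned": "ServletResponse.addCookie",
    "use_instead": "HTTPUtilities.safeAddCookie",
}]

def find_violations(graph, rules):
    """Return one call path per place where the banned call is reached directly."""
    violations = []
    for rule in rules:
        queue = deque([[rule["entry"]]])
        seen = {rule["entry"]}
        while queue:
            path = queue.popleft()
            for callee in graph.get(path[-1], []):
                if callee == rule["banned"]:
                    violations.append(path + [callee])
                    continue
                # Do not descend into the approved wrapper: calls made
                # inside it are the sanctioned route to the raw API.
                if callee == rule["use_instead"] or callee in seen:
                    continue
                seen.add(callee)
                queue.append(path + [callee])
    return violations

if __name__ == "__main__":
    for path in find_violations(CALL_GRAPH, RULES):
        print(" -> ".join(path))
```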

10 Key requirements for the Security Analysis Workbench: Teachable: about technologies, about vulnerabilities, about security mechanisms. Reuse of analyst knowledge: teach once and reuse for many web applications. Recalculation of results on the fly. The tool should work as part of the Eclipse IDE.

11 How to work with Teachable Static Analysis Workbench

20 What is inside Teachable Static Analysis Workbench

21 Static analyzers: LAPSE: unsupported, no user community, latest source is unavailable, doesn’t work with current stable Eclipse, very primitive analysis, works slowly. FindBugs: a live project with good documentation and code, broad user community, intraprocedural analysis for XSS that needs to be extended, Eclipse integration. PQL: interesting analysis, lack of documentation, very limited community, immature implementation. Indus: mature project, good community, very sophisticated, slower than FindBugs.

22 Workbench architecture [diagram; labels: *.jsp.class, JSP Precompiler, TeSA Eclipse Plugin, *.java, javac, modified FindBugs, SecBugs plugin for FindBugs, modified FindBugs Eclipse Plugin, Eclipse source code markers, Analysis configuration. Example shown: in HelloWorld.java, Request.getParameter(“login”) is selected and the analyst chooses “Mark method as tainted source”.]

23 Status and Future Steps: Current status is beta. Reviewers promised to finish 100% review soon. Future work: GUI improvements: view vulnerabilities in Eclipse Project explorer. Support for XML-based and annotation-based validations. Support for ESAPI-like patterns: give the analyst the ability to create expressions on the Call Graph and CFG. Support “on the fly” analysis. Backport our FindBugs improvements to the FindBugs project.

24 Closing: project contribution: Secbugs: interprocedural taint analysis, configurable for different types of input validation vulnerabilities. TeSA: a “teaching” environment, which allows a security analyst to mark up code in the Eclipse source editor and creates the configuration for Secbugs. JSP support. SA can rerun continuously but it’s real “on the fly”. LAPSE port to Eclipse 3.4, although our tool actually makes the use of LAPSE deprecated.

