Presentation is loading. Please wait.

Presentation is loading. Please wait.

The OWASP Foundation OWASP OWASP Conference 2008 Application Security – The code analysis way Maty Siman CTO Checkmarx.

Similar presentations


Presentation on theme: "The OWASP Foundation OWASP OWASP Conference 2008 Application Security – The code analysis way Maty Siman CTO Checkmarx."— Presentation transcript:

1 The OWASP Foundation OWASP OWASP Conference 2008 Application Security – The code analysis way Maty Siman CTO Checkmarx

2 OWASP Agenda  Algorithms and code

3 OWASP Data Flow Graph  Represents the flow of data through code.  Each LOC has its own vertex.  Edge represents direct influence of data in the source vertex on the data in the destination vertex (therefore, assignment statements are source vertexes)

4 OWASP Data Flow Graph (cont.) void main() { int j = 0; int i = 0; while (i < 10){ if (i == 3){ j=j*2; } j = j + i; i = i + 1; } printf ("%d\n", j); printf ("%d,n", i); }

5 OWASP Interprocedure Data Flow Graph Void foo() { int a = calc(1); ++a; int b = calc(2) ++b; } Int calc(int i) { retrurn i*2; }

6 OWASP Interprocedure Data Flow Graph Void foo() { int a = calc(1); ++a; int b = calc(2) ++b; } Int calc(int i) { retrurn i*2; }

7 OWASP Tainted value propagation Can be used for many vulnerabilities: SQL Injection XSS Stored XSS Second Order SQL Injection Log forgery Some types of race condition LDAP Injection Command injection Directory traversal … Input Data influencing on XXXX And not sanitized by YYYY

8 OWASP But … Parameters Data members Static variables Events Global Generics And many many many many many more issues Resolve - Code most compile? Direct Access to the engine?

9 OWASP And again - SQL Injection Parameterized queries SqlConnection con = (acquire connection) con.Open(); SqlCommand cmd = new SqlCommand ("SELECT * FROM users WHERE name con) userName); SqlDataReader rdr = cmd.ExecuteReader()

10 OWASP more SQL Injection What about: data=input() if (isValid(data)) { SqlCommand cmd = new SqlCommand ("SELECT * FROM users WHERE age = “ + data, con) }

11 OWASP Control Dependence Graph  Enhances CFG.  Each LOC has its own vertex  Edge B is directed by edge A iff the execution if B depends on the execution of A

12 OWASP Control Dependence Graph (cont.) void main() { int j = 0; int i = 0; while (i < 10){ if (i == 3){ j=j*2; } j = j + i; i = i + 1; } printf ("%d\n", j); printf ("%d,n", i); }

13 OWASP What is the benefit of super-imposing graphs? bool b = true; if (b) { ExecuteCommand(x); }

14 OWASP Slicing  Finding a relevant subset of the application void main() { int sum = 0; int i = 1; while (i < 11) { sum = sum + i; i = i + 1; } printf (“%d\n”, sum); printf (“%d\n”, i); }

15 OWASP Slicing  Finding a relevant subset of the application void main() { int sum = 0; int i = 1; while (i < 11) { sum = sum + i; i = i + 1; } printf (“%d\n”, sum); printf (“%d\n”, i); }

16 OWASP CDG Start Sum = 0 i = 1 While (i<11)Printf(sum)Printf(i) ++iSum +=i

17 OWASP DFG Sum = 0 i = 1 While (i<11)Printf(sum)Printf(i) ++iSum +=i

18 OWASP (DFG+CDG)’ Sum = 0 i = 1 While (i<11)Printf(sum)Printf(i) ++iSum +=i

19 OWASP (DFG+CDG)’ Sum = 0 i = 1 While (i<11)Printf(sum)Printf(i) ++iSum +=i

20 OWASP Some security string FixSql(string s) { string res = ""; if (...) res =... return res; } void Execute(string s) { ExecuteReader(s); } void foo() { string s1,s2,s3; s1 = Input(); s2 = Input(); s3 = FixSql(s1); Execute(s3); Execute(s2); Execute(s1); s1 = s3; s2 = s1; Execute(s1); }

21 OWASP Some security string FixSql(string s) { string res = ""; if (...) res =... return res; } void Execute(string s) { ExecuteReader(s); } void foo() { string s1,s2,s3; s1 = Input(); s2 = Input(); s3 = FixSql(s1); Execute(s3); Execute(s2); Execute(s1); s1 = s3; s2 = s1; Execute(s1); } Backward slicing

22 OWASP Some security string FixSql(string s) { string res = ""; if (...) res =... return res; } void Execute(string s) { ExecuteReader(s); } void foo() { string s1,s2,s3; s1 = Input(); s2 = Input(); s3 = FixSql(s1); Execute(s3); Execute(s2); Execute(s1); s1 = s3; s2 = s1; Execute(s1); } Backward slicing

23 OWASP Some security string FixSql(string s) { string res = ""; if (...) res =... return res; } void Execute(string s) { ExecuteReader(s); } void foo() { string s1,s2,s3; s1 = Input(); s2 = Input(); s3 = FixSql(s1); Execute(s3); Execute(s2); Execute(s1); s1 = s3; s2 = s1; Execute(s1); } Forward slicing

24 OWASP Some security string FixSql(string s) { string res = ""; if (...) res =... return res; } void Execute(string s) { ExecuteReader(s); } void foo() { string s1,s2,s3; s1 = Input(); s2 = Input(); s3 s3 = FixSql(s1);Execute(s3); Execute(s2); Execute(s1); s1 = s3; s2 = s1; Execute(s1); } Forward slicing

25 OWASP Some security string FixSql(string s) { string res = ""; if (...) res =... return res; } void Execute(string s) { ExecuteReader(s); } void foo() { string s1,s2,s3; s1 = Input(); s2 = Input(); s3 s3 = FixSql(s1);Execute(s3); Execute(s2); Execute(s1); s1 = s3; s2 = s1; Execute(s1); } Chopping on “Execute”

26 OWASP Some security string FixSql(string s) { string res = ""; if (...) res =... return res; } void Execute(string s) { ExecuteReader(s); } void foo() { string s1,s2,s3; s1 = Input(); s2 = Input(); s3 = FixSql(s1);Execute(s3); Execute(s2); Execute(s1); s1 = s3; s2 = s1;Execute(s1); } Chopping on “Execute”

27 OWASP 27 Thank you Maty Siman OWASP September 2008 Q&A


Download ppt "The OWASP Foundation OWASP OWASP Conference 2008 Application Security – The code analysis way Maty Siman CTO Checkmarx."

Similar presentations


Ads by Google