Presentation is loading. Please wait.

Presentation is loading. Please wait.

ESSoS: February 4-6 2009 Leuven, Belgium1 Measuring the Effect of Code Complexity on Static Analysis Results James Walden, Adam Messer, Alex Kuhl Northern.

Published byAubrie Jordan Modified over 8 years ago

Similar presentations

Presentation on theme: "ESSoS: February 4-6 2009 Leuven, Belgium1 Measuring the Effect of Code Complexity on Static Analysis Results James Walden, Adam Messer, Alex Kuhl Northern."— Presentation transcript:

1 ESSoS: February 4-6 2009 Leuven, Belgium1 Measuring the Effect of Code Complexity on Static Analysis Results James Walden, Adam Messer, Alex Kuhl Northern Kentucky University February 5, 2009

2 ESSoS: February 4-6 2009 Leuven, Belgium2 Outline 1.Research Goals 2.Research Design 3.Results and Analysis 4.Conclusions and Future Work

3 ESSoS: February 4-6 2009 Leuven, Belgium3 Research Goals 1.Study how static analysis works on whole programs, not samples or synthetic benchmarks. 2.Determine if static analysis detection rates are correlated with code size or complexity. 3.Identify causes of failed vulnerability detection in static analysis tools.

4 ESSoS: February 4-6 2009 Leuven, Belgium4 Static Analysis Tools Open Source lexing tools –Flawfinder, ITS4, RATS –High false positive rates. –Purely local analysis. Open Source parsing tools –cqual, splint –Can’t handle large C programs. Commercial tools –Coverity, Fortify, Klocwork, Polyspace –Difficult to obtain. –Older versions of gcc allow unsupported code.

5 ESSoS: February 4-6 2009 Leuven, Belgium5 Format String Vulnerabilities Recent vulnerability –Use %n specifier to write code to memory. –September 1999. Small quantity –420 from 2000-2006. Easy to verify –Does user input control the format specifier?

6 ESSoS: February 4-6 2009 Leuven, Belgium6 Metrics Static Analysis Metrics –Detection rate –False positive rate –Discrimination Code Metrics –Source Lines of Code (SLOC) –Cyclomatic Complexity (CC)

7 ESSoS: February 4-6 2009 Leuven, Belgium7 Test Cases 35 format string vulnerabilities –Selected randomly from NVD 2000-2006. –Open source C/C++ code that compiles on Linux. –Each case has two versions of the code One version has a format string vulnerability. Other version is same program with vulnerability fixed. Examples wu-ftpd screen stunnel gpg hylafax exim dhcpd squid Kerberos 5 cdrtools gnats cvs socat ethereal openvpn

8 ESSoS: February 4-6 2009 Leuven, Belgium8 Results Detections –22 of 35 (63%) flaws detected by SCA 4.5. Detections by Complexity –Divided samples into 5 complexity bins. –No significant difference between SLOC and CC. Discrimination: –Measure of how often analyzer passes fixed test cases when it also passes vulnerable case. –Results almost identical to detection results since –Only one false positive from 35 fixed samples.

9 ESSoS: February 4-6 2009 Leuven, Belgium9 Detections by Complexity Class 4> 25,0004> 100,000Very Large 610,000 – 25,000650,000 – 100,000Large 55000 – 10,000725,000 – 50,000Medium 101000 – 500095000 – 25,000Small 10< 10009< 5000Very Small SamplesCyclomaticSamplesLines of CodeClass

10 ESSoS: February 4-6 2009 Leuven, Belgium10 Discrimination by Complexity Class 4> 25,0004> 100,000Very Large 610,000 – 25,000650,000 – 100,000Large 55000 – 10,000725,000 – 50,000Medium 101000 – 500095000 – 25,000Small 10< 10009< 5000Very Small SamplesCyclomaticSamplesLines of CodeClass

11 ESSoS: February 4-6 2009 Leuven, Belgium11 Characteristics of Large Software 1.More complex control + data flow. 2.Participation of multiple developers. 3.Use of a broader set of language features. 4.Increased use of libraries that are not part of the C/C++ standard libraries.

12 ESSoS: February 4-6 2009 Leuven, Belgium12 Causes of 13 Failed Detections Format string functions not in rule set. –4 of 13 (31%) failed from this cause. –ex: ap_vsnprintf() from APR. –Can be fixed by adding new rules. Bug in varargs argument counting in SCA. –9 of 13 (69%) failed from this cause. –Fixed in version 5 of Fortify SCA.

13 ESSoS: February 4-6 2009 Leuven, Belgium13 Generalizability of Results Limits –One static analysis tool studied. –One class of vulnerabilities studied. However, both causes apply to any vuln/tool: –Rule sets can’t include every dangerous sink. –Static analysis software will have bugs. How large are those effects? –Do they vary by vulnerability type/language?

14 ESSoS: February 4-6 2009 Leuven, Belgium14 Future Work & Current Results How do static analysis results change with time? What happens after we remove all of the bugs that can be detected? How do code size and complexity metrics affect the number of vulnerabilities in a program over time? How does churn affect this?

15 ESSoS: February 4-6 2009 Leuven, Belgium15 Conclusions 35 Linux C programs with fmt string vulns. One version with a known vuln from NVD. One version where vuln was patched. Static analysis detection rate of 63%. 31% of errors resulted from missing rules. 69% of errors resulted from bug in SCA. Detection rate declines with code size/CC. Only 2 of 6 large projects had bugs detected. 0 of 4 very large projects had bugs detected.

Download ppt "ESSoS: February 4-6 2009 Leuven, Belgium1 Measuring the Effect of Code Complexity on Static Analysis Results James Walden, Adam Messer, Alex Kuhl Northern."

Similar presentations

Static Analysis for Security

Static Analysis for Security
Juliet Test Suite Overview

Juliet Test Suite Overview
Applications of Synchronization Coverage A.Bron,E.Farchi, Y.Magid,Y.Nir,S.Ur Tehila Mayzels 1.

Applications of Synchronization Coverage A.Bron,E.Farchi, Y.Magid,Y.Nir,S.Ur Tehila Mayzels 1.
Programming Paradigms and languages

Programming Paradigms and languages
Software & Services Group, Developer Products Division Copyright© 2010, Intel Corporation. All rights reserved. *Other brands and names are the property.

Software & Services Group, Developer Products Division Copyright© 2010, Intel Corporation. All rights reserved. *Other brands and names are the property.
Regression Methodology Einat Ravid. Regression Testing - Definition  The selective retesting of a hardware system that has been modified to ensure that.

Regression Methodology Einat Ravid. Regression Testing - Definition  The selective retesting of a hardware system that has been modified to ensure that.
Engineering Secure Software. The Power of Source Code  White box testing Testers have intimate knowledge of the specifications, design, Often done by.

Engineering Secure Software. The Power of Source Code  White box testing Testers have intimate knowledge of the specifications, design, Often done by.
A Metric for Evaluating Static Analysis Tools Katrina Tsipenyuk, Fortify Software Brian Chess, Fortify Software.

A Metric for Evaluating Static Analysis Tools Katrina Tsipenyuk, Fortify Software Brian Chess, Fortify Software.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Choosing SATE Test Cases Based on CVEs Sue Wang October 1, 2010 The SAMATE Project 1SATE 2010 Workshop.

Choosing SATE Test Cases Based on CVEs Sue Wang October 1, 2010 The SAMATE Project 1SATE 2010 Workshop.
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
Finding Security Errors in Java Applications Using Lightweight Static Analysis Benjamin Livshits Computer Science Lab Stanford University.

Finding Security Errors in Java Applications Using Lightweight Static Analysis Benjamin Livshits Computer Science Lab Stanford University.
Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley.

Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley.
August 1, 2006 Software Security. August 1, 2006 Essential Facts Software Security != Security Features –Cryptography will not make you secure. –Application.

August 1, 2006 Software Security. August 1, 2006 Essential Facts Software Security != Security Features –Cryptography will not make you secure. –Application.
Fuzzing Dan Fleck CS 469: Security Engineering Sources:

Fuzzing Dan Fleck CS 469: Security Engineering Sources:
1 Presentation at the 4 th PMEO-PDS Workshop Benchmark Measurements of Current UPC Platforms Zhang Zhang and Steve Seidel Michigan Technological University.

1 Presentation at the 4 th PMEO-PDS Workshop Benchmark Measurements of Current UPC Platforms Zhang Zhang and Steve Seidel Michigan Technological University.
Simple Source Auditing Tools Roy INSA. Outline FLAWFINDER RATS.

Simple Source Auditing Tools Roy INSA. Outline FLAWFINDER RATS.
Guide To UNIX Using Linux Third Edition

Guide To UNIX Using Linux Third Edition
CQual: A Tool for Adding Type Qualifiers to C Jeff Foster et al UC Berkeley OSQ Retreat, May 21-23 2002.

CQual: A Tool for Adding Type Qualifiers to C Jeff Foster et al UC Berkeley OSQ Retreat, May
1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.

1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.

Similar presentations

Ads by Google