ESSoS: February 4-6 2009 Leuven, Belgium1 Measuring the Effect of Code Complexity on Static Analysis Results James Walden, Adam Messer, Alex Kuhl Northern.

Slides:

Advertisements

Similar presentations

Static Analysis for Security

Advertisements

Juliet Test Suite Overview

Applications of Synchronization Coverage A.Bron,E.Farchi, Y.Magid,Y.Nir,S.Ur Tehila Mayzels 1.

Programming Paradigms and languages

Software & Services Group, Developer Products Division Copyright© 2010, Intel Corporation. All rights reserved. *Other brands and names are the property.

Regression Methodology Einat Ravid. Regression Testing - Definition  The selective retesting of a hardware system that has been modified to ensure that.

Engineering Secure Software. The Power of Source Code  White box testing Testers have intimate knowledge of the specifications, design, Often done by.

A Metric for Evaluating Static Analysis Tools Katrina Tsipenyuk, Fortify Software Brian Chess, Fortify Software.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

Choosing SATE Test Cases Based on CVEs Sue Wang October 1, 2010 The SAMATE Project 1SATE 2010 Workshop.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Finding Security Errors in Java Applications Using Lightweight Static Analysis Benjamin Livshits Computer Science Lab Stanford University.

Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley.

August 1, 2006 Software Security. August 1, 2006 Essential Facts Software Security != Security Features –Cryptography will not make you secure. –Application.

Fuzzing Dan Fleck CS 469: Security Engineering Sources:

1 Presentation at the 4 th PMEO-PDS Workshop Benchmark Measurements of Current UPC Platforms Zhang Zhang and Steve Seidel Michigan Technological University.

Simple Source Auditing Tools Roy INSA. Outline FLAWFINDER RATS.

Guide To UNIX Using Linux Third Edition

CQual: A Tool for Adding Type Qualifiers to C Jeff Foster et al UC Berkeley OSQ Retreat, May

1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.

Testing Static Analysis Tools using Exploitable Buffer Overflows from Open Source Code Zitser, Lippmann & Leek Presented by: José Troche.

Static Code Analysis and Governance Effectively Using Source Code Scanners.

Scalable and Flexible Static Analysis of Flight-Critical Software Guillaume P. Brat Arnaud J. Venet Carnegie.

Static Analysis for Security Amir Bazine Per Rehnberg.

A Scanner Sparkly Web Application Proxy Editors and Scanners.

Basics Programming Concepts. Basics A computer program is a set of instructions to tell a computer what to do Machine language = circuit level language.

CSCE 548 Code Review. CSCE Farkas2 Reading This lecture: – McGraw: Chapter 4 – Recommended: Best Practices for Peer Code Review,

EMI INFSO-RI Metrics review Claudio (SA1), Lars, Duarte, Eamonn and Maria (SA2)

Security of Open Source Web Applications Maureen Doyle, James Walden Northern Kentucky University Students: Grant Welch, Michael Whelan Acknowledgements:

SDD/DFS L.K.Lundin VLT 2 nd Generation Instrumentation Pipelines, 19 Apr Pipeline Test methods Lars Kr. Lundin - CPL developer - NACO and VISIR.

SIGITE 2008: Oct Integrating Web Application Security into the IT Curriculum James Walden Northern Kentucky University.

MSFC Avionics Department Flight Software Group CMM Level 2 Certified Automated Software Coding Standards System Development Team Assessment Team Luis Trevino.

Use of Coverity & Valgrind in Geant4 Gabriele Cosmo.

SECURE PROGRAMMING Chapter 1. Overview What is the problem Cost? Threat? Software Security Concepts Policy Flaws Vulnerabilities Exploits Mitigations.

Unit Testing 101 Black Box v. White Box. Definition of V&V Verification - is the product correct Validation - is it the correct product.

Some possible final exam questions. DISCLAIMER models only These questions are models only. Some of these questions may or may not appear in the final.

Static Analysis James Walden Northern Kentucky University.

QuickCheck: A Lightweight Tool for Random Testing of Haskell Programs By Koen Claessen, Juhn Hughes ME: Mike Izbicki.

Software Metrics Cmpe 550 Fall Software Metrics.

1 Ch. 1: Software Development (Read) 5 Phases of Software Life Cycle: Problem Analysis and Specification Design Implementation (Coding) Testing, Execution.

This is a work of the U.S. Government and is not subject to copyright protection in the United States. The OWASP Foundation OWASP AppSec DC October 2005.

1 A Plethora of Paths Eric Larson May 18, 2009 Seattle University.

Maureen Doyle, James Walden Northern Kentucky University Students: Grant Welch, Michael Whelan Acknowledgements: Dhanuja Kasturiratna.

A Tool for Pro-active Defense Against the Buffer Overrun Attack D. Bruschi, E. Rosti, R. Banfi Presented By: Warshavsky Alex.

1 Exposing Behavioral Differences in Cross-Language API Mapping Relations Hao Zhong Suresh Thummalapenta Tao Xie Institute of Software, CAS, China IBM.

Software Metric Tools Joel Keyser, Jacob Napp, Carey Norslien, Stephen Owings, Tristan Paynter.

Cross Language Clone Analysis Team 2 February 3, 2011.

Sairajiv Burugapalli. This chapter covers three main categories of classic software vulnerability: Buffer overflows Integer vulnerabilities Format string.

Computer and Programming. Computer Basics: Outline Hardware and Memory Programs Programming Languages and Compilers.

B UFFER O VERFLOW V ULNERABILITIES Prudhviraj Karumanchi Vijay Venugopalan Vijaya Raghavan CPSC 620 Presentation 12/3/2009.

Creating FunctionstMyn1 Creating Functions Function can be divided into two groups: –Internal (built in) functions –User-defined functions.

Announcements You will receive your scores back for Assignment 2 this week. You will have an opportunity to correct your code and resubmit it for partial.

Copyright © 2014 Pearson Addison-Wesley. All rights reserved. Chapter 2 C++ Basics.

CSCI 161 Lecture 3 Martin van Bommel. Operating System Program that acts as interface to other software and the underlying hardware Operating System Utilities.

OPERATING SYSTEMS (OS) By the end of this lesson you will be able to explain: 1. What an OS is 2. The relationship between the OS & application programs.

Constraint Framework, page 1 Collaborative learning for security and repair in application communities MIT site visit April 10, 2007 Constraints approach.

1 Library emulation: combating library aging Fabio Corubolo London, December 3 rd 2009.

Content Coverity Static Analysis Use cases of Coverity Examples

Sabrina Wilkes-Morris CSCE 548 Student Presentation

PRINCIPLES OF COMPILER DESIGN

Introduction to Compiler Construction

Udaya Shyama Pallathadka Ganapathi Bhat CSCE 548 Student Presentation

Improving Security Using Extensible Lightweight Static Analysis

Mid Term II Review.

Introduction to Static Analyzer

A Metric for Evaluating Static Analysis Tools

Semantic Type Qualifiers

White Box testing & Inspections

Sample Sizes for IE Power Calculations.

SeeSoft A Visualization Tool..

Presentation transcript:

ESSoS: February Leuven, Belgium1 Measuring the Effect of Code Complexity on Static Analysis Results James Walden, Adam Messer, Alex Kuhl Northern Kentucky University February 5, 2009

ESSoS: February Leuven, Belgium2 Outline 1.Research Goals 2.Research Design 3.Results and Analysis 4.Conclusions and Future Work

ESSoS: February Leuven, Belgium3 Research Goals 1.Study how static analysis works on whole programs, not samples or synthetic benchmarks. 2.Determine if static analysis detection rates are correlated with code size or complexity. 3.Identify causes of failed vulnerability detection in static analysis tools.

ESSoS: February Leuven, Belgium4 Static Analysis Tools Open Source lexing tools –Flawfinder, ITS4, RATS –High false positive rates. –Purely local analysis. Open Source parsing tools –cqual, splint –Can’t handle large C programs. Commercial tools –Coverity, Fortify, Klocwork, Polyspace –Difficult to obtain. –Older versions of gcc allow unsupported code.

ESSoS: February Leuven, Belgium5 Format String Vulnerabilities Recent vulnerability –Use %n specifier to write code to memory. –September Small quantity –420 from Easy to verify –Does user input control the format specifier?

ESSoS: February Leuven, Belgium6 Metrics Static Analysis Metrics –Detection rate –False positive rate –Discrimination Code Metrics –Source Lines of Code (SLOC) –Cyclomatic Complexity (CC)

ESSoS: February Leuven, Belgium7 Test Cases 35 format string vulnerabilities –Selected randomly from NVD –Open source C/C++ code that compiles on Linux. –Each case has two versions of the code One version has a format string vulnerability. Other version is same program with vulnerability fixed. Examples wu-ftpd screen stunnel gpg hylafax exim dhcpd squid Kerberos 5 cdrtools gnats cvs socat ethereal openvpn

ESSoS: February Leuven, Belgium8 Results Detections –22 of 35 (63%) flaws detected by SCA 4.5. Detections by Complexity –Divided samples into 5 complexity bins. –No significant difference between SLOC and CC. Discrimination: –Measure of how often analyzer passes fixed test cases when it also passes vulnerable case. –Results almost identical to detection results since –Only one false positive from 35 fixed samples.

ESSoS: February Leuven, Belgium9 Detections by Complexity Class 4> 25,0004> 100,000Very Large 610,000 – 25,000650,000 – 100,000Large – 10,000725,000 – 50,000Medium – – 25,000Small 10< 10009< 5000Very Small SamplesCyclomaticSamplesLines of CodeClass

ESSoS: February Leuven, Belgium10 Discrimination by Complexity Class 4> 25,0004> 100,000Very Large 610,000 – 25,000650,000 – 100,000Large – 10,000725,000 – 50,000Medium – – 25,000Small 10< 10009< 5000Very Small SamplesCyclomaticSamplesLines of CodeClass

ESSoS: February Leuven, Belgium11 Characteristics of Large Software 1.More complex control + data flow. 2.Participation of multiple developers. 3.Use of a broader set of language features. 4.Increased use of libraries that are not part of the C/C++ standard libraries.

ESSoS: February Leuven, Belgium12 Causes of 13 Failed Detections Format string functions not in rule set. –4 of 13 (31%) failed from this cause. –ex: ap_vsnprintf() from APR. –Can be fixed by adding new rules. Bug in varargs argument counting in SCA. –9 of 13 (69%) failed from this cause. –Fixed in version 5 of Fortify SCA.

ESSoS: February Leuven, Belgium13 Generalizability of Results Limits –One static analysis tool studied. –One class of vulnerabilities studied. However, both causes apply to any vuln/tool: –Rule sets can’t include every dangerous sink. –Static analysis software will have bugs. How large are those effects? –Do they vary by vulnerability type/language?

ESSoS: February Leuven, Belgium14 Future Work & Current Results How do static analysis results change with time? What happens after we remove all of the bugs that can be detected? How do code size and complexity metrics affect the number of vulnerabilities in a program over time? How does churn affect this?

ESSoS: February Leuven, Belgium15 Conclusions 35 Linux C programs with fmt string vulns. One version with a known vuln from NVD. One version where vuln was patched. Static analysis detection rate of 63%. 31% of errors resulted from missing rules. 69% of errors resulted from bug in SCA. Detection rate declines with code size/CC. Only 2 of 6 large projects had bugs detected. 0 of 4 very large projects had bugs detected.