Modeling and Visualizing Security Properties of Code using Dependence Graphs

This thesis contributes to three research areas in software security, namely security requirements and intrusion prevention via static analysis and runtime detection.

We have investigated current practice in security requirements by doing a field study of eleven requirement specifications on IT systems. The conclusion is that security requirements are poorly specified due to three things: inconsistency in the selection of requirements, inconsistency in level of detail, and almost no requirements on standard security solutions. A follow-up interview study addressed the reasons for the inconsistencies and the impact of poor security requirements. It shows that the projects had relied heavily on in-house security competence and that mature producers of software compensate for poor requirements in general but not in the case of security and privacy requirements specific to the customer domain.

Further, we have investigated the effectiveness of five publicly available static analysis tools for security. The test results show high rates of false positives for the tools building on lexical analysis and low rates of true positives for the tools building on syntactical and semantical analysis. As a first step toward a more effective and generic solution we propose decorated dependence graphs as a way of modeling and pattern matching security properties of code. The models can be used to characterize both good and bad programming practice as well as visually explain code properties to programmers. We have implemented a prototype tool that demonstrates how such models can be used to detect integer input validation flaws.

Finally, we investigated the effectiveness of publicly available tools for runtime prevention of buffer overflow attacks. Our initial comparison showed that the best tool as of 2003 was effective against only 50 % of the attacks and there were six attack forms which none of the tools could handle. A follow-up study includes the release of a buffer overflow testbed which covers 850 attack forms. Our evaluation results show that the most popular, publicly available countermeasures cannot prevent all of these buffer overflow attack forms.
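The following is an added illustration, not the thesis's prototype tool, of what "decorating" a dependence graph and pattern matching on it can look like. Each node is a statement annotated with a security role (untrusted integer source, range check, or sensitive sink); edges are the usual data and control dependences of a program dependence graph. The bad-practice pattern for an integer input validation flaw is then: a data-dependence path from a source to a sink where the sink is not control-dependent on any check whose operand derives from that same source. The statement strings, role names and the three sample graphs are constructed for the example; the thesis's own node decorations and patterns may differ.

```python
"""Toy decorated dependence graph with a matcher for integer input validation
flaws.  Constructed example: the roles, statements and graphs below are
invented for illustration and are not the thesis's prototype or its models."""

from collections import deque
from dataclasses import dataclass, field


@dataclass
class Node:
    """One statement, decorated with the security role it plays."""
    nid: str
    stmt: str
    role: str = "plain"                            # source | check | sink | plain
    data_succ: list = field(default_factory=list)  # data-dependence edges out
    ctrl_succ: list = field(default_factory=list)  # control-dependence edges out


class DecoratedDependenceGraph:
    def __init__(self):
        self.nodes = {}

    def add(self, nid, stmt, role="plain"):
        self.nodes[nid] = Node(nid, stmt, role)

    def data_dep(self, src, dst):
        """dst uses a value computed at src."""
        self.nodes[src].data_succ.append(dst)

    def ctrl_dep(self, pred, dst):
        """Whether dst executes is decided by the predicate at pred."""
        self.nodes[pred].ctrl_succ.append(dst)

    def _reach(self, start, kind):
        """BFS over one edge kind ("data_succ" or "ctrl_succ"); returns
        {node: predecessor} for every node reachable from start."""
        parent, todo = {start: None}, deque([start])
        while todo:
            n = todo.popleft()
            for s in getattr(self.nodes[n], kind):
                if s not in parent:
                    parent[s] = n
                    todo.append(s)
        return parent

    def unchecked_integer_flows(self):
        """Bad-practice pattern: an untrusted integer source reaches a sink by
        data dependence, and the sink is not control-dependent on any check
        whose operand derives from the same source.  Each finding is the
        source-to-sink path as a list of statements, i.e. the explanation a
        tool would show the programmer."""
        findings = []
        for src in [n for n in self.nodes.values() if n.role == "source"]:
            flow = self._reach(src.nid, "data_succ")
            guarded = set()
            for c in [n for n in flow if self.nodes[n].role == "check"]:
                guarded |= set(self._reach(c, "ctrl_succ"))
            for sink in [n for n in flow if self.nodes[n].role == "sink"]:
                if sink in guarded:
                    continue
                path, n = [], sink
                while n is not None:            # walk back to the source
                    path.append(self.nodes[n].stmt)
                    n = flow[n]
                findings.append(path[::-1])
        return findings


def build(guarded_sinks=(), with_check=True):
    """Constructed C-like fragment: an attacker-controlled integer used as an
    allocation size and as an array index.  guarded_sinks lists the sinks
    that are control-dependent on the range check (i.e. executed after it)."""
    g = DecoratedDependenceGraph()
    g.add("s1", "n = atoi(argv[1])", role="source")
    g.add("s2", "p = malloc(n * sizeof(int))", role="sink")
    g.add("s3", "p[n - 1] = 0", role="sink")
    g.data_dep("s1", "s2")
    g.data_dep("s1", "s3")
    if with_check:
        g.add("c1", "if (n <= 0 || n > MAX_ITEMS) exit(1)", role="check")
        g.data_dep("s1", "c1")
        for sink in guarded_sinks:
            g.ctrl_dep("c1", sink)
    return g


if __name__ == "__main__":
    cases = {
        "no check at all": build(with_check=False),
        "check before both uses": build(guarded_sinks=("s2", "s3")),
        "check only after the allocation": build(guarded_sinks=("s3",)),
    }
    for name, graph in cases.items():
        print(f"{name}: {graph.unchecked_integer_flows()}")
```

The third case is the one worth noticing: the check statement is present in the code, but because the allocation is not control-dependent on it, the matcher still reports the `atoi` to `malloc` path. Modeling the check as a control dependence rather than as "a check exists somewhere" is what lets the graph distinguish good from bad practice structurally, and the reported path is exactly the subgraph a tool could highlight to explain the finding.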
