Static Security Analysis Based on Input-Related Software Faults

It is important to focus on security aspects during the development cycle to deliver reliable software. However, locating security faults in complex systems is difficult, and only a few effective automatic tools are available to help developers. In this paper we present an approach that helps developers locate vulnerabilities by marking the parts of the source code that involve user input. We focus on input-related code because an attacker can usually exploit a vulnerability only by passing malformed input to the application. The main contributions of this work are two metrics that help locate faults during a code review, and algorithms that locate buffer overflow and format string vulnerabilities in C source code. We implemented our approach as a plugin for the GrammaTech CodeSurfer tool. We tested and validated our technique on open-source projects and found faults in software including Pidgin and cyrus-imapd.
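To make the idea of "marking code that involves user input" concrete, the following is an added example (not the paper's CodeSurfer plugin, and not code from the authors) of a toy forward input-dependence analysis over a straight-line C function. The function is supplied as pre-parsed statements (def/use sets, callee, argument list) because no C parser is included; taint flows forward from a constructed list of input sources through assignments, two sink checks flag the fault classes named in the abstract, and a single illustrative review metric (share of statements that are input related) stands in for the paper's two metrics. Branches, loops and aliasing are ignored, which a real dependence-graph analysis handles.

```python
"""Toy input-dependence marking for a straight-line C function (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Library calls whose results or out-arguments are attacker controlled (constructed list).
INPUT_SOURCES = {"fgets", "gets", "getenv", "read", "recv", "scanf"}

# Sinks: callee -> (index of the argument that must not be input derived, fault class).
SINKS = {
    "strcpy": (1, "buffer overflow"),
    "strcat": (1, "buffer overflow"),
    "sprintf": (1, "format string"),
    "printf": (0, "format string"),
    "syslog": (1, "format string"),
}


@dataclass
class Stmt:
    line: int
    text: str
    defs: List[str]                                 # variables written
    uses: List[str]                                 # variables read
    callee: Optional[str] = None                    # library function called, if any
    args: List[str] = field(default_factory=list)   # argument expressions, in order


def analyze(stmts: List[Stmt]) -> Tuple[Set[int], List[Tuple[int, str, str]]]:
    """Return (lines that depend on user input, [(line, fault class, text)])."""
    tainted: Set[str] = set()
    marked: Set[int] = set()
    findings: List[Tuple[int, str, str]] = []
    for s in stmts:
        input_related = s.callee in INPUT_SOURCES or any(v in tainted for v in s.uses)
        # The sink check runs before this statement's own defs are updated, so it
        # sees the taint state of the arguments as they are read.
        if s.callee in SINKS:
            idx, fault = SINKS[s.callee]
            if idx < len(s.args) and s.args[idx] in tainted:
                findings.append((s.line, fault, s.text))
        if input_related:
            marked.add(s.line)
            tainted.update(s.defs)             # everything this statement writes is now tainted
        else:
            tainted.difference_update(s.defs)  # overwritten with input-independent data
    return marked, findings


def input_related_ratio(stmts: List[Stmt], marked: Set[int]) -> float:
    """Illustrative review metric: share of the function that is input related."""
    return len(marked) / len(stmts) if stmts else 0.0


# Constructed sample, standing for this C body:
#   n = recv(fd, buf, sizeof buf, 0);
#   home = getenv("HOME");
#   strcpy(name, buf);                       /* unbounded copy of network data */
#   snprintf(fmt, sizeof fmt, "%s", home);   /* bounded copy, but fmt now holds input */
#   printf(fmt);                             /* input used as the format string */
#   count = 0;
#   printf("%d\n", count);
SAMPLE = [
    Stmt(1, "n = recv(fd, buf, sizeof buf, 0);", ["n", "buf"], ["fd"], "recv", ["fd", "buf"]),
    Stmt(2, 'home = getenv("HOME");', ["home"], [], "getenv", ['"HOME"']),
    Stmt(3, "strcpy(name, buf);", ["name"], ["buf"], "strcpy", ["name", "buf"]),
    Stmt(4, 'snprintf(fmt, sizeof fmt, "%s", home);', ["fmt"], ["home"], "snprintf",
         ["fmt", "sizeof fmt", '"%s"', "home"]),
    Stmt(5, "printf(fmt);", [], ["fmt"], "printf", ["fmt"]),
    Stmt(6, "count = 0;", ["count"], []),
    Stmt(7, 'printf("%d\\n", count);', [], ["count"], "printf", ['"%d\\n"', "count"]),
]

if __name__ == "__main__":
    marked, findings = analyze(SAMPLE)
    print("input-related lines:", sorted(marked))
    print("input-related ratio: %.2f" % input_related_ratio(SAMPLE, marked))
    for line, fault, text in findings:
        print(f"line {line}: possible {fault}: {text}")
```

Running the sample marks lines 1 to 5 as input related (line 4 is marked even though its bounded copy is safe, because its result still carries input into the `printf` on line 5), reports the unbounded `strcpy` on line 3 and the input-controlled format string on line 5, and leaves the two input-independent statements unmarked. The point for a reviewer is that the marking narrows attention to five of seven lines, and that the two sink checks fire only where an input-derived value reaches the sensitive argument.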
