SAST, CWE, SEI CERT and other smart words from the information security world
Download as PPTX, PDF0 likes247 views
This document discusses static application security testing (SAST) and how it can help detect vulnerabilities in code. It provides background on how code bases and error densities are growing over time. It then discusses various standards and classifications for weaknesses and vulnerabilities, such as CWE, CVE, MISRA, and SEI CERT. It emphasizes that SAST tools can help detect vulnerabilities early and provide coverage of entire code bases, but may produce false positives. Finally, it suggests introducing SAST tools correctly through configuration, continuous integration, and addressing warnings as technical debt.
![Заголовок
31
CVE-2012-2122
typedef char my_bool;
my_bool
check_scramble(const char *scramble_arg, const char *message,
const uint8 *hash_stage2)
{
....
return memcmp(hash_stage2, hash_stage2_reassured, SHA1_HASH_SIZE);
}
[CWE-197] Saving the 'memcmp' function result inside the 'char' type
variable is inappropriate. The significant bits could be lost
breaking the program's logic.](https://image.slidesharecdn.com/1e-190626171032/85/SAST-CWE-SEI-CERT-and-other-smart-words-from-the-information-security-world-31-320.jpg)
![Заголовок
32
CVE-2013-4258
if (NasConfig.DoDaemon) {
openlog("nas", LOG_PID, LOG_DAEMON);
syslog(LOG_DEBUG, buf);
closelog();
} else {
errfd = stderr;
}
[CWE-134] It's dangerous to call the 'syslog' function in such
a manner, as the line being passed could contain format
specification. The example of the safe code: printf("%s", str).
Network Audio System](https://image.slidesharecdn.com/1e-190626171032/85/SAST-CWE-SEI-CERT-and-other-smart-words-from-the-information-security-world-32-320.jpg)
![Заголовок
33
CVE-2014-1266
static OSStatus
SSLVerifySignedServerKeyExchange(....)
{
....
if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
goto fail;
goto fail;
if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
goto fail;
....
fail:
....
}
[CWE-483] The code's operational logic does not correspond with its formatting.
[CWE-561] Unreachable code detected. It is possible that an error is present.](https://image.slidesharecdn.com/1e-190626171032/85/SAST-CWE-SEI-CERT-and-other-smart-words-from-the-information-security-world-33-320.jpg)
SAST, CWE, SEI CERT and other smart words from the information security world
- 1. Заголовок ptsecurity.com SAST, CWE, SEI CERT and other smart words from the information security world Sergey Khrenov PVS-Studio Developer
- 2. Заголовок 2 Speaker Sergey Khrenov C# developer, PVS-Studio khrenov@viva64.com www.viva64.com
- 3. Заголовок 3 Why you should listen to this talk S - security
- 4. Заголовок 4 The issue – code base growth • Linux 1.0.0 kernel: 176 250 lines of code • Linux 4.11.7 kernel: 18 373 471 lines of code • Photoshop 1.0 : 128 000 lines of code • Photoshop CS 6 : 10 000 000 lines of code • Density of errors is also growing, but nonlinearly • Everyone wants SECURE code of high quality • Old methods of quality control aren’t enough any more
- 6. Заголовок 6 Error density (per 1 KLOC) 0 20 40 60 80 100 < 2 2-16 16-64 64-512 > 512 "Estimating Software Costs: Bringing Realism to Estimating" (Capers Jones, 2007)
- 7. Заголовок 7 How to fight with errors • Do it right from the start (doesn’t work) • Follow company rules • Use “best practices” • Code Review • Couple development • Test-driven development (TDD) • Agile development • Tools
- 8. Заголовок 8 A few words about Code Review
- 9. Заголовок 9 Example from practice (Mono project)
- 10. Заголовок 10 Example from practice (Mono project)
- 11. Заголовок 11 Example from practice (Mono project)
- 12. Заголовок 12 Tools • Unit tests • Functional tests • Load tests • … • Dynamic analysers • Static analysers
- 14. Заголовок 14 Modern analysers Integration into IDE Integration into build systems and CI Incremental analysis Noise suppression mechanisms
- 15. Заголовок 15 Slow help is no help 0 1000 2000 3000 4000 5000 6000 7000 8000 Development Build QA Release Phase Cost to Fix a Security Defect ($) NIST: National Institute of Standards and Technology
- 16. Заголовок 16 Programming errors and their consequences (Therac-25) From June 1985 to January 1987 year this device has become the reason for at least 6 radiation overdoses. Some patients got tens of thousands radiation absorbed doses. At least two people died directly because of overdoses.
- 17. Заголовок 17 Programming errors and their consequences (Ariane-5) June 4, 1996, spaceport Kure. During the first launch, at the 40th second of the flight, the rocket collapsed. The reason is an error in the on-board software.
- 18. Заголовок 18 DevSecOps and SAST will help us
- 19. Заголовок 19 Increasing number of detected vulnerabilities 5632 16555 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 https://www.cvedetails.com
- 20. Заголовок 20 Search for vulnerabilities For legacy code, search for known vulnerabilities is optimal: • Analogy - antiviruses • No false positives • Only known issues are found • Especially useful in large old projects For newly written code, the method of searching code defects in order to prevent vulnerabilities is more effective.
- 21. Заголовок 21 SAST - Static Application Security Testing • Static analysis is aimed at searching and preventing vulnerabilities • Vulnerabilities are often ordinary bugs (according to the data from NIST, more than 60%) • SAST tools help to prevent vulnerabilities and provide support of development security standards: CWE, MISRA, SEI CERT and others.
- 22. Заголовок 22 SAST - Static Application Security Testing Pros: • Early problem detection • Entire code coverage • Good at searching typos and errors of the Copy-Paste type Cons: • False positives • Exact error criticality is not defined • Weak detection of memory leaks and parallel errors
- 23. Заголовок 23 Path to a real vulnerability CWE - Common Weakness Enumeration CVE - Common Vulnerabilities and Exposures
- 24. Заголовок 24 CWE • CWE™ is a community-developed list of common software security weaknesses • https://cwe.mitre.org • List of more than 800 potential vulnerabilities, which can become real
- 25. Заголовок 25 CWE: examples of potential vulnerabilities • CWE-14: Compiler Removal of Code to Clear Buffers • CWE-20: Improper Input Validation • CWE-91: XML Injection • CWE-457: Use of Uninitialized Variable • CWE-467: Use of sizeof() on a Pointer Type • CWE-562: Return of Stack Variable Address
- 26. Заголовок 26 CWE-14 (Compiler Removal of Code to Clear Buffers) void win32_dealloc(struct event_base *_base, void *arg) { struct win32op *win32op = arg; .... memset(win32op, 0, sizeof(win32op)); free(win32op); } The compiler could delete the 'memset' function call, which is used to flush 'win32op' object.
- 27. Заголовок 27 CWE-687 (Function Call With Incorrectly Specified Argument Value) void win32_dealloc(struct event_base *_base, void *arg) { struct win32op *win32op = arg; .... memset(win32op, 0, sizeof(win32op)); free(win32op); } The memset function receives the pointer and its size as arguments. It is possibly a mistake. Inspect the third argument.
- 28. Заголовок 28 CWE-563 (Assignment to Variable without Use) public string Region { get {....} set { if (String.IsNullOrEmpty(value)) { this.linker.s3.region = "us-east-1"; } this.linker.s3.region = value; } } The 'this.linker.s3.region' variable is assigned values twice successively. Perhaps this is a mistake.
- 29. Заголовок 29 CWE-674 (Uncontrolled Recursion) OnFailure? onFailure = null; public OnFailure? OnFailure { get { return this.OnFailure; } set { this.onFailure = value; } } Possible infinite recursion inside 'OnFailure' property.
- 30. Заголовок 30 CVE • CVE® is a list of publicly known cybersecurity vulnerabilities • https://cve.mitre.org/ • List of more than 114 000 actual vulnerabilities found in applications
- 31. Заголовок 31 CVE-2012-2122 typedef char my_bool; my_bool check_scramble(const char *scramble_arg, const char *message, const uint8 *hash_stage2) { .... return memcmp(hash_stage2, hash_stage2_reassured, SHA1_HASH_SIZE); } [CWE-197] Saving the 'memcmp' function result inside the 'char' type variable is inappropriate. The significant bits could be lost breaking the program's logic.
- 32. Заголовок 32 CVE-2013-4258 if (NasConfig.DoDaemon) { openlog("nas", LOG_PID, LOG_DAEMON); syslog(LOG_DEBUG, buf); closelog(); } else { errfd = stderr; } [CWE-134] It's dangerous to call the 'syslog' function in such a manner, as the line being passed could contain format specification. The example of the safe code: printf("%s", str). Network Audio System
- 33. Заголовок 33 CVE-2014-1266 static OSStatus SSLVerifySignedServerKeyExchange(....) { .... if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0) goto fail; goto fail; if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0) goto fail; .... fail: .... } [CWE-483] The code's operational logic does not correspond with its formatting. [CWE-561] Unreachable code detected. It is possible that an error is present.
- 34. Заголовок 34 MISRA C/C++ • Motor Industry Software Reliability Association • Coding standard, which reduces the likelihood of making an error for highly dependable embedded systems • Proprietary • MISRA C 2012 contains 143 rules • MISRA C++ 2008 contains 228 rules
- 35. Заголовок 35 MISRA C/C++ (some rules) • Don’t use octal constants • Don’t use goto • Function has to be single-exit • Don’t use functions of the standard library (atof/…/abort/exit/getenv/system/…) • Don’t use dynamic allocations • Don’t use unions • Each case has to end with break or throw
- 36. Заголовок 36 MISRA C/C++ (Toyota) • NHTSA: during 2000 - 2010 years 89 people died in accidents, 57 were injured • NHTSA and NASA made an investigation • 7 134 MISRA violations are detected • Toyota denies the guilt, but pays 16 billion dollars in the pre-trial order
- 37. Заголовок 37 SEI CERT • Coding standard • Developed by CERT (CERT Coordination Center, CERT/CC) • Meant to C, C++, Java, Perl languages • Quite similar to CWE
- 38. Заголовок 38 SEI CERT (some rules) • MSC06-C: Beware of compiler optimizations • INT33-C: Ensure that division and remainder operations do not result in divide-by-zero errors • EXP33-C, EXP53-CPP: Do not read uninitialized memory • ARR01-C: Do not apply the sizeof operator to a pointer when taking the size of an array • DCL30-C: Declare objects with appropriate storage durations
- 39. Заголовок 39 Introduce and use SAST correctly • Chose an appropriate analyser • Configure it • Check a project, consider current warnings as a technical debt • Work with new warnings • Introduce SAST in CI systems • Set SAST on the machines • …. • PROFIT!!!
- 40. Заголовок 40 Mistaken beliefs related to SAST • Expensive • Not for newbies • Difficult to introduce in a large project • Silver bullet
- 41. Заголовок 41 Decrease losses • Vulnerability occurrence • Direct and indirect losses: • Exploitation by intruders • Bug bounty • Reputation • Correction • Release update $ $ $ $ $ $ $
- 42. Заголовок 42 Decrease losses • Vulnerability occurrence • Detection using SAST, correction • Direct and indirect losses: • Exploitation by intruders • Bug bounty • Reputation • Correction • Update release $ $ $ $ $ $ $
- 43. Заголовок 43 Takeaway Security issues are expensive if they get in the final product SAST tools are one of the ways to detect vulnerabilities However, we recommend using any other available methods If your company earns money using programming code, you have to think about its security