Web Application Security and Search Engines - Beyond

OWASP Conference 2008
Application Security – The code analysis way
Maty Siman
CTO
Checkmarx
OWASP
The OWASP Foundation
http://www.owasp.org
Agenda
Algorithms and code
Data Flow Graph
Represents the flow of data through the code.
Each line of code (LOC) has its own vertex.
An edge represents a direct influence of the data in the source vertex on the data in the destination vertex (so assignment statements are the typical source vertices).
Data Flow Graph (cont.)
#include <stdio.h>

int main(void)
{
    int j = 0;
    int i = 0;
    while (i < 10) {
        if (i == 3) {
            j = j * 2;
        }
        j = j + i;
        i = i + 1;
    }
    printf("%d\n", j);
    printf("%d\n", i);
    return 0;
}
[Figure: data flow graph of main(). Vertices: Enter, j=0, i=0, while (i<10), if (i==3), j=j*2, j=j+i, i=i+1, printf(j), printf(i).]
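The edges of the graph above can be derived mechanically instead of drawn by hand: run a reaching-definitions fixpoint over the control flow graph of main() and connect every definition to each use it can reach. The Python below is an added example, not code from the presentation or from Checkmarx; the statement numbering and the CFG edge table are assumptions made here to model the slide's program.

```python
"""Reaching definitions over the CFG of the slide's main(), and the DFG edges
that follow from it.  Added illustration, not code from the presentation."""
from collections import namedtuple

Node = namedtuple("Node", "id text defines uses")

# One vertex per line of code, numbered in source order (numbering assumed here).
NODES = {
    1: Node(1, "j = 0",          "j",  ()),
    2: Node(2, "i = 0",          "i",  ()),
    3: Node(3, "while (i < 10)", None, ("i",)),
    4: Node(4, "if (i == 3)",    None, ("i",)),
    5: Node(5, "j = j * 2",      "j",  ("j",)),
    6: Node(6, "j = j + i",      "j",  ("j", "i")),
    7: Node(7, "i = i + 1",      "i",  ("i",)),
    8: Node(8, "printf(j)",      None, ("j",)),
    9: Node(9, "printf(i)",      None, ("i",)),
}
# Control flow: 3 -> 4 enters the loop body, 3 -> 8 leaves it, 7 -> 3 is the back edge.
CFG = {1: [2], 2: [3], 3: [4, 8], 4: [5, 6], 5: [6], 6: [7], 7: [3], 8: [9], 9: []}


def reaching_definitions(nodes, cfg):
    """Forward may-analysis to a fixpoint:
       IN[n]  = union of OUT[p] for predecessors p
       OUT[n] = gen[n] | (IN[n] - kill[n])
    where gen[n] is n itself if it assigns, and kill[n] is every other
    definition of the same variable.  Returns the IN sets (ids of definitions)."""
    preds = {n: [] for n in nodes}
    for src, dsts in cfg.items():
        for dst in dsts:
            preds[dst].append(src)
    ins = {n: set() for n in nodes}
    outs = {n: set() for n in nodes}
    work = list(nodes)
    while work:
        n = work.pop(0)
        ins[n] = set().union(*(outs[p] for p in preds[n]))
        var = nodes[n].defines
        if var is None:
            out = set(ins[n])
        else:
            out = {d for d in ins[n] if nodes[d].defines != var} | {n}
        if out != outs[n]:          # only re-queue successors when something changed
            outs[n] = out
            work.extend(cfg[n])
    return ins


def data_flow_edges(nodes, cfg):
    """DFG edge (d, n): definition d reaches n and n uses the variable d defines,
    i.e. the data at d directly influences the data at n."""
    ins = reaching_definitions(nodes, cfg)
    return {(d, n) for n in nodes for d in ins[n] if nodes[d].defines in nodes[n].uses}


if __name__ == "__main__":
    for d, n in sorted(data_flow_edges(NODES, CFG)):
        print(f"{NODES[d].text:>15} -> {NODES[n].text}")
```

Note what the fixpoint finds that a glance at the source does not: j=j*2 influences printf(j) only through j=j+i (there is no edge from j=j*2 to printf(j), because j=j+i always overwrites j before the loop exits), while j=j+i and i=i+1 each carry a self-edge through the back edge of the loop.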
Interprocedural Data Flow Graph
int calc(int i)
{
    return i * 2;
}

void foo()
{
    int a = calc(1);
    ++a;
    int b = calc(2);
    ++b;
}
[Figure: interprocedural data flow graph. Vertices: calc(1), calc(2), i = param, return i * 2, a = retval, b = retval, ++a, ++b. Each call site flows its argument into the parameter vertex and the return value flows back into the caller's assignment.]
Tainted value propagation
Pattern: Input → data influencing XXXX (the sink) and not sanitized by YYYY (the sanitizer).
• Can be used for many vulnerabilities:
• SQL Injection
• XSS
• Stored XSS
• Second Order SQL Injection
• Log forgery
• Some types of race condition
• LDAP Injection
• Command injection
• Directory traversal
• …
But …
Propagating taint in real code must also follow data through:
• Parameters
• Data members
• Static variables
• Events
• Globals
• Generics
• And many, many more issues
• Resolve: must the code compile?
• Direct access to the engine?
And again - SQL Injection
Parameterized queries
SqlConnection con = (acquire connection);
con.Open();
SqlCommand cmd = new SqlCommand(
    "SELECT * FROM users WHERE name = @userName", con);
cmd.Parameters.AddWithValue("@userName", userName);
SqlDataReader rdr = cmd.ExecuteReader();
more SQL Injection
What about:
data = input();
if (isValid(data))
{
    SqlCommand cmd = new SqlCommand
        ("SELECT * FROM users WHERE age = " + data, con);
}
The query is still built by concatenation; the only protection is the guard, which is a matter of control flow, not of the data flowing into the query.
Control Dependence Graph
Enhances the CFG.
Each LOC has its own vertex.
There is an edge from vertex A to vertex B (B is control dependent on A) iff whether B executes depends on the outcome of A.
Control Dependence Graph (cont.)
#include <stdio.h>

int main(void)
{
    int j = 0;
    int i = 0;
    while (i < 10) {
        if (i == 3) {
            j = j * 2;
        }
        j = j + i;
        i = i + 1;
    }
    printf("%d\n", j);
    printf("%d\n", i);
    return 0;
}
[Figure: control dependence graph of main(). Vertices: Enter, j=0, i=0, while (i<10), if (i==3), j=j*2, j=j+i, i=i+1, printf(j), printf(i). The loop body hangs off while (i<10); j=j*2 hangs off if (i==3).]
What is the benefit of super-imposing graphs?
bool b = true;
if (b)
{
    ExecuteCommand(x);
}
The CDG alone says ExecuteCommand is guarded by the if; the DFG adds that the condition is a constant, so the guard validates nothing about x.
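To make the last three slides concrete (tainted value propagation, the isValid-guarded concatenation, and the constant-true if), the following added Python example, which is not code from the presentation or from Checkmarx's engine, propagates taint along data-flow edges and consults control dependence for validation. A sink counts as validated only if the if it depends on has, in its own data flow, a validator applied to the same value that reaches the sink. The statement encoding, the kind names and the third program (the value is re-read after the check) are assumptions made here to show the rule and one way it is defeated.

```python
"""Tainted value propagation over the DFG with the CDG superimposed.
Added illustration; not the presentation's or Checkmarx's engine."""
from collections import namedtuple

# kind: source | assign | validate | branch | sink
# dep: id of the branch this statement is control dependent on (None = entry).
# Only the true branch of an if is modelled, which is all the slides need.
Stmt = namedtuple("Stmt", "id text defines uses kind dep")
Val = namedtuple("Val", "taints validates")   # sets of source statement ids
CLEAN = Val(frozenset(), frozenset())


def analyse(program):
    """Return [(sink_id, variable, unvalidated_origin_ids)] for each tainted sink argument."""
    env = {}        # variable -> Val; straight-line code, so the last definition wins
    guard = {}      # branch id -> origins the branch condition attests as validated
    findings = []
    for s in program:
        inputs = [env.get(v, CLEAN) for v in s.uses]
        taints = frozenset().union(*(v.taints for v in inputs))
        validates = frozenset().union(*(v.validates for v in inputs))
        if s.kind == "source":                  # a fresh origin of attacker data
            env[s.defines] = Val(frozenset({s.id}), frozenset())
        elif s.kind == "assign":                # constants carry nothing at all
            env[s.defines] = Val(taints, validates)
        elif s.kind == "validate":              # isValid(x): a bool vouching for x's origins
            env[s.defines] = Val(frozenset(), taints)
        elif s.kind == "branch":                # what the condition's data flow validates
            guard[s.id] = validates
        elif s.kind == "sink":
            protected = frozenset()
            dep = s.dep                         # walk up the control dependence chain
            while dep is not None:
                protected |= guard[dep]
                dep = next(p.dep for p in program if p.id == dep)
            for v, val in zip(s.uses, inputs):
                left = val.taints - protected
                if left:
                    findings.append((s.id, v, left))
    return findings


# Slide: concatenation guarded by isValid(data). The condition is split into
# its DFG vertices: the validator call and the if that consumes its result.
GUARDED = [
    Stmt(1, "data = input()",                               "data", (),        "source",   None),
    Stmt(2, "isValid(data)",                                "_c",   ("data",), "validate", None),
    Stmt(3, "if (_c)",                                      None,   ("_c",),   "branch",   None),
    Stmt(4, 'new SqlCommand("... age = " + data, con)',     None,   ("data",), "sink",     3),
]
# Slide: bool b = true; if (b) ExecuteCommand(x). The CDG alone makes the
# sink look guarded; the DFG shows the condition depends on nothing validated.
CONSTANT_GUARD = [
    Stmt(1, "x = Input()",        "x",  (),      "source", None),
    Stmt(2, "b = true",           "b",  (),      "assign", None),
    Stmt(3, "if (b)",             None, ("b",),  "branch", None),
    Stmt(4, "ExecuteCommand(x)",  None, ("x",),  "sink",   3),
]
# Beyond the slides (constructed here): the value is re-read after the check,
# so the validated origin (1) is not the one that reaches the sink (4).
REREAD = [
    Stmt(1, "data = input()",  "data", (),        "source",   None),
    Stmt(2, "isValid(data)",   "_c",   ("data",), "validate", None),
    Stmt(3, "if (_c)",         None,   ("_c",),   "branch",   None),
    Stmt(4, "data = input()",  "data", (),        "source",   3),
    Stmt(5, "Execute(data)",   None,   ("data",), "sink",     3),
]

if __name__ == "__main__":
    for name, prog in (("guarded", GUARDED), ("constant guard", CONSTANT_GUARD), ("re-read", REREAD)):
        print(name, "->", analyse(prog) or "no findings")
```

The rule is deliberately conservative: it keys validation to the origin id of the value, so a value that is re-read or replaced after the check is reported even though a purely control-flow reading of the code would call it guarded.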
Slicing
Finding a relevant subset of the application
#include <stdio.h>

int main(void)
{
    int sum = 0;
    int i = 1;
    while (i < 11)
    {
        sum = sum + i;
        i = i + 1;
    }
    printf("%d\n", sum);
    printf("%d\n", i);
    return 0;
}
CDG
[Figure: control dependence graph of the slicing example. Vertices: Start, sum = 0, i = 1, while (i<11), sum += i, ++i, printf(sum), printf(i).]
DFG
[Figure: data flow graph of the same program. Vertices: sum = 0, i = 1, while (i<11), sum += i, ++i, printf(sum), printf(i).]
(DFG+CDG)'
[Figure: the superimposed DFG and CDG over the same vertices, from which the slice is taken.]
Some security
string FixSql(string s)
{
    string res = "";
    if (...)
        res = ...;
    return res;
}

void Execute(string s)
{
    ExecuteReader(s);
}

void foo()
{
    string s1, s2, s3;
    s1 = Input();
    s2 = Input();
    s3 = FixSql(s1);
    Execute(s3);
    Execute(s2);
    Execute(s1);
    s1 = s3;
    s2 = s1;
    Execute(s1);
}
Backward slicing: starting from each Execute call, collect the statements whose data can reach it.
Forward slicing: starting from each Input() call, collect the statements its data can reach.
Chopping on "Execute": intersect the forward slice from Input() with the backward slice into Execute, leaving only the statements on the paths between the two.
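Slicing and chopping on the foo() example, as an added illustration written for this page and not code from the presentation or from Checkmarx. foo() is straight-line, so data dependence is simply "last definition reaches use"; FixSql and Execute are modelled by call-site summaries (a sanitizer whose result depends on its argument, and a sink wrapping ExecuteReader) rather than by inlining their bodies, which is an assumption made here.

```python
"""Backward/forward slicing and chopping on the slide's FixSql/Execute/foo
example.  Added illustration, not code from the presentation."""
from collections import namedtuple

# kind: source | sanitizer | sink | assign
Stmt = namedtuple("Stmt", "id text defines uses kind")

# The nine statements of foo(), transcribed from the slide; ids assumed here.
FOO = [
    Stmt(1, "s1 = Input()",    "s1", (),      "source"),
    Stmt(2, "s2 = Input()",    "s2", (),      "source"),
    Stmt(3, "s3 = FixSql(s1)", "s3", ("s1",), "sanitizer"),
    Stmt(4, "Execute(s3)",     None, ("s3",), "sink"),
    Stmt(5, "Execute(s2)",     None, ("s2",), "sink"),
    Stmt(6, "Execute(s1)",     None, ("s1",), "sink"),
    Stmt(7, "s1 = s3",         "s1", ("s3",), "assign"),
    Stmt(8, "s2 = s1",         "s2", ("s1",), "assign"),
    Stmt(9, "Execute(s1)",     None, ("s1",), "sink"),
]
BY_ID = {s.id: s for s in FOO}


def data_dependence(stmts):
    """{stmt_id: ids it directly depends on}: the DFG with its edges reversed.
    Straight-line code, so the reaching definition is simply the last assignment."""
    last_def, deps = {}, {s.id: set() for s in stmts}
    for s in stmts:
        for v in s.uses:
            if v in last_def:
                deps[s.id].add(last_def[v])
        if s.defines:
            last_def[s.defines] = s.id
    return deps


DEPS = data_dependence(FOO)                                    # backward edges
SUCC = {s.id: {t for t, d in DEPS.items() if s.id in d} for s in FOO}  # forward edges


def _closure(start, edges):
    seen, work = set(), [start]
    while work:
        n = work.pop()
        if n not in seen:
            seen.add(n)
            work.extend(edges[n])
    return seen


def backward_slice(stmt_id):
    """Every statement that can influence the value used at stmt_id."""
    return _closure(stmt_id, DEPS)


def forward_slice(stmt_id):
    """Every statement whose value is influenced by stmt_id."""
    return _closure(stmt_id, SUCC)


def chop(source_id, sink_id):
    """Statements lying on some data-flow path from source to sink."""
    return forward_slice(source_id) & backward_slice(sink_id)


def unsanitized_flows():
    """(source, sink) pairs joined by a path that never crosses a sanitizer.
    A chop that only reaches the sink through FixSql is treated as safe."""
    findings = []
    for src in (s.id for s in FOO if s.kind == "source"):
        for sink in (s.id for s in FOO if s.kind == "sink"):
            region = chop(src, sink)
            if sink not in region:
                continue
            stack, seen = [src], set()           # DFS inside the chop, avoiding sanitizers
            while stack:
                n = stack.pop()
                if n == sink:
                    findings.append((src, sink))
                    break
                if n in seen or BY_ID[n].kind == "sanitizer":
                    continue
                seen.add(n)
                stack.extend(m for m in SUCC[n] if m in region)
    return findings


if __name__ == "__main__":
    for sink in (4, 5, 6, 9):
        print(f"backward slice of '{BY_ID[sink].text}': {sorted(backward_slice(sink))}")
    for src, sink in unsanitized_flows():
        print(f"unsanitized: '{BY_ID[src].text}' -> '{BY_ID[sink].text}'")
```

Backward slicing from the final Execute(s1) reaches Input() only through s1 = s3 and FixSql, so that call is safe despite its name; Execute(s2) and the first Execute(s1) have chops that bypass the sanitizer and are the two findings. The chop is what keeps the report small: s2 = s1 is in the forward slice of the first Input() but on no path to any Execute, so it never appears.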
Q&A
Thank you
Maty Siman
[email protected]
September 2008