Interactive Static Analysis for Early Detection of Software Vulnerabilities - OWASP

Transcription

Interactive Static Analysis for Early Detection of Software Vulnerabilities
Bill Chu, Jun Zhu
Department of Software and Information Systems
University of North Carolina at Charlotte
billchu, jzhu16@uncc.edu
With contributions from Jing Xie and Heather Lipford
10/26/12
(c) Bill Chu and Jun Zhu. All rights reserved. October 2012

Overview
- Software vulnerabilities are a major contributor to information security problems
- Education and training
  - Gap between conceptual understanding of secure programming and its practice
- Static and dynamic analysis tools
  - Reactive
  - Analysis is performed after the application is developed, which makes the identified issues more costly to fix
  - Used by security professionals, who are not familiar with application details

Our Approach: Interactive Static Analysis
- A mixed-initiative, developer-oriented paradigm for interacting with developers to aid in the detection and prevention of vulnerabilities
- Developer in the "security loop"
- Advantages
  - Proactive support for developers with vulnerability detection and prevention
  - Leverage the developer's knowledge about application context and logic to drive customized security analysis
  - Identify and fix vulnerabilities during the development phase, which saves a great deal of money and time

Interactive Static Analysis
- Interactive data flow analysis: a programmer would be warned and assisted with properly handling untrusted data
- Interactive control flow analysis: a programmer would be warned and assisted with properly enforcing security policies, e.g. access control policies

Agenda for this talk
- Quick overview of ASIDE (part of the ASIDE talk at AppSec 2011)
- New results
- Current research

Prototype
- Eclipse plug-in for Java, named ASIDE
- Integrates static analysis into the Integrated Development Environment (IDE)
- Design rationales
  - Recognition instead of recall, a key HCI design principle
  - Minimize extra burden on the developer
  - Customize security analysis by soliciting application knowledge from the developer (e.g. business logic, application context)
  - Support best secure software development practice, e.g. using a trusted library such as OWASP ESAPI

ASIDE Demo
- ASIDE stands for Application Security in Integrated Development Environment
- Based on Eclipse Java Development Tooling (JDT)
- Two major features
  - Interactive data flow analysis
  - Interactive control flow analysis

Interactive Data Flow Analysis
- Policy-driven
- Takes advantage of existing popular data flow analysis algorithms
- Reminds and assists the developer to fix each taint source through automatic validation/encoding code refactoring
- Instant re-analysis of the related data flow once the developer fixes a tainted source
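The slide above describes the analysis only at the level of policy, taint sources, sinks and refactoring. The following is an added example (not ASIDE's code) that shows the same loop on a constructed straight-line program: forward taint propagation from request parameters to an HTML sink and an SQL sink, a sanitizer table in which parsing to a boolean declassifies the value (the "harmless Boolean" false positive from the later slide), and a `fix_source` step that routes a source through an encoder and re-analyses immediately. The `Stmt` representation, the policy table and the ESAPI names used as labels are all assumptions of this example, not the plug-in's internal format.

```python
"""Toy interactive data flow (taint) analysis in the style of ASIDE.

Added example, not ASIDE's code. The program under analysis is a constructed
straight-line intermediate representation (one Stmt per line) rather than a
JDT AST, and the source/sink/sanitizer policy table is hypothetical; the
ESAPI encoder names are used only as labels.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Policy (constructed). A value fresh from a source is unsafe for every sink
# class; a sanitizer removes the classes it covers. Parsing to a boolean yields
# a harmless value, which is why "debug" below never becomes a finding.
SOURCES = {"request.getParameter", "request.getHeader"}
SINKS = {"response.write": "html", "stmt.executeQuery": "sql"}
SANITIZERS = {
    "ESAPI.encoder().encodeForHTML": {"html"},
    "ESAPI.encoder().encodeForSQL": {"sql"},
    "Boolean.parseBoolean": {"html", "sql"},
}
ALL_CLASSES: FrozenSet[str] = frozenset(SINKS.values())


@dataclass(frozen=True)
class Stmt:
    target: Optional[str]          # variable assigned; None for a sink call
    call: str                      # function called
    args: Tuple[str, ...] = ()     # variables passed in


@dataclass(frozen=True)
class Taint:
    classes: FrozenSet[str]        # sink classes the value is still unsafe for
    sources: FrozenSet[int]        # lines where the untrusted data entered


def analyze(program: List[Stmt]) -> List[dict]:
    """Forward taint propagation; returns one finding per unsafe sink argument."""
    taint: Dict[str, Taint] = {}
    findings: List[dict] = []
    for line, s in enumerate(program):
        if s.call in SOURCES:
            taint[s.target] = Taint(ALL_CLASSES, frozenset({line}))
            continue
        if s.call in SINKS:
            cls = SINKS[s.call]
            for a in s.args:
                t = taint.get(a)
                if t is not None and cls in t.classes:
                    findings.append({"line": line, "sink": s.call, "var": a,
                                     "sources": sorted(t.sources)})
            continue
        if s.target is None:
            continue
        arg_taints = [taint[a] for a in s.args if a in taint]
        if not arg_taints:
            taint.pop(s.target, None)          # assigned a clean value
            continue
        classes = frozenset().union(*(t.classes for t in arg_taints))
        classes -= SANITIZERS.get(s.call, set())
        sources = frozenset().union(*(t.sources for t in arg_taints))
        if classes:
            taint[s.target] = Taint(classes, sources)
        else:
            taint.pop(s.target, None)          # fully sanitized for every sink
    return findings


def fix_source(program: List[Stmt], line: int, sanitizer: str) -> Tuple[List[Stmt], List[dict]]:
    """ASIDE-style refactoring: route the source's value through `sanitizer`
    right after it is read, then re-analyse the program straight away.
    Lines after the insertion shift down by one."""
    src = program[line]
    fixed = list(program)
    fixed.insert(line + 1, Stmt(src.target, sanitizer, (src.target,)))
    return fixed, analyze(fixed)


# Constructed program: two request parameters, an XSS sink and an SQL sink.
PROGRAM: List[Stmt] = [
    Stmt("name", "request.getParameter"),              # 0: taint source
    Stmt("flag", "request.getParameter"),              # 1: taint source
    Stmt("debug", "Boolean.parseBoolean", ("flag",)),  # 2: harmless boolean
    Stmt("greeting", "String.concat", ("name",)),      # 3: taint propagates
    Stmt(None, "response.write", ("greeting",)),       # 4: HTML sink (XSS)
    Stmt(None, "stmt.executeQuery", ("name",)),        # 5: SQL sink (injection)
    Stmt(None, "response.write", ("debug",)),          # 6: clean
]

if __name__ == "__main__":
    print("initial:", analyze(PROGRAM))
    fixed, findings = fix_source(PROGRAM, 0, "ESAPI.encoder().encodeForHTML")
    print("after HTML encoding of name:", findings)    # SQL sink still unsafe
    fixed, findings = fix_source(fixed, 0, "ESAPI.encoder().encodeForSQL")
    print("after SQL encoding too:", findings)
```

The second re-analysis is the point worth noticing: encoding `name` for HTML silences the XSS finding but leaves the SQL finding, because a sanitizer only clears the sink class it was written for. The "instant re-analysis" on the slide is what lets the developer see that immediately instead of after the next full scan.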

Interactive Control Flow Analysis
- Identify critical/sensitive operation code
  - Database access functions
  - Identify "use case"/transaction-level routines that lead to accessing protected data (e.g. a statement within a Servlet/Action for Java web applications)
- Solicit control logic checks from the developer via point-and-click annotations

Point-and-click Annotation
- Point-and-click fashion to minimize the extra burden on developers
- What is a valid annotation?
  - A set of logic tests, or an assertion (e.g. Spring Security)
  - On an execution path from web entry to data access point
- Leveraged to drive customized security analysis
- Could be kept for code review

Security Analysis Based on Annotation
- Unchecked access path
  - There might be an execution path from web entry to data access point without an access control check
(Diagram: Web entry point -> Access control check -> Data access point; an execution path that reaches the data access point while skipping the access control check is a potential access bypass)

Evaluation on Interactive Data Flow Analysis
- Target project: Apache Roller 3.0.0
  - 65K lines of code
  - Full-featured blog server (1.8M hits on Google for "powered by Apache Roller")
- Comparison base: Fortify SCA based code review
- This is joint work with John Melton (OWASP AppSensor)
- Jing Xie, Bill Chu, Heather Lipford, John Melton, "IDE Support for Web Application Security", 27th Annual Conference on Application of Computer Security, 2011 (acceptance rate: 18%)

Validation/Encoding of Untrusted Data
- 922 Fortify issues caused by 143 taint sources
  - Primitive data type (e.g. java.lang.String)
  - Composite data type (e.g. java.util.Map)
  - Variables that require output encoding always result from untrusted data
- ASIDE identified 131 of 143 (92%) taint sources
- Taint sources of composite data type: 41
- 12 issues not detected by ASIDE
  - JSP (not yet implemented in the prototype)
  - Framework binding
    - Delayed binding (implementing the Dependency Injection design pattern)

False Positives of ASIDE
- ASIDE reported 118 more taint sources of primitive data types
  - Potentially exploitable (94): validating them is practicing defensive security
  - False positive (24)
- False positive example 1: untrusted input is used for a logic test
- False positive example 2: untrusted input is parsed into a harmless Boolean value

Evaluation on Interactive Control Flow Analysis
- Detected zero-day vulnerabilities in Apache Roller 5.0
- Seven Cross-Site Request Forgery vulnerabilities found in Apache Roller 5.0 (CVE-2012-2380)
- All earlier versions are also vulnerable
- Verified by penetration testing
- Following our report, the Apache Roller team released Apache Roller 5.0.1 with a security fix (http://rollerweblogger.org/project/entry/roller 501 security fix)

CSRF in Creating Weblog Entry
(Screenshot) The developer is warned and instructed to find and annotate the control logic for the database update operation

CSRF in Creating Weblog Entry
(Screenshot) There are only authentication checks, no CSRF prevention checks. The developer will recognize this issue after reading the instruction attached to the warning.
The developer is warned and instructed to find and annotate the control logic for the database update operation

ASIDE for Education
- Teaching secure programming in universities is challenging
  - Most faculty, like developers, focus on subject matter instead of code security
  - Most faculty have no experience with secure programming
  - Secure programming needs to be reinforced throughout the program
- How about using ASIDE?
  - Most universities use Java and Eclipse for many of their assignments
  - ASIDE can be configured as an aid to teach students about best secure programming practices
    - Educating students about software vulnerabilities and secure programming
    - Grading aids for professors
- ASIDE for education demo

Preliminary Results
- 20 graduate students with no secure programming training
  - Worked on their programming assignment in the lab using Eclipse/Java for 3 hours
  - Students were tested on their secure programming knowledge (a set of true/false questions)
- Average score increased by 10.3 after using ASIDE
  - Average pre-test score: 53.03
  - Average post-test score: 63.33
  - The differences between pre- and post-test scores are statistically significant
- All students clicked on warnings, read secure programming material, and used ASIDE functions to improve code security
- None of the students used prepared SQL statements to start with
- After being warned by ASIDE, 25% of the students switched to prepared statements, even though doing so would not increase their grades
- Zhu, J., Lipford, H. R., Chu, B., "Interactive Support for Secure Programming Education", SIGCSE 2013

Current Research on Interactive Static Analysis Algorithm Development
- Three threads
  - Main thread
  - Interactive data flow analysis
  - Interactive control flow analysis
(Diagram: the Interactive Data Flow Analysis job, the Interactive Control Flow Analysis job and the Main Thread are built on the Eclipse Jobs Framework and the Eclipse JDT Framework)

ASIDE Main Thread
- Main thread (UI thread) rationales
  - Creates the event loop for the user interface (UI)
  - The only thread that is allowed to interact with the UI
  - All events in the user interface are executed one after another
- To keep the UI responsive, analysis work is put in two other separate threads (jobs)

ASIDE Analysis Jobs
- Interactive data flow analysis
- Interactive control flow analysis
- Run in the background
- Can be scheduled and synchronized with the main thread

UI Events
(Diagram: the developer makes changes to the code or interacts with warnings; these UI events go to the Main Thread; a Compilation Participant asks "Defined AST changes?"; if yes, a request to update warnings is sent to the Interactive Control Flow Analysis and Interactive Data Flow Analysis jobs)
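The three slides above (main thread, analysis jobs, UI events) describe the threading design without code. The following is an added example, not ASIDE's code, that models that design in Python: a queue-backed main loop that is the only code allowed to touch the warnings table, two `threading.Thread` analysis jobs that post their results back as events, and a compilation participant that reschedules the jobs only when its digest of the normalised source changes. The Eclipse Jobs framework and the JDT `CompilationParticipant` are replaced by these stand-ins, the two analysers are deliberately simple placeholders for the real analyses, and the Java snippet is constructed.

```python
"""Main thread plus background analysis jobs, in the style of ASIDE's threading.

Added example, not ASIDE's code. Eclipse's Jobs framework and the JDT
CompilationParticipant are stood in for by a queue-backed main loop,
threading.Thread jobs and a digest of the whitespace-stripped source; the two
analysers are placeholders for the real data flow and control flow analyses.
"""
import hashlib
import queue
import threading
from typing import Callable, Dict, List


class MainThread:
    """The only place allowed to touch the UI (here: the warnings table)."""

    def __init__(self) -> None:
        self.events: "queue.Queue[Callable[[], None]]" = queue.Queue()
        self.warnings: Dict[str, Dict[str, List[str]]] = {}   # file -> job -> warnings

    def post(self, event: Callable[[], None]) -> None:
        """Called from any thread; the event runs later, on the main thread."""
        self.events.put(event)

    def run_pending(self) -> int:
        """Execute queued UI events one after another; returns how many ran."""
        ran = 0
        while True:
            try:
                event = self.events.get_nowait()
            except queue.Empty:
                return ran
            event()
            ran += 1


class AnalysisJob(threading.Thread):
    """Background job: runs the analysis off the UI thread, posts the result back."""

    def __init__(self, name: str, analyse: Callable[[str], List[str]],
                 main: MainThread, path: str, source: str) -> None:
        super().__init__(name=name, daemon=True)
        self.analyse, self.main, self.path, self.source = analyse, main, path, source

    def run(self) -> None:
        result = self.analyse(self.source)
        # Never write self.main.warnings here: hand the update to the main thread.
        self.main.post(lambda: self.main.warnings.setdefault(self.path, {})
                       .__setitem__(self.name, result))


def data_flow_analyse(source: str) -> List[str]:
    """Placeholder: flag request parameters that never pass through an encoder."""
    return [f"line {i}: untrusted getParameter value is not encoded"
            for i, line in enumerate(source.splitlines(), 1)
            if "getParameter(" in line and "encodeFor" not in line]


def control_flow_analyse(source: str) -> List[str]:
    """Placeholder: flag database updates in a routine with no annotated access check."""
    if "isAuthenticated(" in source:
        return []
    return [f"line {i}: database update without an annotated access control check"
            for i, line in enumerate(source.splitlines(), 1)
            if "executeUpdate(" in line]


class CompilationParticipant:
    """On each reconcile, decides whether the AST changed and, if so, reschedules both jobs."""

    def __init__(self, main: MainThread) -> None:
        self.main = main
        self.digests: Dict[str, str] = {}

    @staticmethod
    def ast_digest(source: str) -> str:
        # Stand-in for comparing JDT ASTs: whitespace-only edits leave the digest unchanged.
        return hashlib.sha256("".join(source.split()).encode()).hexdigest()

    def reconcile(self, path: str, source: str) -> List[AnalysisJob]:
        digest = self.ast_digest(source)
        if self.digests.get(path) == digest:
            return []                      # no AST change: keep existing warnings
        self.digests[path] = digest
        jobs = [AnalysisJob("data-flow", data_flow_analyse, self.main, path, source),
                AnalysisJob("control-flow", control_flow_analyse, self.main, path, source)]
        for job in jobs:
            job.start()
        return jobs


# Constructed Java snippet the developer is editing.
SAMPLE = """String name = request.getParameter("name");
response.getWriter().write(name);
stmt.executeUpdate("INSERT INTO entry VALUES ('" + name + "')");
"""

if __name__ == "__main__":
    main, participant = MainThread(), CompilationParticipant(main)
    for job in participant.reconcile("WeblogEntry.java", SAMPLE):
        job.join()
    main.run_pending()
    print(main.warnings)
```

The property the slides care about is visible in the order of operations: even after both jobs have finished, the warnings table is untouched until the main thread drains its event queue, so the UI is never updated from a worker thread, and a whitespace-only edit does not trigger a second round of analysis.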

Path Coverage Analysis
- Interactive control flow analysis is designed to detect code vulnerabilities resulting from failure to check for security policies (invariants)
- Once annotations are provided by developers, path coverage analysis can be performed to detect additional vulnerabilities
- Jing Xie, Bill Chu, Heather Lipford, John Melton, "IDE Support for Web Application Security", 27th Annual Conference on Application of Computer Security, 2011 (acceptance rate: 18%)

Example of Path Coverage Analysis
(Code screenshot; the transcribed caption begins mid-word:) ...thenticator is vulnerable to authentication bypass.

(Screenshot) ASIDE raises a question at Line 53


(Screenshot) The developer annotates control checks for the data access point
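The "unchecked access path" slide and the path coverage slides above describe the analysis in words and screenshots. The following is an added example, not ASIDE's or Apache Roller's code, that implements the same idea on a constructed control flow graph: every acyclic path from a web entry point to a data access point is enumerated, the policies enforced by annotated checks on that path are collected, and any policy the data access point requires but the path never checks is reported. It also shows the two situations the talk describes: a path that has only an authentication check and no CSRF check, and a second entry point that reaches the data access point with no check at all. The node names, policy names and graph are all assumptions of this example; the real analysis works on JDT call and control flow information.

```python
"""Path coverage analysis over a toy control flow graph, in the style of ASIDE.

Added example, not ASIDE's or Apache Roller's code. The graph, node names
and policy names below are constructed; the real analysis runs on Eclipse
JDT call/control flow information for Java web applications.
"""
import copy
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass
class Node:
    name: str
    kind: str = "stmt"                    # "entry", "check", "access" or "stmt"
    policies: Set[str] = field(default_factory=set)
    # For a "check" node: the policies it enforces (supplied by annotation).
    # For an "access" node: the policies that must hold before it executes.


@dataclass(frozen=True)
class Finding:
    entry: str
    access: str
    path: Tuple[str, ...]
    missing: FrozenSet[str]               # required policies never checked on this path


def simple_paths(graph: Dict[str, List[str]], start: str, goal: str) -> List[List[str]]:
    """Enumerate acyclic paths from start to goal by depth-first search."""
    paths: List[List[str]] = []
    stack = [(start, [start])]
    while stack:
        node, path = stack.pop()
        if node == goal:
            paths.append(path)
            continue
        for succ in graph.get(node, []):
            if succ not in path:          # loops are not re-entered
                stack.append((succ, path + [succ]))
    return paths


def unchecked_paths(nodes: Dict[str, Node], graph: Dict[str, List[str]]) -> List[Finding]:
    """Report every entry-to-data-access path that misses a required policy check."""
    findings: List[Finding] = []
    for entry in (n for n in nodes.values() if n.kind == "entry"):
        for access in (n for n in nodes.values() if n.kind == "access"):
            for path in simple_paths(graph, entry.name, access.name):
                enforced: Set[str] = set()
                for name in path:
                    if nodes[name].kind == "check":
                        enforced |= nodes[name].policies
                missing = access.policies - enforced
                if missing:
                    findings.append(Finding(entry.name, access.name, tuple(path), frozenset(missing)))
    return findings


def annotate(nodes: Dict[str, Node], name: str, policies: Set[str]) -> Dict[str, Node]:
    """Developer's point-and-click annotation: declare that `name` enforces `policies`."""
    annotated = copy.deepcopy(nodes)
    annotated[name].kind = "check"
    annotated[name].policies = set(policies)
    return annotated


# Constructed program, loosely modelled on creating a weblog entry.
NODES: Dict[str, Node] = {
    "WeblogEntryAction.save": Node("WeblogEntryAction.save", "entry"),
    "WeblogEntryAction.saveDraft": Node("WeblogEntryAction.saveDraft", "entry"),
    "isAuthenticated": Node("isAuthenticated", "check", {"authn"}),
    "checkCsrfToken": Node("checkCsrfToken"),            # present but not yet annotated
    "validateForm": Node("validateForm"),
    "redirectToLogin": Node("redirectToLogin"),
    "WeblogEntryManager.saveWeblogEntry": Node(
        "WeblogEntryManager.saveWeblogEntry", "access", {"authn", "csrf"}),
}
GRAPH: Dict[str, List[str]] = {
    "WeblogEntryAction.save": ["isAuthenticated"],
    "isAuthenticated": ["checkCsrfToken", "redirectToLogin"],
    "checkCsrfToken": ["validateForm"],
    "WeblogEntryAction.saveDraft": ["validateForm"],   # skips every check
    "validateForm": ["WeblogEntryManager.saveWeblogEntry"],
}

if __name__ == "__main__":
    for f in unchecked_paths(NODES, GRAPH):
        print(f"{f.entry} -> {f.access}: missing {sorted(f.missing)} via {' -> '.join(f.path)}")
    print("after annotating checkCsrfToken:")
    for f in unchecked_paths(annotate(NODES, "checkCsrfToken", {"csrf"}), GRAPH):
        print(f"{f.entry} -> {f.access}: missing {sorted(f.missing)} via {' -> '.join(f.path)}")
```

Before annotation the analysis credits only `isAuthenticated`, so the `save` path is reported as missing the CSRF policy (the situation in the Roller screenshots) and the `saveDraft` path as missing both. Annotating `checkCsrfToken` clears the first finding and leaves the second, which is the unchecked access path the earlier diagram calls a potential access bypass.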

Applicability to OWASP Top 10

Type of Analysis                  | OWASP Top 10
Interactive Data Flow Analysis    | Injection (1), XSS (2), Unvalidated Redirects and Forwards (10)
Interactive Control Flow Analysis | Broken Authentication (3), Insecure Direct Object Reference (4), CSRF (5), Unvalidated Redirects and Forwards (10)

Conclusions
- Interactive Static Analysis could discover common web application vulnerabilities
- Interactive Static Analysis could significantly reduce the effort of finding and fixing vulnerabilities
- Interactive Static Analysis could find vulnerabilities not found easily by current static analysis tools
- Interactive Static Analysis could assist professional developers/students in writing more secure code

Future Work
- Completely implement interactive control flow analysis, and evaluate it against an active open source project
- Perform a user study to evaluate developers' behavior and reaction to ASIDE interactive control flow analysis
- Perform a user study with ASIDE deployed in the real-world workspace of developers

Thank You!
- Acknowledgement
  - National Science Foundation funding
  - Fortify education license
  - Jing Xie's implementation of the first version of ASIDE
- Your input
- https://www.owasp.org/index.php/OWASP ASIDE Project#tab Main