Dailydave mailing list archives
Re: Static Analysis part 5
From: "Rafal M. Los" <rafal () ishackingyou com>
Date: Tue, 28 Jul 2009 09:07:08 -0500
Halvar, all... I think it's even more complex than that. The whole problem with static analysis is the impact of the false positive. We take for granted that static analysis generally produces piles of false positives (the analysis is either too strict or too loose, and either way is bad), and the damage goes deeper than making that particular set of results questionable.

InfoSec generally has a hard enough time convincing developers (this is from experience, not anything else) that they have issues... but then dropping a 300-page report containing thousands of "possible" issues (whether you use a probability scale or not) further degrades the *reputation* that the InfoSec folks have with the rest of the development organization. Vetting false positives often requires a developer (or at least a compiled app to test with), meaning there is much deeper involvement needed to "get at the truth".

Then there's the issue of customer-supplied sanitization and validation routines. Tainted data is one thing, but how does a static analysis engine determine whether data that passes through Method_X(), for example, has the right level of sanitization or validation? You simply can't account for all the creative ways developers can come up with to scrub variables, and it gets worse from there...

Don't get me wrong, I think there is a place for static analysis, but the truth is that the use cases for the technology are limited. Halvar's examples illustrate a giant gaping hole in static analysis; being able to "be certain" is another huge problem. What you end up with is a report that requires a lot of further analysis, extensive vetting, and a (potential) reputational hit to the InfoSec folks... that's a cost/benefit analysis that tips heavily toward the cost side.

--
Rafal M.
Los
Security & IT Risk Strategist
- Blog: http://preachsecurity.blogspot.com
- LinkedIn: http://www.linkedin.com/in/rmlos
- Twitter: http://twitter.com/RafalLos

--------------------------------------------------
From: "Halvar Flake" <halvar () gmx de>
Sent: Monday, July 27, 2009 10:40 PM
To: "dave" <dave () immunityinc com>
Cc: <dailydave () lists immunityinc com>
Subject: Re: [Dailydave] Static Analysis part 5

Tainting / untainting is generally a difficult topic.

- If I calculate the length of a tainted string, is the result tainted?
- If I check some boundaries on this string, is the result untainted?
- What if the boundaries I checked for are wrong?

Can of worms, difficult to solve.

Cheers,
Halvar

dave wrote:
If you haven't read it yet (and you like to read things), this is worth reading:
http://samate.nist.gov/docs/NIST_Special_Publication_500-279.pdf

There are a lot of meta-questions here, like "What sorts of vulnerabilities can automated techniques really find?" Scalability is hard too. "Can we look at 4500 buffer overflow bugs to triage them?" the paper asks.

Many people don't see why it's hard to do static analysis automatically, which I think is always worth thinking about. For example, recently I was at a conference looking at a vendor's implementation of the traditional "data-flow-then-alert-on-tainted-data" algorithm (as opposed to the "solve-massive-equation-to-understand-data-constraints" style).[1] We were looking at PHP, and I couldn't for the life of me figure out why the system was alerting on a particular code path. I will reproduce it here in Python, since my PHP is weak.

    d = {}                       # define a dictionary
    d["HI"] = TAINTED_USER_DATA  # insert some tainted data; the whole dictionary is tainted now
    # stuff goes here that is not relevant (we think)
    os.system(d["BYE"])          # ALERT!

It turns out the analysis tool tainted the whole dictionary if any tainted data was inserted into it, because all the other solutions for that are... insanely complex. Maybe one of the static analysis gurus on the list knows the best way to solve that particular problem and wants to share. (Or maybe there isn't a solution for that problem, and no one wants to point that out either? :>)

-dave

[1] Scanner Pong's rules are as follows. You must use the test programs the vendor brings with them to demonstrate their static analysis tool. For each vulnerability you look at, you lose 1 point. For each vulnerability you look at that you show to be a false positive, you get 2 points. For each vulnerability you look at where the tool has missed an interesting vulnerability within 30 lines of code, you get 5 points.
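[Editorial note: Halvar's three questions above, and Rafal's point about customer-supplied sanitizers, can be made concrete with a toy taint tracker. This is a hedged sketch only: every name in it (TV, length_of, bounds_check, KNOWN_SANITIZERS, sanitize) is invented for illustration, and real engines are far more elaborate.]

```python
from dataclasses import dataclass

# Hypothetical, minimal taint tracker illustrating the three questions.
# No real tool works exactly like this; all names are invented.

@dataclass
class TV:
    """A value plus a taint flag ("is this attacker-controlled?")."""
    value: str
    tainted: bool = True

def length_of(s: TV) -> TV:
    # Q1: is the length of a tainted string tainted?  A conservative
    # engine propagates the taint (the attacker chose the length);
    # a permissive one drops it and misses length-driven bugs.
    return TV(str(len(s.value)), tainted=s.tainted)

def bounds_check(s: TV, limit: int) -> TV:
    # Q2: does a boundary check untaint?  Only if the engine decides
    # the check is sufficient.  Q3: the check itself may be wrong
    # (e.g. "<=" where the consumer really needs "<"), and the engine
    # has no way to know that.
    if len(s.value) <= limit:
        return TV(s.value, tainted=False)   # engine declares it safe
    return s

KNOWN_SANITIZERS = {"escape_html"}           # the tool's hard-coded whitelist

def sanitize(s: TV, routine: str) -> TV:
    # Rafal's point: a site-specific scrubber (say, "scrub_v2") is not
    # on the whitelist, so its output stays tainted: a guaranteed false
    # positive even when the routine is actually correct.
    if routine in KNOWN_SANITIZERS:
        return TV(s.value, tainted=False)
    return s

user = TV("<script>alert(1)</script>")
print(length_of(user).tainted)               # True: conservative answer
print(bounds_check(user, 1024).tainted)      # False, but is 1024 the right limit?
print(sanitize(user, "scrub_v2").tainted)    # True: unknown scrubber, false positive
```

Note how every design choice trades false positives against false negatives; there is no setting of these rules that avoids both, which is Rafal's cost/benefit complaint in miniature.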
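[Editorial note: one standard compromise for the dictionary problem dave describes is field sensitivity: track a taint bit per key when the key is a compile-time constant, and fall back to a single whole-container bit when it is not. A minimal sketch follows; TaintedDict and its methods are hypothetical names, not any real tool's API.]

```python
class TaintedDict:
    """Per-key taint for constant keys, one summary bit otherwise."""

    def __init__(self):
        self.per_key = {}        # taint bit per constant key
        self.summary = False     # "some unknown key may hold tainted data"

    def store(self, key, tainted, key_is_constant=True):
        if key_is_constant:
            self.per_key[key] = tainted
        else:
            # computed key: we don't know which slot it hit
            self.summary = self.summary or tainted

    def load(self, key, key_is_constant=True):
        if key_is_constant and not self.summary:
            # precise answer: only this key's own taint
            return self.per_key.get(key, False)
        # imprecise fall-back: tainted if anything in the dict might be
        return self.summary or any(self.per_key.values())

d = TaintedDict()
d.store("HI", tainted=True)             # d["HI"] = TAINTED_USER_DATA
print(d.load("BYE"))                    # False: no alert on os.system(d["BYE"])
d.store("k", tainted=True, key_is_constant=False)
print(d.load("BYE"))                    # True: a computed key forces the alert back
```

This removes the false positive on os.system(d["BYE"]) as long as every key is a literal, but it degenerates to the vendor's whole-dictionary behavior the moment any key is computed, which in a dynamic language like PHP is much of the time.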
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Static Analysis part 5 dave (Jul 27)
- Re: Static Analysis part 5 nnp (Jul 27)
- Re: Static Analysis part 5 Halvar Flake (Jul 28)
- Re: Static Analysis part 5 Rafal M. Los (Jul 28)
- Re: Static Analysis part 5 Andy Steingruebl (Jul 29)
- Re: Static Analysis part 5 Adam Shostack (Jul 29)
- Re: Static Analysis part 5 Rafal M. Los (Jul 28)