Interactive Static Analysis Tools for Vulnerability Discovery (Fugue)

Joxean Koret
Static Analysis Tools
●   What are they?
      –   Tools that find properties of a given piece of software without actually executing it.
      –   The “properties” I look for in this case are bugs/vulnerabilities.
●   We need good static analysis tools for performing software audits.
Why?

●   Software is becoming bigger and bigger.
●   And so, harder to analyze.
      –   Examples: Firefox, Google Chrome, MS Office...
●   Auditing software like this by hand is tedious and takes a long while.
●   Fuzzing is good for finding vulnerabilities in such big products.
      –   But it is not the solution (neither is SA, I think).
      –   It is just another useful tool.
7/04/13
Why?
●   Typical old vulnerabilities easily found by quick manual code audits are almost gone, bye-bye!
      –   strcpy, memcpy, sprintf, syslog, etc...
●   No vulnerabilities like this in highly audited code bases (except maybe sudo or freetype...).
      –   Apache, Firefox, Google Chrome...
●   We need better tools.
      –   My approach: static analysis (Fugue).
What do we need tools for?
●   For highlighting interesting, possibly error-prone areas.
      –   Thus reducing the number of areas the auditor needs to focus on.
●   For "automagically" finding known vulnerabilities.
      –   For example, bad usage of API calls.
●   For matching a vulnerability of type/pattern A found in software B in other software C.
      –   Vulnerability extrapolation.
●   ...
What do we need tools for?
●   For checking against specific rules or patterns for the software being audited.
      –   Different rules apply to each different piece of software.
      –   Vulnerabilities specific to one product.
●   For doing all of the previous things against a piece of software in either binary or source code format.
      –   Or even both.
●   For doing all of this interactively.
      –   Why is IDA the best disassembler out there?
Interactivity is key
●   We need automatic tools that can be corrected by a human.
      –   The tool will make mistakes a human can recognize.
●   We need to let the human identify and correct those mistakes “somehow”.
●   We also need a way to let the auditor decide what (s)he is interested in and what not.
Bug/Vulnerability Finding Tools
●   There are plenty of bug finding tools:
      –   Coverity, Klocwork, Fortify, CodeSonar, etc...
●   They all find different bugs.
      –   There is no tool A that finds a superset of the bugs found by B and/or C.
●   They're good at finding bugs (and some vulnerabilities).
●   But they are focused on a different audience...
      –   In my opinion, bug and vulnerability finding tools are different because of this.
Bug finding tools → Developers

●   They try to find any kind of software defect.
●   They try to minimize the complexity of alerts.
●   They try to keep the number of false positives to the minimum possible.
      –   Sometimes even dropping checkers that can find awesome bugs but whose false positive ratio is “high”.
●   They tend to remove anything the developers cannot understand or that may be too hard to understand.
      –   Otherwise, every bug would be blindly considered a false positive and the tool would end up ignored.
Vuln finding tools → Auditors
●   I'm not interested in any kind of software defect (e.g., division by zero), only in “theoretically” exploitable ones.
      –   Or perhaps yes: vulns in exception handlers...
●   I don't mind analyzing 100 false positives if for every 100 I get one awesome vulnerability.
●   I don't mind having to spend a day or a week understanding what a complex checker said if it's worth it.
      –   If it's really a vulnerability, even better.
      –   The harder it is to find, the lower the chances that somebody else has already found it.
How to do it?
●   Steps:
      –   Identify the source code
      –   Parse the source code
      –   Translate the source code
      –   Understand the program
      –   Run checkers against the program
      –   Interact with the auditor
      –   Go to “Run checkers” or “Parse the source code” again...
Identifying the source
●   A tool like this must be able to identify the source before anything else.
      –   The "source" can be either real source code (C/C++/...), disassembly or decompiled code.
●   If the tool cannot handle both source code and binaries, it will be too restricted.
●   Identifying the "source" is not as easy as it may sound at first...
      –   Correct disassembly, for example, is a problem.
      –   The auditor's interaction is required.
      –   Complete or partial source code.
           ●   Include paths, conditional compilation, etc...
Parsing the source
●   Typical misconception/false statement:

     “Parsing source code is an already solved problem”

Already solved what???
Parsing source code
●   Writing a parser for one compiler is a big task, but it can be done “easily”.
●   Writing a parser for *any* compiler's accepted source code is a huge task.
      –   You must accept and parse even malformed code.
      –   Example: MS Visual C++ precompiled headers.
           ●   You can write whatever you want before the first include.
●   A parser for just one compiler doesn't have this kind of problem.
      –   You just accept what you consider OK.
●   For finding vulnerabilities, your parser must accept anything you feed it.
Writing a parser
●   You need to parse “the source” to get the AST.
      –   Abstract Syntax Tree. More on this later...
●   I don't like to reinvent the wheel and I don't recommend you do either.
      –   Don't write your own parser.
      –   No.
      –   Really.
●   Use an existing parser that can handle as many “dialects” as possible.
“Writing” a parser
●   For my 1st prototype, I used pycparser.
      –   OK for a quick prototype, not for the final tool.
●   It would be a bad choice for many reasons, like:
      –   It only accepts well-formed C.
           ●   I wrote “filters” to “clean” the C it did not accept...
      –   It only accepts C source for which all types are known.
      –   If just one error happens during parsing, it stops and cannot recover from it.
      –   I patched it to try to recover from errors. But sometimes it is simply not possible.
“Writing” a parser
●   Fugue uses libclang. It accepts virtually anything.
      –   Very good at recovering from errors.
      –   Talking about C source code, it "swallows" almost anything.
      –   It also supports C++ and Objective-C.
●   Proven to be good in real scenarios: e.g., Klocwork uses it.
●   If you happen to have a rich uncle, the Edison Design Group C++ front end is probably the best choice.
      –   Proven to be good in real scenarios: e.g., Coverity uses it.
A “parser” for binaries
●   You need to parse "disassembly" to get the AST (Abstract Syntax Tree).
●   Parsing disassembly is, in my opinion, far easier than parsing real source code.
      –   The code is not that flexible.
●   But there are problems:
      –   Many different assemblies: ARM, 8086, 8087, AMD64, MIPS, PPC, etc...
A “parser” for binaries
●   What to do? Intermediate representations.
      –   Translators of assembly.
      –   Examples:
          ●   REIL (Zynamics).
A “parser” for binaries
●   My idea: instead of writing a translator for the processors you want, use existing tools.
      –   Decompilers. [Public] decompilers for x86 and ARM exist (Hex-Rays).
●   Using them "could be" a good idea.
      –   Hex-Rays decompilers export an API to get the AST for a function.
      –   Just what I want.
●   Problems:
      –   The decompilers are written for humans to understand the code.
      –   Not written for programs to find vulnerabilities.
      –   A bad decompiler assumption may generate a lot of false positives.
           ●   Example: GCC.
GCC and decompiled code
●   Given this example C source code, my prototype found (only) 3 errors.
GCC and decompiled code
●   However, running my tool against the decompiled code for this toy program, 4 appeared.
●   Notice the warning for the “init_proc” function.
GCC and decompiled code
●   Why this false positive? Because of a bad decompiler assumption:
●   The function “init_proc” returns void, not int.
More problems with decompilers
●   This problem is easy to identify and fix.
●   What about this one?
Source Code                Decompiled Code
Problems with decompiled code
●   It isn't a bug in the decompiler, nor a bad assumption.
●   It is a compiler optimization.
●   It is only noticeable in the real source code.
      –   Having the source code, it is very easy to identify: dead code.
●   NOTE: Having both source code and binaries, this (and other optimizations) can be detected and used.
Translating the “source”
●   No matter how, we have the AST (Abstract Syntax Tree).
      –   What is this?
Abstract Syntax Tree
●   Extracted from Wikipedia:
      “In computer science, an abstract syntax tree (AST), or just syntax tree, is a tree representation of the abstract syntactic structure of source code written in a programming language. Each node of the tree denotes a construct occurring in the source code. The syntax is 'abstract' in the sense that it does not represent every detail that appears in the real syntax.”
Example AST
●   An AST for the following code:
    while b != 0
      if a > b
        a = a - b
      else
        b = b - a
    return a
Translating the source
●   Every tool I use will have a different AST.
      –   Example: libclang and the Hex-Rays decompiler.
●   Need to translate the different ASTs supported to an internal AST format.
      –   Not hard, but tough.
●   We have it! What's next? Typical error:
      –   Why do anything else? Just use the AST for finding bugs! Let's write checkers now!
Using the AST for finding bugs
●   Do not use the AST for finding bugs.
      –   You're using the wrong tool for this task.
●   Use the AST to build the CFG.
      –   Control Flow Graph, more on this later.
●   However, ASTs are good for:
      –   Finding and enforcing specific code styles.
      –   Indenting source code.
      –   Writing source-to-source translators.
      –   ...
Using the AST
●   You have the AST for every function in either the binary or the code base you want to audit.
●   With the internal representation of the AST, many other things are still needed:
      –   The call graph of the program. Sort of easy, but not always: function pointers, virtual functions, constructors/destructors, etc...
      –   The control flow graph (CFG) of every function.
           ●   Identify basic blocks and relationships between them.
      –   ...
More things...
●   More things still needed…
      –   The super control flow graph of the program.
          ●   A call graph where every called function's CFG is expanded in the call graph.
      –   The data dependency graph of the program.
          ●   How argument A in function B travels over function C and affects var D of function E...
          ●   IMO, the hardest task.
●   Those tasks aren't easy at all.
      –   I'll explain some of them in the next slides...
Understanding the program
●   The Call Graph of the program is needed.
      –   Why? To know every possible function path in the program.
●   To build it we can, simply:
      –   Visit every node in every function's AST.
      –   Save a list of all functions referenced from every function visited.
●   That's it. The easiest way.
      –   It is not complete... But it is “good enough” to start.
Understanding the program
●   Next thing needed: the CFG (Control Flow Graph).
●   What is this? Wikipedia to the rescue:
      –   “A control flow graph (CFG) in computer science is a representation, using graph notation, of all paths that might be traversed through a program during its execution.”
Control Flow Graph
●   A CFG for the following code:
    while b != 0
      if a > b
        a = a - b
      else
        b = b - a
    return a
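The CFG the slide draws, built in code. This is an added example, not code from the talk or from Fugue: the tuple-shaped AST below is constructed for the illustration (libclang and the Hex-Rays API expose their own node types), and the builder does the step the deck leaves implicit: splitting statements into basic blocks, wiring the edges including the loop back edge, then dropping the empty join stub the naive construction leaves behind.

```python
"""Build a control flow graph (CFG) from a small statement-level AST.

Added example; the AST node shapes are constructed for this illustration
(libclang and the Hex-Rays API expose their own node types):
    ("assign", target, expr)              expr and conditions are plain strings
    ("return", expr)
    ("if", cond, then_stmts, else_stmts)  else_stmts may be []
    ("while", cond, body_stmts)
Block 0 is always the entry block.
"""
from dataclasses import dataclass, field


@dataclass
class BasicBlock:
    bid: int
    stmts: list = field(default_factory=list)  # straight-line statements
    succs: list = field(default_factory=list)  # ids of successor blocks


class CFGBuilder:
    def __init__(self):
        self.blocks = {}

    def new_block(self):
        blk = BasicBlock(len(self.blocks))
        self.blocks[blk.bid] = blk
        return blk

    def emit(self, stmts, cur):
        """Emit a statement list into `cur`; return the block control falls
        out of, or None when every path ended in a return."""
        for stmt in stmts:
            if cur is None:  # statements after a return are unreachable
                break
            cur = self._stmt(stmt, cur)
        return cur

    def _stmt(self, stmt, cur):
        kind = stmt[0]
        if kind == "assign":
            cur.stmts.append(f"{stmt[1]} = {stmt[2]}")
            return cur
        if kind == "return":
            cur.stmts.append(f"return {stmt[1]}")
            return None
        if kind == "if":
            cur.stmts.append(f"if {stmt[1]}")
            ends = []
            for branch in (stmt[2], stmt[3]):
                if branch:
                    blk = self.new_block()
                    cur.succs.append(blk.bid)
                    ends.append(self.emit(branch, blk))
                else:
                    ends.append(cur)  # no else: the condition block falls through
            ends = [e for e in ends if e is not None]
            if not ends:
                return None  # both arms returned
            join = self.new_block()
            for end in ends:
                end.succs.append(join.bid)
            return join
        if kind == "while":
            # Reuse `cur` as the loop header if it is still empty (e.g. the entry).
            header = cur if not cur.stmts else self.new_block()
            if header is not cur:
                cur.succs.append(header.bid)
            header.stmts.append(f"while {stmt[1]}")
            body = self.new_block()
            header.succs.append(body.bid)
            end = self.emit(stmt[2], body)
            if end is not None:
                end.succs.append(header.bid)  # back edge
            exit_blk = self.new_block()
            header.succs.append(exit_blk.bid)
            return exit_blk
        raise ValueError(f"unknown statement kind {kind!r}")


def compact(blocks):
    """Drop empty join stubs (no statements, one successor, not the entry)
    and point their predecessors at the stub's successor."""
    stubs = [b for b, blk in blocks.items()
             if b != 0 and not blk.stmts and len(blk.succs) == 1 and blk.succs[0] != b]
    for bid in stubs:
        target = blocks[bid].succs[0]
        for blk in blocks.values():
            blk.succs = [target if s == bid else s for s in blk.succs]
        del blocks[bid]
    return blocks


def build_cfg(stmts):
    """Return {block_id: BasicBlock} for a statement list, stubs removed."""
    builder = CFGBuilder()
    builder.emit(stmts, builder.new_block())
    return compact(builder.blocks)


def edges(blocks):
    return sorted((b.bid, s) for b in blocks.values() for s in b.succs)


# The slide's example program, as the constructed AST.
EXAMPLE_AST = [
    ("while", "b != 0", [
        ("if", "a > b", [("assign", "a", "a - b")], [("assign", "b", "b - a")]),
    ]),
    ("return", "a"),
]

if __name__ == "__main__":
    for blk in build_cfg(EXAMPLE_AST).values():
        print(f"B{blk.bid}: {blk.stmts} -> {blk.succs}")
```

On the example program this yields five blocks (loop header, the if, the two assignments, the return) with both assignment blocks looping back to the header; an if without an else exercises the fall-through edge from the condition block straight to the join.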
Understanding the program
●   Let's say, no matter how, that our tool “understands” the program:
      –   We know every possible path in the program.
      –   We know how a variable X in function Y travels and is used in the complete program.
●   The next step is to convert the code from the AST of every basic block of the CFG to another form that is easier to analyse.
      –   Why?
The AST, again...
●   We “could” write simple checkers with the CFG and the AST of every instruction of every basic block, but I do not recommend it.
      –   An AST can be very complex even for not-so-complex expressions.
      –   Example:
          ●   signed int u = (float)x * y + func()
          ●   VarDecl → Assignment → Cast → VarRef → BinaryOperator → VarRef → BinaryOperator → CallExpr.
Understanding the program
●   Something that makes the analysis easier is needed.
●   Typical forms of code aimed at making analysis easier:
      –   3AC: Three Address Code.
      –   SSA: Static Single Assignment form.
●   What are they?
Three Address Code
●   Definition by Wikipedia:
      –   “In computer science, three-address code (often abbreviated to TAC or 3AC) is a form of representing intermediate code used by compilers to aid in the implementation of code-improving transformations. Each instruction in three-address code can be described as a 4-tuple: (operator, operand1, operand2, result).”
●   Basically, every instruction is represented as “more instructions”, but each of them has only one operator, at most 2 operands and a result.
Static Single Assignment form
●   What is SSA?
      –   “Static single assignment form (often abbreviated as SSA form or simply SSA) is a property of an intermediate representation (IR), which says that each variable is assigned exactly once. Existing variables in the original IR are split into versions, new variables typically indicated by the original name with a subscript in textbooks, so that every definition gets its own version.”
●   Pretty similar to 3AC but creating different versions of the variables, instead of temporary ones.
      –   There are more differences, though...
Understanding the program
●   In my opinion, it doesn't matter which form you use:
      –   Both are good enough for the task.
●   We just need that:
      –   Every instruction does one and *only* one action.
          ●   No side effects.
      –   And every instruction has, at most, 2 operands, 1 operator and a result.
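The lowering the two definitions describe, written out. Added example, not the deck's or Fugue's code: the expression node shapes (var, const, cast, binop, call, assign) are constructed here, each instruction follows the quoted (operator, operand1, operand2, result) 4-tuple, and the SSA pass handles straight-line code only (no phi nodes). On the `signed int u = (float)x * y + func()` expression from the earlier slide, the eight-node AST chain becomes four instructions, each with one operator, at most two operands and one result; the second sample reassigns x to show how SSA splits it into x_1 and x_2.

```python
"""Lower an expression AST to three-address code (3AC), then rename into SSA.

Added example; node shapes are constructed for this illustration:
    ("var", name)  ("const", text)  ("cast", type_name, expr)
    ("binop", op, lhs, rhs)  ("call", func_name, [args])  ("assign", target, expr)
Each 3AC instruction is a 4-tuple (operator, operand1, operand2, result).
"""


class TACBuilder:
    def __init__(self):
        self.code = []
        self.temps = set()

    def _temp(self):
        name = f"t{len(self.temps)}"
        self.temps.add(name)
        return name

    def expr(self, node):
        """Emit instructions for `node`; return the operand holding its value."""
        kind = node[0]
        if kind in ("var", "const"):
            return node[1]
        if kind == "cast":
            src, res = self.expr(node[2]), self._temp()
            self.code.append(("cast", src, node[1], res))  # operand2 is the type
            return res
        if kind == "binop":
            lhs, rhs, res = self.expr(node[2]), self.expr(node[3]), self._temp()
            self.code.append((node[1], lhs, rhs, res))
            return res
        if kind == "call":
            for arg in [self.expr(a) for a in node[2]]:
                self.code.append(("param", arg, None, None))
            res = self._temp()
            self.code.append(("call", node[1], len(node[2]), res))
            return res
        raise ValueError(f"unknown expression kind {kind!r}")

    def stmt(self, node):
        target, value = node[1], self.expr(node[2])
        last = self.code[-1] if self.code else None
        if last is not None and value in self.temps and last[3] == value:
            # Let the outermost operation write the target instead of a temp.
            self.code[-1] = (last[0], last[1], last[2], target)
        else:
            self.code.append(("=", value, None, target))


def lower(stmts):
    builder = TACBuilder()
    for stmt in stmts:
        builder.stmt(stmt)
    return builder.code


def to_ssa(code):
    """Give every definition its own version (name_N). Straight-line code
    only: merging versions at CFG joins needs phi nodes, omitted here."""
    version = {}

    def use(opnd):
        # A variable read before any definition is version 0 (incoming value).
        if isinstance(opnd, str) and opnd.isidentifier():
            return f"{opnd}_{version.setdefault(opnd, 0)}"
        return opnd

    out = []
    for op, a, b, res in code:
        a2 = a if op == "call" else use(a)  # a callee name is not a variable
        b2 = b if op == "cast" else use(b)  # nor is a type name
        if res is not None:
            version[res] = version.get(res, 0) + 1
            res = f"{res}_{version[res]}"
        out.append((op, a2, b2, res))
    return out


# signed int u = (float)x * y + func()   (the expression from the earlier slide)
EXAMPLE_DECL = [("assign", "u",
                 ("binop", "+",
                  ("binop", "*", ("cast", "float", ("var", "x")), ("var", "y")),
                  ("call", "func", [])))]

# x = a + b; x = x * 2; y = x + 1   (constructed to show the versions of x)
EXAMPLE_REASSIGN = [
    ("assign", "x", ("binop", "+", ("var", "a"), ("var", "b"))),
    ("assign", "x", ("binop", "*", ("var", "x"), ("const", "2"))),
    ("assign", "y", ("binop", "+", ("var", "x"), ("const", "1"))),
]

if __name__ == "__main__":
    for ins in lower(EXAMPLE_DECL) + to_ssa(lower(EXAMPLE_REASSIGN)):
        print(ins)
```

Note that the temporaries are versioned too once `to_ssa` runs (t0 becomes t0_1), which is harmless: a temporary is written exactly once by construction, so SSA and 3AC temporaries coincide, and only real program variables such as x gain more than one version.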
Writing checkers to find vulns
●   A bug finding tool finds software defects in any part of the source.
      –   The more code you check, the better.
●   A vulnerability finding tool should not, in my opinion...
      –   Client side code: I'm not interested in stack overflows reading configuration files that I cannot influence from remote.
      –   Server side: I'm not interested in bugs related to parsing configuration files, environment variables, etc...
Writing checkers to find vulns
●   ...however, I may be interested in such bugs if I'm auditing privileged local applications.
      –   For example: any suid tool, like sudo.
●   In short:
      –   It will depend on the kind of application (or which part of the application) we're auditing.
      –   It changes from application to application.
      –   The tool must interact with the auditor.
          ●   Not the checker itself, but it must know “where”.
Writing checkers to find vulns
●   In a vulnerability finding tool we need to tell the tool what areas we're interested in.
      –   Is this a remote application? Only focus on what can be influenced from remote.
      –   Is this a local SUID binary? Focus on whatever area the user can feed input to.
●   So, what do we need? First of all, a way to tell the tool: this is the area I'm interested in.
      –   Interactivity with the auditor.
Writing checkers to find vulns
●   One example with Evince, a document viewer.
●   Running some prior versions of my tool, a curious bug was found:
Writing checkers to find vulns
●   Big mistake, as "n" comes from a font file and, instead of using Min, the developer used Max.
      –   So great. Bravo!
●   However, we cannot forge a DVI file with an embedded font (this code parses fonts) so, while an obvious bug, unfortunately it isn't a vulnerability.
●   My tool wasted time finding non remotely exploitable bugs. This is bad.
●   Interactivity is needed.
Writing checkers to find vulns
●   For this, the auditor needs to identify the program's entry point(s).
      –   Example: Find vulnerabilities starting from function "recv_data" in the call graph.
      –   “Oh, BTW, I only control arg1 and arg3, not arg2”.
●   We need a way to say: Analyze all functions called from this "data entry point".
      –   And not those completely uninteresting functions that deal with parsing local fonts, environment variables, etc... As with the Evince example.
Writing checkers to find vulns
●   Also, we need a way to let the auditor determine what an external function/function pointer does.
     –    Example: It reserves/frees memory, executes code, loads a library, etc...
●   If not, our tool will fail to find even the simplest bugs in real world scenarios.
     –    At Infiltrate 2011, Halvar Flake (Thomas Dullien) showed a bug that in his opinion cannot be handled by today's static analysis tools (because of machine state handling).
     –    I'll show you even easier examples of what cannot be handled by any current static analysis tool.
External function pointers
More problems writing checkers
Problems writing checkers
●   There are 2 types of checkers: intraprocedural and interprocedural.
●   Intraprocedural ones only check what happens inside one function.
●   Interprocedural ones check what happens when var A travels to function B and is assigned to var C, and so on, and so on...
“Hello World” checker
●   Writing a "hello world"-like checker: finding uninitialized variable usages (intraprocedural).
●   It seems easy at first. It happens to be not so easy.
●   Why?
      –   One of the many problems: path explosion.
●   Suppose we have a function F0 with 10 basic blocks and 20 edges. Analyzing all possible paths is possible in not too much time.
●   Now let's see a “sort of complex” function...
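The “hello world” checker, built as a forward data-flow analysis rather than a walk over every path. Added example, not the deck's or Fugue's code: the CFG is hand-written in the 3AC shape the deck defines (block id to instructions and successor ids), and both sample functions are constructed. Per block it computes the variables definitely assigned on every path from the entry (intersection at joins, iterated to a fixpoint), so the work grows with blocks and edges, not with the number of paths. The second sample shows the price: the read is guarded by the same condition as the write, so it is safe, yet the path-insensitive analysis still reports it, which is the kind of false positive path-sensitive analysis is meant to remove.

```python
"""Intraprocedural uninitialized-variable checker as a data-flow fixpoint.

Added example; the CFG format is constructed for this illustration:
    cfg = {block_id: {"code": [(op, operand1, operand2, result), ...],
                      "succs": [block_id, ...]}}
`result` is the variable written (None if none). Identifiers among the
operands are reads, except the callee of "call" and the type of "cast".
The entry block must have no predecessors.
"""
from collections import deque


def is_var(opnd):
    return isinstance(opnd, str) and opnd.isidentifier()


def reads(ins):
    op, a, b, _ = ins
    if op == "call":
        return []  # operand1 is the callee, operand2 the argument count
    return [x for x in ([a] if op == "cast" else [a, b]) if is_var(x)]


def writes(code):
    return {ins[3] for ins in code if ins[3] is not None}


def definitely_assigned(cfg, entry, params):
    """Per block, the variables assigned on *every* path from the entry to
    the block's start (must-analysis: intersection at joins). The cost is
    polynomial in blocks and variables, not in the number of paths."""
    all_vars = set(params) | {v for blk in cfg.values() for v in writes(blk["code"])}
    preds = {b: [] for b in cfg}
    for b, blk in cfg.items():
        for s in blk["succs"]:
            preds[s].append(b)
    # Start from the optimistic top element; intersections only shrink the
    # sets, so the worklist loop terminates at the greatest fixpoint.
    in_set = {b: set(params) if b == entry else set(all_vars) for b in cfg}
    out_set = {b: in_set[b] | writes(cfg[b]["code"]) for b in cfg}
    work = deque(b for b in cfg if b != entry)
    while work:
        b = work.popleft()
        if not preds[b]:
            continue  # unreachable block
        new_in = set.intersection(*(out_set[p] for p in preds[b]))
        new_out = new_in | writes(cfg[b]["code"])
        in_set[b] = new_in
        if new_out != out_set[b]:
            out_set[b] = new_out
            work.extend(cfg[b]["succs"])
    return in_set


def find_uninitialized_uses(cfg, entry, params):
    """Return (block, index, variable) for every read that no definite
    assignment precedes; each instruction is visited once."""
    at_entry = definitely_assigned(cfg, entry, params)
    reports = []
    for b, blk in cfg.items():
        assigned = set(at_entry[b])
        for idx, ins in enumerate(blk["code"]):
            reports.extend((b, idx, v) for v in reads(ins) if v not in assigned)
            if ins[3] is not None:
                assigned.add(ins[3])
    return reports


# int f(int c) { int x; if (c) x = 1; return x; }   -- a real bug when c == 0
TRUE_BUG_CFG = {
    0: {"code": [("if", "c", None, None)], "succs": [1, 2]},
    1: {"code": [("=", "1", None, "x")], "succs": [2]},
    2: {"code": [("return", "x", None, None)], "succs": []},
}

# int g(int c) { int x; if (c) x = 1; if (c) return x; return 0; }
# Safe (the read is guarded by the same condition as the write), but a
# path-insensitive analysis cannot correlate the two branches: false positive.
CORRELATED_CFG = {
    0: {"code": [("if", "c", None, None)], "succs": [1, 2]},
    1: {"code": [("=", "1", None, "x")], "succs": [2]},
    2: {"code": [("if", "c", None, None)], "succs": [3, 4]},
    3: {"code": [("return", "x", None, None)], "succs": []},
    4: {"code": [("return", "0", None, None)], "succs": []},
}

if __name__ == "__main__":
    print("f:", find_uninitialized_uses(TRUE_BUG_CFG, 0, ["c"]))
    print("g:", find_uninitialized_uses(CORRELATED_CFG, 0, ["c"]))
```

For an auditor this trade is usually acceptable, as the earlier slides say: a few correlated-branch false positives in exchange for a checker that finishes on the Acrobat-sized function, with the reports then narrowed by the auditor's interaction.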
Some Acrobat Reader function...
The Acrobat Reader function
●   The number of possible paths in this function is so big we cannot traverse all of them in an acceptable time.
      –   Probably, impossible.
●   We have to find solutions. One of them is “sensitive analysis”.
      –   Flow-sensitive, path-sensitive, context-sensitive.
      –   Simply, we need to make the number of paths we need to traverse smaller.
●   For this type of analysis to be possible we need to abstract all predicates in the function (remember 3AC/SSA?).
Sensitive analysis
●   How to do it? Just my opinion, one idea:
      –   Find in which basic blocks "local variables" are used and which predicates depend on them.
           ●   I'm not even talking at this point about interprocedural analysis.
      –   Find the paths between the entry point, the basic blocks where the local vars are used and the function's exit points.
      –   Then, remove all the other nodes to generate a smaller CFG. If there are unconnected nodes, add the basic blocks and relations needed to connect them.
      –   Hopefully, we will have a shorter version of the CFG with only what we need.
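The four steps above as code. Added example, not the deck's or Fugue's: the CFG is a constructed dict of block id to successor ids, `interesting` stands for the blocks an earlier pass found to define or use the local variable (that pass is not shown), and the reduction keeps the entry, the exits and the interesting blocks while contracting every other block, connecting each kept block to the kept blocks reachable through dropped ones. That is the “remove the other nodes, then reconnect” step done in one pass. `count_paths` (acyclic CFGs only) measures the gain on the constructed ten-block function: eight entry-to-exit paths become four, each surviving path standing for all original paths that treat the variable the same way.

```python
"""Shrink a CFG to the blocks relevant to one local variable.

Added example; the CFG format is constructed for this illustration:
    succs = {block_id: [successor_id, ...]}   (blocks without successors are exits)
"""


def reduce_cfg(succs, entry, interesting):
    """Keep the entry, the exits and `interesting` blocks. Every other block
    is contracted: u -> v is an edge of the result when v is reachable from
    u through dropped blocks only. Loops are fine (visited set)."""
    exits = {b for b, s in succs.items() if not s}
    kept = set(interesting) | {entry} | exits
    reduced = {}
    for u in kept:
        targets, seen, stack = [], set(), list(succs[u])
        while stack:
            n = stack.pop()
            if n in seen:
                continue
            seen.add(n)
            if n in kept:
                targets.append(n)       # stop: n survives in the reduced graph
            else:
                stack.extend(succs[n])  # pass through a dropped block
        reduced[u] = sorted(targets)
    # Drop kept blocks that the entry can no longer reach.
    reach, stack = set(), [entry]
    while stack:
        n = stack.pop()
        if n not in reach:
            reach.add(n)
            stack.extend(reduced[n])
    return {b: reduced[b] for b in sorted(reach)}


def count_paths(succs, entry):
    """Entry-to-exit paths in an acyclic CFG (a loop would make this infinite)."""
    memo = {}

    def paths_from(n):
        if n not in memo:
            memo[n] = 1 if not succs[n] else sum(paths_from(s) for s in succs[n])
        return memo[n]

    return paths_from(entry)


# Constructed function: three independent if/else diamonds in sequence.
# The local variable of interest is written in block 4 and read in block 7.
EXAMPLE_CFG = {
    0: [1, 2],   # if (c1)
    1: [3],      #   a = ...
    2: [3],      #   b = ...
    3: [4, 5],   # if (c2)
    4: [6],      #   v = 1          <- interesting
    5: [6],      #   d = ...
    6: [7, 8],   # if (c3)
    7: [9],      #   use(v)         <- interesting
    8: [9],      #   e = ...
    9: [],       # return
}

if __name__ == "__main__":
    small = reduce_cfg(EXAMPLE_CFG, 0, {4, 7})
    print("original paths:", count_paths(EXAMPLE_CFG, 0))
    print("reduced CFG:", small)
    print("reduced paths:", count_paths(small, 0))
```

The reduced graph still has a direct edge from the entry to the return, standing for every original path on which the variable is neither written nor read; a checker that only cares about block 4 and block 7 needs exactly that summary and nothing in between.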
And even more problems...
●   Suppose that we have, finally, our "hello world" intraprocedural checker.
      –   Finally! My first one took me a long time...
●   Now, we should make it interprocedural.
●   Very often, a variable is declared in a function A, travels over functions B, C, ..., until it's used in function Y.
●   We need to control "the machine state".
      –   There is no “state” but “many possible states”.
Problems, problems, problems...
●   Do you remember the path explosion problem? Think about it in intraprocedural analysis.
      –   Horrible.
●   Think about it controlling “the state”.
      –   Terrible.
●   Let's talk a bit more about the state...
Problems, problems, problems...

●   How many possible machine states may we have?
      –   We cannot control all of them. Impossible.
      –   Possible paths depend on machine states so, again, we cannot control all the possible paths.
      –   We may guess the limits and try partial solutions.
           ●   Predicate abstraction, opaque predicates, etc..., and symbolic execution.
Symbolic execution
●   During symbolic execution we try to find out whether a particular state S0 is possible for function F0 (let's say we're only talking about intraprocedural analysis).
●   We can abstract the predicates and the computational operations that affect them, and generate formulae whose satisfiability is proved using a SAT/SMT solver.
      –   Some people say it isn't the way to go... (e.g. Coverity).
      –   Others do use this approach (Goanna, for example).
      –   I really don't know.
Fugue: Current state, future directions and goals


●   Current state: far from finished.
●   I don't really know when I'll finish it, if at all. Really.
      –   But... I would like to release “something” in one year.
●   Anyway, even if I finish it... I can't be sure it will find awesome bugs.
      –   But it amazes me that even the most rudimentary (current & past) versions of the tool actually find real bugs.
Questions?




An important characteristic of a test suite that is computed by a dynamic ana...
 
Half-automatic Compilable Source Code Recovery
Half-automatic Compilable Source Code RecoveryHalf-automatic Compilable Source Code Recovery
Half-automatic Compilable Source Code Recovery
 
Spaghetti gate
Spaghetti gateSpaghetti gate
Spaghetti gate
 
PHP - Introduction to PHP Bugs - Debugging
PHP -  Introduction to  PHP Bugs - DebuggingPHP -  Introduction to  PHP Bugs - Debugging
PHP - Introduction to PHP Bugs - Debugging
 
Static-Analysis-in-Industry.pptx
Static-Analysis-in-Industry.pptxStatic-Analysis-in-Industry.pptx
Static-Analysis-in-Industry.pptx
 
A Bonus to the "Three Interviews About Static Analyzers" Article, or Intervie...
A Bonus to the "Three Interviews About Static Analyzers" Article, or Intervie...A Bonus to the "Three Interviews About Static Analyzers" Article, or Intervie...
A Bonus to the "Three Interviews About Static Analyzers" Article, or Intervie...
 
Are 64-bit errors real?
Are  64-bit errors real?Are  64-bit errors real?
Are 64-bit errors real?
 
An ideal static analyzer, or why ideals are unachievable
An ideal static analyzer, or why ideals are unachievableAn ideal static analyzer, or why ideals are unachievable
An ideal static analyzer, or why ideals are unachievable
 
0136 ideal static_analyzer
0136 ideal static_analyzer0136 ideal static_analyzer
0136 ideal static_analyzer
 
Debugging
DebuggingDebugging
Debugging
 
Fuzzing - Part 2
Fuzzing - Part 2Fuzzing - Part 2
Fuzzing - Part 2
 
Searching for bugs in Mono: there are hundreds of them!
Searching for bugs in Mono: there are hundreds of them!Searching for bugs in Mono: there are hundreds of them!
Searching for bugs in Mono: there are hundreds of them!
 
Konstantin Knizhnik: static analysis, a view from aside
Konstantin Knizhnik: static analysis, a view from asideKonstantin Knizhnik: static analysis, a view from aside
Konstantin Knizhnik: static analysis, a view from aside
 
Code Camp NYC 2017 - How to deal with everything... | Chris Ozog - Codesushi
Code Camp NYC 2017 - How to deal with everything... | Chris Ozog - Codesushi Code Camp NYC 2017 - How to deal with everything... | Chris Ozog - Codesushi
Code Camp NYC 2017 - How to deal with everything... | Chris Ozog - Codesushi
 
PHP Mega Meetup, Sep, 2020, Anti patterns in php
PHP Mega Meetup, Sep, 2020, Anti patterns in phpPHP Mega Meetup, Sep, 2020, Anti patterns in php
PHP Mega Meetup, Sep, 2020, Anti patterns in php
 
What every C++ programmer should know about modern compilers (w/ comments, AC...
What every C++ programmer should know about modern compilers (w/ comments, AC...What every C++ programmer should know about modern compilers (w/ comments, AC...
What every C++ programmer should know about modern compilers (w/ comments, AC...
 
Good programming
Good programmingGood programming
Good programming
 
War of the Machines: PVS-Studio vs. TensorFlow
War of the Machines: PVS-Studio vs. TensorFlowWar of the Machines: PVS-Studio vs. TensorFlow
War of the Machines: PVS-Studio vs. TensorFlow
 

More from RootedCON

Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro VillaverdeRooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro VillaverdeRootedCON
 
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...RootedCON
 
Rooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amadoRooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amadoRootedCON
 
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_RootedCON
 
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...RootedCON
 
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...RootedCON
 
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...RootedCON
 
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguerRooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguerRootedCON
 
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...RootedCON
 
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRootedCON
 
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...RootedCON
 
Rooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molinaRooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molinaRootedCON
 
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...RootedCON
 
Rooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRootedCON
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRootedCON
 
Rooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRootedCON
 
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...RootedCON
 
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...RootedCON
 
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRootedCON
 
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRootedCON
 

More from RootedCON (20)

Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro VillaverdeRooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
 
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
 
Rooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amadoRooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amado
 
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
 
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
 
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
 
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
 
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguerRooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
 
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
 
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
 
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
 
Rooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molinaRooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molina
 
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
 
Rooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopez
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
 
Rooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jara
 
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
 
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
 
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
 
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
 

Recently uploaded

What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 

Recently uploaded (20)

What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 

Joxean Koret - Interactive Static Analysis Tools for Vulnerability Discovery [Rooted CON 2013]

What do we need tools for?
●   For checking against specific rules or patterns for the software being audited.
      –   Different rules apply to every different piece of software.
      –   Vulnerabilities specific to one product.
●   For doing all of the previous things against software in either binary or source code format.
      –   Or even both.
●   For doing all of this interactively.
      –   Why is IDA the best disassembler out there?

Interactivity is key
●   We need automatic tools that can be corrected by a human.
      –   The tool will make mistakes a human can recognize.
●   We need to let the human identify and correct those mistakes “somehow”.
●   We also need a way to let the auditor decide what (s)he is interested in and what (s)he is not.

Bug/Vulnerability Finding Tools
●   There are plenty of bug finding tools:
      –   Coverity, Klocwork, Fortify, CodeSonar, etc...
●   They all find different bugs.
      –   There is no tool A that finds a superset of the bugs found by B and/or C.
●   They're good at finding bugs (and some vulnerabilities).
●   But they are focused on a different audience...
      –   In my opinion, bug finding tools and vulnerability finding tools are different because of this.

Bug finding tools → Developers
●   They try to find any kind of software defect.
●   They try to minimize the complexity of alerts.
●   They try to reduce the number of false positives to the minimum possible.
      –   Sometimes even dropping checkers that can find awesome bugs but whose false positive ratio is “high”.
●   They tend to remove anything the developers cannot understand or that would be too hard to understand.
      –   Otherwise, every bug would blindly be considered a false positive and the tool would finally be ignored.

Vuln finding tools → Auditors
●   I'm not interested in any kind of software defect (e.g., division by zero), only “theoretically” exploitable ones.
      –   Or perhaps yes: vulns in exception handlers...
●   I don't mind analyzing 100 false positives if for every 100 I get one awesome vulnerability.
●   I don't mind spending a day or a week understanding what a complex checker said if it's worth it.
      –   If it's really a vulnerability, even better.
      –   The harder it is to find, the lower the chances that somebody else already found it.

How to do it?
●   Steps:
      –   Identify the source code
      –   Parse the source code
      –   Translate the source code
      –   Understand the program
      –   Run checkers against the program
      –   Interact with the auditor
      –   Go to “Run checkers” or “Parse the source code” again...
Identifying the source
●   A tool like this must be able to identify the source before anything else.
      –   The "source" can be either real source code (C/C++/...), disassembly code or decompiled code.
●   If the tool cannot handle both source code and binaries, the tool will be too restricted.
●   Identifying the "source" is not as easy as it may sound at first...
      –   Correct disassembly, for example, is a problem.
      –   The auditor's interaction is required.
      –   Complete or partial source code.
          ●   Include paths, conditional compilation, etc...

Parsing the source
●   Typical misconception/false statement: “Parsing source code is an already solved problem”

Parsing source code
●   Writing a parser for one compiler is a big task, but it can be done “easily”.
●   Writing a parser for *any* compiler's accepted source code is a huge task.
      –   You must accept and parse even malformed code.
      –   Example: MS Visual C++ precompiled headers.
          ●   You can write whatever you want before the first include.
●   A parser for just one compiler doesn't have these kinds of problems.
      –   You just accept what you consider OK.
●   For finding vulnerabilities, your parser must accept anything you feed it.

Writing a parser
●   You need to parse “the source” to get the AST.
      –   Abstract Syntax Tree. More on this later...
●   I don't like to reinvent the wheel, and I don't recommend you do either.
      –   Don't write your own parser.
      –   No.
      –   Really.
●   Use an existing parser that can handle as many “dialects” as possible.

“Writing” a parser
●   For my 1st prototype, I used pycparser.
      –   OK for a quick prototype, not for the final tool.
●   It would be a bad choice for many reasons, like:
      –   It only accepts well-formed C.
          ●   I wrote “filters” to “clean” the C it did not accept...
      –   It only accepts C source for which all types are known.
      –   If just one error happens during parsing, it stops and cannot recover from it.
      –   I patched it to try to recover from errors. But sometimes it is simply not possible.

“Writing” a parser
●   Fugue uses libclang. It accepts virtually anything.
      –   Very good at recovering from errors.
      –   Talking about C source code, it "swallows" almost anything.
      –   Also supports C++ and Objective-C.
●   Proven to be good in real scenarios: e.g., Klocwork uses it.
●   If you happen to have a rich uncle, the Edison Design Group C++ frontend is probably the best choice.
      –   Proven to be good in real scenarios: e.g., Coverity uses it.

A “parser” for binaries
●   You need to parse "disassembly" to get the AST (Abstract Syntax Tree).
●   Parsing disassembly is, in my opinion, far easier than parsing real source code.
      –   The code is not that flexible.
●   But there are problems:
      –   Many different assembly languages: ARM, 8086, 8087, AMD64, MIPS, PPC, etc...

A “parser” for binaries
●   What to do? Intermediate representations.
      –   Translators of assembly.
      –   Examples:
          ●   REIL (Zynamics).

A “parser” for binaries
●   My idea: instead of writing a translator for the processors you want, use existing tools.
      –   Decompilers. [Public] decompilers for x86 and ARM exist (Hex-Rays).
●   Using them "could be" a good idea.
      –   Hex-Rays decompilers export an API to get the AST for a function.
      –   Just what I want.
●   Problems:
      –   The decompilers are written for humans to understand the code.
      –   Not written for programs to find vulnerabilities.
      –   A bad decompiler assumption may generate a lot of false positives.
          ●   Example: GCC.
23. GCC and decompiled code
●   Given this example C source code, my prototype found (only) 3 errors.

24. GCC and decompiled code
●   However, running my tool against the decompiled code for this toy program, 4 appeared.
●   Notice the warning for the “init_proc” function.

25. GCC and decompiled code
●   Why this false positive? Because of a bad decompiler assumption:
●   The function “init_proc” returns void, not int.

26. More problems with decompilers
●   This problem is easy to identify and fix.
●   What about this one?
      [Side-by-side figure: Source Code / Decompiled Code]

27. Problems with decompiled code
●   It isn't a bug in the decompiler, nor a bad assumption.
●   It is a compiler optimization.
●   It is only noticeable in real source code.
      –   Having the source code, it is very easy to identify: dead code.
●   NOTE: Having both source code and binaries, this (and other optimizations) can be detected and used.

28. Translating the “source”
●   No matter how, we have the AST (Abstract Syntax Tree).
      –   What is this?

29. Abstract Syntax Tree
●   Extracted from Wikipedia: “In computer science, an abstract syntax tree (AST), or just syntax tree, is a tree representation of the abstract syntactic structure of source code written in a programming language. Each node of the tree denotes a construct occurring in the source code. The syntax is 'abstract' in the sense that it does not represent every detail that appears in the real syntax.”

30. Example AST
●   An AST for the following code:

      while b != 0
          if a > b
              a = a - b
          else
              b = b - a
      return a
31. Translating the source
●   Every tool I use will have a different AST.
      –   Example: libclang and the Hex-Rays decompiler.
●   Need to translate the different ASTs supported to an internal AST format.
      –   Not hard. But tough.
●   We have it! What's next? Typical error:
      –   Why do anything else? Just use the AST for finding bugs! Let's write checkers now!

32. Using the AST for finding bugs

33. Using the AST for finding bugs
●   Do not use the AST for finding bugs.
      –   You're using the wrong tool for this task.
●   Use the AST to build the CFG.
      –   Control Flow Graph, more on this later.
●   However, ASTs are good for:
      –   Finding and enforcing specific code styles.
      –   Indenting source code.
      –   Writing source-to-source translators.
      –   ...

34. Using the AST
●   You have the AST for every function in either the binary or the code base you want to audit.
●   With the internal representation of the AST, many other things are still needed:
      –   The call graph of the program. Sort of easy, but not always: function pointers, virtual functions, constructors/destructors, etc...
      –   The control flow graph (CFG) of every function.
            ●   Identify basic blocks and the relationships between them.
      –   ...

35. More things...
●   More things still needed...
      –   The super control flow graph of the program.
            ●   A call graph where every called function's CFG is expanded in the call graph.
      –   The data dependency graph of the program.
            ●   How argument A in function B travels over function C and affects var D of function E...
            ●   IMO, the hardest task.
●   Those tasks aren't easy at all.
      –   I'll explain some of them in the next slides...

36. Understanding the program
●   The Call Graph of the program is needed.
      –   Why? To know every possible function path in the program.
●   To build it we can, simply:
      –   Visit every node in every function's AST.
      –   Save a list of all functions referenced from every function visited.
●   That's it. The easiest way.
      –   It is not complete... But it is “good enough” to start.
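The recipe above (walk every function's AST, record every function it references) written out as an added example; this is not Fugue's code nor from the slides. Python's standard `ast` module stands in for the libclang/Hex-Rays ASTs, and the sample program (`recv_data`, `parse_header`, `decode`, `load_config`) is constructed for the example. It also shows where the "easiest way" is incomplete: a call through a variable (a function pointer in C terms) cannot be resolved by name and is recorded as "<indirect>". The reachability helper is the "analyze only what is called from this data entry point" idea from the later slides.

```python
import ast

# Constructed sample program (not from the slides): a remote data entry point,
# the parser it calls, and an unrelated local-config code path.
SAMPLE = '''
def recv_data(sock):
    buf = read_packet(sock)           # external function, not defined here
    handler = dispatch_table[buf[0]]  # a "function pointer" loaded from a table
    handler(buf)                      # call through it: the target is not a name
    parse_header(buf)

def parse_header(buf):
    return decode(buf[1:])

def decode(data):
    return data

def load_config(path):
    return parse_header(open(path).read())
'''


def build_call_graph(source):
    """Map every function defined in `source` to the set of callees it references.

    Visits every node of every function's AST and records the functions
    referenced.  A call whose target is a parameter or local variable cannot be
    resolved by name and is recorded as "<indirect>"; the same goes for method
    calls.  That is exactly why this simple call graph is "not complete".
    """
    tree = ast.parse(source)
    graph = {}
    for fn in ast.walk(tree):
        if not isinstance(fn, ast.FunctionDef):
            continue
        local_names = {a.arg for a in fn.args.args}
        local_names |= {n.id for n in ast.walk(fn)
                        if isinstance(n, ast.Name) and isinstance(n.ctx, ast.Store)}
        callees = set()
        for node in ast.walk(fn):
            if not isinstance(node, ast.Call):
                continue
            target = node.func
            if isinstance(target, ast.Name) and target.id not in local_names:
                callees.add(target.id)
            else:
                callees.add("<indirect>")
        graph[fn.name] = callees
    return graph


def reachable_from(graph, entry):
    """Functions reachable from `entry` through the call graph.

    Restricting checkers to this set is the "analyze everything called from
    this data entry point" idea.  Names not defined in the program (external
    functions) and unresolved indirect calls simply stop the walk.
    """
    seen, work = set(), [entry]
    while work:
        fn = work.pop()
        if fn in seen or fn not in graph:
            continue
        seen.add(fn)
        work.extend(graph[fn])
    return seen


if __name__ == "__main__":
    g = build_call_graph(SAMPLE)
    for fn, callees in sorted(g.items()):
        print(f"{fn} -> {sorted(callees)}")
    print("reachable from recv_data:", sorted(reachable_from(g, "recv_data")))
```

Run stand-alone it prints each function's callees and the set reachable from `recv_data`; `load_config` is not in that set, which is the point of choosing an entry point. The `<indirect>` entries are the places where the auditor has to tell the tool what the pointer can target.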
37. Understanding the program
●   Next thing needed: the CFG (Control Flow Graph).
●   What is this? Wikipedia to the rescue:
      –   “A control flow graph (CFG) in computer science is a representation, using graph notation, of all paths that might be traversed through a program during its execution.“

38. Control Flow Graph
●   A CFG for the following code:

      while b != 0
          if a > b
              a = a - b
          else
              b = b - a
      return a

39. Understanding the program
●   Let's say, no matter how, that our tool “understands” the program:
      –   We know every possible path in the program.
      –   We know how a variable X in function Y travels and is used in the complete program.
●   The next step is to convert the code from the AST of every basic block of the CFG to another form that is easier to analyse.
      –   Why?

40. The AST, again...
●   We “could” write simple checkers with the CFG and the AST of every instruction of every basic block, but I do not recommend it.
      –   An AST can be very complex even for not-so-complex expressions.
      –   Example:
            ●   signed int u = (float)x * y + func()
            ●   VarDecl → Assignment → Cast → VarRef → BinaryOperator → VarRef → BinaryOperator → CallExpr.

41. Understanding the program
●   Something that makes the analysis easier is needed.
●   Typical forms of code aimed at making analysis easier:
      –   3AC: Three Address Code.
      –   SSA: Static Single Assignment form.
●   What are they?

42. Three Address Code
●   Definition by Wikipedia:
      –   “In computer science, three-address code (often abbreviated to TAC or 3AC) is a form of representing intermediate code used by compilers to aid in the implementation of code-improving transformations. Each instruction in three-address code can be described as a 4-tuple: (operator, operand1, operand2, result).“
●   Basically, every instruction is represented as “more instructions”, but each of them will only have one operator, 2 operands at most and a result.

44. Static Single Assignment form
●   What is SSA?
      –   “Static single assignment form (often abbreviated as SSA form or simply SSA) is a property of an intermediate representation (IR), which says that each variable is assigned exactly once. Existing variables in the original IR are split into versions, new variables typically indicated by the original name with a subscript in textbooks, so that every definition gets its own version.”
●   Pretty similar to 3AC, but creating different versions of the variables instead of temporary ones.
      –   There are more differences, though...

45. Understanding the program
●   In my opinion, it doesn't matter which form you use:
      –   Both are good enough for the task.
●   We just need that:
      –   Every instruction does one and *only* one action.
            ●   No side effects.
      –   And every instruction has, at most, 2 operands, 1 operator and a result.
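An added example (not from the slides or from Fugue) that lowers the slide's expression `signed int u = (float)x * y + func()` from an AST into three-address 4-tuples `(operator, operand1, operand2, result)`, and then renames a straight-line 3AC sequence into SSA versions. Python's `ast` module again stands in for the C AST, so the cast is written as the call `float(x)`; the operator names (`cast`, `call`, `param`, `=`) and the temporary/version naming are this example's own conventions, not Fugue's.

```python
import ast

# Operators that map one-to-one onto a three-address instruction.
BINOPS = {ast.Add: "+", ast.Sub: "-", ast.Mult: "*", ast.Div: "/"}
CASTS = {"float", "int"}      # a call to one of these stands in for a C-style cast
LABEL_OPS = {"cast", "call"}  # operand1 is a type or function name, not a variable


def to_3ac(source):
    """Lower simple `name = expr` Python assignments into three-address code.

    Every instruction is a 4-tuple (operator, operand1, operand2, result) with at
    most two operands, one operator and one result.  Nested sub-expressions are
    flattened through fresh temporaries t1, t2, ... so that each instruction
    does one and only one thing.
    """
    code = []
    counter = 0

    def fresh():
        nonlocal counter
        counter += 1
        return f"t{counter}"

    def emit(op, a, b, result):
        code.append((op, a, b, result))
        return result

    def lower(node):
        if isinstance(node, ast.Name):
            return node.id
        if isinstance(node, ast.Constant):
            return repr(node.value)
        if isinstance(node, ast.BinOp):
            a = lower(node.left)
            b = lower(node.right)
            return emit(BINOPS[type(node.op)], a, b, fresh())
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            name = node.func.id
            if name in CASTS and len(node.args) == 1:
                return emit("cast", name, lower(node.args[0]), fresh())
            for arg in node.args:            # one "param" instruction per argument
                emit("param", lower(arg), None, None)
            return emit("call", name, None, fresh())
        raise NotImplementedError(ast.dump(node))

    for stmt in ast.parse(source).body:
        if not (isinstance(stmt, ast.Assign) and len(stmt.targets) == 1
                and isinstance(stmt.targets[0], ast.Name)):
            raise NotImplementedError("only `name = expr` statements are lowered")
        emit("=", lower(stmt.value), None, stmt.targets[0].id)
    return code


def to_ssa(code):
    """Rename a straight-line 3AC sequence into SSA form.

    Each definition gets a new version (a_1, a_2, ...), uses refer to the latest
    version, and variables never defined in the sequence (inputs) are version 0.
    Only straight-line code is handled: joining control flow would need phi nodes.
    """
    versions = {}

    def use(v):
        if not (isinstance(v, str) and v.isidentifier()):
            return v                      # constant or empty operand
        return f"{v}_{versions.setdefault(v, 0)}"

    def define(v):
        if v is None:
            return None
        versions[v] = versions.get(v, 0) + 1
        return f"{v}_{versions[v]}"

    ssa = []
    for op, a, b, result in code:
        a2 = a if op in LABEL_OPS else use(a)   # uses are renamed before the def
        b2 = use(b)
        ssa.append((op, a2, b2, define(result)))
    return ssa


if __name__ == "__main__":
    for ins in to_3ac("u = float(x) * y + func()"):
        print(ins)
    print("--- SSA ---")
    for ins in to_ssa(to_3ac("a = x + 1\na = a * 2\nb = a - x")):
        print(ins)
```

The first run turns the eight-node AST chain from the previous slide into five flat instructions; the second shows why SSA helps a checker: after renaming, `a_1` and `a_2` are different names, so the question "which assignment does this use see?" is answered by the name itself.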
46. Writing checkers to find vulns
●   A bug finding tool finds software defects in any part of the source.
      –   The more code you check, the better.
●   A vulnerability finding tool should not, in my opinion...
      –   Client side code: I'm not interested in stack overflows reading configuration files that I cannot influence from remote.
      –   Server side: I'm not interested in bugs related to parsing configuration files, environment variables, etc...

47. Writing checkers to find vulns
●   ...however, I may be interested in such bugs if I'm auditing privileged local applications.
      –   For example: any suid tool, like sudo.
●   In short:
      –   It will depend on the kind of application (or which part of the application) we're auditing.
      –   It changes from application to application.
      –   The tool must interact with the auditor.
            ●   Not the checker itself, but it must know “where”.

48. Writing checkers to find vulns
●   In a vulnerability finding tool we need to tell the tool what areas we're interested in.
      –   Is this a remote application? Only focus on what can be influenced from remote.
      –   Is this a local SUID binary? Focus on whatever area the user can feed input to.
●   So, what do we need? First of all, a way to tell the tool: this is the area I'm interested in.
      –   Interactivity with the auditor.

49. Writing checkers to find vulns
●   One example with Evince, a document viewer.
●   Running some prior versions of my tool, a curious bug was found:

50. Writing checkers to find vulns
●   Big mistake, as "n" comes from a font file and, instead of using Min, the developer used Max.
      –   So great. Bravo!
●   However, we cannot forge a DVI file with an embedded font (this code parses fonts) so, while an obvious bug, unfortunately, it isn't a vulnerability.
●   My tool wasted time finding non remotely exploitable bugs. This is bad.
●   Interactivity is needed.

51. Writing checkers to find vulns
●   For this, the auditor needs to identify the program's entry point(s).
      –   Example: Find vulnerabilities starting from function "recv_data" in the call graph.
      –   “Oh, BTW, I only control arg1 and arg3, not arg2”.
●   We need a way to say: analyze all functions called from this "data entry point".
      –   And not those completely uninteresting functions that deal with parsing local fonts, environment variables, etc... As with the Evince example.

52. Writing checkers to find vulns
●   Also, we need a way to let the auditor determine what an external function/function pointer does.
      –   Example: It reserves/frees memory, executes code, loads a library, etc...
●   If not, our tool will fail to find even the simplest bugs in real world scenarios.
      –   In Infiltrate 2011, Halvar Flake (Thomas Dullien) showed a bug that, in his opinion, cannot be handled by today's static analysis tools (because of machine state handling).
      –   I'll show you even easier examples of what cannot be handled by any current static analysis tool.
55. More problems writing checkers

56. Problems writing checkers
●   There are 2 types of checkers: intraprocedural and interprocedural.
●   Intraprocedural ones only check what happens inside one function.
●   Interprocedural ones check what happens when var A travels to function B and is assigned to var C, and so on, and so on...

57. “Hello World” checker
●   Writing a "hello world" like checker: finding uninitialized variable usages (intraprocedural).
●   Seems to be easy at first. Happens to be not so easy.
●   Why?
      –   One of the many problems: path explosion.
            ●   Suppose we have a function F0 with 10 basic blocks and 20 edges. Analyzing all possible paths is possible in not too much time.
            ●   Now let's see a “sort of complex” function...

58. Some Acrobat Reader function...

59. The Acrobat Reader function
●   The number of possible paths in this function is so big we cannot traverse all of them in an acceptable time.
      –   Probably, impossible.
●   We have to find solutions. One of them is “sensitive analysis”.
      –   Flow-sensitive, path-sensitive, context-sensitive.
      –   Simply, we need to make the number of paths we need to traverse smaller.
●   For this type of analysis to be possible we need to abstract all predicates in the function (remember 3AC/SSA?).

60. Sensitive analysis
●   How to do it? Just my opinion, one idea:
      –   Find in what basic blocks "local variables" are used and what predicates depend on them.
            ●   I'm not even talking at this point about interprocedural analysis.
      –   Find the paths between the entry point, the basic blocks where the local vars are used and the function's exit points.
      –   Then, remove all the other nodes to generate a smaller CFG. If there are unconnected nodes, add the basic blocks and relations needed to connect them.
      –   Hopefully, we will have a shorter version of the CFG with only what you need.
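The "hello world" checker from slide 57, written as an added example (not Fugue's code, not from the slides) over a CFG whose basic blocks hold the 3AC tuples from the earlier slides. It also addresses the path explosion problem of slides 57 to 60 from a different angle than the CFG-slimming idea above: instead of walking paths at all, it runs a forward "may be uninitialized" dataflow analysis with a worklist, so each block is revisited only while the facts flowing into it keep growing. The CFG representation (`{"code": [...], "succ": [...]}`), the operator names, and the `diamond_chain` test program are all constructed for this example.

```python
from collections import deque

# A function's CFG: block name -> {"code": [3AC tuples], "succ": [successor names]}.
# Instructions are (operator, operand1, operand2, result), as on the 3AC slides.
LABEL_OPS = {"call", "cast"}   # operand1 names a function or a type, not a variable


def uses_and_defs(instr):
    """Variables read by, and the variable written by, one 3AC instruction."""
    op, a, b, result = instr
    operands = (None if op in LABEL_OPS else a, b)
    uses = [v for v in operands if isinstance(v, str) and v.isidentifier()]
    return uses, result


def locals_of(cfg, params):
    """Every variable the function defines or reads, minus its parameters."""
    names = set()
    for block in cfg.values():
        for instr in block["code"]:
            uses, result = uses_and_defs(instr)
            names.update(uses)
            if result:
                names.add(result)
    return names - set(params)


def find_uninitialized(cfg, entry, params):
    """Intraprocedural "may be uninitialized" checker as a forward dataflow analysis.

    IN[block] holds the locals that may still be unassigned on *some* path into
    the block (join = union).  A block is re-queued only when a predecessor grows
    its IN set, so the work is bounded by blocks x edges x locals rather than by
    the number of paths.  Returns (sorted warnings, number of block visits).
    """
    state = {name: set() for name in cfg}
    state[entry] = locals_of(cfg, params)        # nothing is assigned at entry
    work, seen, visits = deque([entry]), set(), 0
    while work:
        name = work.popleft()
        visits += 1
        maybe_uninit = set(state[name])
        for instr in cfg[name]["code"]:
            _, result = uses_and_defs(instr)
            maybe_uninit.discard(result)         # an assignment kills the fact
        for succ in cfg[name]["succ"]:
            if succ not in seen or not maybe_uninit <= state[succ]:
                state[succ] |= maybe_uninit
                seen.add(succ)
                work.append(succ)

    warnings = set()                             # report pass over the fixpoint
    for name, block in cfg.items():
        maybe_uninit = set(state[name])
        for instr in block["code"]:
            uses, result = uses_and_defs(instr)
            warnings.update((name, v) for v in uses if v in maybe_uninit)
            maybe_uninit.discard(result)
    return sorted(warnings), visits


def count_paths(cfg, entry, exit_):
    """Number of distinct entry->exit paths in an acyclic CFG (memoised count)."""
    memo = {}

    def paths(name):
        if name == exit_:
            return 1
        if name not in memo:
            memo[name] = sum(paths(s) for s in cfg[name]["succ"])
        return memo[name]

    return paths(entry)


def diamond_chain(n):
    """Constructed CFG: n consecutive if/else diamonds, 2**n paths in total.

    `x` is assigned only on the first "then" arm but read at the exit, so it may
    be uninitialized along every path that takes the first "else" arm.
    """
    cfg = {"entry": {"code": [("=", "0", None, "i")], "succ": ["c0"]}}
    for k in range(n):
        join = f"c{k + 1}" if k + 1 < n else "exit"
        then_code = [("=", "1", None, "x")] if k == 0 else [("+", "i", "1", "i")]
        cfg[f"c{k}"] = {"code": [("<", "i", "n", f"t{k}")], "succ": [f"then{k}", f"else{k}"]}
        cfg[f"then{k}"] = {"code": then_code, "succ": [join]}
        cfg[f"else{k}"] = {"code": [("-", "i", "1", "i")], "succ": [join]}
    cfg["exit"] = {"code": [("+", "x", "i", "r"), ("ret", "r", None, None)], "succ": []}
    return cfg


if __name__ == "__main__":
    cfg = diamond_chain(20)
    print("entry->exit paths:", count_paths(cfg, "entry", "exit"))
    warnings, visits = find_uninitialized(cfg, "entry", params=["n"])
    print("warnings:", warnings, "after", visits, "block visits")
```

With 20 diamonds there are 2^20 paths, yet the checker settles after a few dozen block visits and still reports the one real finding, `x` read in `exit`. The price is precision: a may-analysis cannot tell that two predicates are correlated, which is where the predicate abstraction and symbolic execution of the later slides come in.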
61. And even more problems...
●   Suppose that we have, finally, our "hello world" intraprocedural checker.
      –   Finally! My first one took me a lot of time...
●   Now, we should make it interprocedural.
●   Very often, a variable is declared in a function A, travels over functions B, C, ..., until it's used in function Y.
●   We need to control "the machine state".
      –   There is no “state” but “many possible states”.

62. Problems, problems, problems...
●   Do you remember the path explosion problem? Think about it in intraprocedural analysis.
      –   Horrible.
●   Think about it controlling “the state”.
      –   Terrible.
●   Let's talk a bit more about the state...

63. Problems, problems, problems...
●   How many possible machine states may we have?
      –   We cannot control all of them. Impossible.
      –   Possible paths depend on machine states so, again, we cannot control all the possible paths.
      –   We may guess the limits and try partial solutions.
            ●   Predicate abstraction, opaque predicates, etc..., and symbolic execution.

64. Symbolic execution
●   During symbolic execution we try to find out whether a particular state S0 is possible for function F0 (let's say we're only talking about intraprocedural analysis).
●   We can abstract the predicates and the computational operations that affect them, and generate formulae to prove satisfiability using a SAT/SMT solver.
      –   Some people say it isn't the way to go... (e.g. Coverity).
      –   Others do use this approach (Goanna, for example).
      –   I really don't know.

65. Fugue: Current state, future directions and goals
●   Current state: far from finished.
●   I don't really know when I'll finish it, if at all. Really.
      –   But... I would like to release “something” in one year.
●   Anyway, even if I finish it... I can't be sure it will find awesome bugs.
      –   But it amazes me that even the most rudimentary (current & past) versions of the tool actually find real bugs.