
OWASP Conference 2008

Application Security: The code analysis way

Maty Siman, CTO, Checkmarx

OWASP
The OWASP Foundation
http://www.owasp.org

Agenda: Algorithms and code

Data Flow Graph: represents the flow of data through the code. Each line of code (LOC) has its own vertex. An edge represents a direct influence of the data in the source vertex on the data in the destination vertex (therefore assignment statements are source vertices).

Data Flow Graph (cont.)

    void main() {
        int j = 0;
        int i = 0;
        while (i < 10) {
            if (i == 3) {
                j = j * 2;
            }
            j = j + i;
            i = i + 1;
        }
        printf("%d\n", j);
        printf("%d\n", i);
    }

[Figure: data flow graph of main(). Vertices: Enter, j=0, i=0, while (i<10), if (i==3), j=j*2, j=j+i, i=i+1, printf(j), printf(i).]

Interprocedural Data Flow Graph

    void foo() {
        int a = calc(1);
        ++a;
        int b = calc(2);
        ++b;
    }

    int calc(int i) {
        return i * 2;
    }

[Figure: interprocedural data flow graph. The call-site vertices calc(1) and calc(2) flow into the parameter vertex i = param of calc(); the vertex return i * 2 flows back to a = retval and b = retval, which feed ++a and ++b.]


Tainted value propagation

Can be used for many vulnerabilities:
- SQL Injection
- XSS
- Stored XSS
- Second Order SQL Injection
- Log forgery
- Some types of race condition
- LDAP Injection
- Command injection
- Directory traversal

The common pattern: input data influencing XXXX, and not sanitized by YYYY.

But: taint also has to be followed through parameters, data members, static variables, events, globals, generics, and many, many more issues.

Resolve: must the code compile? Is there direct access to the engine?

And again: SQL Injection. Parameterized queries

    SqlConnection con = /* acquire connection */;
    con.Open();
    SqlCommand cmd = new SqlCommand("SELECT * FROM users WHERE name = @userName", con);
    cmd.Parameters.Add("@userName", userName);
    SqlDataReader rdr = cmd.ExecuteReader();

More SQL Injection. What about:

    data = input();
    if (isValid(data)) {
        SqlCommand cmd = new SqlCommand("SELECT * FROM users WHERE age = " + data, con);
    }

Control Dependence Graph: enhances the CFG. Each LOC has its own vertex. There is an edge from vertex A to vertex B iff the execution of B depends on the execution of A.

Control Dependence Graph (cont.)

    void main() {
        int j = 0;
        int i = 0;
        while (i < 10) {
            if (i == 3) {
                j = j * 2;
            }
            j = j + i;
            i = i + 1;
        }
        printf("%d\n", j);
        printf("%d\n", i);
    }

[Figure: control dependence graph of main(). Vertices: Enter, j=0, i=0, while (i<10), if (i==3), j=j*2, j=j+i, i=i+1, printf(j), printf(i).]

What is the benefit of super-imposing graphs?

    bool b = true;
    if (b) {
        ExecuteCommand(x);
    }

With the data flow graph and the control dependence graph combined, the analysis sees both that x reaches ExecuteCommand and that the call is control-dependent only on b, whose value the data flow graph resolves to the constant true.

Slicing: finding a relevant subset of the application

    void main() {
        int sum = 0;
        int i = 1;
        while (i < 11) {
            sum = sum + i;
            i = i + 1;
        }
        printf("%d\n", sum);
        printf("%d\n", i);
    }

[Figure: CDG of the slicing example. Vertices: Start, sum = 0, i = 1, while (i < 11), sum += i, ++i, printf(sum), printf(i).]

[Figure: DFG of the same program, over the same vertices.]

[Figure: DFG and CDG superimposed (DFG+CDG).]


Some security

    string FixSql(string s) {
        string res = "";
        if (...) res = ...;
        return res;
    }

    void Execute(string s) {
        ExecuteReader(s);
    }

    void foo() {
        string s1, s2, s3;
        s1 = Input();
        s2 = Input();
        s3 = FixSql(s1);
        Execute(s3);
        Execute(s2);
        Execute(s1);
        s1 = s3;
        s2 = s1;
        Execute(s1);
    }

Backward slicing: starting from each Execute(...) call, collect the statements that can influence its argument.

Forward slicing: starting from each Input() call, collect the statements that the input value can reach.

Chopping on Execute: intersect the forward slice from Input() with the backward slice from each Execute(...) call, leaving only the statements on a path from input to execution.
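The data flow graph construction from the start of the deck and the forward slice, backward slice and chop on Execute described above, worked on the deck's foo() program as an added Python example (not code from the deck or from Checkmarx's engine). The statement table, the source/sanitizer/sink roles given to Input(), FixSql() and Execute(), and the straight-line reaching-definitions rule are constructed assumptions.

```python
# Constructed straight-line model of the deck's foo(). Each entry is
# (line, variables defined, variables used, role in the taint flow).
PROGRAM = [
    (1, {"s1"}, set(),  "source"),     # s1 = Input();
    (2, {"s2"}, set(),  "source"),     # s2 = Input();
    (3, {"s3"}, {"s1"}, "sanitizer"),  # s3 = FixSql(s1);
    (4, set(),  {"s3"}, "sink"),       # Execute(s3);
    (5, set(),  {"s2"}, "sink"),       # Execute(s2);
    (6, set(),  {"s1"}, "sink"),       # Execute(s1);
    (7, {"s1"}, {"s3"}, "plain"),      # s1 = s3;
    (8, {"s2"}, {"s1"}, "plain"),      # s2 = s1;
    (9, set(),  {"s1"}, "sink"),       # Execute(s1);
]

def data_flow_edges(program):
    """DFG edges (def_line, use_line): a use is wired to the nearest earlier def."""
    edges = set()
    for idx, (line, _defs, uses, _kind) in enumerate(program):
        for var in uses:
            # Straight-line code: the nearest earlier definition reaches this use.
            for prev_line, prev_defs, _, _ in reversed(program[:idx]):
                if var in prev_defs:
                    edges.add((prev_line, line))
                    break
    return edges

def forward_slice(edges, start, stop=frozenset()):
    """Statements influenced by `start`; a `stop` node is kept but not expanded."""
    seen, work = set(), [start]
    while work:
        node = work.pop()
        if node in seen:
            continue
        seen.add(node)
        # A sanitizer is reported as reached, but taint does not flow past it.
        if node == start or node not in stop:
            work.extend(dst for src, dst in edges if src == node)
    return seen

def backward_slice(edges, start):
    """Statements that influence `start`: a forward slice over reversed edges."""
    return forward_slice({(dst, src) for src, dst in edges}, start)

def tainted_sinks(program):
    """Chop between Input() sources and Execute() sinks with FixSql() as barrier."""
    edges = data_flow_edges(program)
    lines_of = lambda kind: [ln for ln, _, _, k in program if k == kind]
    barrier = frozenset(lines_of("sanitizer"))
    tainted = set().union(*(forward_slice(edges, s, barrier) for s in lines_of("source")))
    return sorted(sink for sink in lines_of("sink") if sink in tainted)
```

Only Execute(s2) and the first Execute(s1) are reported; the final Execute(s1) is not, because s1 was reassigned from the sanitized s3 before it.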

Q&A

Thank you
Maty Siman
maty@checkmarx.com

September 2008