Eindhoven University of Technology MASTER Automated Security
Total Page:16
File Type:pdf, Size:1020Kb
Eindhoven University of Technology MASTER Automated security review of Java card applets with static code analysis Lie, Roberto E.A. Award date: 2012 Link to publication Disclaimer This document contains a student thesis (bachelor's or master's), as authored by a student at Eindhoven University of Technology. Student theses are made available in the TU/e repository upon obtaining the required degree. The grade received is not published on the document as presented in the repository. The required complexity or quality of research of student theses may vary by program, and the required minimum study period may vary in duration. General rights Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights. • Users may download and print one copy of any publication from the public portal for the purpose of private study or research. • You may not further distribute the material or use it for any profit-making activity or commercial gain Automated Security Review of Java Card Applets with Static Code Analysis Roberto Eliantono Adiseputra Lie August 2012 Abstract Code review is a tedious and error-prone process that can be expensive when manually done. Various tools have been developed to aid this process, mainly by using static analysis. Specific application domains such as smartcards have different unique characteristics that are not yet handled by available tools. The main idea of this study is to bring the knowledge formalized in various knowledge catalogs into the static analysis tools. In order to do so, several static analysis tools have been evaluated and two knowledge catalogs have been analyzed. From the study it was found that in general it is feasible to utilize the knowledge from the catalogs for the tools. This can be done by either creating new rulesets and/or modifying the code of the tools, depending on the tools capabilities. For knowledge catalogs that are more abstract such as principles or guidelines, the knowledge has to be translated first into more concrete rules. iii Acknowledgements My heartfelt thanks to my supervisors: Alexander Serebrenik, Cees-Bart Breunesse, Erik Poll and Marc Witteman for all their support, guidance and feedback during the course of my master’s project. Also, to the other members of the assessment committee: Ruurd Kuiper and Sandro Etalle, for their time and effort to review this work. I would also like to thank Alec Moss, Joy Marie Forsythe and Matias Madou from HP Fortify; Dirk Giesen from Parasoft; and, Maty Siman, Moni Stern and Asaph Schulman from Checkmarx for helping me obtain the appropriate permissions to use their products. I am grateful of all the information I received from many researchers across the information security, program analysis and Java Card communities. Special thanks to Eric Vétillard and Jean-Louis Lanet who have kindly answered my questions about their projects. Last but not least, I would like to thank my friends and family, whose love and support have made it possible for me to come to this point. v Contents Contents vii List of Tables x List of Figures xi List of Listings xii 1 Introduction 1 1.1 Background and Problem Description . 1 1.2 Project Goal and Scope . 2 1.3 Methodology . 2 1.4 Related Work . 2 1.5 Organization of this Report . 3 2 Preliminaries 5 2.1 Information Security . 5 2.2 Software Security . 6 2.2.1 Bugs vs Flaws . 6 2.2.2 The Three Pillars of Software Security . 7 2.3 Program Verification and Analysis . 8 2.3.1 Theorem Proving . 10 2.3.2 Model Checking . 12 2.3.3 Static Code Analysis . 12 2.4 Bug Finding . 15 2.4.1 Bug Finding Tools . 16 2.5 Verification and Bug Finding in Software Security . 16 2.6 Smartcards . 17 2.6.1 Hardware . 17 2.6.2 Communication . 19 2.6.3 Software . 21 2.7 Java Card . 22 2.7.1 GlobalPlatform . 24 2.7.2 SIM Toolkit . 24 2.8 Attacks on Smartcards . 25 2.9 Knowledge Catalogs . 26 3 Survey of Static Code Analysis Tools 27 3.1 Commercial Tools . 28 3.1.1 HP Fortify Static Code Analyzer . 28 3.1.2 Parasoft Jtest . 30 vii viii CONTENTS 3.1.3 Checkmarx CxSuite . 30 3.1.4 Other Commercial Tools . 31 3.2 Open Source Tools . 32 3.2.1 PMD . 32 3.2.2 FindBugs . 32 3.2.3 JLint . 33 3.3 Discussion . 33 4 Analysis of AFSCM’s Rules 35 4.1 Overview . 35 4.2 Analysis of the Rules . 40 4.2.1 Management Rules . 40 4.2.2 Usage of APIs and SIM Toolkit Commands and Events . 42 4.2.3 Memory Management . 45 4.2.4 Handset Resources Management . 46 4.2.5 System Management . 48 4.2.6 Exception and Error Management . 50 4.2.7 Robustness and Interoperability . 50 4.2.8 Interactions . 51 4.2.9 Developments Rules . 51 4.3 Rules–Tools Capabilities Mapping . 53 5 Analysis of Riscure Secure Application Programming Patterns 55 5.1 Overview . 55 5.2 Basic Components . 55 5.2.1 Detecting Sensitive Data . 56 5.2.2 Detecting Sensitive Operations . 56 5.2.3 Putting Everything Together: An Example . 58 5.2.4 Sensitivity Propagation . 60 5.3 Analysis of the Patterns . 63 5.4 Pattern–Tools Capabilities Mapping . 65 6 Conclusions 67 6.1 Summary . 67 6.2 Result . 67 6.3 Future Work . 69 A Code Example 71 B Java Grammar 75 B.1 Grammar Notation . 75 B.2 Lexical Grammar . 78 B.3 Syntactic Grammar . 83 B.3.1 Types and Values . 83 B.3.2 Names . 84 B.3.3 Packages . 85 B.3.4 Classes . 85 B.3.5 Interfaces . 89 B.3.6 Arrays . 91 B.3.7 Blocks and statements . 92 B.3.8 Expressions . 95 CONTENTS ix Glossary 101 Abbreviations 107 Bibliography 109 List of Tables 2.1 Examples of Bugs and Flaws . 6 2.2 Function description of smartcard electrical contacts . 18 2.3 Summary of smartcard transmission protocols . 20 3.1 Overview of the surveyed SCA Tools . 28 4.1 Overview of AFSCM rules . ..