Automatic Detection of Security Vulnerabilities in Software Applications Using Static Analysis
INSTITUTE FOR DEVELOPMENT AND RESEARCH IN BANKING TECHNOLOGY

AUTOMATIC DETECTION OF SECURITY VULNERABILITIES IN SOFTWARE APPLICATIONS USING STATIC ANALYSIS

Avinash Uttav
Guide: Dr. V. Radha
Sophomore, B.Tech. Computer Science and Engineering, Indian Institute of Technology Guwahati

CERTIFICATE

This is to certify that Mr. Avinash Uttav, pursuing a B.Tech. course at the Indian Institute of Technology, Guwahati with Computer Science and Engineering as a major subject, has undertaken a project as an intern at the Institute for Development and Research in Banking Technology (IDRBT), Hyderabad from May 7th to July 9th, 2012. He was assigned the project “Automatic Detection of Security Vulnerabilities in Software Applications Using Static Analysis” under the guidance of Dr. V. Radha, Assistant Professor of IDRBT. During the course of the project he has undertaken a study of all prevailing security vulnerabilities and of the CODAN framework in Eclipse for building checkers. In this project assigned to Mr. Avinash Uttav he has done excellent work. We wish him all the best in all his endeavors.

Dr. V. Radha (Project Guide)
Assistant Professor, IDRBT, Hyderabad

ACKNOWLEDGEMENT

I would like to express my sincere gratitude to the Institute for Development and Research in Banking Technology (IDRBT) and particularly Dr. V. Radha (Assistant Professor), who was my guide in this project. This opportunity of learning the security vulnerabilities which many of the good programmers don’t know about, and the application of static analysis using CODAN in Eclipse, was a boon to me, as one rarely gets such exposure.

I would not hesitate to add that this short stint in IDRBT has added a different facet to my life, as this is a unique organization, being a combination of academics, research, technology, communication services, crucial applications, etc., and at the same time performing roles as an arm of regulation, spread of technology, facilitator for implementing technology in banking and non-banking systems, playing the role of an NGO (without being one) and many more varied activities. I want to express my sincere gratitude to Shri B. Sambamurthy, Director of IDRBT, for his great support towards all the project trainees and his great enthusiasm towards achieving academic excellence in the institute. Also the support of Dr. M. V. N. K. Prasad, Project Trainees in-charge, was overwhelming and worth appreciating. I am extremely grateful to Dr. V. Radha for her advice, innovative suggestions and supervision. I thank her for introducing me to an excellent software application and giving me the opportunity to approach diverse sections of people, from bankers to the general public. I am very thankful to Mr. Anil Kumar, M.Tech. Information Technologies at IDRBT, for helping me to get familiar with the application. He gave me a chance to study the application and its use from a different perspective. I am thankful to my college, IIT Guwahati, for giving me this golden opportunity to work in a high-end research institute like IDRBT. I am thankful to IDRBT for providing such an amazing platform for students to work in real application-oriented research. Finally, I thank one and all who made this project successful, either directly or indirectly.

Avinash Uttav
Project Trainee, Department of Information Technology, IDRBT, Hyderabad

ABSTRACT

Much of the blame for security violations goes to bad software, and that too at the coding level. Even the best security algorithms can be broken due to bad programming.
There is a need to find vulnerabilities like buffer overflows and format string bugs in software before it is deployed. If one can provide the facility to check for the presence of these vulnerabilities at the time the program is written, it helps the developer correct them then and there. We developed “checkers” using CODAN, a light-weight static analysis framework in CDT (Eclipse's C/C++ Development Tooling project). Our checkers perform real-time analysis on the abstract syntax tree of the code to find some of the format string and buffer overflow vulnerabilities in C programs. We used regular expressions for detecting printf format string vulnerabilities. We examined many buffer overflow vulnerabilities and identified three common characteristics present in them: one, data is read from an untrusted source; two, the untrusted data is insufficiently validated; and three, the untrusted data is used in a potentially vulnerable function. We have used the taint analysis technique to find buffer overflow vulnerabilities.

CONTENTS

1. Introduction
2. Software Vulnerabilities
3. Illustration of printf Format String Vulnerabilities
4. Static Analysis
5. Proposed Method
   - Detecting Format String Vulnerabilities
   - Detecting Buffer Overflow Vulnerabilities for Intrafunctional Use
   - Detecting Buffer Overflow Vulnerabilities for Interfunctional Calls
6. Implementation Details
7. Conclusion

INTRODUCTION

Software vulnerabilities are one of the main causes of security incidents in computer systems. In 2004, the United States Computer Emergency Readiness Team released 27 security alerts, 25 of which reported a critical software vulnerability [31]. Software vulnerabilities arise from deficiencies in the design of computer programs or mistakes in their implementation.
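The approach sketched in the abstract, as an added Python example rather than the report's own CODAN (Java) checkers: a line-based scanner over C source that flags a printf-family call whose format argument is not a string literal, and tracks taint from input functions (plus argv) into unbounded copy functions, so the three characteristics named above are visible in code. It assumes one call statement per line and, like the abstract's second characteristic, does not model validation, so every tainted copy is reported; the SAMPLE source is constructed for the demonstration.

```python
import re
TAINT_SOURCES = {"gets": 0, "fgets": 0, "scanf": 1, "read": 1, "recv": 1}  # arg that receives input
UNSAFE_SINKS = {"strcpy": 1, "strcat": 1, "sprintf": 2, "gets": 0}  # arg copied without bounds
COPY_INTO_ARG0 = {"strcpy", "strncpy", "strcat", "strncat", "sprintf", "snprintf"}
FORMAT_ARG = {"printf": 0, "fprintf": 1, "sprintf": 1, "snprintf": 2, "syslog": 1}
CALL_RE = re.compile(r"\b(\w+)\s*\((.*)\)\s*;")  # simplification: one call statement per line
IDENT_RE = re.compile(r"\b[A-Za-z_]\w*\b")
def split_args(text):
    """Split a C argument list on top-level commas (commas inside strings/parens stay)."""
    args, cur, depth, in_str = [], "", 0, False
    for ch in text:
        if ch == '"':
            in_str = not in_str
        elif not in_str:
            depth += (ch == "(") - (ch == ")")
            if ch == "," and depth == 0:
                args.append(cur.strip())
                cur = ""
                continue
        cur += ch
    return args + [cur.strip()] if cur.strip() else args
def idents(text):
    return set(IDENT_RE.findall(text))
def analyze(c_source):
    """Return (line, kind, function) findings; argv is treated as untrusted from the start."""
    tainted, findings = {"argv"}, []
    for lineno, line in enumerate(c_source.splitlines(), 1):
        m = CALL_RE.search(line)
        if not m:
            continue
        fn, args = m.group(1), split_args(m.group(2))
        if fn in TAINT_SOURCES:  # (1) data is read from an untrusted source
            tgt = TAINT_SOURCES[fn]
            tainted |= idents(" ".join(args[tgt:] if fn == "scanf" else args[tgt:tgt + 1]))
        idx = FORMAT_ARG.get(fn)  # the format argument must be a string literal
        if idx is not None and idx < len(args) and not args[idx].startswith('"'):
            findings.append((lineno, "format-string", fn))
        sink = UNSAFE_SINKS.get(fn)  # (2)+(3): no validation is modelled, so any tainted copy is flagged
        if sink is not None and sink < len(args) and idents(args[sink]) & tainted:
            findings.append((lineno, "buffer-overflow", fn))
        if fn in COPY_INTO_ARG0 and args and idents(" ".join(args[1:])) & tainted:
            tainted |= idents(args[0])  # taint follows the data into the destination buffer
    return findings

SAMPLE = """gets(name);
strcpy(buf, argv[1]);
strncpy(out, name, sizeof out - 1);
printf(buf);
printf("%s, %d\\n", buf, argc);
sprintf(out, "hello %s", name);"""
```

Running `analyze(SAMPLE)` reports lines 1, 2 and 6 as buffer overflows and line 4 as a format string bug, while the bounded strncpy and the literal-format printf pass.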
An example of a design flaw is the Solaris sadmind service, which allows any unprivileged user to forge their security credentials and execute arbitrary commands as root. The solution to this problem is to redesign the software and enforce the use of a stronger authentication mechanism. Vulnerabilities of this kind are harder to fix, but fortunately they are rare. Most software vulnerabilities are the result of programming mistakes, in particular the misuse of unsafe and error-prone features of the C programming language, such as pointer arithmetic, the lack of a native string type and the lack of array bounds checking. Though the causes of software vulnerabilities are not much different from the causes of software defects in general, their impact is a lot more severe. A user might be willing to save their work more often in case a program crashes, but there is little they can do to lessen the consequences of a security compromise. This makes the problem of detecting existing vulnerabilities and preventing new ones very important for all software developers.

The oldest approach to finding software vulnerabilities is manual source code auditing. As the name suggests, this method involves reading the source code of a program and looking for security problems. It is similar to the code review process common in the software engineering discipline, but it places additional requirements on the auditor. In addition to familiarity with the software architecture and source code, he or she should have considerable computer security expertise to be able to identify vulnerable code. A comprehensive source code audit requires a lot of time, and its success depends entirely on the skills of the auditor. Despite these shortcomings, many vulnerabilities have been found using this method and it is still considered one of the best approaches.

A second option is the so-called fuzz testing, or fuzzing.
This method works by feeding invalid or malformed data to a program and monitoring its responses. A segmentation fault or an unhandled exception while processing malformed input is a good indication of a vulnerability. The fuzzing data may be randomly generated, or specifically crafted to test corner cases. It can be fed to a program as command line parameters, network packets, input files, or any other way a program accepts user input. Fuzzing frameworks such as SPIKE [1] and Peach [6] allow for rapid development of new application- or protocol-specific testing tools that can then be used for vulnerability detection. The advantage of fuzzing is that it can be easily automated and used for regression testing during software development.

Runtime checking is a technique for preventing the exploitation of vulnerabilities, but it can also be used for vulnerability detection, especially in combination with fuzz testing. This method involves inserting additional checks into a program to ensure that its behavior conforms to a certain set of restrictions. For example, Mudflap [7] is a pointer use checking extension to the GCC compiler. It adds instrumentation code to potentially unsafe pointer operations in C programs and detects errors such as NULL pointer dereferencing, buffer overflows and memory leaks. ProPolice [9] is another GCC extension that uses instrumentation to protect applications from stack smashing attacks. The Microsoft Visual C++ compiler includes a similar feature. Runtime checking can help uncover vulnerabilities during fuzz testing, even if they do not result in a system crash.

A disadvantage of both fuzz testing and runtime checking is that some vulnerabilities can be triggered only under a very specific set of circumstances, which might not arise during regular use of the program. For example, exploiting an application might require sending a long sequence of specifically crafted network packets to reach a vulnerable state.
Such vulnerabilities can be found during a manual source code audit, but the process is often too time-consuming. Static source analysis tools greatly increase the efficiency of source code auditing. Tools like Flawfinder [35] and