Secure Software Development and Code Analysis Tools
Global Information Assurance Certification Paper

Copyright SANS Institute

Author Retains Full Rights

This paper is taken from the GIAC directory of certified professionals. Reposting is not permitted without express written permission.


© SANS Institute 2000 - 2005, Author retains full rights.


GIAC Certification: Practical Assignment v1.4b, Option 1

Secure Software Development and Code Analysis Tools

Author: Thien La

Date: September 30th, 2002


Table of Contents

Summary ........ 4
Code Reviews ........ 5
Secure Programming Guidelines ........ 5
  General Guidelines ........ 5
    Input Validation ........ 5
    SQL Statements ........ 6
    Commented Code ........ 6
    Error Messages ........ 6
    URL Contents ........ 7
    Setuid Programs ........ 7
    Strip Binary Files ........ 7
  Perl ........ 7
    Taint Checking ........ 8
    The Safe Module ........ 8
    The Warnings (-w) Switch ........ 9
    Setting the PATH Variable ........ 9
  Java ........ 9
    Printing Messages to Standard Out ........ 9
    Encapsulation ........ 9
    Policy Files ........ 10
  C/C++ ........ 11
    Buffer Overflows ........ 11
    Format String Attacks ........ 11
    Executing External Programs ........ 12
    Race Conditions ........ 12
    Checking for Valid Return Codes ........ 13
Source Code Analysis Tools ........ 13
  PScan ........ 14
    Conclusion on PScan ........ 15
  Flawfinder ........ 15
    Conclusion on Flawfinder ........ 16
  RATS (Rough Auditing Tool for Security) ........ 16
    Conclusion on RATS ........ 17
  Splint (Secure Programming Lint) ........ 17
    Conclusion on Splint ........ 18
  ESC/Java (Extended Static Checking for Java) ........ 18
    Conclusion on ESC/Java ........ 19
  MOPS (MOdelchecking Programs for Security properties) ........ 19
    The hello.c Example ........ 20
    Conclusion on MOPS ........ 21


Conclusion ........ 21
Appendix A - Source Code and Scan Results ........ 23
  Figure 1: test.c ........ 23
  Figure 2: Pscan results for test.c ........ 27
  Figure 3: FlawFinder results for test.c ........ 27
  Figure 4: RATS results for test.c ........ 32
  Figure 5: Splint Results for test.c ........ 34
  Figure 6: ESC/Java results for telnet.java ........ 38
  Figure 7: hello.c ........ 48
  Figure 8: hello.tra ........ 48
Resources ........ 50


Summary

The first half of this document discusses secure coding techniques. The main languages chosen to facilitate the discussion are Perl, Java, and C/C++. These were chosen due to their popularity and extended usage in the software development community. This document does not give an elaborate overview of what makes a secure application. That is, it is assumed that the reader has an understanding of the general concepts of authentication, authorization, input validation, logging, error handling, and other application security concepts, and why they are important to the overall security of an application. These concepts are instead intrinsic to the ideas presented herein. The latter section of this document contains the results of the research and tests conducted on some freely available source code analysis tools. All these tools have a common objective: to quickly scan source code for potential security issues and to communicate them to the user in a detailed, well-formatted, easy-to-understand report. The goal of these tools is not to replace manual reviews, but to facilitate the review process by catching common errors that could lead to security problems. Flawfinder was found to be the most useful tool in terms of the depth and breadth of its scan results, and ease of use. RATS was found to be the tool of choice for flexibility, as it is able to scan not only C code, but also Perl, PHP, and Python. Also, the reports that it produced were found to be the most detailed and easy to understand. Both of these tools offer a good first step towards conducting a manual code audit. Some of the common vulnerabilities they will find are buffer overflows, format string attacks, race conditions, and insecure system calls. For those who want a tool that enforces even tighter checking, try MOPS. MOPS is different because it exhaustively searches through programs line by line to find a path that can cause a security violation (referred to as a violation of a Temporal Safety Property). The caveat is that MOPS takes more work to set up, as it requires the user to describe violations via finite state machines.


Code Reviews

Developing robust, enterprise-level applications is a difficult task, and making them completely secure is an impossible task. Fortunately, in reality, security is not about creating an "impenetrable fortress". It is about managing risk (i.e. let us build a moat around the fortress, have only one way in and out, and post guards on the perimeter day and night). Arguably, one of the best ways to manage risk for any application is to review its code, and review it again and again. Many times, an application is exploitable as a direct result of "lazy" programming, and an indifference to quick "spot checks" and peer reviews. It does not take much to prove this; one only needs to go to the CERT Coordination Center web site at http://www.cert.org and type in any well-known, industry-recognized application in the search field (try Internet Explorer or Netscape Navigator). Such searches may result in phrases such as "buffer overflow", "unauthorized access", "execute arbitrary code", "cross-