Free Static Source analysis

From Noisebridge
(Difference between revisions)
Jump to: navigation, search
(Queries which need to be refined)
(Desirable featues of a static analyzer for dynamicall typed programs)
 
(One intermediate revision by one user not shown)
Line 3: Line 3:
  
 
While the idea isn't new, http://asert.arbornetworks.com/2006/10/static-code-analysis-using-google-code-search/ , but taking it to the next level.
 
While the idea isn't new, http://asert.arbornetworks.com/2006/10/static-code-analysis-using-google-code-search/ , but taking it to the next level.
 +
 +
==Goals==
 +
The Phases below seem directed toward finding exploits by analysis of 3rd party open source code. To me what is more interesting is finding errors in dynamically typed languages such as Python before runtime. For instance it's very painful live-coding a Python program with many code paths, when a typo in a variable name will not be uncovered until that block of code is reached (at which point there is a fatal error). The first thing a static analysis tool should do is trace all paths of a Python program looking for possible unbound variables. 
 +
 +
==Phases==
  
 
Phase 0:  
 
Phase 0:  
Line 76: Line 81:
 
  http://www.google.com/codesearch?q=%22getRequest().getParameter(%22
 
  http://www.google.com/codesearch?q=%22getRequest().getParameter(%22
 
  http://www.google.com/codesearch?q=%22getRequest().getRequestURI();%22
 
  http://www.google.com/codesearch?q=%22getRequest().getRequestURI();%22
 +
http://www.google.com/codesearch?q=this.getID()
 +
http://www.google.com/codesearch?q=%22.GetHtml(%22
 +
http://www.google.com/codesearch?q=%22.getParameterMap()%22
  
 
== Sources of information: ==  
 
== Sources of information: ==  

Latest revision as of 11:49, 5 July 2010

Knowledge of the masses static software analysis.


While the idea isn't new, http://asert.arbornetworks.com/2006/10/static-code-analysis-using-google-code-search/ , but taking it to the next level.

Contents

[edit] Goals

The Phases below seem directed toward finding exploits by analysis of 3rd party open source code. To me what is more interesting is finding errors in dynamically typed languages such as Python before runtime. For instance it's very painful live-coding a Python program with many code paths, when a typo in a variable name will not be uncovered until that block of code is reached (at which point there is a fatal error). The first thing a static analysis tool should do is trace all paths of a Python program looking for possible unbound variables.

[edit] Phases

Phase 0:

Find best secure programmatic practices for major languages and discover public code repository search engines.

Phase 1:

Use queries to file bugs against found culprits.
Create queries for google code search
Store the results of the query in the following form
Project url
Url to offending file
Language
Offending lines of code
Date proposed vulnerability was discovered
Database entities required for review
Manual review required
Which OWASP Top 10 offender
Which OWASP secure programming practice not followed
Reviewer
Project URL
Project contact information
Create queries for github
Create queries for koders

Phase 2:

Write up simple automation code to product daily/weekly/annum metrics.
Create site to input vulnerabilities 
Create input forms and db backend
Create pages which show vulnerability
Create cute little pie charts summarizing overall data trends from manual entry vs. search engine automation

Phase 2.5:

Steal underwear

Phase 3:

?

Phase 4: Profit



[edit] Queries which need to be refined

PHP

http://google.com/codesearch?hl=en&lr=&q=echo.*\$_(GET%7CPOST).*
http://www.google.com/codesearch?hl=en&lr=&q=SELECT+\*+FROM+'\.\$_GET

Python

http://www.google.com/codesearch?hl=en&lr=&q=eval+lang:python&sbtn=Search

Java

http://www.google.com/codesearch?hl=en&lr=&q=.*executeQuery.*getParameter.*
http://www.google.com/codesearch?hl=en&lr=&q=%3C%25%3D.*getParameter*
http://www.google.com/codesearch?hl=en&lr=&q=%22%3C%3D+65553%22&btnG=Search

Perl

http://www.google.com/codesearch?hl=en&lr=&q=0xfffffff[^0-9a-f]&btnG=Search

C

http://google.com/codesearch?hl=en&num=0&sa=N&filter=0&q=%22strcpy(%22&ct=rr&cs_r=broken_re
http://google.com/codesearch?hl=en&num=1953392943&sa=N&filter=0&q=%22strcpy(buf%22&ct=rr&cs_r=broken_re
http://www.google.com/codesearch?hl=en&lr=&q=\[sizeof\(.*\)\]\+*%3D\+*'%3F\\%3F0'%3F;$&btnG=Search
http://www.google.com/codesearch?hl=en&lr=&q=^[\+\t]*printf\(getenv&btnG=Search
http://www.google.com/codesearch?hl=en&lr=&q=%22if+(errno+%3D+E%22&btnG=Search
http://www.google.com/codesearch?hl=en&lr=&q=getopt%20+%20%20%20argc%20%20+%20argv%20%20+%20%20%22%20%20%20%22%20%20;&btnG=Search#8402756288336228965

Javascript

http://www.google.com/codesearch?q=lang:javascript++%22alert(%22

Generic

http://www.google.com/codesearch?q=%22Response.Write(%22
http://www.google.com/codesearch?q=%22getRequest().getParameter(%22
http://www.google.com/codesearch?q=%22getRequest().getRequestURI();%22
http://www.google.com/codesearch?q=this.getID()
http://www.google.com/codesearch?q=%22.GetHtml(%22
http://www.google.com/codesearch?q=%22.getParameterMap()%22

[edit] Sources of information:

http://en.wikipedia.org/wiki/Rice's_theorem

http://en.wikipedia.org/wiki/Static_code_analysis

http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis

http://www.fortify.com/vulncat/en/vulncat/

http://www.irccrew.org/~cras/security/c-guide.html http://www.gratisoft.us/todd/papers/strlcpy.html http://pintday.org/whitepapers/bugme1.shtml http://www.google.com/search?hl=en&safe=off&q=secure+programming+strcpy&aq=f&aqi=&aql=&oq=&gs_rfai= http://stackoverflow.com/questions/1149447/perl-code-security-scanner-other-than-rats-must-be-static http://docs.google.com/viewer?a=v&q=cache:WCXJlohndwEJ:www.gnucitizen.org/static/blog/2008/04/php-code-analysis-real-world-examples.pdf+static+analysis+sql+xss+fopen&hl=en&gl=us&pid=bl&srcid=ADGEESh9Sk1GchoTY5ck6SWzVswn5ATUPk33aHh7H7cGIXclbqjle-95xWqU36Zt8jXhQucTFeDc-EXi7y3X3RFaFmV8aRIikbTsCxANDUg8D-kt90f0rt73PBqmxvxtcGdMn4gEVw9t&sig=AHIEtbQ8DPTd8JLr7LY2_mmiCqgYA1Yijg http://www.arcert.gov.ar/webs/textos/secure_webdev-3.0.pdf

Personal tools