The OWASP Foundation OWASP http://www.owasp.org OWASP Conference 2008 Application Security – The code analysis way Maty Siman CTO Checkmarx

  • Slide 1
    Title slide: Application Security – The code analysis way. Maty Siman, CTO, Checkmarx. OWASP Conference 2008, http://www.owasp.org.

  • Slide 2 – Agenda
    Algorithms and code.

  • Slide 3 – Data Flow Graph
    Represents the flow of data through code. Each line of code (LOC) has its own vertex. An edge represents a direct influence of the data in the source vertex on the data in the destination vertex (therefore, assignment statements are source vertices).

  • Slide 4 – Data Flow Graph (cont.)
    #include <stdio.h>

    void main() {
        int j = 0;
        int i = 0;
        while (i < 10) {
            if (i == 3) {
                j = j * 2;
            }
            j = j + i;
            i = i + 1;
        }
        printf("%d\n", j);
        printf("%d\n", i);
    }

  • Slides 5 and 6 – Interprocedure Data Flow Graph (slide 6 repeats the code of slide 5)
    int calc(int i);   /* forward declaration so foo() can call calc() */

    void foo() {
        int a = calc(1);
        ++a;
        int b = calc(2);
        ++b;
    }

    int calc(int i) {
        return i * 2;
    }

  • Slide 7 – Tainted value propagation
    Can be used for many vulnerabilities:
      - SQL Injection
      - XSS
      - Stored XSS
      - Second Order SQL Injection
      - Log forgery
      - Some types of race condition
      - LDAP Injection
      - Command injection
      - Directory traversal
    The common pattern: input data influencing XXXX and not sanitized by YYYY.

  • Slide 8 – But...
    Parameters, data members, static variables, events, globals, generics, and many, many more issues.
    Resolve – must the code compile? Direct access to the engine?

  • Slide 9 – And again – SQL Injection
    Parameterized queries:
    SqlConnection con = (acquire connection);
    con.Open();
    SqlCommand cmd = new SqlCommand("SELECT * FROM users WHERE name = @userName", con);
    cmd.Parameters.Add("@userName", userName);
    SqlDataReader rdr = cmd.ExecuteReader();

  • Slide 10 – More SQL Injection
    What about:
    data = input();
    if (isValid(data)) {
        SqlCommand cmd = new SqlCommand("SELECT * FROM users WHERE age = " + data, con);
    }
    The value is still concatenated into the query; whether that is a problem depends on what isValid checks, and a data flow graph alone does not show that the sink is guarded by the check.

  • Slide 11 – Control Dependence Graph
    Enhances the CFG. Each LOC has its own vertex. An edge from vertex A to vertex B means that B is directed by A, i.e. the execution of B depends on the execution of A.

  • Slide 12 – Control Dependence Graph (cont.)
    The same main() as on slide 4, now read as a control dependence graph.

  • Slide 13 – What is the benefit of super-imposing graphs?
    bool b = true;
    if (b) {
        ExecuteCommand(x);
    }

  • Slides 14 and 15 – Slicing (slide 15 repeats the code of slide 14)
    Finding a relevant subset of the application.
    #include <stdio.h>

    void main() {
        int sum = 0;
        int i = 1;
        while (i < 11) {
            sum = sum + i;
            i = i + 1;
        }
        printf("%d\n", sum);
        printf("%d\n", i);
    }

  • Slide 16 – CDG
    Start  Sum = 0  i = 1  While (i
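The data flow graph, tainted value propagation, control dependence and slicing slides above all describe one piece of machinery: a graph with one vertex per statement and two kinds of edges. The Python below is an added example, not code from the slides or from Checkmarx's engine, that implements toy versions of all four on the slides' own snippets (the sum loop of slides 14/15, the guarded concatenation of slide 10 and the parameterized query of slide 9). Statement vertices, their control-flow successors, their control dependences and the source/sink/sanitizer roles are written down by hand as assumed inputs; a real engine derives them from the parsed code. Data dependences are computed with a standard reaching-definitions fixpoint, and treating `Parameters.Add` as a sanitizer is a modelling assumption for the example.

```python
# Added example, not from the slides or from Checkmarx: a toy dependence
# engine for the Data Flow Graph, Control Dependence Graph, tainted value
# propagation and slicing ideas above.  Each statement is one vertex; flow
# successors and control dependences are written by hand for these small
# structured programs (a real engine derives them from the parsed AST).
from dataclasses import dataclass, field


@dataclass
class Stmt:
    sid: str                                  # vertex name
    text: str                                 # source line, display only
    defs: set = field(default_factory=set)    # variables written
    uses: set = field(default_factory=set)    # variables read
    succ: list = field(default_factory=list)  # control-flow successors
    ctrl: str = ""                            # condition vertex this one is control dependent on
    kind: str = "stmt"                        # "source", "sink", "sanitizer" or "stmt"


def data_dependences(prog):
    """DFG edges {vertex: def sites it reads}, via a reaching-definitions fixpoint."""
    by_id = {s.sid: s for s in prog}
    preds = {s.sid: [] for s in prog}
    for s in prog:
        for t in s.succ:
            preds[t].append(s.sid)
    reach_in = {s.sid: set() for s in prog}   # (var, def site) pairs at entry
    reach_out = {s.sid: set() for s in prog}  # (var, def site) pairs at exit
    work = [s.sid for s in prog]
    while work:
        sid = work.pop(0)
        s = by_id[sid]
        reach_in[sid] = set().union(*[reach_out[p] for p in preds[sid]])
        new_out = {(v, d) for v, d in reach_in[sid] if v not in s.defs}  # kill
        new_out |= {(v, sid) for v in s.defs}                              # gen
        if new_out != reach_out[sid]:
            reach_out[sid] = new_out
            work.extend(s.succ)
    return {s.sid: {d for v, d in reach_in[s.sid] if v in s.uses} for s in prog}


def backward_slice(prog, criterion):
    """Slicing: vertices that can influence `criterion` over the superimposed DFG + CDG."""
    ctrl = {s.sid: s.ctrl for s in prog}
    dd = data_dependences(prog)
    seen, work = set(), [criterion]
    while work:
        sid = work.pop()
        if sid not in seen:
            seen.add(sid)
            work.extend(dd[sid] | ({ctrl[sid]} if ctrl[sid] else set()))
    return seen


def taint_flows(prog):
    """Tainted value propagation: (sink, tainted guards) for each sink a source
    reaches over data edges without passing a sanitizer."""
    ctrl = {s.sid: s.ctrl for s in prog}
    dd = data_dependences(prog)
    tainted = {s.sid for s in prog if s.kind == "source"}
    changed = True
    while changed:                        # propagate taint to a fixpoint
        changed = False
        for s in prog:
            if s.sid not in tainted and s.kind != "sanitizer" and dd[s.sid] & tainted:
                tainted.add(s.sid)
                changed = True
    flows = []
    for s in prog:
        if s.kind == "sink" and s.sid in tainted:
            guards, c = [], ctrl[s.sid]
            while c:                      # walk the control dependence chain upwards
                if c in tainted:          # a check that reads the tainted value
                    guards.append(c)
                c = ctrl[c]
            flows.append((s.sid, guards))
    return flows


# Slide 14/15 program: sum loop followed by printf(sum) and printf(i)
SUM_PROG = [
    Stmt("s1", "sum = 0", defs={"sum"}, succ=["s2"]),
    Stmt("s2", "i = 1", defs={"i"}, succ=["s3"]),
    Stmt("s3", "while (i < 11)", uses={"i"}, succ=["s4", "s6"]),
    Stmt("s4", "sum = sum + i", defs={"sum"}, uses={"sum", "i"}, succ=["s5"], ctrl="s3"),
    Stmt("s5", "i = i + 1", defs={"i"}, uses={"i"}, succ=["s3"], ctrl="s3"),
    Stmt("s6", 'printf("%d\\n", sum)', uses={"sum"}, succ=["s7"]),
    Stmt("s7", 'printf("%d\\n", i)', uses={"i"}),
]
# Slide 10 program: the concatenated query is guarded by isValid(data)
GUARDED_PROG = [
    Stmt("t1", "data = input()", defs={"data"}, succ=["t2"], kind="source"),
    Stmt("t2", "if (isValid(data))", uses={"data"}, succ=["t3"]),
    Stmt("t3", 'cmd = new SqlCommand("... age = " + data, con)', defs={"cmd"}, uses={"data"}, ctrl="t2", kind="sink"),
]
# Slide 9 program: parameter binding modelled as a sanitizer (assumption: the value is bound, never concatenated)
PARAM_PROG = [
    Stmt("p1", "userName = input()", defs={"userName"}, succ=["p2"], kind="source"),
    Stmt("p2", 'cmd = new SqlCommand("... name = @userName", con)', defs={"cmd"}, succ=["p3"]),
    Stmt("p3", 'cmd.Parameters.Add("@userName", userName)', defs={"cmd"}, uses={"cmd", "userName"}, succ=["p4"], kind="sanitizer"),
    Stmt("p4", "rdr = cmd.ExecuteReader()", defs={"rdr"}, uses={"cmd"}, kind="sink"),
]
```

`backward_slice(SUM_PROG, "s6")` returns the whole loop ({s1, s2, s3, s4, s5, s6}), while `backward_slice(SUM_PROG, "s7")` returns only {s2, s3, s5, s7}: the two sum statements drop out because nothing printf(i) depends on reads them, which is the "relevant subset" the slicing slides are after. `taint_flows(GUARDED_PROG)` reports the sink t3 together with its guard t2, so the reviewer sees both the unsanitized concatenation from slide 10 and the fact that it is control dependent on isValid(data); that second fact is what superimposing the CDG on the DFG adds, since the data edges alone look identical with or without the check. `taint_flows(PARAM_PROG)` is empty because the binding step is modelled as a sanitizer, matching the parameterized query pattern of slide 9.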