2005. Programming Languages Security - A Survey, страница 7

It uses advanced compliertechnology and a customizable software security knowledgebase. It provides a complete characterization of softwarerisks, coding faults, design defects and policy violations.The specialized compiler technology is used to parse thesource code to derive a Common Intermediate Security Language (CISL). The intermediated code is analyzed by OunceLabs’ Contextual Analysis technology to detect, confirm, andcategorize the vulnerabilities. The results are then stored in adatabase for analysis and reporting.The Contextual Analysis technology allows source codeto be automatically analyzed in detailed depth. The context in which a call is used influences whether or not it isunsafe. Vulnerabilities are determined by tracking the flowof data through an application and understanding the interrelationships between the different program elements.The security knowledge-base, with over 60,000 entries, allows Prexis/Engine to identify a wide range of vulnerabilitiesincluding buffer overflows, insecure access control, privilegeescalations, race conditions, SQL Injection etc.

The securityknowledge-base is customizable to specific security and policy criteria.Prexis uses a metric called V-Density (vulnerability density), a numeric expression computed by associating the number and criticality of vulnerabilities to the size of the application being analyzed. Once the V-Density has been determined, thresholds can be set for understanding the securitystate of critical software.Prexis supports multiple operating systems (includingLinux, Windows and Solaris) and several programming languages (including C, C++, Java and .NET languages).It is proprietary software and can be purchased for a fee.Fortify Source Code Analysis SuiteThe Fortify Source Code Analysis Suite [30] is an integrated set of static source code analysis tools, similar in manyways to Coverity’s Prevent.

It works seamlessly with existing development and audit tools and processes and allows foreffective scanning, tracking and fixing of software securityflaws.It does an effective and precise data flow analysis of sourcecode, and provides an interactive graphical view of the discovered security issues. It can efficiently processes voluminousand complex code bases.Software developers can use Fortify’s plug-and-play capabilities with popular Integrated Development Environments(IDEs) including Microsoft Visual Studio, Borland JBuilderand Eclipse to dispense security vulnerabilities early in thedevelopment lifecycle.The tools work much like a compiler.

Minor modificationsto the build script invokes Fortify’s language parser whichreads in a source code file(s) and transforms them to an intermediate format, optimized for security analysis. This intermediate format is exploited by the Analysis Engine to locatesecurity flaws.The Analysis Engine, comprises of four distinctive analyzers:• Data Flow Analyzer – discovers possibly unsafe datapaths.• Semantic Analyzer – detects use of insecure functions orprocedures and infers their context of use.• Control Flow Analyzer – tracks ordering of operations todetect unsuitable coding constructs.4.2• Configuration Analyzer – tracks vulnerable interactionsbetween configuration and code.Dynamic Analysis ToolsDynamic analyzers instrument source programs and create aversion that when run, has the same behavior as the originalprogram but generate specific events when a possible vulnerability is encountered.

As the checking is done dynamically,more accurate checking than can be done statically is possible. This is because of the precision of the information thatthey provide as compared to static analysis tools. Static analysis tools usually report errors that are only approximations ofthe properties that actually hold when the program runs [43].Hence, the high false positives and/or false negatives that aregenerated by static analyzers can be eliminated by using dynamic analyzers. However, some errors might be omitted assome execution paths might never have been followed whileanalyzing.These tools are primarily designed to be debugging toolsIt also provides a “Rules Builder” so users can extend andcustomize the capability analysis rules.It supports multiple operating systems (including Linux,Windows, Mac OS X and Solaris) and several programming languages (including C, C++, C#, Java, JSP, PL/SQL,ASP.NET, VB.NET and XML).The Analysis Suite can be purchased as an EnterpriseEdition or a perpetual license, and the prices are per CPU onthe build server.

It also offers a free code audit to certify andprove its capabilities.Prexis: Automated Software Security AssuranceOunce Labs’ Prexis suite [67] is a set of automated software tools for static source code security analysis.13for finding memory leaks and buffer overflows. Using thesetools is simple, programs to be tested are linked against themand they generate a report detailing errors and other significant events. These tools generally have a high performanceoverhead and so are mainly used for debugging purposes.Linux (Red Hat, Enterprise) environments, but is proprietarysoftware and can be expensive to license [40].ValgrindValgrind [89] is a set of tools for automatic memory debugging and profiling of large programs.

Detection of memorybugs help make programs more stable and profiling helps inefficient memory use of programs.Valgrind is essentially a virtual machine using just-in-time(JIT) (i.e. dynamic binary translation) compilation. Thismeans that applications do not need to be modified or recompiled to use Valgrind, it can even be used on programs forwhich only binaries are available and there is no source code.Valgrind initially translates the program into an intermediate,more elementary form called ucode, which is instrumented byone of the tools. The ucode is then translated back into x86code that is run on the target machine.A significant amount of performance is lost in these transformations and by the code that the tools insert.

Programsrun considerably slower under Valgrind, the slowdown factorcan range from 5–100 depending on the tool used. Since it isintended mainly as a debugging tool, this slowdown is acceptable.Valgrind works with programs written in any language,though mainly aimed for programs written in C and C++, ithas been used on programs written in Java, Perl, Python, assembly code, Fortran, Ada, and many others as well.

UsingValgrind is straightforward, the program to be run under Valgrind is prefixed with valgrind --tool=tool name onthe usual command-line invocation.The Valgrind distribution includes five useful debuggingand profiling tools: Memcheck, Addrcheck, Cachegrind,Massif, and Helgrind. Valgrind is extensible, which meansthat new tools that add arbitrary instrumentation to programscan be written and plugged in.Valgrind is free open source software, available under theGNU General Public License. It is not distributed as binariesor RPMs, instead the source code has to be downloaded andcompiled in order to be installed on the system. It is activelymaintained and supported on x86/Linux, AMD64/Linux andPPC32/Linux platforms.PurifyPurify is a tool designed to detect memory bugs, such asleaks and access errors, which are a source of many securityvulnerabilities.

It performs verification dynamically; i.e. itdetects errors at program run-time.Purify parses and adds verification instructions into compiled object code, including third-party and operating systemlibraries. This helps the program to output the precise position of the error, the memory address affected, and other related data when a memory error occurs. The instrumentedprogram’s object code will have function calls that checkevery memory read and write for various types of access errors, including uninitialized memory reads and freed memoryreads/writes. “Purify tracks memory usage and identifies individual memory leaks using a novel adaptation of garbagecollection techniques” [38].The inserted function call instructions maintain a memorystate table, in which two bits are used to associate one of threestates with each byte of memory in the heap, stack, data andBSS sections.

The three states are:• unallocated (unwritable and unreadable),• allocated and uninitialized (writable but unreadable)• allocated and initialized (writable and readable).A read/write to unallocated bytes causes a warning message to be printed. Writing to memory marked as allocatedand-uninitialized causes it to change state and becomeallocated-and-initialized.

Heap overflows are detected by allocating “red-zones” at the start and end of memory blocksreturned by malloc(). Red-zone bytes are marked as unallocated, and so an access to these bytes will signal an error.Purify works automatically, i.e programs linked with Purify will be implicitly verified for memory errors. This is incontrast to traditional memory debuggers that essentially needto be done by hand, by stepping through the code line by line.It is beneficial to use Purify on programs written in programming languages that have manual memory management(such as C) as there is a higher probability of having memory leaks here, as compared to programs that have automaticmemory management (such as Java) where memory leaks areimplicitly avoided. As it is targeted mainly for debugging purposes, its relatively high overheads are not an issue.Purify is available for Unix (Solaris, SPARC, UltraSPARC), Windows (2000, XP Professional, NT 4.0) and4.3Sandbox SecuritySandboxing seeks to restrict the corruption that the exploitation of a vulnerability might result in.