PA193 - Secure coding principles and practices
LABS: Static analysis of source code
•Petr Švenda svenda@fi.muni.cz

Overview - Lab
•Goal: Learn how to use basic tools
•Discuss false positives / false negatives
•Check C/C++ code with compiler warnings
•Check C/C++ code with VS PREfast
•Check C/C++ code with Cppcheck
•Check Java code with FindBugs
2 | PA193 - Static and dynamic checkers

MS Visual Studio: Warnings and PREfast
•Set the project warning level to /W4 (or /Wall)
–Run and compile bufferOverflowDemo.cpp
–(don't forget: a new project must be created)
–Fix all warnings for a clean compilation in VS at /W4
•Run Code Analysis on bufferOverflowDemo.cpp
–Analyze → Run Code Analysis on …
–You need to have the project selected inside Project explorer (otherwise the Run Code Analysis… option will not appear)
–Try the difference between 'minimum' and 'all rules'
•Try at home: gcc -Wall -Wextra

Questions (inspect whole BODemo.cpp)
•What is the difference between /W3 and PREfast analysis?
•Why should you compile without warnings?
•Are all bugs caught by static analysis?
•Which bugs are not caught?
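As an added example (not one of the lab files, and not a copy of bufferOverflowDemo.cpp), the C snippet below shows the class of defect the warning-level exercise is about: a copy into a fixed-size buffer with no check on the source length, beside a hardened version that rejects oversized input instead of silently truncating. The names `struct user`, `set_name`, `set_name_unsafe` and `NAME_MAX` are invented for this example.

```c
/* Added example, not from the PA193 lab files: a fixed-size copy in the style
 * of a buffer-overflow demo, shown unsafe and hardened.  gcc -Wall -Wextra does
 * not flag the unchecked strcpy (the source length is unknown at compile time)
 * and Visual Studio only emits its C4996 "strcpy is unsafe" note; the missing
 * destination-size check is what PREfast or Cppcheck is for, and even they can
 * only report it when the sizes of both buffers are visible to them. */
#include <stddef.h>
#include <string.h>

#define NAME_MAX 16

struct user {
    char name[NAME_MAX];
    int  admin;   /* sits right after the buffer: an overflow lands here */
};

/* Unsafe: nothing checks that src fits, so a long name overwrites `admin`.
 * Kept only for comparison with the hardened version; never called below. */
void set_name_unsafe(struct user *u, const char *src)
{
    strcpy(u->name, src);
}

/* Hardened: reject names that do not fit together with their terminator,
 * instead of truncating, so the caller cannot mistake a cut name for the real
 * one.  memchr reads at most NAME_MAX bytes of src, so an unterminated source
 * cannot be over-read either.  Returns 1 on success, 0 when rejected. */
int set_name(struct user *u, const char *src)
{
    if (u == NULL || src == NULL)
        return 0;
    const char *end = memchr(src, '\0', NAME_MAX);
    if (end == NULL)                 /* no terminator within NAME_MAX: too long */
        return 0;
    size_t n = (size_t)(end - src);  /* n <= NAME_MAX - 1, so n + 1 fits */
    memcpy(u->name, src, n + 1);
    return 1;
}

int main(void)
{
    struct user u = { "", 0 };
    int ok_short = set_name(&u, "alice");                       /* accepted */
    int ok_long  = set_name(&u, "a-name-that-is-far-too-long"); /* rejected */
    return (ok_short == 1 && ok_long == 0 && u.admin == 0) ? 0 : 1;
}
```

Compile both versions at /W4 (or with gcc -Wall -Wextra) and then run PREfast or `cppcheck --enable=all` over the file: the compiler is quiet about the real problem, which is the point of the questions above about what static analysis does and does not catch.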
Cppcheck
1.Download Cppcheck and unpack (or install)
2.Use Cppcheck against bufferOverflow.cpp
–from the command line: cppcheck bufferOverflow.cpp
–cppcheck --enable=all bufferOverflow.cpp
3.Set up an editor as the viewer for the Cppcheck GUI
–(Notepad++ is already predistributed on lab computers, or download it at http://sourceforge.net/projects/notepadpp-usb/)
–Edit → Preferences → Applications → Add
•Executable: "C:\Program Files\Notepad++\notepad++.exe"
•Parameters: -n(line) (file)
4.Run the Cppcheck GUI and analyze files or directories

FindBugs/FindSecurityBugs - Java
•Download FindBugs http://findbugs.sourceforge.net/
•Download FindSecurityBugs (plugin)
–https://find-sec-bugs.github.io/download.htm
–copy findsecbugs-plugin-1.5.0.jar into the FindBugs\plugin\ directory
–List of patterns: https://h3xstream.github.io/find-sec-bugs/bugs.htm
•Run FindBugs\bin\findbugs.bat (on Windows)
–Or directly FindBugs\lib\findbugs.jar
–Enable the plugin in Edit → Preferences → Plugins

FindBugs/FindSecurityBugs - Java
•Note: you need a compiled *.jar for the analysis
–And the source code for quick display of the problems :-)
•Extract the content of crypto-java.zip
•Run FindBugs
•Start the analysis
–File → New project
–Classpath for analysis: select the target *.jar file (crypto_java.jar)
–Source directories: select the parent dir of the target package
•crypto-java\src\main\java\ in our case
Questions: FindBugs & FindSecurityBugs
•Which issues were found?
•Are all reported issues from the project source code?
•How would you rate the severity of the different issues?
•How can you use FindBugs in team collaboration?
•Is FindBugs working on source code or on compiled code? Compare to Cppcheck.

Cppcheck + OpenSSL
•Run against OpenSSL 0.9.1c (1998)
–https://www.openssl.org/source/old/0.9.x/
–What are the bugs?
•Run against the newest OpenSSL
–ftp://ftp.openssl.org/source/
–Why is it not completely clean yet?

Questions
•Which bugs are found in bufferOverflowDemo.cpp? Compare to PREfast in Visual Studio.
•Which bugs are found in old OpenSSL?
•Are style warnings important?

Heartbleed bug
•OpenSSL 1.0.1 through 1.0.1f
•Download https://www.openssl.org/source/openssl-1.0.1e.tar.gz
•Locate the function dtls1_process_heartbeat(SSL *s)
–ssl\t1_lib.c
•Will your static analyzers find anything?
–Don't be sad, even Coverity didn't before the bug was exposed
–http://security.coverity.com/blog/2014/Apr/on-detecting-heartbleed-with-static-analysis.html
[Figure: heartbleed.png]

Homework
•Nothing this week :-)
•Focus on the implementation of the parser
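To make the Heartbleed slide concrete, here is an added example (not OpenSSL code, and not the function you are asked to locate) of a minimal heartbeat-style echo written in the shape of the real handler, together with the record bounds check that the vulnerable versions lacked. The message layout, the `HB_*` constants and the functions `heartbeat_respond` and `make_request` are constructed for this example; the real heartbeat message additionally carries random padding and lives inside a TLS record.

```c
/* Added example, not OpenSSL code: a heartbeat-style echo with the bounds
 * check that the Heartbleed fix added.  Message layout (constructed here):
 *   byte 0     : type (1 = request, 2 = response)
 *   bytes 1..2 : payload length, big-endian
 *   bytes 3..  : payload, followed by at least HB_PADDING bytes of padding
 * The defect was to trust the length field; the fix compares it against the
 * number of bytes that actually arrived before anything is copied. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_HDR      3
#define HB_PADDING  16
#define HB_REQUEST  1
#define HB_RESPONSE 2

/* Build the echo reply into `out` (capacity out_cap).  Returns the number of
 * bytes written, or 0 when the request is malformed and must be dropped. */
size_t heartbeat_respond(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    if (rec == NULL || out == NULL || rec_len < HB_HDR)
        return 0;
    if (rec[0] != HB_REQUEST)
        return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];

    /* The check the fixed OpenSSL added: header + claimed payload + minimum
     * padding must fit inside the record that actually arrived.  Without it,
     * the memcpy below would read up to 64 KiB past the record and echo
     * whatever happened to follow it in memory. */
    if (HB_HDR + payload + HB_PADDING > rec_len)
        return 0;

    size_t reply_len = HB_HDR + payload + HB_PADDING;
    if (reply_len > out_cap)            /* and the reply must fit its buffer too */
        return 0;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload);    /* bounded by the check above */
    memset(out + HB_HDR + payload, 0, HB_PADDING);  /* real code uses random padding */
    return reply_len;
}

/* Constructed request: the length field says `claimed_len`, while the record
 * really carries `actual_len` payload bytes plus padding.  Returns the record
 * length, or 0 if it would not fit in `buf`. */
size_t make_request(uint8_t *buf, size_t cap, uint16_t claimed_len,
                    const uint8_t *data, size_t actual_len)
{
    size_t total = HB_HDR + actual_len + HB_PADDING;
    if (buf == NULL || data == NULL || total > cap)
        return 0;
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(claimed_len >> 8);
    buf[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(buf + HB_HDR, data, actual_len);
    memset(buf + HB_HDR + actual_len, 0, HB_PADDING);
    return total;
}

int main(void)
{
    uint8_t rec[64], out[64];
    const uint8_t hello[5] = { 'h', 'e', 'l', 'l', 'o' };

    /* Honest request: 5 payload bytes, length field says 5 -> echoed. */
    size_t n = make_request(rec, sizeof rec, 5, hello, 5);
    size_t echoed = heartbeat_respond(rec, n, out, sizeof out);

    /* Heartbleed-shaped request: 5 bytes sent, length field says 65535 -> dropped. */
    n = make_request(rec, sizeof rec, 0xFFFF, hello, 5);
    size_t dropped = heartbeat_respond(rec, n, out, sizeof out);

    return (echoed == HB_HDR + 5 + HB_PADDING && dropped == 0) ? 0 : 1;
}
```

The point for the lab question "will your static analyzers find anything?": with the check removed, nothing in the function is syntactically wrong, and the copy length comes from data the analyzer cannot see, which is why a tool needs a model of the record length (the Coverity post above discusses exactly this) to report the over-read rather than a pattern match.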