Towards Better Static Analysis Security Testing Methodologies
Loading...
Date
2020-09-24
Authors
Aloraini, Bushra
Journal Title
Journal ISSN
Volume Title
Publisher
University of Waterloo
Abstract
Software vulnerabilities have been a significant attack surface used in cyberattacks, which
have been escalating recently. Software vulnerabilities have caused substantial damage,
and thus there are many techniques to guard against them. Nevertheless, detecting and
eliminating software vulnerabilities from the source code is the best and most effective solution
in terms of protection and cost. Static Analysis Security Testing (SAST) tools spot
vulnerabilities and help programmers to remove the vulnerabilities. The fundamental problem
is that modern software continues to evolve and shift, making detecting vulnerabilities
more difficult. Hence, this thesis takes a step toward highlighting the features required to
be present in the SAST tools to address software vulnerabilities in modern software. The
thesis’s end goal is to introduce SAST methods and tools to detect the dominant type of
software vulnerabilities in modern software. The investigation first focuses on state-of-theart
SAST tools when working with large-scale modern software. The research examines
how different state-of-the-art SAST tools react to different types of warnings over time,
and measures SAST tools precision of different types of warnings. The study presumption
is that the SAST tools’ precision can be obtained from studying real-world projects’ history
and SAST tools that generated warnings over time. The empirical analysis in this
study then takes a further step to look at the problem from a different angle, starting at
the real-world vulnerabilities detected by individuals and published in well-known vulnerabilities
databases. Android application vulnerabilities are used as an example of modern
software vulnerabilities. This study aims to measure the recall of SAST tools when they
work with modern software vulnerabilities and understand how software vulnerabilities
manifest in the real world. We find that buffer errors that belong to the input validation
and representation class of vulnerability dominate modern software. Also, we find that
studied state-of-the-art SAST tools failed to identify real-world vulnerabilities. To address
the issue of detecting vulnerabilities in modern software, we introduce two methodologies.
The first methodology is a coarse-grain method that targets helping taint static analysis
methods to tackle two aspects of the complexity of modern software. One aspect is that
one vulnerability can be scattered across different languages in a single application making
the analysis harder to achieve. The second aspect is that the number of sources and
sinks is high and increasing over time, which can be hard for taint analysis to cover such
a high number of sources and sinks. We implement the proposed methodology in a tool
called Source Sink (SoS) that filters out the source and sink pairs that do not have feasible
paths. Then, another fine-grain methodology focuses on discovering buffer errors that
occur in modern software. The method performs taint analysis to examine the reachability
between sources and sinks and looks for "validators" that validates the untrusted input.
We implemented methodology in a tool called Buffer Error Finder (BEFinder).
Description
Keywords
taint analysis, buffer errors, software security, reachability analysis, cross language analysis, software vulnerabilities, Android app security, static analysis security testing