Современные...




SAST Compilable Applications Analyzers Development / Team Lead, Positive Technologies

Disclaimer SAST , PT AI, , , / .

SAST :

;

;

;

;

SAST : SAST, - , ?AST, SAST, , ;

, ;

, .

SAST , - -

SAST , - -==

SAST , - -==

!=

() : TM(k,l): k=2,l=3 ; k=2,l=2 ; k=3,l=2 ; k=4,l=2 , k - , l ;

() : TM(k,l): k=2,l=3 ; k=2,l=2 ; k=3,l=2 ; k=4,l=2 , k - , l ;

: Sn*x , S , n , x ;

() : TM(k,l): k=2,l=3 ; k=2,l=2 ; k=3,l=2 ; k=4,l=2 , k - , l ;

: Sn*x , S , n , x ;

.

, ,

-> ;

, -> ;

, , -> ;

> ( , ).

"Modeling Computer Insecurity" (Sophie Engle, Sean Whalen and Matt Bishop):

, .

DAST

, , . , ,

14

, - , ?

,

AST ( );

CFG ( );

DFG ( );

PDG ( );

CPG ( );

???

AST ( )

CFG ( )

DFG ( )

DFG ( )

DFG ( )

DFG ( )

DFG ( )

DFG ( )

DFG ( )

PDG ( )

CPG ( )

CPG

CPG , /

( AST, ):, ; ; taint- ( CPG, ): ; , ; ( CPG DFG, ): , ; .

( )

Taint-

Taint-var name = Request.Params["name"];var key1 = Request.Params["key1"];var parm = Request.Params["parm"];

// `parm` (like `name` and `key1` read just above) comes straight from Request.Params, i.e. it is
// request-controlled input; base64 decoding changes its representation but not its trust level.
// NOTE(review): as shown, the two arms of the conditional have different types (char[] vs. the
// byte[] returned by Convert.FromBase64String), and Encoding.UTF8.GetString expects a byte[], so
// this fragment would not compile verbatim — presumably a slide simplification.
var data = string.IsNullOrEmpty(parm) ? new char[0]: Convert.FromBase64String(parm);

// Sink: the decoded request data is written to the response with no output encoding, but only on
// the path where name + "in" == "admin" and key1 == "validkey"; the else-branch writes a constant.
// A taint tracker has to treat the base64 decode as taint-preserving and reason about both
// branch conditions to report (and to judge the reachability of) this flow.
string str1;if (name + "in" == "admin"){ if (key1 == "validkey") { str1 = Encoding.UTF8.GetString(data); } else { str1 = "Wrong key!"; }

Response.Write(str1);}

35

Taint-var name = Request.Params["name"];var key1 = Request.Params["key1"];var parm = Request.Params["parm"];

var data = string.IsNullOrEmpty(parm) ? new char[0]: Convert.FromBase64String(parm);

string str1;if (name + "in" == "admin"){ if (key1 == "validkey") { str1 = Encoding.UTF8.GetString(data); } else { str1 = "Wrong key!"; }

Response.Write(str1);}

36

Taint-var name = Request.Params["name"];var key1 = Request.Params["key1"];var parm = Request.Params["parm"];

var data = string.IsNullOrEmpty(parm) ? new char[0]: Convert.FromBase64String(parm);

string str1;if (name + "in" == "admin"){ if (key1 == "validkey") { str1 = Encoding.UTF8.GetString(data); } else { str1 = "Wrong key!"; }

Response.Write(str1);}

37

Taint-var name = Request.Params["name"];var key1 = Request.Params["key1"];var parm = Request.Params["parm"];

var data = string.IsNullOrEmpty(parm) ? new char[0]: Convert.FromBase64String(parm);

string str1;if (name + "in" == "admin"){ if (key1 == "validkey") { str1 = Encoding.UTF8.GetString(data); } else { str1 = "Wrong key!"; }

Response.Write(str1);}

38

Taint-var name = Request.Params["name"];var key1 = Request.Params["key1"];var parm = Request.Params["parm"];

var data = string.IsNullOrEmpty(parm) ? new char[0]: Convert.FromBase64String(parm);

string str1;if (name + "in" == "admin"){ if (key1 == "validkey") { str1 = Encoding.UTF8.GetString(data); } else { str1 = "Wrong key!"; }

Response.Write(str1);}

39

Taint-var name = Request.Params["name"];var key1 = Request.Params["key1"];var parm = Request.Params["parm"];

var data = string.IsNullOrEmpty(parm) ? new char[0]: Convert.FromBase64String(parm);

string str1;if (name + "in" == "admin"){ if (key1 == "validkey") { str1 = Encoding.UTF8.GetString(data); } else { str1 = "Wrong key!"; }

Response.Write(str1);}

40

Taint-var name = Request.Params["name"];var key1 = Request.Params["key1"];var parm = Request.Params["parm"];

var data = string.IsNullOrEmpty(parm) ? new char[0]: Convert.FromBase64String(parm);

string str1;if (name + "in" == "admin"){ if (key1 == "validkey") { str1 = Encoding.UTF8.GetString(data); } else { str1 = "Wrong key!"; }

Response.Write(str1);}

41

Taint-var name = Request.Params["name"];var key1 = Request.Params["key1"];var parm = Request.Params["parm"];

var data = string.IsNullOrEmpty(parm) ? new char[0]: Convert.FromBase64String(parm);

string str1;if (name + "in" == "admin"){ if (key1 == "validkey") { str1 = Encoding.UTF8.GetString(data); } else { str1 = "Wrong key!"; }

Response.Write(str1);}

42

;

;

;

, . taint-

43

:

AI, SE PE

(AI) .

(SE) .

(PE) .

45

SE

(x , sqrt )

$$2x^2 + 4 = 12$$
$$2x^2 = 12 - 4$$
$$x^2 = (12 - 4) / 2$$
$$x = \sqrt{(12 - 4) / 2}$$
$$x = \sqrt{8 / 2}$$
$$x = \sqrt{4}$$
$$x = 2$$

46

PT SE (SECG).

SECG CPG, .

.

, .

47

Symbolic Execution Context Graph

Symbolic Execution Context Graph

Symbolic Execution Context Graph

Symbolic Execution Context Graph

Symbolic Execution Context Graph

Symbolic Execution Context Graph

Symbolic Execution Context Graph

, . ? ?

PVO(text): text

text = transform(argument), argument EP, transform

EP, text, PVO

Injections, Access Control, Buffer Overflow, Session Management, Heap Overflow, CSRF, Integer Overflow, Concurrency, Memory Management, Domain (Logical)

Symbolic Execution Context Graph SECG PVO

Request.Params["cond1"] != "true"

Response.Write( "" )

Request.Params["cond1"] != "true"

Response.Write( "" )

Request.Params["cond1"] != "true"&&Request.Params["cond2"] == "true"

Response.Write( "" )

Request.Params["cond1"] != "true"&&Request.Params["cond2"] == "true"

Response.Write( "" )

Request.Params["parm2"], ,

Request.Params["cond1"] != "true"&&Request.Params["cond2"] == "true" &&(Request.Params["parm2"] == "\">alert(0)" || Request.Params["parm2"] == "\"onmouseover=\"alert(0)")

Response.Write( "" )

Request.Params["cond1"] != "true"&&Request.Params["cond2"] == "true" &&(Request.Params["parm2"] == "\">alert(0)" || Request.Params["parm2"] == "\"onmouseover=\"alert(0)")

Response.Write( "" ) ,

:""

:HTML: 2-quoted attribute value

:Request.Params["parm2"] = "\">alert(0)"

:Request.Params["cond1"] = "__AI_akhivldp"
Request.Params["cond2"] = "true"

?

// Three request parameters are read from Request.Params (request-controlled input); `parm` is
// base64-decoded, which preserves its taint. NOTE(review): the conditional's arms have different
// types (char[] vs. byte[]) and Encoding.UTF8.GetString expects a byte[], so this fragment would
// not compile verbatim — presumably simplified for the slide.
var name = Request.Params["name"];var key1 = Request.Params["key1"];var parm = Request.Params["parm"];var data = string.IsNullOrEmpty(parm) ? new char[0]: Convert.FromBase64String(parm);

// Sink: the decoded request data reaches Response.Write without output encoding, but only on the
// path where name + "in" == "admin" and key1 == "validkey"; the else-branch writes a constant string.
// Both branch conditions must be modelled for an analyzer to report and qualify this flow.
string str1;if (name + "in" == "admin"){ if (key1 == "validkey") { str1 = Encoding.UTF8.GetString(data); } else { str1 = "Wrong key!"; } Response.Write(str1);}

68

string.IsNullOrEmpty("alert(/XSS/)