Sound Static Analysis: 5-point seat belts for your code · 2018-07-02
Sound Static Analysis: 5-point seat belts for your code
Paul E. Black, paul.black@nist.gov
Certain trade names and company products are mentioned. Such identification does not imply recommendation or endorsement by the National Institute of Standards and Technology (NIST) nor that the products are necessarily the best available.
27 June 2018
28 June 2018 Paul E. Black
What is NIST?
- U.S. National Institute of Standards and Technology
- A non-regulatory agency in the Dept. of Commerce
- 3,000 employees + adjuncts
- Gaithersburg, Maryland and Boulder, Colorado
- Primarily research, not funding
- Over 100 years in standards and measurements: from dental ceramics to microspheres, from quantum computers to fire codes, from body armor to DNA forensics, from biometrics to text retrieval
Who Cares About Good Software?
- The White House Office of Science and Technology Policy (OSTP) asked NIST to compile a list of approaches to dramatically reduce software vulnerabilities.
What DRSV (Dramatically Reducing Software Vulnerabilities) Covers
- Vulnerabilities
- New and existing code
- Approaches in 5 areas that may have dramatic impact in three to seven years
- Other topics:
  - Software measures
  - Education, contracts, and other non-technical matters
2.1 Formal Methods
- Assertions, Pre- and Postconditions, Invariants, Aspects, and Contracts
- Correct-by-Construction & Model-Based
- Directory of Verified Tools and Code
- Cyber Retrofitting
- Sound Static Analysis
- Model Checkers, SAT Solvers, and Other "Light Weight" Decision Algorithms
Cyber Retrofitting
- Can't rework all existing code.
- Instead, identify key components.
- One approach is to recompile with built-in hardening.
Model Checkers, SAT Solvers, etc.

Formula handed to the solver (elided on the slide):

  ((a ∧ b ∧ d) ∨ (g ∧ f ∧ d) ∨ … ∨ (k ∧ m ∧ q))

  → SAT Solver →

  Attack path: a → g → f → q
I will return to formal methods and sound static analysis later. For now, on with DRSV …
2.2 System Level Security
- Containers
- Microservices
2.3 Additive Software Analysis
- Software Information Exchange Standards
- Tool Analysis Exchange Framework
- Strategy and Technology to Combine Analysis
2.4 Domain-Specific Software Development Frameworks
- Finding and Learning New Frameworks
- Resolving Dependencies, Conflicts, and Incompatibilities
- Rapid Framework Adoption
- Advanced Test Methods
2.5 Moving Target Defenses and Automatic Software Diversity
- Compile-Time Techniques
- System or Network Techniques
Section 3. Measures & Metrics
- Deals with the software product, not the process
- Four dimensions of software measures:
  - Level, e.g. high or low
  - Static or dynamic
  - Point of view: exterior (black box) or interior
  - Property: bugginess, quality, correctness
- In the "Metric System", counted quantities are all dimensionless.
Quote DRSV to support the use of formal methods:
- "The absence of flaws does not indicate the presence of excellence." Sect. 3, page 30
- "While previously deemed too time-consuming, formal methods have become mainstream in many behind-the-scenes applications and show significant promise for both building better software and for supporting better testing." Sect. 4.4, page 43
What are Formal Methods?
Romans and medieval Europeans built great structures,
… but expertise passed haphazardly from master to apprentice.
- Formal Methods are "techniques based on mathematical foundations and analysis."†
  - Program model,
  - Specifications, and
  - Rules to analyze their relations.
- Chief benefit: 100% coverage of the design space
- Chief drawback: difficulty building models and reasoning

† Black, Hall, Jones, Larson, and Windley, "A Brief Introduction to Formal Methods," IEEE CICC 96, pp. 377-380
The Specification
- Unambiguous statements of desired behaviors, properties, etc.
- May be comprehensive or may be just a few critical requirements
- Choose the level of abstraction
Use Assertions, Pre- and Post-conditions, Invariants, etc.
- Programmers think the software is right: write down why!
- Disadvantage (?): It takes extra thought to express exactly what is happening.
- Benefits:
  - Generate tests automatically
  - Detect faults earlier
  - Enable proofs
  - Stay consistent with code
Ariane 5: A Striking Example
- 1996 first flight of Ariane 5 failed.
- If the code had a precondition, "Any team worth its salt would have checked … [preconditions, which] would have immediately revealed that the Ariane 5 calling software did not meet the expectation of the Ariane 4 routines that it called."
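The two slides above (write the assumption down; the Ariane 5 conversion) as an added example in Python, not code from the talk and not the Ariane software: a `contract` decorator that checks a precondition before a call and a postcondition after it, applied to a 64-bit-float-to-16-bit-integer conversion of the kind the Ariane 5 failure involved. The names (`contract`, `fits_int16`, `nearest_int16`, `to_int16`, `probe`, `check_boundaries`) and the rounding contract are this example's own assumptions. It shows the slide's first two benefits: boundary tests derived from the stated precondition, and a postcondition that catches a wrong implementation at the call that breaks it.

```python
"""Executable pre- and postconditions, applied to a float-to-int16 conversion (constructed example)."""
import functools
import math
from typing import Callable, Dict, List, Optional

INT16_MIN, INT16_MAX = -32768, 32767


class ContractViolation(AssertionError):
    """A precondition (the caller's fault) or a postcondition (the callee's fault) failed."""


def contract(pre: Optional[Callable[..., bool]] = None,
             post: Optional[Callable[..., bool]] = None):
    """Decorator: check `pre(*args)` before the call and `post(result, *args)` after it.

    Writing the assumption down is what lets a reviewer, a test generator or a prover see
    that a caller hands over values the callee never promised to handle.
    """
    def wrap(fn):
        @functools.wraps(fn)
        def checked(*args, **kwargs):
            if pre is not None and not pre(*args, **kwargs):
                raise ContractViolation(f"precondition of {fn.__name__} violated: args={args}")
            result = fn(*args, **kwargs)
            if post is not None and not post(result, *args, **kwargs):
                raise ContractViolation(f"postcondition of {fn.__name__} violated: result={result!r}")
            return result
        return checked
    return wrap


def fits_int16(x: float) -> bool:
    """The unstated assumption of a 64-bit float -> 16-bit integer conversion, made explicit."""
    return math.isfinite(x) and INT16_MIN <= round(x) <= INT16_MAX


def nearest_int16(r: int, x: float) -> bool:
    """Postcondition: the result is a 16-bit value within half a unit of the input."""
    return INT16_MIN <= r <= INT16_MAX and abs(r - x) <= 0.5


@contract(pre=fits_int16, post=nearest_int16)
def to_int16(x: float) -> int:
    """Round a double to the nearest 16-bit signed integer."""
    return round(x)


@contract(pre=fits_int16, post=nearest_int16)
def to_int16_truncating(x: float) -> int:
    """Same contract, wrong body (truncation instead of rounding): the postcondition catches it."""
    return int(x)


def probe(fn: Callable[[float], int], x: float) -> str:
    """Classify one call as 'ok', 'precondition' (bad caller) or 'postcondition' (bad callee)."""
    try:
        fn(x)
    except ContractViolation as exc:
        return "precondition" if str(exc).startswith("precondition") else "postcondition"
    return "ok"


def boundary_cases(lo: int, hi: int) -> List[float]:
    """Tests derived from the precondition's range: just outside, just inside, and on each bound."""
    return [lo - 1.0, lo - 0.4, float(lo), float(hi), hi + 0.4, hi + 1.0]


def check_boundaries(fn: Callable[[float], int]) -> Dict[float, str]:
    """Run the generated boundary cases and record how the contract classifies each one."""
    return {x: probe(fn, x) for x in boundary_cases(INT16_MIN, INT16_MAX)}
```

`probe(to_int16, 40000.0)` reports a precondition violation at the call site, which is the point of the Ariane quote: the blame lands on the caller that passed a value outside the callee's stated domain, before anything downstream consumes a wrong result. `probe(to_int16_truncating, 2.7)` reports a postcondition violation instead, so the same contract also locates a bug inside the callee. Checks like these cost a comparison per call; in a hot path they can be compiled out once a prover has discharged them.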
Reasoning & Rules for Analysis
- Some methods ("logics") are
  - model checking
  - theorem proving
  - equivalence checking
  - stress analysis
- Some methods are automatic.
- Other methods are interactive.
Use Formal Methods Wisely
- Be sure that assumptions, limitations, and sensitivities are justified.
- Remember: it does not answer questions you don't ask.
How Do I Get Good Software?

(figure: Assurance in the Software, built on Construction, Analysis, and Resilient Execution)
Construction
- Code should be analyzable.
- Limits: the Halting Problem, Rice's Theorem
- Good tools are vital to safely use languages.
Two Approaches to Analysis: Static and Dynamic

Static Analysis
- Code review
- Binary, byte, or source code scanners
- Model checkers & property proofs
- Assurance case

Dynamic Analysis
- Execute code
- Simulate design
- Fuzzing, coverage, MC/DC, use cases
- Penetration testing
- Field tests
Static and Dynamic Analysis Complement Each Other

Static Analysis
- Handles unfinished code
- Higher level artifacts
- Can find backdoors, e.g., full access for user name "JoshuaCaleb"
- Potentially complete

Dynamic Analysis
- Code not needed, e.g., embedded systems
- Has few(er) assumptions
- Covers end-to-end or system tests
- Assess as-installed
Dimensions of Analysis

(figure: three axes of analysis)
- Level of rigor: Syntactic, Heuristic, Analytic, Formal
- Properties: General (implicit) or Application (explicit)
- Subject: Design, Source, Byte code, Binary
Different Static Analyzers Exist For Different Purposes
- To check for intellectual property violations
- For developers to decide what needs to be fixed (and learn better practices)
- For auditors or reviewers to decide if it is good enough for use
What do I Mean by "Sound"?
- Based on mathematical concepts; amenable to provable reasoning; yielding guaranteed results.
- "A deductive system is sound if and only if every statement that can be deduced is true." [Ockham]
Sound Does Not Mean Perfect

```java
// Guarded division: the programmer rejects zero before dividing.
float data = Float.parseFloat(stringNumber.trim());
if (Math.abs(data) > 0) {
    int result = (int)(100.0 / data);
    IO.writeLine(result);
}
```

The slide annotates `data` with the interval [MIN_VALUE, MAX_VALUE] at both marked points: the guard `Math.abs(data) > 0` does not narrow the interval the analyzer tracks, so a sound tool must still report what it cannot rule out.
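An added example, not from the slides, of why the guard cannot narrow the analyzer's value: a toy interval domain in Python (the `Interval` class, `exclude_point`, `assume_abs_gt_zero`, `assume_gt`, `analyze_division` and `run_snippet` are this example's own). An interval has no holes, so `Math.abs(data) > 0` removes 0 only when 0 is an endpoint; on the full range the abstract value is unchanged and the sound rule ("warn unless the divisor is proved non-zero") fires, a false positive that the concrete semantics never exercises. With a guard such as `data > 1` the same domain proves the division safe, which locates the imprecision in the abstraction, not in soundness.

```python
"""Toy interval abstract interpretation of the divide-by-zero snippet (constructed example)."""
import math
import sys
from dataclasses import dataclass
from typing import Callable, Optional

# The slide's [MIN_VALUE, MAX_VALUE], read as the full range of finite floating-point values.
MIN_VALUE = -sys.float_info.max
MAX_VALUE = sys.float_info.max


@dataclass(frozen=True)
class Interval:
    """Abstract value: every concrete value of the variable lies in [lo, hi]."""
    lo: float
    hi: float

    def is_empty(self) -> bool:
        return self.lo > self.hi

    def contains(self, x: float) -> bool:
        return self.lo <= x <= self.hi


EMPTY = Interval(math.inf, -math.inf)


def exclude_point(iv: Interval, p: float) -> Interval:
    """Remove the single value p from iv when the domain can express that.

    An interval has no holes: p can be dropped only when it is an endpoint. An interior p
    stays in the over-approximation, and that is exactly where the precision is lost.
    """
    if iv.is_empty() or not iv.contains(p):
        return iv
    if iv.lo == iv.hi == p:
        return EMPTY
    if iv.lo == p:
        return Interval(math.nextafter(p, math.inf), iv.hi)
    if iv.hi == p:
        return Interval(iv.lo, math.nextafter(p, -math.inf))
    return iv


def assume_abs_gt_zero(iv: Interval) -> Interval:
    """Transformer for the guard `Math.abs(data) > 0`: the only value it rules out is zero."""
    return exclude_point(iv, 0.0)


def assume_gt(c: float) -> Callable[[Interval], Interval]:
    """Transformer for a guard `data > c`, which the interval domain represents exactly."""
    def refine(iv: Interval) -> Interval:
        lo = max(iv.lo, math.nextafter(c, math.inf))
        return EMPTY if lo > iv.hi else Interval(lo, iv.hi)
    return refine


def analyze_division(data: Interval, guard: Callable[[Interval], Interval]) -> dict:
    """Abstractly run `if (guard) { 100.0 / data }`.

    Sound rule: report a possible divide-by-zero unless the abstract divisor excludes 0.
    """
    inside = guard(data)
    warn = (not inside.is_empty()) and inside.contains(0.0)
    return {"inside_guard": inside, "warn_div_by_zero": warn}


def run_snippet(string_number: str) -> Optional[float]:
    """Concrete semantics of the Java snippet (the int cast is left out); never divides by 0."""
    data = float(string_number.strip())
    if abs(data) > 0:
        return 100.0 / data
    return None
```

On the full range, `analyze_division(Interval(MIN_VALUE, MAX_VALUE), assume_abs_gt_zero)` hands back the same interval and warns, while `assume_gt(1.0)` yields an interval starting just above 1 and no warning. Real analyzers recover some of this precision with richer domains (a "non-zero" predicate, disjunctions of intervals, or path-sensitive splitting of the guard), at a cost in time and memory; the soundness argument is the same in every case.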
Sound Static Analysis
- Guarantee that no bug escapes.

(figure: Program)
Sound Static Analysis

(photo, used by permission 2018 Emma Gilmour, Gilmour Motors)
"The best way to prevent BOF is to reduce the use of C."

— A colleague and me, just a year and a half ago
Higher-Level Languages
- Correct-by-construction
  - Model-based development
  - Design by refinement
  - Domain-specific languages
- Developer rarely touches low-level code.
- May generate test suites, UI with help, etc.
- Systematic concerns can be built in.
- Disadvantages: requires huge effort to design, build, and prove language suites.
Society has 3 options:
- Accept failing software
- Limit the size or authority of software
- Learn how to make software that works
Buckle Up, Buttercup

(photo, used by permission Emma Gilmour, Gilmour Motors 2018)