Static & Dynamic Analysis - Auckland … · Static analysis tools inspect programs without executing code; Dynamic analysis tools test programs on input values; Concolic execution

Page 1

STATIC & DYNAMIC ANALYSIS

Lecture 16a

COMPSCI 316 Cyber Security

Muhammad Rizwan Asghar

September 1, 2020

Page 2

FOCUS OF THIS LECTURE

Learn program analysis

Understand static and dynamic analysis

Explain concolic execution

Page 3

PROGRAM ANALYSIS

The process of analysing the behaviour of programs

The main goal is to find problems in code

Program analysis can be performed

– without execution (static analysis)

– during runtime (dynamic analysis)

– by combining both (concolic execution)

Page 4

STATIC ANALYSIS

Analysis without actually executing a program

Static analysis typically discovers properties that hold for all executions

Full coverage of source or binary

Program-centric

A kind of white box testing

Scalable

Accuracy issues

Can be run before dynamic analysis

Page 5

DYNAMIC ANALYSIS

Analysis made by running a program

Exposes vulnerabilities in the deployment environment

Difficult to generate and test all possibilities

Limited coverage

More accurate

Input-centric

A kind of black box testing

Can be run after static analysis

Page 6

CONTROL FLOW ANALYSIS

It is typically a static analysis technique for determining the control flow of a program

– Note that static analysis might be insufficient if a program loads code dynamically

The control flow is expressed as a Control Flow Graph (CFG)

Page 7

DATA FLOW ANALYSIS

A technique for gathering information about the possible set of values at specific points

A CFG is used to determine those values

A simple way is to set up data flow equations

Page 8

PROGRAM SLICING

Reducing the program to the minimum form that still produces the selected behaviour

The reduced program is called a Slice

Generally, finding a slice is an unsolvable problem

It is possible to obtain approximate slices using a data flow algorithm

Used by developers during debugging to locate the source of errors

Page 9

SYMBOLIC EXECUTION

Executing the program with symbolic-valued input

A static analysis technique

A path condition covers all inputs necessary to follow the path

Program paths form an execution tree

Page 10

C PROGRAM WITH CFG

#define ERROR 1   /* assumed: the slide uses ERROR without defining it */
#define OK 0

int test(int x, int y)   /* the slide declares this void; an int return is needed for `return ERROR;` */
{
    if (x == 10)
    {
        if (x < 2*y) {
            return ERROR;   /* reached only on the path x == 10, x < 2*y */
        }
    }
    return OK;
}

Static analysis returns path conditions

However, no information about actual behaviour

[CFG figure: the first `if` node (x == 10) has two out-edges, x≠10 (y=*, i.e. any y) and x=10. The second `if` node (x < 2*y), reached only via x=10, has out-edges x ≥ 2*y (path condition x=10, y≤5) and x < 2*y (path condition x=10, y>5), the latter leading to return ERROR.]

Page 11

C PROGRAM WITH CFG:

ISSUE WITH DYNAMIC ANALYSIS

(The same test(x, y) program as on page 10.)

Dynamic analysis can be useful

However, there are too many options for x and y

[CFG figure, as on page 10: x≠10 (y=*) and x=10 out of the first `if`; x ≥ 2*y (x=10, y≤5) and x < 2*y (x=10, y>5) out of the second `if`. Each edge is a region of the (x, y) input space that a dynamic analysis has to hit with concrete inputs.]

Page 12

CONCOLIC EXECUTION

Concolic = Concrete + Symbolic

Concrete execution

– A program takes one path based on input values

– A form of dynamic analysis

Also called dynamic symbolic execution

Used for analysing complex programs

Page 13

C PROGRAM WITH CFG:

CONCOLIC EXECUTION START

(The same test(x, y) program as on page 10.)

Choose x=0 and y=0

Get the trace

[CFG figure with the concrete run highlighted: with x=0, y=0 the first `if` takes the x≠10 edge, so the trace consists of the single path condition x≠10. The x=10 edge and, below it, the x ≥ 2*y (y≤5) and x < 2*y (y>5) edges are still unexplored.]

Page 14

C PROGRAM WITH CFG:

CONCOLIC EXECUTION CONTINUE

(The same test(x, y) program as on page 10.)

Negate the last path condition

Choose x=10 and y=0

[CFG figure: the negated condition x=10 is satisfied by the concrete input x=10, y=0, which then takes the x ≥ 2*y edge at the second `if` (trace: x=10, x ≥ 2*y). The x≠10 edge was covered by the earlier run x=0, y=0; the x < 2*y edge (y>5) is still unexplored.]

Page 15

C PROGRAM WITH CFG:

CONCOLIC EXECUTION END

(The same test(x, y) program as on page 10.)

Negate the last path condition

Choose x=10 and y=6

[CFG figure: negating x ≥ 2*y gives the path condition x=10, x < 2*y, satisfied by x=10, y=6, which reaches return ERROR. The other edges, x≠10 (run x=0, y=0) and x ≥ 2*y (run x=10, y=0), were covered by the earlier runs, so every path of the CFG has now been executed.]

Page 16

SAMPLE QUESTION

Which one of the following best describes

Concolic Execution?

a) It is static analysis

b) It is dynamic analysis

c) Static analysis followed by dynamic analysis

d) Dynamic analysis followed by static analysis

Page 17

SAMPLE QUESTION: ANSWER

Which one of the following best describes

Concolic Execution?

a) It is static analysis

b) It is dynamic analysis

c) Static analysis followed by dynamic analysis

d) Dynamic analysis followed by static analysis

Answer) c

Page 18

SUMMARY

Static analysis tools inspect programs without executing code

Dynamic analysis tools test programs on input values

Concolic execution combines static analysis followed by dynamic analysis

In our examples, we did not consider integer overflow for the sake of simplicity

– Integer overflow can affect the analysis!
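The integer-overflow caveat, as an added example that is not part of the lecture: the path condition x=10, y>5 derived for the ERROR branch assumes unbounded integers, whereas the C program computes 2*y in a 32-bit int. `wrap32` models the machine arithmetic so the two views can be compared on constructed inputs; it assumes two's-complement wraparound, while in C signed overflow is formally undefined behaviour, so a compiler may do something else again.

```python
INT32_MIN, INT32_MAX = -2**31, 2**31 - 1

def wrap32(v):
    """Reduce an unbounded Python int to a 32-bit two's-complement value,
    i.e. what a wrapping CPU leaves in a signed int after overflow."""
    return (v + 2**31) % 2**32 - 2**31

def reaches_error_math(x, y):
    """Path condition from the symbolic analysis on the slides, read over
    unbounded integers: ERROR is reached iff x == 10 and x < 2*y."""
    return x == 10 and x < 2 * y

def reaches_error_int32(x, y):
    """The same program with C-style 32-bit arithmetic for 2*y
    (assumes wraparound; signed overflow is undefined behaviour in C)."""
    return x == 10 and x < wrap32(2 * y)

def overflow_disagreements(x, ys):
    """Values of y for which the idealised path condition and the 32-bit
    program disagree about whether ERROR is reached."""
    return [y for y in ys if reaches_error_math(x, y) != reaches_error_int32(x, y)]

# Constructed sample inputs: around the y>5 boundary and around the overflow boundary
SAMPLE_YS = [0, 5, 6, 2**30 - 1, 2**30, INT32_MAX]
```

For y = 2**30 the product 2*y wraps to INT32_MIN, so the real program never returns ERROR even though y>5 holds; an analysis that models integers mathematically reports the path as feasible for every y>5.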

Page 19

RESOURCES

OWASP Source Code Analysis Tools, https://www.owasp.org/index.php/Source_Code_Analysis_Tools

Analysis Tools, https://appsecwiki.com/#/mobilesecurity

Cadar, Cristian, and Koushik Sen, Symbolic Execution for Software Testing: Three Decades Later, Commun. ACM 56, no. 2 (2013): 82-90, available at: https://cacm.acm.org/magazines/2013/2/160161-symbolic-execution-for-software-testing/fulltext or http://people.eecs.berkeley.edu/~raluca/cs261-f15/readings/symb.pdf

Page 20

Questions?

Thanks for your attention!