Automated Security Analysis

Prepared by:
Oubai Bounie
 Software Security Analysis:
 Build Secure Software Systems
 Focus on Security Throughout The SDLC
 Rely on Software to Help Us Build More Secure Software
 Automated Analysis Tools Reduce The Risk of Human Error.
 Economical Benefit (Automated Analysis Are Cheaper and
Repeatable)

 Applicable Areas
 Automated Verification of Formal Requirements
 Automated Security Analysis of Design/Architecture
 Automated Code Analysis
 Automated Security Testing
 Automated Static Bug Detection
 Network Security Analysis
 Web Security Tools
 Overview
 Formal Methods Are System Design Techniques That Use Rigorously
Specified Mathematical Models To Build Software And Hardware
Systems.
 Help With The Verification Of Software Systems By Performing
Appropriate Mathematical Analysis Which Can Contribute To Increased
Reliability And Robustness .
 Benefits
 Discipline: It Forces Engineers to Be More Specific When Defining Goals
and Specifications.
 Precision: Formal Methods by Nature are Well Defined and Generate
More Precise Specification.
 Weakness
 Expensive: Very Rigorous, Requires Big Investment Upfront.
 Limits of Computational Models: Imposes Intolerable Limitation on
Designs.
 Usability: Good Rigorous Formal Methods Are Harder To Use. Flexible
Formal Methods Have Same Problems as Natural Languages.
 Lightweight Approach
 Only Use Formal Methods When It Add Value
 Use Different Techniques for Different Components (Communication
Protocol, Data, UI, …)
 Use Rapid Prototyping instead For User Interfaces.

 Available Tools & Techniques:

 Larch: LARCH provides two levels of specification. A general high-level
modeling language, and a collection of implementation dialects designed
to work with specific programming languages.

 SML: Standard Meta-Language is a strongly typed functional

programming language originally designed for exploring ideas in type
theory. SML has become the formal methods workhorse because of its
strong typing and provability features.

 HOL: Higher Order Logic is an automated theorem proving system

(computer-aided proof tool)
 Overview
 Static Analysis: Performing Code Analysis Without Actually Executing The Program Built From
The Software.
 Inspect Code Against Various Predefined Coding Standard Violation
 Different Tools Target Different Programming Languages (C++, .NET, JAVA)
 Usually Integrated With The Check-In/Build Process (Quality Gate)

 Examples:
 FxCop: Inspect And Verify Code Compliance With Coding Standard In The Following Areas:
 Correctness
 Internationalization And Localization
 Naming Conventions
 Performance
 Security
 StyleCop: Inspect And Verify Code Compliance With Coding Standard In The Following Areas:
 Documentation
 Layout
 Naming
 Ordering
 Readability
 FindBugs:
 Enforce Correctness And Identify Security Issue
 LGPL-licensed, Java-based Static Analysis Tool
 Overview
 Dynamic Analysis: Performing Code Analysis While Running The
Executable Program.
 Inspect Code At Runtime
 Inspect For Non Fatal Errors & Problems (Different Than Debugging)
 Memory Allocation & Leaks
 Detect Potential Race Conditions and Deadlocks
 Identify Areas of Optimization.
 Execution Performance
 Verify Code Coverage

 Examples:
 Visual Studio Profiler
 IBM Rational Purify
 Intel Thread Checker/Profiler
 Overview:
 Code-based Automated Testing
 Create Coding Test Cases Using Some Test Automation Framework To
Test Public Interfaces/Classes/Methods
 Test Automation Tool Runs Test Cases And Reports Failures.
 GUI Automated Testing
 Code-driven Test Cases Using UI Test Framework
 User Interaction Recording. Record Keyboard and Mouse Events Then
The Test Automation Tool Replay Back To Verify UI Elements and
Expected Results.

 Example:
 NUnit for .NET
 JUnit for Java
 Test Automation FX for Visual Studio
 Abbot for Java
 Selenium: Record/Playback Testing Tool for Web Application
 Overview:
 Automated Penetrating Testing
 Detect Common Web Related Vulnerabilities:
 SQL Injection
 Cross-site Scripting
 Information Disclosure
 Code Execution
 Path Traversal
 Parameter Manipulation
 File Include
 Authentication Bypass
 Black/White Box Testing

 Examples:
 SANS Automated Penetrating Testing
 Core Impact Pro
 Overview:
 Secure And Protect Networking Infrastructures (Exploring and Inventorying)
 Identify Malicious Traffic Patterns
 Detect Threats And Potential Vulnerabilities

 Examples:
 Snort: Network Intrusion Analyzer
 Network Intrusion Prevention And Detection System.
 Rule Driven Configuration.
 Utilize Signature, Protocol, And Anomaly Based Inspection Methods.
 NSAT: Network Security Analysis Tool
 Utility For Network Exploration And Security Auditing
 Detect All Hosts/Services/Ports/Firewalls Available On The Network
 Nessus: Vulnerability Scanner
 High Speed Discovery, Configuration Auditing, Asset Profiling
 Sensitive Data Discovery And Vulnerability Analysis.
 WireShark: Network Traffic Analyzer
 Monitor And Analyze Network Traffic
 Formal Methods, Michael Collins, Carnegie Mellon University.
 Guidelines for Formal Verification Systems, Patrick R. Gallagher,
Jr., National Computer Security Center.
 Improving Software Security with Precise Static and Runtime Ana
lysis
, Benjamin Livshits ,Stanford University.