The First Expert Guide to Static Analysis for Software Security!

Creating secure code requires more than just good intentions. Programmers need to know that their code will be safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine-toothed comb and uncover the kinds of errors that lead directly to security vulnerabilities. Now, there’s a complete guide to static analysis: how it works, how to integrate it into the software development process, and how to make the most of it during security code review. Static analysis experts Brian Chess and Jacob West look at the most common types of security defects that occur today. They illustrate main points using Java and C code examples taken from real-world security incidents, showing how coding errors are exploited, how they could have been prevented, and how static analysis can rapidly uncover similar mistakes. This book is for everyone concerned with building more secure software: developers, security engineers, analysts, and testers.

Coverage includes:
  Why conventional bug-catching often misses security problems
  How static analysis can help programmers get security right
  The critical attributes and algorithms that make or break a static analysis tool
  36 techniques for making static analysis more effective on your code
  More than 70 types of serious security vulnerabilities, with specific solutions
  Example vulnerabilities from Firefox, OpenSSH, MySpace, eTrade, Apache httpd, and many more
  Techniques for handling untrusted input
  Eliminating buffer overflows: tactical and strategic approaches
  Avoiding errors specific to Web applications, Web services, and Ajax
  Security-aware logging, debugging, and error/exception handling
  Creating, maintaining, and sharing secrets and confidential information
  Detailed tutorials that walk you through the static analysis process

“We designed Java so that it could be analyzed statically. This book shows you how to apply advanced static analysis techniques to create more secure, more reliable software.”
–Bill Joy, Co-founder of Sun Microsystems, co-inventor of the Java programming language

“'Secure Programming with Static Analysis' is a great primer on static analysis for security-minded developers and security practitioners. Well-written, easy to read, tells you what you need to know.”
–David Wagner, Associate Professor, University of California Berkeley

“Software developers are the first and best line of defense for the security of their code. This book gives them the security development knowledge and the tools they need in order to eliminate vulnerabilities before they move into the final products that can be exploited.”
–Howard A. Schmidt, Former White House Cyber Security Advisor

BRIAN CHESS is Founder and Chief Scientist of Fortify Software, where his research focuses on practical methods for creating secure systems. He holds a Ph.D. in Computer Engineering from University of California Santa Cruz, where he studied the application of static analysis to finding security-related code defects.

JACOB WEST manages Fortify Software’s Security Research Group, which is responsible for building security knowledge into Fortify’s products. He brings expertise in numerous programming languages, frameworks, and styles together with deep knowledge about how real-world systems fail.

CD contains a working demonstration version of Fortify Software’s Source Code Analysis (SCA) product; extensive Java and C code samples; and the tutorial chapters from the book in PDF format.

Contents at a Glance

Part I: Software Security and Static Analysis 1
  1 The Software Security Problem 3
  2 Introduction to Static Analysis 21
  3 Static Analysis as Part of the Code Review Process 47
  4 Static Analysis Internals 71
Part II: Pervasive Problems 115
  5 Handling Input 117
  6 Buffer Overflow 175
  7 Bride of Buffer Overflow 235
  8 Errors and Exceptions 265
Part III: Features and Flavors 295
  9 Web Applications 297
  10 XML and Web Services 349
  11 Privacy and Secrets 379
  12 Privileged Programs 421
Part IV: Static Analysis in Practice 457
  13 Source Code Analysis Exercises for Java 459
  14 Source Code Analysis Exercises for C 503
Epilogue 541
References 545
Index 559
Table of Contents

Part I: Software Security and Static Analysis 1

1 The Software Security Problem 3
  Defensive Programming Is Not Enough 4
  Security Features != Secure Features 6
  The Quality Fallacy 9
  Static Analysis in the Big Picture 11
  Classifying Vulnerabilities 14
  The Seven Pernicious Kingdoms 15
  Summary 19

2 Introduction to Static Analysis 21
  Capabilities and Limitations of Static Analysis 22
  Solving Problems with Static Analysis 24
  Type Checking 24
  Style Checking 26
  Program Understanding 27
  Program Verification and Property Checking 28
  Bug Finding 32
  Security Review 33
  A Little Theory, a Little Reality 35
  Success Criteria 36
  Analyzing the Source vs. Analyzing Compiled Code 42
  Summary 45

3 Static Analysis as Part of the Code Review Process 47
  Performing a Code Review 48
  The Review Cycle 48
  Steer Clear of the Exploitability Trap 54
  Adding Security Review to an Existing Development Process 56
  Adoption Anxiety 58
  Start Small, Ratchet Up 62
  Static Analysis Metrics 62
  Summary 69

4 Static Analysis Internals 71
  Building a Model 72
  Lexical Analysis 72
  Parsing 73
  Abstract Syntax 74
  Semantic Analysis 76
  Tracking Control Flow 77
  Tracking Dataflow 80
  Taint Propagation 82
  Pointer Aliasing 82
  Analysis Algorithms 83
  Checking Assertions 84
  Naive Local Analysis 85
  Approaches to Local Analysis 89
  Global Analysis 91
  Research Tools 94
  Rules 96
  Rule Formats 97
  Rules for Taint Propagation 101
  Rules in Print 103
  Reporting Results 105
  Grouping and Sorting Results 106
  Eliminating Unwanted Results 108
  Explaining the Significance of the Results 109
  Summary 113

Part II: Pervasive Problems 115

5 Handling Input 117
  What to Validate 119
  Validate All Input 120
  Validate Input from All Sources 121
  Establish Trust Boundaries 130
  How to Validate 132
  Use Strong Input Validation 133
  Avoid Blacklisting 137
  Don't Mistake Usability for Security 142
  Reject Bad Data 143
  Make Good Input Validation the Default 144
  Check Input Length 153
  Bound Numeric Input 157
  Preventing Metacharacter Vulnerabilities 160
  Use Parameterized Requests 161
  Path Manipulation 167
  Command Injection 168
  Log Forging 169
  Summary 172

6 Buffer Overflow 175
  Introduction to Buffer Overflow 176
  Exploiting Buffer Overflow Vulnerabilities 176
  Buffer Allocation Strategies 179
  Tracking Buffer Sizes 186
  Strings 189
  Inherently Dangerous Functions 189
  Bounded String Operations 195
  Common Pitfalls with Bounded Functions 203
  Maintaining the Null Terminator 213
  Character Sets, Representations, and Encodings 218
  Format Strings 224
  Better String Classes and Libraries 229
  Summary 233

7 Bride of Buffer Overflow 235
  Integers 236
  Wrap-Around Errors 236
  Truncation and Sign Extension 239
  Conversion between Signed and Unsigned 241
  Methods to Detect and Prevent Integer Overflow 242
  Runtime Protection 251
  Safer Programming Languages 251
  Safer C Dialects 255
  Dynamic Buffer Overflow Protections 258
  Dynamic Protection Benchmark Results 263
  Summary 263

8 Errors and Exceptions 265
  Handling Errors with Return Codes 266
  Checking Return Values in C 266
  Checking Return Values in Java 269
  Managing Exceptions 271
  Catch Everything at the Top Level 272
  The Vanishing Exception 273
  Catch Only What You're Prepared to Consume 274
  Keep Checked Exceptions in Check 276
  Preventing Resource Leaks 278
  C and C++ 279
  Java 283
  Logging and Debugging 286
  Centralize Logging 286
  Keep Debugging Aids and Back-Door Access Code out of Production 289
  Clean Out Backup Files 292
  Do Not Tolerate Easter Eggs 293
  Summary 294

Part III: Features and Flavors 295

9 Web Applications 297
  Input and Output Validation for the Web 298
  Expect That the Browser Has Been Subverted 299
  Assume That the Browser Is an Open Book 302
  Protect the Browser from Malicious Content 303
  HTTP Considerations 319
  Use POST, Not GET 319
  Request Ordering 322
  Error Handling 322
  Request Provenance 327
  Maintaining Session State 328
  Use Strong Session Identifiers 329
  Enforce a Session Idle Timeout and a Maximum Session Lifetime 331
  Begin a New Session upon Authentication 333
  Using the Struts Framework for Input Validation 336
  Setting Up the Struts Validator 338
  Use the Struts Validator for All Actions 338
  Validate Every Parameter 342
  Maintain the Validation Logic 343
  Summary 346

10 XML and Web Services 349
  Working with XML 350
  Use a Standards-Compliant XML Parser 350
  Turn on Validation 352
  Be Cautious about External References 358
  Keep Control of Document Queries 362
  Using Web Services 366
  Input Validation 366
  WSDL Worries 368
  Over Exposure 369
  New Opportunities for Old Errors 370
  JavaScript Hijacking: A New Frontier 370
  Summary 376

11 Privacy and Secrets 379
  Privacy and Regulation 380
  Identifying Private Information 380
  Handling Private Information 383
  Outbound Passwords 388
  Keep Passwords out of Source Code 389
  Don't Store Clear-Text Passwords 391
  Random Numbers 397
  Generating Random Numbers in Java 398
  Generating Random Numbers in C and C++ 401
  Cryptography 407
  Choose a Good Algorithm 407
  Don't Roll Your Own 409
  Secrets in Memory 412
  Minimize Time Spent Holding Secrets 414
  Share Secrets Sparingly 415
  Erase Secrets Securely 416
  Prevent Unnecessary Duplication of Secrets 418
  Summary 420

12 Privileged Programs 421
  Implications of Privilege 423
  Principle of Least Privilege 423
  This Time We Mean It: Distrust Everything 426
  Managing Privilege 427
  Putting Least Privilege into Practice 427
  Restrict Privilege on the Filesystem 433
  Beware of Unexpected Events 436
  Privilege Escalation Attacks 439
  File Access Race Conditions 440
  Insecure Temporary Files 446
  Command Injection 450
  Standard File Descriptors 452
  Summary 454

Part IV: Static Analysis in Practice 457

13 Source Code Analysis Exercises for Java 459
  Installation 460
  Begin with the End in Mind 461
  Auditing Source Code Manually 469
  Running Fortify SCA 471
  Understanding Raw Analysis Results 472
  Analyzing a Full Application 478
  Tuning Results with Audit Workbench 479
  Auditing One Issue 483
  Performing a Complete Audit 487
  Writing Custom Rules 491
  Answers to Questions in Exercise 13.2 499

14 Source Code Analysis Exercises for C 503
  Installation 504
  Begin with the End in Mind 505
  Auditing Source Code Manually 513
  Running Fortify SCA 514
  Understanding Raw Analysis Results 515
  Analyzing a Full Application 520
  Tuning Results with Audit Workbench 521
  Auditing One Issue 525
  Performing a Complete Audit 529
  Writing Custom Rules 531
  Answers to Questions in Exercise 14.2 537

Epilogue 541
References 545
Index 559