Download presentation
Presentation is loading. Please wait.
1
ソースコードセキュリティを 自動的に向上させる方法 Ben Chelf CTO
2
Coverity Confidential: Do not distribute
10,000 フィートビュー マジック静的アナライザボックス データフロー分析、ポインタエイリアス分析、抽象的解釈、モデルチェック、フローセンシティブ、フローインセンシティブ、コンテキストセンシティブ、コンテキストインセンシティブ、インタープロシージュラル、イントラプロシージュラル、制限の解除 PHP Code セキュリティの 脆弱性 C Code Java Code C++ Code Coverity Confidential: Do not distribute
3
Coverity Confidential: Do not distribute
着目点 - What to look for? { strcpy(dest, src); } Coverity Confidential: Do not distribute
4
Coverity Confidential: Do not distribute
着目点 - What to look for? { char src[100]; char dest[50]; strcpy(dest, src); } Coverity Confidential: Do not distribute
5
Coverity Confidential: Do not distribute
着目点 - What to look for? { char src[50]; char dest[50]; strcpy(dest, src); } Coverity Confidential: Do not distribute
6
Coverity Confidential: Do not distribute
着目点 - What to look for? { char src[50]; char dest[50]; src[sizeof(dest) – 1] = 0; strcpy(dest, src); } Coverity Confidential: Do not distribute
7
システム構築ライフサイクル早期において問題発見
スタティック分析ツールの有用性 ソフトウェア開発プロセス デザイン コーディング インテグレート QA リリース Static Analysis 有用な点 システム構築ライフサイクル早期において問題発見 テストケースの必要が無い コードの行を指し示す 規則正しい動作 バグ What is Static Analysis Fits seamlessly in early part of SDLC Works on the source code You may have heard of Lint Benefits of Static Analysis Systematic Early detection in SDLC is cheaper No test cases are required Points to the root cause of the problem so faster to fix a reported bug Find Bugs as you are coding: Ideal Technology?? No, problems with most static analysis tools Hard to integrate – some solutions require weeks of integration time Requires lots of configuration to get right – spend a lot of time configuring and tuning the system to get it to work right Results were poor. - The more sophisticated the analysis, the more intractable the performance became. Scalability – can’t do a sophisticated analysis without exponential explosion in calculation time Coverage (paths) – have to usually compromise on coverage to get scalability False positives – analysis not smart enough to deal with different types of code Points to warnings or potential problems rather than bugs What’s the result: With other static analysis tools, quality of results don’t justify investment SHELFWARE. Or you need an army of developers to get the tool to work and to continue its use in your company. セキュリティの 脆弱性 Coverity Confidential: Do not distribute
8
リサーチテクニック (not exhaustive)
Shankar, Talwar, Foster, Wagner (2001) Coverity Confidential: Do not distribute
9
リサーチテクニック (not exhaustive)
Shankar, Talwar, Foster, Wagner (2001) Ashcraft, Engler (2002) Coverity Confidential: Do not distribute
10
リサーチテクニック (not exhaustive)
Shankar, Talwar, Foster, Wagner (2001) Ashcraft, Engler (2002) Yang, Kremenek, Xie, Engler (2003) Coverity Confidential: Do not distribute
11
リサーチテクニック (not exhaustive)
Shankar, Talwar, Foster, Wagner (2001) Ashcraft, Engler (2002) Yang, Kremenek, Xie, Engler (2003) Huang, Yu, Hang, Tsai, Lee (2004) Coverity Confidential: Do not distribute
12
リサーチテクニック (not exhaustive)
Shankar, Talwar, Foster, Wagner (2001) Ashcraft, Engler (2002) Yang, Kremenek, Xie, Engler (2003) Huang, Yu, Hang, Tsai, Lee (2004) Livshits and Lam (2005) Coverity Confidential: Do not distribute
13
リサーチテクニック (not exhaustive)
Shankar, Talwar, Foster, Wagner (2001) Ashcraft, Engler (2002) Yang, Kremenek, Xie, Engler (2003) Huang, Yu, Hang, Tsai, Lee (2004) Livshits and Lam (2005) Xie and Aiken (2006) Coverity Confidential: Do not distribute
14
リサーチテクニック (not exhaustive)
Shankar, Talwar, Foster, Wagner (2001) Ashcraft, Engler (2002) Yang, Kremenek, Xie, Engler (2003) Huang, Yu, Hang, Tsai, Lee (2004) Livshits and Lam (2005) Xie and Aiken (2006) Jovanovic, Kuregel, Kirda (2006) Coverity Confidential: Do not distribute
15
リサーチテクニック (not exhaustive)
Shankar, Talwar, Foster, Wagner (2001) Ashcraft, Engler (2002) Yang, Kremenek, Xie, Engler (2003) Huang, Yu, Hang, Tsai, Lee (2004) Livshits and Lam (2005) Xie and Aiken (2006) Jovanovic, Kuregel, Kirda (2006) …他多数 Coverity Confidential: Do not distribute
16
Coverity Confidential: Do not distribute
実世界で活用する システムの構築 コード解析 分析時間 コードの構成 ノイズと誤検出 何を報告するか 結果の再確認 PHP Code C Code Java Code C++ Code Coverity Confidential: Do not distribute
17
Coverity Confidential: Do not distribute
邪悪なテトリス /* * Set times to 0 except for * high score on each level. */ for (i = MINLEVEL; i < NLEVELS; i++) levelfound[i] = 0; for (i = 0, sp = scores; i < nscores; i++, sp++) { if (levelfound[sp->hs_level]) sp->hs_time = 0; else { sp->hs_time = 1; levelfound[sp->hs_level] = 1; } } Game over indeed Coverity Confidential: Do not distribute
18
Coverity Confidential: Do not distribute
Do you use X? if (getuid() != 0 && geteuid == 0) { ErrorF(“only root”); exit(1); } 括弧が無い場合、コードはlibc内のgeteuidファンクションが、Address 0以外のところに読み込まれたかをチェックし(ほぼそうなるとと確証するが)全ユーザーに対しリスクの高いオプションを許可することが安全だと報告する為、セキュリティホールが生みだされる。 - Alan Coopersmith, Sun Developer Coverity Confidential: Do not distribute
Similar presentations
© 2024 slidesplayer.net Inc.
All rights reserved.