Making Your Own Static Analyzer Using Freud DSL. Marat Vyshegorodtsev
![Page 1: Making Your Own Static Analyzer Using Freud DSL. Marat Vyshegorodtsev](https://reader033.vdocuments.site/reader033/viewer/2022052621/5589307cd8b42a3e608b4678/html5/thumbnails/1.jpg)
The power of development-driven security testing
Marat Vyshegorodtsev
System Security Office, Rakuten, Inc.
https://global.rakuten.com
About Rakuten
World coverage
E-commerce in 14 countries and regions
All services and businesses in 27 countries
[Figure: investment timeline, 2005 to 2014]
Bio & Disclaimer
Technical Program Manager, “Group Core Services” at Rakuten
University of Tokyo graduate
Member of the world-famous CTF team “More Smoked Leet Chicken”
The Russian hacker of Japan :-)
I’m not a Java developer. In fact, I’m not a developer at all.
Security & Quality Assurance• Regular QA tests cover “intended” functionality
• Security QA tests try to find all other unintended behavior
QA is hard, Security QA is harder
Main reasons why security tests are hard:
1. Big scope: number of methods times number of tests
2. Hard to hook in
3. Halting problem
Halting problem in one slide
It is impossible to determine whether a program will halt or not on a given input
Hence, it is impossible to perform all possible security tests
Give it up.
xkcd.com/1266
Problem 1: Traversing the code
Given: a service that has 70,000+ lines of code, a build system, and some tests
Find:
• All classes and their methods that use unsafe or deprecated calls
• Classes that must implement certain methods, but didn’t
• Classes that call certain dangerous APIs to fuzz them later
Freud — a framework for writing static analysis tests
LMAX-Exchange/freud
Freud
• Enables iteration over source code and byte code files’ contents
• Supports custom hamcrest matchers to write rules
• Implements DSL-like syntax for writing tests with JUnit or Groovy
Unsafe and deprecated calls
Ban all direct input/output through files:

```java
@Test
public void noDirectFileInput() throws Exception {
    // fail on any import declaration that pulls in java.io.File
    Freud.iterateOver(ImportDeclaration.class)
        .assertThat(no(importDeclarationPathAsString(), containsString("java.io.File")))
        .analyse(listener);
}
```
Mandatory implementation

```java
@RolesAllowed("Administrator")
public void setNewRate(int rate) {
    ...
}
```
Mandatory implementation

```java
Freud.iterateOver(CodeBlock.class)
    .forEach(method(publicMethod()))
    .assertThat(hasDeclaredAnnotation("RolesAllowed"))
    .in(codeBlocksWithin(methodDeclarationsWithin(classDeclarationsWithin(javaSourceOf(asList(
        // list of class files URLs here
    ))))))
    .analyse(listener);
```
Finding bad apples

```java
Freud.iterateOver(CodeBlock.class)
    .forEach(method(hasMethodCall("Session.createSQLQuery")))
    // find out who calls unsafe APIs and try to fuzz it
```
Fuzzing

```java
// this.function is an iterator for forEach; the fuzzer is created once
// and each call to next() feeds one more fuzz value into the function
private final Fuzzer fuzzer = fuzzDB.createFuzzer("031-B16-HEX", 4);

public boolean hasNext() {
    return fuzzer.hasNext();
}

public T next() {
    return function(fuzzer.next());
}
```
Problem 2: Going deep
Given:
• A big application with full code coverage
• No security checks implemented
Find:
• A certain method is called with a certain parameter
• Some parameters should never be passed to a method
Power of mocking with PowerMock
PowerMock is a custom class loader and bytecode manipulator that makes it possible to mock static methods
It extends Mockito and JUnit perfectly
Deprecating MD5
Problem: MessageDigest.getInstance("MD5") must not be used
Solution: let’s just grep for the string getInstance("MD5")!

But… remember the halting problem?
MessageDigest.getInstance(Config.getConfiguredHashAlgorithm())
↑ is it MD5?
```java
@RunWith(PowerMockRunner.class)
@PrepareForTest({MyClass.class, MessageDigest.class})
public class md5Test extends PowerMockTestCase {

    @Test
    public void testDoHash() throws Exception {
        PowerMockito.mockStatic(MessageDigest.class);
        // any code path that asks for MD5 now gets null instead of a digest
        when(MessageDigest.getInstance("MD5")).thenReturn(null);
        PowerMockito.verifyStatic();
        assertEquals("acbd18db4cc2f85cedef654fccc4a4d8", MyClass.doHash("foo"));
    }
}
```
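A sturdier form of the same check, added here as an example and not taken from the slides: instead of stubbing the literal "MD5" lookup, it spies on MessageDigest so real lookups still happen, runs the production path, and then asserts that no lookup resolved to MD5, which also catches the Config.getConfiguredHashAlgorithm() case above. It assumes PowerMock 1.x with Mockito (the no-argument verifyStatic form used on the slides) and the slides' static MyClass.doHash.

```java
import static org.mockito.Mockito.never;
import static org.powermock.api.mockito.PowerMockito.spy;
import static org.powermock.api.mockito.PowerMockito.verifyStatic;

import java.security.MessageDigest;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.powermock.core.classloader.annotations.PrepareForTest;
import org.powermock.modules.junit4.PowerMockRunner;

@RunWith(PowerMockRunner.class)
@PrepareForTest({MyClass.class, MessageDigest.class})
public class NoMd5Test {

    @Test
    public void doHashNeverResolvesToMd5() throws Exception {
        // spy, not mockStatic: every getInstance() call still reaches the real
        // JCA provider, so the production code runs exactly as it would in prod...
        spy(MessageDigest.class);

        // ...including reading the algorithm name from configuration at runtime
        // (MyClass.doHash is the slides' method under test)
        MyClass.doHash("foo");

        // ...and the test fails if that name ever turned out to be "MD5",
        // whether it was a literal or came from Config.getConfiguredHashAlgorithm()
        verifyStatic(never());
        MessageDigest.getInstance("MD5");
    }
}
```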
PowerMock + Hamcrest
• Problem: check that the Log function never accepts credit-card-number-looking strings, given that a developer wrote a test that triggers this behavior
• Solution: mock the Log class and, when its functions are called, check that no argument matches a 16-digit string (argThat, as an easy example)
```java
@RunWith(PowerMockRunner.class)
@PrepareForTest({MyClass.class, Log.class})
public class logTest extends PowerMockTestCase {

    @Test
    public void testSomeFunction() throws Exception {
        PowerMockito.mockStatic(Log.class);
        // a custom ArgumentMatcher must be wrapped in argThat() to take part in stubbing
        when(Log.i(argThat(new IsCreditCard()))).thenReturn(null);
        PowerMockito.verifyStatic();
        // continue test
    }
}
```
```java
import java.util.regex.Pattern;
import org.mockito.ArgumentMatcher;

class IsCreditCard extends ArgumentMatcher<String> {
    private static final Pattern PAN = Pattern.compile("[0-9]{16}");

    @Override
    public boolean matches(Object message) {
        // flag any log message that carries a run of 16 digits
        return message instanceof String && PAN.matcher((String) message).find();
    }
}
```
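An added example (not from the slides) that turns the sketch above into a test that actually fails when a card number is logged: a Luhn-checked matcher replaces the bare 16-digit regex to cut false positives from order ids and timestamps, and verifyStatic(never()) replaces the when(...) stub. It assumes PowerMock 1.x with Mockito 1.x (ArgumentMatcher as an abstract class), the slides' single-argument Log.i and MyClass, and a hypothetical MyClass.someFunction entry point.

```java
import static org.mockito.Matchers.argThat;
import static org.mockito.Mockito.never;
import static org.powermock.api.mockito.PowerMockito.mockStatic;
import static org.powermock.api.mockito.PowerMockito.verifyStatic;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.ArgumentMatcher;
import org.powermock.core.classloader.annotations.PrepareForTest;
import org.powermock.modules.junit4.PowerMockRunner;

// Matches a message containing a 13-19 digit run (spaces/dashes allowed) that also passes Luhn
class ContainsCardNumber extends ArgumentMatcher<String> {
    private static final Pattern CANDIDATE = Pattern.compile("(?<!\\d)(?:\\d[ -]?){12,18}\\d(?!\\d)");

    @Override
    public boolean matches(Object argument) {
        if (!(argument instanceof String)) return false;
        Matcher m = CANDIDATE.matcher((String) argument);
        while (m.find()) {
            if (luhnValid(m.group().replaceAll("[ -]", ""))) return true;
        }
        return false;
    }

    static boolean luhnValid(String digits) {
        int sum = 0;
        boolean doubleIt = false;
        for (int i = digits.length() - 1; i >= 0; i--) {
            int d = digits.charAt(i) - '0';
            if (doubleIt) { d *= 2; if (d > 9) d -= 9; }
            sum += d;
            doubleIt = !doubleIt;
        }
        return sum % 10 == 0;
    }
}

@RunWith(PowerMockRunner.class)
@PrepareForTest({MyClass.class, Log.class})
public class LogTest {
    @Test
    public void someFunctionNeverLogsCardNumbers() throws Exception {
        mockStatic(Log.class);
        MyClass.someFunction("4111 1111 1111 1111"); // hypothetical entry point under test
        // fails the test if any Log.i call carried something that looks like a PAN
        verifyStatic(never());
        Log.i(argThat(new ContainsCardNumber()));
    }
}
```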
Summary
In most languages running on VMs it is possible to test for certain weaknesses using unit tests
Security engineers working together with TDD/BDD dev teams can easily write many business-logic-aware tests using the frameworks I have described
BDD is for intended behavior, security-driven development is for unintended behavior