




Introduction

Fortify SCA is a static, white-box source code security testing tool. Its five built-in analysis engines (data flow, semantic, structural, control flow and configuration) analyse the application's source code statically; during the analysis the code is matched exhaustively against Fortify's own software security rule set, so that the security vulnerabilities present in the source are found and organised. The scan results contain not only detailed information about each vulnerability, but also an explanation of the relevant security background and recommendations for fixing it.

Fortify SCA first invokes the language's compiler or interpreter to translate the front-end source code (for example Java or C/C++) into an intermediate representation, the NST (Normal Syntax Tree), in which the call relationships, execution environment and context of the source code are resolved. The five analysis engines then examine this NST from five angles and match it against every signature in the rule packs; whatever matches is captured. The result is an FPR file containing the detailed findings, which is opened and reviewed with AWB (Audit Workbench).

Fortify SCA can currently detect about 300 kinds of vulnerability. Fortify classifies all of them by development language and then into 8 major categories and roughly 300 sub-categories; the details can be looked up in Fortify's vulncat catalogue (http/vulncat/, URL truncated in the source).

Fortify SCA supported plug-ins: (list not preserved in the source)

Installation

Installing on Windows: Fortify-360-2.1.0-Analyzers_and_Apps-Windows-x86.exe

Installation on Windows 2003 failed with a complaint that the signature of one of the .msi files was invalid; it later installed successfully in a Windows XP virtual machine. The trial version only works after adjusting the system date. FindBugs can be found in the installation directory, so Fortify's Java scanning appears to be built on FindBugs. Plug-ins for Eclipse or Visual Studio can be installed. The rule packs can be upgraded immediately after installation.

Basic usage

Open Audit Workbench and select the source code to scan. The trial version seems to offer scanning of Java projects only. Code in C/C++ and other languages has to be scanned from the command line:

1) Translation:

    sourceanalyzer -b mybuild CL.EXE sample.cpp

2) Analysis:

    sourceanalyzer -b mybuild -scan -f result.fpr

Filtering the analysis results: Tools > Audit Guide; Advanced Mode; Filter Set.

Rescanning with configured rule packs. The rule packs applied during a scan are given with one -rules option per pack; the command AWB generated for the WebGoat5.0 project was:

    -b WebGoat5.0 -scan -machine-output -f "C:\Documents and Settings\allen\Local Settings\Application Data\Fortify\AWB360-5.7\WebGoat5.0\WebGoat5.0.fpr" -scan -no-default-rules
      -rules "C:\Program Files\Fortify Software\Fortify 360 v2.1.0\Core\config\rules\core_dotnet.bin"
      -rules "C:\Program Files\Fortify Software\Fortify 360 v2.1.0\Core\config\rules\core_annotations.bin"
      -rules "C:\Program Files\Fortify Software\Fortify 360 v2.1.0\Core\config\rules\core_java.bin"
      -rules "C:\Program Files\Fortify Software\Fortify 360 v2.1.0\Core\config\rules\core_javascript.bin"
      -rules "C:\Program Files\Fortify Software\Fortify 360 v2.1.0\Core\config\rules\core_sql.bin"
      -rules "C:\Program Files\Fortify Software\Fortify 360 v2.1.0\Core\config\rules\extended_config.bin"
      -rules "C:\Program Files\Fortify Software\Fortify 360 v2.1.0\Core\config\rules\extended_content.bin"
      -rules "C:\Program Files\Fortify Software\Fortify 360 v2.1.0\Core\config\rules\extended_jsp.bin"
      -rules "C:\Program Files\Fortify Software\Fortify 360 v2.1.0\Core\config\rules\extended_java.bin"
      -rules "C:\Program Files\Fortify Software\Fortify 360 v2.1.0\Core\config\rules\extended_sql.bin"

Common C/C++ vulnerabilities

- Buffer Overflow
- String Termination Error
- Integer Overflow
- Memory Leak
- Null Dereference
- Uninitialized Variable
- Unreleased Resource
- Often Misused: Exception Handling; Strings; Authentication
- Unchecked Return Value
- Dead Code
- Type Mismatch
- Resource Injection
- Insecure Temporary File
- System Information Leak
- Command Injection
- Insecure Compiler Optimization

Reference data: https/vulncat/index.html (URL truncated in the source)

C/C++ example explanations

Example 1 (sample.cpp)

The angle brackets and string literals of this listing were stripped by extraction; the code is restored here, with the prefix literal of `safe`, which did not survive, replaced by a marked placeholder. The line numbers quoted in the findings below refer to the original file.

    #include <iostream>
    #include <cstdlib>      // system()
    #include <cstring>
    using namespace std;

    class S {
    public:
        S() {
            char *cmd = new char[256];
            const char *safe = "SAFE_PREFIX_PLACEHOLDER";   // original literal lost in extraction
            int returnCode;
            while (1) {
                cout << "Command: ";
                cin >> cmd;                            // reported as line 16: unbounded read into cmd
                if (strncmp(cmd, safe, strlen(safe)) != 0) {
                    cout << "Unsafe command entered\n";
                    break;
                }
                returnCode = system(cmd);              // reported as line 21: user data reaches system()
                cout << "Command returned " << returnCode << endl;
            }
        }
    };

    int main() {      // not in the source; added so the listing compiles
        S s;
        return 0;
    }
Command Injection

Explanation (the beginning of this finding is missing from the source):

1. Data enters the application from an untrusted source. In this case the data enters at operator>>() in sample.cpp line 16.
2. The data is part of a string that is executed as a command by the application. In this case the command is executed by system() in sample.cpp line 21.
3. By executing the command, the application gives an attacker a privilege or capability that the attacker would not otherwise have.

Example 1: The following simple program accepts a filename as a command line argument and displays the contents of the file back to the user. The program is installed setuid root because it is intended for use as a learning tool to allow system administrators in training to inspect privileged system files without giving them the ability to modify them or damage the system.

    int main(int argc, char **argv) {
        char cmd[CMD_MAX] = "/usr/bin/cat ";
        strcat(cmd, argv[1]);
        system(cmd);
    }

Because the program runs with root privileges, the call to system() also executes with root privileges. If a user specifies a standard filename, the call works as expected. However, if an attacker passes a string of the form ";rm -rf /", then the call to system() fails to execute cat due to a lack of arguments and then plows on to recursively delete the contents of the root partition.

Example 2: The following code from a privileged program uses the environment variable $APPHOME to determine the application's installation directory and then executes an initialization script in that directory.

    char *home = getenv("APPHOME");
    char *cmd = (char *)malloc(strlen(home) + strlen(INITCMD) + 1);   /* +1 for the terminator (missing in the source listing) */
    if (cmd) {
        strcpy(cmd, home);
        strcat(cmd, INITCMD);
        execl(cmd, NULL);
    }
    ...

As in Example 1, the code in this example allows an attacker to execute arbitrary commands with the elevated privilege of the application. In this example, the attacker can modify the environment variable $APPHOME to specify a different path containing a malicious version of INITCMD. Because the program does not validate the value read from the environment, by controlling the environment variable the attacker can fool the application into running malicious code.

The attacker is using the environment variable to control the command that the program invokes, so the effect of the environment is explicit in this example. We will now turn our attention to what can happen when the attacker can change the way the command is interpreted.

Example 3: The code below is from a web-based CGI utility that allows users to change their passwords. The password update process under NIS includes running make in the /var/yp directory. Note that since the program updates password records, it has been installed setuid root. The program invokes make as follows:

    system("cd /var/yp && make &> /dev/null");

Unlike the previous examples, the command in this example is hardcoded, so an attacker cannot control the argument passed to system(). However, since the program does not specify an absolute path for make and does not scrub any environment variables prior to invoking the command, the attacker can modify their $PATH variable to point to a malicious binary named make and execute the CGI script from a shell prompt. And since the program has been installed setuid root, the attacker's version of make now runs with root privileges.

The environment plays a powerful role in the execution of system commands within programs. Functions like system() and exec() use the environment of the program that calls them, and therefore attackers have a potential opportunity to influence the behavior of these calls.

Dangerous Function

Abstract: The function operator>>() cannot be used safely. It should not be used.

Explanation: Certain functions behave in dangerous ways regardless of how they are used. Functions in this category were often implemented without taking security concerns into account. In this case the dangerous function you are using is operator>>() in sample.cpp line 16. The operator>> is unsafe to use when reading into a character buffer because it does not perform bounds checking on the size of its input. An attacker can easily send arbitrarily-sized input to the operator and overflow the destination buffer.
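The three command injection examples above share one root cause: user or environment data reaches a shell. As an added example (my code, not from the page or from Fortify), the C program below reworks Example 1 defensively. The file name is checked against an allow-list before use, cat is started through execve() with a fixed absolute path, a separate argv element for the file name and a minimal environment, so there is no shell to interpret ";", no $PATH lookup and no inherited variables. The helper names `filename_is_safe` and `run_cat`, the character policy and the 255-byte limit are assumptions for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allow-list validation of the user-supplied file name (hypothetical policy):
 * only [A-Za-z0-9._/-], no ".." path component, length 1..max_len.
 * Returns 1 if the name is acceptable, 0 otherwise. */
int filename_is_safe(const char *name, size_t max_len)
{
    if (name == NULL) return 0;

    /* bounded length scan: never read past max_len + 1 bytes */
    size_t len = 0;
    while (len <= max_len && name[len] != '\0') len++;
    if (len == 0 || len > max_len) return 0;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '/' || c == '-'))
            return 0;   /* rejects ';', '&', '|', '$', quotes, spaces, newlines ... */
    }

    /* reject ".." as a whole path component: "..", "../x", "x/..", "x/../y" */
    const char *p = name;
    while ((p = strstr(p, "..")) != NULL) {
        int at_start = (p == name) || (p[-1] == '/');
        int at_end   = (p[2] == '\0') || (p[2] == '/');
        if (at_start && at_end) return 0;
        p += 2;
    }
    return 1;
}

/* Run /usr/bin/cat on one validated file without a shell: fixed absolute
 * path, the file name as its own argv element, and a minimal environment so
 * the caller's $PATH, $IFS, $APPHOME etc. cannot influence the child.
 * Returns cat's exit status, or -1 if validation, fork or exec fails. */
int run_cat(const char *name)
{
    if (!filename_is_safe(name, 255)) return -1;

    char *const cat_argv[] = { "cat", (char *)name, NULL };
    char *const cat_envp[] = { "PATH=/usr/bin:/bin", NULL };

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve("/usr/bin/cat", cat_argv, cat_envp);
        _exit(127);                         /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <file>\n", argv[0]);
        return 2;
    }
    int rc = run_cat(argv[1]);
    if (rc < 0) fprintf(stderr, "rejected or failed: %s\n", argv[1]);
    return rc < 0 ? 1 : rc;
}
```

Rejecting rather than sanitising keeps the policy auditable: a name that fails the allow-list is never passed on in any form, which is the property a Fortify data-flow rule for Command Injection is looking for.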
Example 2 (stackbuffer.c)

    #include <stdio.h>
    #include <string.h>
    #ifdef _WIN32
    #include <io.h>
    #else
    #include <unistd.h>
    #endif
    #define MAX_SIZE 128

    void doMemCpy(char* buf, char* in, int chars) {
        memcpy(buf, in, chars);            /* line 13: the count comes straight from the user */
    }

    int main() {
        char buf[64];
        char in[MAX_SIZE];
        int bytes;
        printf("Enter buffer contents:\n");
        read(0, in, MAX_SIZE-1);
        printf("Bytes to copy:\n");
        scanf("%d", &bytes);
        doMemCpy(buf, in, bytes);
        return 0;
    }

Buffer Overflow

Abstract: The function doMemCpy() in stackbuffer.c might be able to write outside the bounds of allocated memory on line 13, which could corrupt data, cause the program to crash, or lead to the execution of malicious code.

Explanation: Buffer overflow is probably the best known form of software security vulnerability. Most software developers know what a buffer overflow vulnerability is, but buffer overflow attacks against both legacy and newly-developed applications are still quite common. Part of the problem is due to the wide variety of ways buffer overflows can occur, and part is due to the error-prone techniques often used to prevent them.

In a classic buffer overflow exploit, the attacker sends data to a program, which it stores in an undersized stack buffer. The result is that information on the call stack is overwritten, including the function's return pointer. The data sets the value of the return pointer so that when the function returns, it transfers control to malicious code contained in the attacker's data.

Although this type of stack buffer overflow is still common on some platforms and in some development communities, there are a variety of other types of buffer overflow, including heap buffer overflows and off-by-one errors among others. There are a number of excellent books that provide detailed information on how buffer overflow attacks work, including Building Secure Software [1], Writing Secure Code [2], and The Shellcoder's Handbook [3].

At the code level, buffer overflow vulnerabilities usually involve the violation of a programmer's assumptions. Many memory manipulation functions in C and C++ do not perform bounds checking and can easily overwrite the allocated bounds of the buffers they operate upon. Even bounded functions, such as strncpy(), can cause vulnerabilities when used incorrectly. The combination of memory manipulation and mistaken assumptions about the size or makeup of a piece of data is the root cause of most buffer overflows.

Buffer overflow vulnerabilities typically occur in code that:
- Relies on external data to control its behavior.
- Depends upon properties of the data that are enforced outside of the immediate scope of the code.
- Is so complex that a programmer cannot accurately predict its behavior.

In this case we are primarily concerned with the second case, because we cannot verify the safety of the operation performed by memcpy() in stackbuffer.c line 13.

The following examples demonstrate all three of the scenarios.

Example 1: This is an example of the second scenario in which the code depends on properties of the data that are not verified locally. In this example a function named lccopy() takes a string as its argument and returns a heap-allocated copy of the string with all uppercase letters converted to lowercase. The function performs no bounds checking on its input because it expects str to always be smaller than BUFSIZE. If an attacker bypasses checks in the code that calls lccopy(), or if a change in that code makes the assumption about the size of str untrue, then lccopy() will overflow buf with the unbounded call to strcpy().

    char *lccopy(const char *str) {
        char buf[BUFSIZE];
        char *p;
        strcpy(buf, str);
        for (p = buf; *p; p++) {
            if (isupper(*p)) {
                *p = tolower(*p);
            }
        }
        return strdup(buf);
    }

Example 2.a: The following sample code demonstrates a simple buffer overflow that is often caused by the first scenario in which the code relies on external data to control its behavior. The code uses the gets() function to read an arbitrary amount of data into a stack buffer. Because there is no way to limit the amount of data read by this function, the safety of the code depends on the user to always enter fewer than BUFSIZE characters.

    char buf[BUFSIZE];
    gets(buf);
    ...

Example 2.b: This example shows how easy it is to mimic the unsafe behavior of the gets() function in C++ by using the >> operator to read input into a char string.

    char buf[BUFSIZE];
    cin >> (buf);
    ...

Example 3: The code in this example also relies on user input to control its behavior, but it adds a level of indirection with the use of the bounded memory copy function memcpy(). This function accepts a destination buffer, a source buffer, and the number of bytes to copy. The input buffer is filled by a bounded call to read(), but the user specifies the number of bytes that memcpy() copies.

    char buf[64], in[MAX_SIZE];
    printf("Enter buffer contents:\n");
    read(0, in, MAX_SIZE-1);
    printf("Bytes to copy:\n");
    scanf("%d", &bytes);
    memcpy(buf, in, bytes);
    ...

Note: This type of buffer overflow vulnerability (where a program reads data and then trusts a value from the data in subsequent memory operations on the remaining data) has turned up with some frequency in image, audio, and other file processing libraries.

Example 4: The following code demonstrates the third scenario in which the code is so complex its behavior cannot be easily predicted. This code is from the popular libPNG image decoder, which is used by a wide array of applications, including Mozilla and some versions of Internet Explorer. The code appears to safely perform bounds checking because it checks the size of the variable length, which it later uses to control the amount of data copied by png_crc_read(). However, immediately before it tests length, the code performs a check on png_ptr->mode, and if this check fails a warning is issued and processing continues. Because length is tested in an else if block, length would not be tested if the first check fails, and is used blindly in the call to png_crc_read(), potentially allowing a stack buffer overflow. Although the code in this example is not the most complex we have seen, it demonstrates why complexity should be minimized in code that performs memory operations.

    if (!(png_ptr->mode & PNG_HAVE_PLTE)) {
        /* Should be an error, but we can cope with it */
        png_warning(png_ptr, "Missing PLTE before tRNS");
    }
    else if (length > (png_uint_32)png_ptr->num_palette) {
        png_warning(png_ptr, "Incorrect tRNS chunk length");
        png_crc_finish(png_ptr, length);
        return;
    }
    ...
    png_crc_read(png_ptr, readbuf, (png_size_t)length);

Example 5: This example also demonstrates the third scenario in which the program's complexity exposes it to buffer overflows. In this case, the exposure is due to the ambiguous interface of one of the functions rather than the structure of the code (as was the case in the previous example). The getUserInfo() function takes a username specified as a multibyte string and a pointer to a structure for user information, and populates the structure with information about the user. Since Windows authentication uses Unicode for usernames, the username argument is first converted from a multibyte string to a Unicode string. This function then incorrectly passes the size of unicodeUser in bytes rather than characters. The call to MultiByteToWideChar() may therefore write up to (UNLEN+1)*sizeof(WCHAR) wide characters, or (UNLEN+1)*sizeof(WCHAR)*sizeof(WCHAR) bytes, to the unicodeUser array, which has only (UNLEN+1)*sizeof(WCHAR) bytes allocated. If the username string contains more than UNLEN characters, the call to MultiByteToWideChar() will overflow the buffer unicodeUser.

    void getUserInfo(char *username, struct _USER_INFO_2 info) {
        WCHAR unicodeUser[UNLEN+1];
        MultiByteToWideChar(CP_ACP, 0, username, -1, unicodeUser, sizeof(unicodeUser));
        NetUserGetInfo(NULL, unicodeUser, 2, (LPBYTE *)&info);
    }

Recommendations: Never use inherently unsafe functions, such as gets(), and avoid the use of functions that are difficult to use safely such as strcpy(). Replace unbounded functions like strcpy() with their bounded equivalents, such as strncpy() or the WinAPI functions defined in strsafe.h [4]. Although the careful use of bounded functions can greatly reduce the risk of buffer overflow, this migration cannot be done blindly and does not go far enough on its own to ensure security. Whenever you manipulate memory, especially strings, remember that buffer overflow vulnerabilities typically occur in code that:
- Relies on external data to control its behavior.
- Depends upon properties of the data that are enforced outside of the immediate scope of the code.
- Is so complex that a programmer cannot accurately predict its behavior.

Additionally, consider the following principles:
- Never trust an external source to provide correct control information to a memory operation.
- Never trust that properties about the data your program is manipulating will be maintained throughout the program. Sanity check data before you operate on it.
- Limit the complexity of memory manipulation and bounds-checking code. Keep it simple and clearly document the checks you perform, the assumptions that you test, and what the expected behavior of the program is in the case that input validation fails.
- When input data is too large, be leery of truncating the data and continuing to process it. Truncation can change the meaning of the input.
- Do not rely on tools, such as StackGuard, or non-executable stacks to prevent buffer overflow vulnerabilities. These approaches do not address heap buffer overflows and the more subtle stack overflows that can change the contents of variables that control the program. Additionally, many of these approaches are easily defeated, and even when they are working properly, they address the symptom of the problem and not its cause.
References:
[1] A5 Buffer Overflow, Standards Mapping - OWASP Top 10 2004 - (OWASP 2004)
[2] APP3510 CAT I, APP3590.1 CAT I, Standards Mapping - Security Technical Implementation Guide Version 2 - (STIG 2)
[3] Buffer Overflow, Standards Mapping - Web Application Security Consortium 24 + 2 - (WASC 24 + 2)
[4] Building Secure Software, J. Viega, G. McGraw, Addison-Wesley, 2002
[5] CWE ID 787, Standards Mapping - Common Weakness Enumeration - (CWE)
[6] Requirement (number missing in the source), Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2)
[7] Requirement 6.5.5, Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1)
[8] Risky Resource Management - CWE ID 119, Standards Mapping - SANS Top 25 2009 - (SANS 2009)
[9] Strsafe.h Functions, http:/m/library/default.asp?url=/library/en-us/winui/winui/windowsuserinterface/resources/strings/usingstrsafefunctions.asp (host truncated in the source)
[10] The Shellcoder's Handbook: Discovering and Exploiting Security Holes, J. Koziol et al., John Wiley & Sons, 2004
[11] Writing Secure Code, Second Edition, M. Howard, D. LeBlanc, Microsoft Press, 2003

Java example explanations

Example 1 (NullPointerSample.java)

    public class NullPointerSample {
        private TestClass innerClass;

        public void nullPointer(int id) {
            TestClass t;
            t = null;
            if (id > 0) {
                t = new TestClass(id);
            }
            t.process();          // line 11: t is still null when id <= 0
        }

        public static class TestClass {
            private int id;
            public TestClass(int id) {
                this.id = id;
            }
            public void process() {
            }
        }
    }

Null Dereference

Abstract: The method nullPointer() in NullPointerSample.java can crash the program by dereferencing a null pointer on line 11.

Explanation: Null pointer exceptions usually occur when one or more of the programmer's assumptions is violated. A dereference-after-error occurs when a program explicitly sets an object to null and dereferences it later. This error is often the result of a programmer initializing a variable to null when it is declared. In this case, the variable can be null when it is dereferenced on line 11, thereby causing a null pointer exception.

Most null pointer issues result in general software reliability problems, but if attackers can intentionally trigger a null pointer dereference, they can use the resulting exception to bypass security logic or to cause the application to reveal debugging information that will be valuable in planning subsequent attacks.

Example: In the following code, the programmer explicitly sets the variable foo to null. Later, the programmer dereferences foo before checking the object for a null value.

    Foo foo = null;
    ...
    foo.setBar(val);
    ...

Example 2 (EightBall.java; the source breaks off after the first lines)

    import java.io.FileReader;

    public class EightBall {
        public static void main(String[] args) throws Ex