deepstate bringing vulnerability detection tools into the
play

DeepState : Bringing vulnerability detection tools into the - PowerPoint PPT Presentation

Oct 03, 2023 •42 likes •772 views

DeepState : Bringing vulnerability detection tools into the development lifecycle Peter Goodman (Trail of Bits) Gustavo Grieco (Trail of Bits) Alex Groce (Northern Arizona University) 1 Introductions Peter Goodman Gustavo Grieco Alex

  1. DeepState : Bringing vulnerability detection tools into the development lifecycle Peter Goodman (Trail of Bits) Gustavo Grieco (Trail of Bits) Alex Groce (Northern Arizona University) 1

  2. Introductions Peter Goodman Gustavo Grieco Alex Groce Senior Security Engineer Security Engineer Associate Professor peter@trailofbits.com gustavo.grieco@trailofbits.com alex.groce@nau.edu Trail of Bits Trail of Bits Northern Arizona University 2 Trail of Bits | IEEE SecDev 2018 | 30.09.2018 2

  3. Today’s workshop is interactive (1) Before beginning, please do one of the following in a terminal on your computers: Clone the ieee_secdev_2018 branch: git clone https://github.com/trailofbits/deepstate -b ieee_secdev_2018 OR Download and extract: https://github.com/trailofbits/deepstate/archive/ieee_secdev_2018.zip 3 Trail of Bits | IEEE SecDev 2018 | 30.09.2018

  4. Today’s workshop is interactive (2) Go into the cloned/unzipped deepstate directory, and execute the following: $ vagrant up $ vagrant ssh If successful, this is what you should see: vagrant@ubuntu-xenial $ 4 Trail of Bits | IEEE SecDev 2018 | 30.09.2018

  5. How do developers test code? Static Analysis ● Many tools available, most are commercial (e.g. Coverity) ● False positives continue to be a vexing problem ● 57% have never used one (JetBrains Survey) ● Unit Tests! ● Tooling is free ● Test for functionality and security ● Nearly everyone is familiar with the concepts ● Only 29% do not use unit tests (JetBrains Survey) ● 5 Trail of Bits | IEEE SecDev 2018 | 30.09.2018

  6. Unit testing is great! Unit tests are a software assurance methodology ● Typically test individual functions, classes, or groups of related ● functionality As code changes (e.g. improving an algorithm), unit tests help to ● ensure that expected functionality or results remain the same 6 Trail of Bits | IEEE SecDev 2018 | 30.09.2018

  7. Let’s write a unit test (1) Enter the exercises directory and open FirstTest.cpp vagrant@ubuntu-xenial $ cd exercises vagrant@ubuntu-xenial $ nano FirstTest.cpp 7 Trail of Bits | IEEE SecDev 2018 | 30.09.2018

  8. Let’s write a unit test (2) Here is what you will see inside of FirstTest.cpp #include <deepstate/DeepState.hpp> uint16_t Pow2(uint16_t x) { return x * x; } TEST(Math, PowersOfTwo) { ASSERT_EQ(Pow2(0), 0); // 0^2 == 0 ASSERT_NE(Pow2(2), 3); // 2^2 != 3 // Try some for yourself! } 8 Trail of Bits | IEEE SecDev 2018 | 30.09.2018

  9. Let’s write a unit test (3) Here is what you will see inside of FirstTest.cpp #include <deepstate/DeepState.hpp> uint16_t Pow2(uint16_t x) { return x * x; } TEST(Math, PowersOfTwo) { Function that we want ASSERT_EQ(Pow2(0), 0); // 0^2 == 0 ASSERT_NE(Pow2(2), 3); // 2^2 != 3 to test // Try some for yourself! } 9 Trail of Bits | IEEE SecDev 2018 | 30.09.2018

  10. Let’s write a unit test (4) Here is what you will see inside of FirstTest.cpp #include <deepstate/DeepState.hpp> uint16_t Pow2(uint16_t x) { return x * x; } TEST(Math, PowersOfTwo) { ASSERT_EQ(Pow2(0), 0); // 0^2 == 0 Test case ASSERT_NE(Pow2(2), 3); // 2^2 != 3 // Try some for yourself! } 10 Trail of Bits | IEEE SecDev 2018 | 30.09.2018

  11. Let’s write a unit test (5) Here is what you will see inside of FirstTest.cpp #include <deepstate/DeepState.hpp> uint16_t Pow2(uint16_t x) { return x * x; } TEST(Math, PowersOfTwo) { Test case name and ASSERT_EQ(Pow2(0), 0); // 0^2 == 0 ASSERT_NE(Pow2(2), 3); // 2^2 != 3 test name // Try some for yourself! } 11 Trail of Bits | IEEE SecDev 2018 | 30.09.2018

  12. Let’s write a unit test (6) Here is what you will see inside of FirstTest.cpp #include <deepstate/DeepState.hpp> uint16_t Pow2(uint16_t x) { return x * x; } TEST(Math, PowersOfTwo) { Assertions verifying ASSERT_EQ(Pow2(0), 0); // 0^2 == 0 ASSERT_NE(Pow2(2), 3); // 2^2 != 3 output is as expected // Try some for yourself! } 12 Trail of Bits | IEEE SecDev 2018 | 30.09.2018

  13. Let’s write a unit test (7) Here is what you will see inside of FirstTest.cpp #include <deepstate/DeepState.hpp> uint16_t Pow2(uint16_t x) { return x * x; } TEST(Math, PowersOfTwo) { ASSERT_EQ(Pow2(0), 0); // 0^2 == 0 Homework!!! ASSERT_NE(Pow2(2), 3); // 2^2 != 3 // Try some for yourself! } 13 Trail of Bits | IEEE SecDev 2018 | 30.09.2018

  14. Executing your first test (1) Please save and close FirstTest.cpp, and execute the following command: vagrant@ubuntu-xenial $ make exercise_1 Now, execute the following: vagrant@ubuntu-xenial $ ./FirstTest 14 Trail of Bits | IEEE SecDev 2018 | 30.09.2018

  15. Executing your first test (2) Here is what you should see: vagrant@ubuntu-xenial $ ./FirstTest INFO: Running: Math_PowersOfTwo from FirstTest.cpp(7) INFO: Passed: Math_PowersOfTwo Our tests passed! This function must be correct, right? 15 Trail of Bits | IEEE SecDev 2018 | 30.09.2018

  16. Back to our test (1) Here is what you will see inside of FirstTest.cpp #include <deepstate/DeepState.hpp> uint16_t Pow2(uint16_t x) { return x * x; } TEST(Math, PowersOfTwo) { ASSERT_EQ(Pow2(0), 0); // 0^2 == 0 ASSERT_NE(Pow2(2), 3); // 2^2 != 3 What does // Try some for yourself! this do? ASSERT_EQ(Pow2(65535), 4294836225); } 16 Trail of Bits | IEEE SecDev 2018 | 30.09.2018

  17. Back to our test (2) Here is what you will see inside of FirstTest.cpp Let’s diagnose it! #include <deepstate/DeepState.hpp> We asked if this was true: uint16_t Pow2(uint16_t x) { return x * x; 65535 * 65535 = 4294836225 } TEST(Math, PowersOfTwo) { We can express this in hexadecimal as: ASSERT_EQ(Pow2(0), 0); // 0^2 == 0 ASSERT_NE(Pow2(2), 3); // 2^2 != 3 0xFFFF * 0xFFFF = 0xFFFE_0001 // Try some for yourself! ASSERT_EQ(Pow2(65535), 4294836225); And only the 0x0001 fits into a uint16_t } 17 Trail of Bits | IEEE SecDev 2018 | 30.09.2018

  18. Back to our test (3) Here is what you will see inside of FirstTest.cpp #include <deepstate/DeepState.hpp> uint16_t Pow2(uint16_t x) { return x * x; } TEST(Math, PowersOfTwo) { ASSERT_EQ(Pow2(0), 0); // 0^2 == 0 ASSERT_NE(Pow2(2), 3); // 2^2 != 3 // Try some for yourself! “correct” ASSERT_EQ(Pow2(65535), 1); } 18 Trail of Bits | IEEE SecDev 2018 | 30.09.2018

  19. Back to our test (4) Here is what you will see inside of FirstTest.cpp #include <deepstate/DeepState.hpp> uint32_t Pow2(uint16_t x) { return x * x; } TEST(Math, PowersOfTwo) { ASSERT_EQ(Pow2(0), 0); // 0^2 == 0 ASSERT_NE(Pow2(2), 3); // 2^2 != 3 // Try some for yourself! Fixed! ASSERT_EQ(Pow2(65535), 4294836225); } 19 Trail of Bits | IEEE SecDev 2018 | 30.09.2018

  20. Unit testing is great… right? Unit tests help you to... ● Find bugs in your code ● Experimentally verify your code on some set of inputs ● Verify that the behavior of some code on some set of inputs stays ● consistent over time and across changes But, unit tests are not a panacea ● It is up to YOU, the tester, to understand and test the boundary ● conditions, and test for them This is harder for more complex code ● 20 Trail of Bits | IEEE SecDev 2018 | 30.09.2018

  21. Can’t we just automate it? Ideally, we’d like something to figure out the best set of ● inputs for a given test so we don’t have to (think so hard) Spoiler alert! DeepState is that system ● This is a “solved” problem ● Symbolic execution (e.g. KLEE, Manticore, Angr, S2E, etc.) ● Fuzzers (e.g. libFuzzer, AFL, Dr. Fuzz, Radamsa, zzuf, Peach, etc.) ● Developers don’t use existing solutions because they ● don’t fit nicely into their existing workflow! 21 Trail of Bits | IEEE SecDev 2018 | 30.09.2018

  22. Developers don’t use security testing tools Zero* developers use symbolic executors ● Hard to learn and use ● Difficult to integrate into a build/test cycle ● Confusing and easily crash/run forever/eat up memory ● Nearly zero* developers use fuzzers ● Requires custom harnesses and build system changes ● Security tools are built for bug hunters ● Work great for auditors, CTF contests, reverse engineers ● Confusing and alien for software developers ● 22 Trail of Bits | IEEE SecDev 2018 | 30.09.2018

  23. Developers do use unit testing DeepState integrates symbolic testing and fuzz testing ● into a Google Test-like unit testing framework Fits into existing developer workflow ● Easily integrates with existing code base and build system ● Easy to learn and use, especially if you are familiar with Google Test ● Improves software quality ● Also tests for correctness, not just security ● No false positives! ● 23 Trail of Bits | IEEE SecDev 2018 | 30.09.2018

  24. Integrating DeepState is easy ● Header ● Library ● Test cases ● Executor 24 Trail of Bits | IEEE SecDev 2018 | 30.09.2018

  25. Writing unit tests with DeepState TEST, TEST_F ● TEST(UnitName, CaseName) creates a new test ● TEST_F is like TEST but with a class that performs setup and teardown ● ASSERT, CHECK ● ASSERT logs and error and stops execution if a condition fails ● CHECK is like ASSERT but logs an error and continues execution ● Examples: ● ASSERT(poly != y * z); ASSERT_NE(poly, y * z); ● 25 Trail of Bits | IEEE SecDev 2018 | 30.09.2018

Recommend

FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr.

FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr.

MASTER SEMINAR WS16/17 PROF. DR. ALEXANDER PRETSCHNER SAAHIL OGNAWALA FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr. Alexander Pretschner Head of Chair XXII Software Engineering @TUM since

489 views • 21 slides
Benchmarking Vulnerability Detection Tools for Web Services Nuno Antunes, Marco Vieira { nmsa ,

Benchmarking Vulnerability Detection Tools for Web Services Nuno Antunes, Marco Vieira { nmsa ,

Benchmarking Vulnerability Detection Tools for Web Services Nuno Antunes, Marco Vieira { nmsa , mvieira}@dei.uc.pt ICWS 2010 CISUC Department of Informatics Engineering University of Coimbra, Portugal Outline The problem Benchmarking

447 views • 25 slides
Web vulnerability scanning and exploitation tools Scaling vulnerability scanning Companies

Web vulnerability scanning and exploitation tools Scaling vulnerability scanning Companies

Web vulnerability scanning and exploitation tools Scaling vulnerability scanning Companies with 1000+ web applications running Move to m -services architectures making things worse Huge shortage of skilled security engineers to

732 views • 48 slides
Static analysis for exploitable vulnerability detection Marie-Laure Potet VERIMAG University of

Static analysis for exploitable vulnerability detection Marie-Laure Potet VERIMAG University of

Static analysis for exploitable vulnerability detection Marie-Laure Potet VERIMAG University of Grenoble September 2014 Static analysis for exploitable vulnerability detection 1/43 Outline 1 Context Vulnerability detection process Static

546 views • 43 slides
Community Vulnerability Tools Presented to C/CAG Resource Management and Climate Protection

Community Vulnerability Tools Presented to C/CAG Resource Management and Climate Protection

Community Vulnerability Tools Presented to C/CAG Resource Management and Climate Protection Committee May 20, 2020 Outline Why use Community Vulnerability Tools? Major tools Benefits and examples of how to use them Discussion

362 views • 24 slides
Vulnerability Management Spring 2020 Jay Chen What is a vulnerability? A vulnerability is a

Vulnerability Management Spring 2020 Jay Chen What is a vulnerability? A vulnerability is a

Vulnerability Management Spring 2020 Jay Chen What is a vulnerability? A vulnerability is a cybersecurity flaw in a system that leave it open to attack. A vulnerability may also refer to any type of weakness in a computer system

407 views • 16 slides
Ants on the Grid: BiologyInspired Monitoring for Incident and Vulnerability Detection

Ants on the Grid: BiologyInspired Monitoring for Incident and Vulnerability Detection

A RIZONA S TATE U NIVERSITY CREDC Industrial Workshop 2017 Ants on the Grid: BiologyInspired Monitoring for Incident and Vulnerability Detection Josephine Lamp , Carlos E. Rubio-Medrano, Ziming Zhao and Gail-Joon Ahn 6/27/2017 1 A RIZONA S

305 views • 9 slides
Bringing GENI to the Classroom: Three Sample Assignments NSF Workshop on Designing Tools and

Bringing GENI to the Classroom: Three Sample Assignments NSF Workshop on Designing Tools and

Bringing GENI to the Classroom: Three Sample Assignments NSF Workshop on Designing Tools and Curricula for Undergraduate Courses in Distributed Systems Boston, Massachusetts Mark Berman, Niky Riga July 8, 2012 www.geni.net Sponsored by the

450 views • 17 slides
Bringing State-of-the-Art GPU-Accelerated Molecular Modeling Tools to the Research Community John

Bringing State-of-the-Art GPU-Accelerated Molecular Modeling Tools to the Research Community John

Bringing State-of-the-Art GPU-Accelerated Molecular Modeling Tools to the Research Community John E. Stone Theoretical and Computational Biophysics Group Beckman Institute for Advanced Science and Technology University of Illinois at

951 views • 46 slides
Representativeness in the Benchmark for Vulnerability Analysis Tools ( B-VAT ) Kayla Afanador

Representativeness in the Benchmark for Vulnerability Analysis Tools ( B-VAT ) Kayla Afanador

Representativeness in the Benchmark for Vulnerability Analysis Tools ( B-VAT ) Kayla Afanador (Keen) Cynthia Irvine Preliminary Work Paper Naval Postgraduate School Naval Postgraduate School Length: Short Start Visualizations (CVE)

561 views • 12 slides
Bringing Data and Tools Into Classrooms Through Online Large-Scale Teacher Education Hollylynne

Bringing Data and Tools Into Classrooms Through Online Large-Scale Teacher Education Hollylynne

Bringing Data and Tools Into Classrooms Through Online Large-Scale Teacher Education Hollylynne Lee, Rick Hudson, Gemma Mojica, Christina Azmy, Kemal Akoglu Not with us today: Jennifer Lovett &amp; Stephanie Casey Work in this session

619 views • 14 slides
Arjun Surendra SaciWATERs Vulnerability Vulnerability is the propensity to suffer a

Arjun Surendra SaciWATERs Vulnerability Vulnerability is the propensity to suffer a

Arjun Surendra SaciWATERs Vulnerability Vulnerability is the propensity to suffer a significant shock that brings welfare below a socially accepted level (Khl, 2003) Vulnerability increases when there is uncertainty with respect to

529 views • 21 slides
Contents What is vulnerability? Why conduct vulnerability assessments? Defining

Contents What is vulnerability? Why conduct vulnerability assessments? Defining

6/19/2015 Vulnerability and Capacity Assessment Index (VCAI) for Climate Change Adaptation SVRK Prabhakar USAID ADAPT Asia-Pacific Presented at NABARD Training Workshop, Mumbai on 18 June 2015 Contents What is vulnerability? Why

705 views • 21 slides
Vulnerability Assessm ent 2 0 0 4 Luanda, 2 5 June 2 0 0 4 Vulnerability Assessment 2004 - p1

Vulnerability Assessm ent 2 0 0 4 Luanda, 2 5 June 2 0 0 4 Vulnerability Assessment 2004 - p1

Vulnerability Analysis and Food Aid W orking Group Chaired by W FP/ VAM Unit Vulnerability Assessm ent 2 0 0 4 Luanda, 2 5 June 2 0 0 4 Vulnerability Assessment 2004 - p1 Overview 1 . Methodology of the VA 2 0 0 4 2 . Highlights of

703 views • 28 slides
Advancing Equity Analysis in Scenario Planning Social Vulnerability and Neighborhood Effects

Advancing Equity Analysis in Scenario Planning Social Vulnerability and Neighborhood Effects

Advancing Equity Analysis in Scenario Planning Social Vulnerability and Neighborhood Effects Analysis Tools Robert Goodspeed, AICP, University of Michigan Chicago Open Heat Vulnerability Mapper Bev Wilson and Arnab Chakraborty, University of

830 views • 78 slides
Vulnerability Screening Tool Identifying and addressing vulnerability: A tool for asylum and

Vulnerability Screening Tool Identifying and addressing vulnerability: A tool for asylum and

Vulnerability Screening Tool Identifying and addressing vulnerability: A tool for asylum and migration systems Purpose Intended to guide &amp; inform frontline workers &amp; decision makers on the relevance of vulnerability factors to

507 views • 19 slides
Earthquake Vulnerability Earthquake Vulnerability Vulnerability Assessment &amp; EVR measures

Earthquake Vulnerability Earthquake Vulnerability Vulnerability Assessment &amp; EVR measures

Earthquake Vulnerability Earthquake Vulnerability Vulnerability Assessment &amp; EVR measures Islamabad Pakistan Assessment and Vulnerability Assessment and Vulnerability Reduction Measures Reduction Measures adpc Asian Disaster

702 views • 46 slides
Spack: Bringing Order to HPC Software Chaos Scalable Tools Workshop 2015 August 3, 2015

Spack: Bringing Order to HPC Software Chaos Scalable Tools Workshop 2015 August 3, 2015

Spack: Bringing Order to HPC Software Chaos Scalable Tools Workshop 2015 August 3, 2015 http://bit.ly/spack-git Contributors Matt Legendre Greg Lee Mike Collette Bronis de Supinski Scott Futral LLNL-PRES-675781 This work was performed

622 views • 26 slides
SAFEWATER Application and Results of Innovative Tools for the Detection and M itigation of

SAFEWATER Application and Results of Innovative Tools for the Detection and M itigation of

SAFEWATER Application and Results of Innovative Tools for the Detection and M itigation of CBRN-related Contamination Events in Drinking Water Supply Systems Thomas Bernard, Aharon Rosenberg, Helena Lucas, Adrian Rieder, J rgen M

809 views • 55 slides
Tools for Efficient Object Detection ICCV 2015 Tutorial Santiago, Chile, December 2015

Tools for Efficient Object Detection ICCV 2015 Tutorial Santiago, Chile, December 2015

Tools for Efficient Object Detection ICCV 2015 Tutorial Santiago, Chile, December 2015 Organizers: Classification Versus Detection Rogerio Feris Classification: WHAT Detection: WHAT and WHERE Slide Adapted from Ross Girshick Rogerio Feris

548 views • 15 slides
Introduction What is Disaster vulnerability? Vulnerability is the inability to resist a

Introduction What is Disaster vulnerability? Vulnerability is the inability to resist a

Vulnerability to Disasters: A Gendered Analysis on Water Availability and Livelihoods in Nadu Colony, Kovalam, Chennai, India Group No: 02 Sumaia Kashem Shreeya Lohani Shanmuga Priya. G Meththa Prabodhani Menike

834 views • 40 slides
Cross-lingual similarity calculation for plagiarism detection and more Tools and resources

Cross-lingual similarity calculation for plagiarism detection and more Tools and resources

Cross-lingual similarity calculation for plagiarism detection and more Tools and resources Ralf Steinberger European Commission Joint Research Centre (JRC) http://langtech.jrc.ec.europa.eu/ PAN-CLEF, Rome, Italy, 19 September 2012

471 views • 17 slides
The Maldives Population Distribution Vulnerability Indicators Vulnerability Indicators

The Maldives Population Distribution Vulnerability Indicators Vulnerability Indicators

The Maldives Population Distribution Vulnerability Indicators Vulnerability Indicators (excluding Male') Highest elevation 1.5m Population: 298,968 above sea level less than 1000 97% of all inhabited 59 % Total number of

357 views • 4 slides
Electronic Tools and Resources for Multi-Word Unit detection and research in Serbian Jelena

Electronic Tools and Resources for Multi-Word Unit detection and research in Serbian Jelena

Electronic Tools and Resources for Multi-Word Unit detection and research in Serbian Jelena Mitrovic, University of Belgrade Serbian is one of the under-resourced languages when it comes to NLP many resources and tools are still being

378 views • 3 slides

More recommend