Why Static Analysis?

balaji
By balaji

August 16, 2010

XYZ organization had their critical financial application tested by an information security company. The tests found that the application had adequate security controls in place for protection against hackers. Even the web server on which the application was hosted was well-protected. A week later, the application was hacked and important financial details were compromised. On analysis, it was found that the attacker gained entry into the application through a backdoor that allowed him to access the application as a high-privileged user.

why-static-analysis.jpg

XYZ organization had their critical financial application tested by an information security company. The tests found that the application had adequate security controls in place for protection against hackers. Even the web server on which the application was hosted was well-protected. A week later, the application was hacked and important financial details were compromised. On analysis, it was found that the attacker gained entry into the application through a backdoor that allowed him to access the application as a high-privileged user.

How was this possible and why did the security audit not identify this vulnerability?
This was because a dynamic application security analysis was performed on the application, which could not detect this backdoor. Such backdoors can be better identified during a Static Analysis.

More and more organizations are now opting for a Static Analysis (also called Source Code Review) of their applications. In this article, we'll discuss what Static Analysis is and how useful it is in securing your applications.

What is Static Analysis or Static Code Analysis? Static code analysis is the analysis of software code without using the software's in-built programs.

Static Analysis is generally more beneficial than a dynamic analysis because it:

  • Provides better understanding of the application and its code
  • Detects more vulnerabilities
  • Pinpoints vulnerabilities
  • Provides cost benefits

Better Understanding of the code/application

Static Analysis is the best approach to find flaws in your code. Using Static Analysis, you can trace the flow of data in an application, from the source to its destination. This is useful in finding code that is vulnerable to SQL Injection and Cross Site Scripting attacks as you can trace the flow of tainted input and check whether it reaches the destination resulting in vulnerability.

For example, consider the username entered by the user on the Login page. This input is entered at the user's browser, passed through some input validation function and then finally used in a SQL SELECT statement that gets executed at the database. During a Static Analysis, you can track the flow of tainted data entered in the username field at the browser to the point where it is finally used in the SQL statement and check whether the tainted input results in SQL Injection.

Detects more vulnerabilities

Although a dynamic analysis can identify most vulnerabilities including critical ones like SQL Injection and Cross-Site Scripting (XSS), there are a few vulnerabilities that can be identified only during a Static Code Analysis. We'll discuss a few important ones here.

  • Backdoors
  • Logging
  • Cryptography
  • Configuration Settings and Database Storage

Backdoors

In the context of a Static Analysis, backdoors refer to application backdoors. An application backdoor is a flaw in the code or a section of code that allows an attacker to bypass authentication or other security controls and gain access to the application or the application data.

Backdoor access code can be added intentionally or inadvertently to the application code. Application backdoors can be in the form of special credentials, hidden functionality or in other forms. As these vulnerabilities exist in the code and are difficult to detect during a Dynamic Analysis, such code can exist in the application and remain undetected for a long time.

Consider the case of a backdoor in the form of the userID "BackdoorAdminLogin". Whenever the user logs in with this userID, the code would check the userID and allow the user to access as a high-privilege user. Such backdoors are difficult to detect during Dynamic Analysis as the tester would have to make an infinite number of brute force attempts to know that such userIDs exist.

To identify special credentials, look for all variables and hashes in the code that could possibly be a username or password. Specifically, look for variables in the code where authentication logic is written.

Hidden functionality backdoors are the malicious functions that get executed when a specific parameter is received in the request. These functions may contain logic that invoke OS commands and perform malicious actions.

To detect such backdoors during a Static Analysis:

  • Identify all pages and functions that are not linked to the workflow and verify that they cannot be accessed directly or do not perform any malicious operations on the application. Such pages are usually added for testing purposes during development and might not be removed before moving them into production. If such pages contain code for performing critical transactions without proper authentication/authorization checks and a remote attacker finds any of these pages, it can lead to compromise of the application.
  • Look for parameters that are being processed at the server side but not present in client-side HTML forms.
  • Review all parameters used for executing system commands and verify that they are performing valid operations.
  • Look for DROP and TRUNCATE statements.

Logging

Every application has to log sensitive transactions performed by a user. Logging takes place at the server side and is useful in forensics and incident analysis in case there is a security breach. Static Analysis not only helps in checking whether appropriate logging is enabled for all critical transactions, but also reveals if sensitive data is being written to the log files.

To identify such malicious logging, find all calls that send data to the log file or console and then check whether data that is being passed to those logging functions include sensitive information like passwords, credit card number, SSN, etc.

For example, ASP.NET applications use EventLog.WriteEvent and EventLog.WriteEntry methods provided by the EventLog class to write events to log files. During a Static Analysis of .NET applications, check for the presence of these methods and check whether sensitive data is being written to the logs through these methods.

Cryptography

Applications use cryptography algorithms to protect sensitive data like passwords. Cryptography algorithms could either be publicly known algorithms or a custom encryption created by the developers. It is advisable to use publicly-known algorithms that are certified as secure by cryptography experts. Publicly known algorithms like MD5 are insecure and should be avoided. Dynamic Analysis can only detect the client side encryption but a Static Analysis can detect the encryption that happens at the server side.

To detect encryption algorithms used in an application during a Static Analysis:

  • Identify the use of weak algorithms like MD5, DES and SHA1
  • Identify all custom encryption used by the application. Custom encryptions are usually created using functions like encrypt, encode, key, random, hash etc. Look for the use of these functions in the code.

Additionally, check whether the keys used for encryption are short or if the key is stored in plaintext.

Configuration Settings and Database Storage

Static Analysis also helps you find security issues in configuration files and data storage, which are difficult to detect during a Dynamic Analysis. Static Analysis can help identify such issues.

One such issue is "high privileged connection to the database". Applications that interact with a database for fetching and storing data connects to the database as a user. These database user used by the application should be a low privileged user with only limited permissions on the database as required by the application. This will prevent an attacker from performing malicious transactions on the database through the application. These connection details are stored in the server side code and cannot be identified during a Dynamic Analysis.

During a Static Analysis, review the code and check whether the application connects to the database as a high-privileged user. Also, check whether the user credentials used for connecting to the database are stored in plaintext in configuration files.

Pinpoint Vulnerability

One of the important benefits of Static Analysis is the ability to pinpoint the exact vulnerable line in the code. During a Static Analysis, as you can trace the flow of data from source to sink, you can identify the point at which the tainted data from source will result in a vulnerability. This makes it possible to identify specific lines in code that are vulnerable.

Many applications use centralized input validation or centralized output encoding for protection against threats like SQL Injection and XSS. Such validations can be better verified using static analysis and you can identify all instances of these vulnerabilities.

For example, an application might be using a specific function, say escape_xss() to escape special characters for protection against XSS. All parameters will be passed through this function before being processed or before they are displayed back to the user. During a Static Analysis, the tester has to check whether all the parameters coming from the user are passed through the escape_xss() function. Any parameter that is not being passed through this function is vulnerable and needs to be reported.

It is also possible to recommend precise solutions to mitigate the vulnerability. Precise solutions make it easier for developers to fix issues.

Cost Benefits

Dynamic Analysis is performed on running applications, which means that they cannot be used until later in the software development life cycle. Fixing the defects later also involves significant cost. Static Analysis can be performed at an earlier phase in SDLC, which makes fixing defects easier and also reduces costs involved in fixing issues.

As we have discussed in this article, Static Analysis not only discovers more vulnerabilities but also offers other benefits. Integrating Static analysis into the Software Development Life Cycle would result in vulnerabilities being discovered at an earlier stage, much before the entire software is built. This improves development and deployment of secure software applications, by helping developers to code better.

References


Tags: Best Practices

About

balaji