Static analysis technique was introduced by King in 1974 as a way to understand and debug programs rather than to find vulnerabilities in them. Static analysis emerged as a major security subject in the year 2000 after a dissertation by Wagner. Since then, more than 40 tools, open-source or commodity, and 11 techniques have been introduced to the system security world. However, as reported by major security advisors and experts such as Microsoft Security Advisor, Secunia, SANS Institute, and Symantec, vulnerabilities still exist and exploitations are still at large. To this date, there are numerous possibilities and reasons as to why the community is still facing software security issues. One of them is the effectiveness and efficacy of static analysis in preventing these issues.
I wrote a paper which discussed those issues and proposed ways to overcome the limitations of previous solutions, with the title "PREVENTING EXPLOITATION ON SOFTWARE VULNERABILITIES – WHY MOST STATIC ANALYSIS IS INEFFECTIVE?", which was presented at WEC 2010.
Tags: Analysis, Static, Vulnerability
Reply by Najmi on January 16, 2012 at 9:04am: Your suggestion on the alternative? Dynamic analysis?
Reply by Nurul Haszeli on January 16, 2012 at 1:26pm: Nope.. dynamic analysis also suffers many false alarms. In addition, it is dependent on the test suite or the path of the analysis, plus additional cost is required to modify the application if vulnerabilities are detected in it.
However, for the mean time, both methods should be implemented: static and dynamic. Once static analysis produces a list of vulnerabilities or programming errors, dynamic analysis should then be used to verify the vulnerabilities.
This is the only way, at the moment, until a good technique is introduced.
Btw, I'm keeping that for my PhD next year :)
Reply by Najmi on January 16, 2012 at 1:32pm: Need formal methods then.
For vulnerabilities, usually "fuzzing" is used. So fuzzy is in what kind of analysis, dynamic or static?
Reply by Nurul Haszeli on January 16, 2012 at 2:51pm: Formal methods have been used in both static and dynamic analysis. It was started by David Wagner via Integer Range Analysis and then continued by others such as Wang, etc.
It actually depends on how it was implemented, for either static or dynamic, and to what extent it was implemented. For example, IRA by Wagner only focuses on vulnerabilities related to string manipulation and has yet to be tested with other kinds of vulnerabilities that do not relate to string manipulation, such as pointer and arithmetic/mathematical processes.
Fuzzy was also implemented in both static and dynamic analysis. Check out ASTREE and the abstract interpretation technique by the Cousots and their students. :)
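To make the integer-range idea mentioned above concrete, here is a small added example (constructed for this edit; it is not Wagner's tool and not code from anyone in the thread): a toy analyser in the spirit of Wagner's IRA that models each string buffer as an allocated-size range plus a length range over a tiny hypothetical IR, and flags a buffer whenever its length can exceed its allocation.

```python
from dataclasses import dataclass

INF = float("inf")

@dataclass
class Range:
    lo: float
    hi: float
    def join(self, other):  # smallest range covering both
        return Range(min(self.lo, other.lo), max(self.hi, other.hi))
    def add(self, other):   # interval addition
        return Range(self.lo + other.lo, self.hi + other.hi)

def analyse(program):
    """Tiny IR (constructed for this example), one tuple per statement:
    ('decl', buf, size)        char buf[size];
    ('input', buf)             gets()-style read: length unbounded
    ('strcpy', dst, src)       len(dst) = len(src)
    ('strncpy', dst, src, n)   len(dst) <= n
    ('strcat', dst, src)       len(dst) = len(dst) + len(src) - 1
    Lengths count the trailing NUL, as in Wagner's model."""
    alloc, length = {}, {}
    for stmt in program:
        op = stmt[0]
        if op == "decl":
            _, buf, size = stmt
            alloc[buf] = Range(size, size)
            length[buf] = Range(1, 1)           # empty string: only the NUL
        elif op == "input":
            length[stmt[1]] = length[stmt[1]].join(Range(1, INF))
        elif op == "strcpy":
            _, dst, src = stmt
            length[dst] = length[dst].join(length[src])
        elif op == "strncpy":
            _, dst, src, n = stmt
            bounded = Range(min(length[src].lo, n), min(length[src].hi, n))
            length[dst] = length[dst].join(bounded)
        elif op == "strcat":
            _, dst, src = stmt
            length[dst] = length[dst].join(length[dst].add(length[src]).add(Range(-1, -1)))
    # IRA safety check: largest possible length vs smallest possible allocation.
    return {b: "unsafe" if length[b].hi > alloc[b].lo else "safe" for b in alloc}

# Constructed sample: an unbounded read copied with strcpy(), then the same copy bounded by strncpy().
PROGRAM = [
    ("decl", "line", 64), ("input", "line"),
    ("decl", "cmd", 16), ("strcpy", "cmd", "line"),
    ("decl", "safe_cmd", 16), ("strncpy", "safe_cmd", "line", 16),
]
```

The IR deliberately has no pointer or integer-arithmetic statements, which is exactly the gap the reply above describes for IRA.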