
Heuristic analysis of source code security

Authors: Markov A.S., Matveev V.A., Fadin A.A., Tsirlov V.L. Published: 19.02.2016
Published in issue: #1(106)/2016  
DOI: 10.18698/0236-3933-2016-1-98-111

 
Category: Informatics, Computer Engineering and Control | Chapter: Methods and Systems of Information Protection, Information Security  
Keywords: information security, software security, testing, static analysis, production models, heuristic analysis, vulnerabilities, defects, undeclared capabilities

The paper addresses structural static analysis of source code security and the problem of ensuring that the inspection is complete. To detect source code vulnerabilities comprehensively, heuristic (signature) analysis of program security is used, taking into account the whole range of program defect classes. A semantic metamodel is developed for describing the heuristic algorithms that detect security defects and vulnerabilities at different levels of source code representation. The paper notes that the program representation models most essential for computer security are the abstract syntax tree and the abstract syntax graph. The required processing speed, formal simplicity and implementation visibility of heuristic analysis can be achieved by using a production rule system. Examples of particular semantic models for heuristics that detect essential program security defects are given, together with their advantages and limitations. Information on the practical implementation and approbation of the proposed solutions is provided. It was noted that 88% of critical vulnerabilities were identified by heuristic analysis during certification tests of information security facilities. The conclusion is that heuristic analysis can serve as a base for various techniques of source code security audit.
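The production-rule approach over an abstract syntax tree that the abstract describes can be sketched as follows. This is an added illustration, not the authors' analyser or rule set: the choice of Python's `ast` module, the rule identifiers H001 to H003, the defect labels and the sample source are all assumptions made for the example.

```python
import ast
import re

# Constructed sample input, not taken from the paper.
SAMPLE = '''
import subprocess
db_password = "s3cret"
def run(cmd, expr):
    subprocess.call(cmd, shell=True)
    return eval(expr)
'''

SECRET_NAME = re.compile(r"passw|secret|token|api_?key", re.I)

def call_name(node):
    """Source text of a call target, e.g. 'eval' or 'subprocess.call'."""
    return ast.unparse(node.func)  # requires Python 3.9+

def is_hardcoded_secret(n):
    # A string literal assigned to a name that looks like a credential.
    return (isinstance(n.value, ast.Constant) and isinstance(n.value.value, str)
            and any(isinstance(t, ast.Name) and SECRET_NAME.search(t.id)
                    for t in n.targets))

def is_shell_true(n):
    # Any call that passes the literal keyword argument shell=True.
    return any(k.arg == "shell" and isinstance(k.value, ast.Constant)
               and k.value.value is True for k in n.keywords)

# Production rules (hypothetical ids and labels):
# IF the node has this type AND the condition holds THEN report the defect.
RULES = [
    ("H001", "dynamic code execution", ast.Call,
     lambda n: call_name(n) in {"eval", "exec"}),
    ("H002", "hard-coded credential", ast.Assign, is_hardcoded_secret),
    ("H003", "command run through a shell", ast.Call, is_shell_true),
]

def analyse(source):
    """Fire every rule on every AST node; return sorted (line, id, label)."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        for rule_id, label, node_type, condition in RULES:
            if isinstance(node, node_type) and condition(node):
                findings.append((node.lineno, rule_id, label))
    return sorted(findings)

if __name__ == "__main__":
    for line, rule_id, label in analyse(SAMPLE):
        print(f"line {line}: {rule_id} {label}")
```

Rules of this kind match syntactic signatures only: a credential fetched at run time, or `eval` reached through an alias, does not fire them.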
