Secure Programming with Static Analysis by Brian Chess (PDF)


Ebook Info

  • Published: 2007
  • Number of pages: 587 pages
  • Format: PDF
  • File Size: 4.71 MB
  • Authors: Brian Chess

Description

The First Expert Guide to Static Analysis for Software Security!

Creating secure code requires more than just good intentions. Programmers need to know that their code will be safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine-toothed comb and uncover the kinds of errors that lead directly to security vulnerabilities. Now, there’s a complete guide to static analysis: how it works, how to integrate it into the software development processes, and how to make the most of it during security code review. Static analysis experts Brian Chess and Jacob West look at the most common types of security defects that occur today. They illustrate main points using Java and C code examples taken from real-world security incidents, showing how coding errors are exploited, how they could have been prevented, and how static analysis can rapidly uncover similar mistakes. This book is for everyone concerned with building more secure software: developers, security engineers, analysts, and testers.

Coverage includes:

  • Why conventional bug-catching often misses security problems
  • How static analysis can help programmers get security right
  • The critical attributes and algorithms that make or break a static analysis tool
  • 36 techniques for making static analysis more effective on your code
  • More than 70 types of serious security vulnerabilities, with specific solutions
  • Example vulnerabilities from Firefox, OpenSSH, MySpace, eTrade, Apache httpd, and many more
  • Techniques for handling untrusted input
  • Eliminating buffer overflows: tactical and strategic approaches
  • Avoiding errors specific to Web applications, Web services, and Ajax
  • Security-aware logging, debugging, and error/exception handling
  • Creating, maintaining, and sharing secrets and confidential information
  • Detailed tutorials that walk you through the static analysis process

“We designed Java so that it could be analyzed statically. This book shows you how to apply advanced static analysis techniques to create more secure, more reliable software.” –Bill Joy, Co-founder of Sun Microsystems, co-inventor of the Java programming language

“‘Secure Programming with Static Analysis’ is a great primer on static analysis for security-minded developers and security practitioners. Well-written, easy to read, tells you what you need to know.” –David Wagner, Associate Professor, University of California Berkeley

“Software developers are the first and best line of defense for the security of their code. This book gives them the security development knowledge and the tools they need in order to eliminate vulnerabilities before they move into the final products that can be exploited.” –Howard A. Schmidt, Former White House Cyber Security Advisor

BRIAN CHESS is Founder and Chief Scientist of Fortify Software, where his research focuses on practical methods for creating secure systems. He holds a Ph.D. in Computer Engineering from University of California Santa Cruz, where he studied the application of static analysis to finding security-related code defects.

JACOB WEST manages Fortify Software’s Security Research Group, which is responsible for building security knowledge into Fortify’s products. He brings expertise in numerous programming languages, frameworks, and styles together with deep knowledge about how real-world systems fail.

CD contains a working demonstration version of Fortify Software’s Source Code Analysis (SCA) product; extensive Java and C code samples; and the tutorial chapters from the book in PDF format.

Part I: Software Security and Static Analysis
  • 1 The Software Security Problem
  • 2 Introduction to Static Analysis
  • 3 Static Analysis as Part of the Code Review Process
  • 4 Static Analysis Internals

Part II: Pervasive Problems
  • 5 Handling Input
  • 6 Buffer Overflow
  • 7 Bride of Buffer Overflow
  • 8 Errors and Exceptions

Part III: Features and Flavors
  • 9 Web Applications
  • 10 XML and Web Services
  • 11 Privacy and Secrets
  • 12 Privileged Programs

Part IV: Static Analysis in Practice
  • 13 Source Code Analysis Exercises for Java
  • 14 Source Code Analysis Exercises for C

Epilogue
References
Index

User’s Reviews

Editorial Reviews

About the Author

Brian Chess is a founder of Fortify Software. He currently serves as Fortify’s Chief Scientist, where his work focuses on practical methods for creating secure systems. Brian holds a Ph.D. in Computer Engineering from the University of California at Santa Cruz, where he studied the application of static analysis to the problem of finding security-relevant defects in source code. Before settling on security, Brian spent a decade in Silicon Valley working at huge companies and small startups. He has done research on a broad set of topics, ranging from integrated circuit design all the way to delivering software as a service. He lives in Mountain View, California.

Jacob West manages Fortify Software’s Security Research Group, which is responsible for building security knowledge into Fortify’s products. Jacob brings expertise in numerous programming languages, frameworks, and styles together with knowledge about how real-world systems can fail. Before joining Fortify, Jacob worked with Professor David Wagner at the University of California at Berkeley to develop MOPS (MOdel Checking Programs for Security properties), a static analysis tool used to discover security vulnerabilities in C programs. When he is away from the keyboard, Jacob spends time speaking at conferences and working with customers to advance their understanding of software security. He lives in San Francisco, California.

Excerpt. © Reprinted by permission. All rights reserved.

Preface

Following the light of the sun, we left the Old World. —Christopher Columbus

We live in a time of unprecedented economic growth, increasingly fueled by computer and communications technology. We use software to automate factories, streamline commerce, and put information into the hands of people who can act upon it. We live in the information age, and software is the primary means by which we tame information.

But oddly enough, much of the activity that takes place under the guise of computer security isn’t really about solving security problems at all; it’s about cleaning up the mess that security problems create. Virus scanners, firewalls, patch management, and intrusion-detection systems are all means by which we make up for shortcomings in software security. The software industry puts more effort into compensating for bad security than it puts into creating secure software in the first place. Do not take this to mean that we see no value in mechanisms that compensate for security failures. Just as every ship should have lifeboats, it is both good and healthy that our industry creates ways to quickly compensate for a newly discovered vulnerability. But the state of software security is poor. New vulnerabilities are discovered every day. In a sense, we’ve come to expect that we will need to use the lifeboats every time the ship sails.

Changing the state of software security requires changing the way software is built. This is not an easy task. After all, there are a limitless number of security mistakes that programmers could make! The potential for error might be limitless, but in practice, the programming community tends to repeat the same security mistakes. Almost two decades of buffer overflow vulnerabilities serve as an excellent illustration of this point. In 1988, the Morris worm made the Internet programming community aware that a buffer overflow could lead to a security breach, but as recently as 2005, buffer overflow was the number one cause of security problems cataloged by the Common Vulnerabilities and Exposures (CVE) Project [CWE, 2006]. This significant repetition of well-known mistakes suggests that many of the security problems we encounter today are preventable and that the software community possesses the experience necessary to avoid them.

We are thrilled to be building software at the beginning of the twenty-first century. It must have felt this way to be building ships during the age of exploration. When Columbus came to America, exploration was the driving force behind economic expansion, and ships were the means by which explorers traveled the world. In Columbus’s day, being a world economic power required being a naval power because discovering a new land didn’t pay off until ships could safely travel the new trade routes. Software security has a similar role to play in today’s world. To make information technology pay off, people must trust the computer systems they use. Some pundits warn about an impending “cyber Armageddon,” but we don’t fear an electronic apocalypse nearly so much as we see software security as one of the primary factors that control the amount of trust people are willing to place in technology. Without adequate security, we cannot realize the full potential of the digital age.

We believe that it is the responsibility of the people who create software to make sure that their creations are secure. Software security cannot be left to the system administrator or the end user. Network security, judicious administration, and wise use are all important, but in the long run, these endeavors cannot succeed if the software is inherently vulnerable. Although security can sometimes appear to be a black art or a matter of luck, we hope to show that it is neither. Making security sound impossible or mysterious is giving it more than its due. Given the right knowledge and the right tools, good software security can be achieved by building security in to the software-development process.

We sometimes encounter programmers who question whether software security is a worthy goal. After all, if no one hacked your software yesterday, why would you believe they’ll hack it tomorrow? Security requires expending some extra thought, attention, and effort. This extra work wasn’t nearly so important in previous decades, and programmers who haven’t yet suffered security problems use their good fortune to justify continuing to ignore security. In his investigation of the loss of the space shuttle Challenger, Richard Feynman found that NASA had based its risk assessment on the fact that previous shuttle missions had been successful [Feynman, 1986]. They knew anomalous behavior had taken place in the past, but they used the fact that no disaster had occurred yet as a reason to believe that no disaster would ever occur. The resulting erosion of safety margins made failure almost inevitable. Feynman writes, “When playing Russian roulette, the fact that the first shot got off safely is little comfort for the next.”

Security Matters: Improving Software Security with Static Source Code Analysis

Two threads are woven throughout the book: software security and static source code analysis. We discuss a wide variety of common coding errors that lead to security problems, explain the security ramifications of each, and give advice for charting a safe course. Our most common piece of advice eventually found its way into the title of the book: Use static analysis tools to identify coding errors before they can be exploited. Our focus is on commercial software for both businesses and consumers, but our emphasis is on business systems. We won’t get into the details that are critical for building software for functions that imply special security needs. A lot could be said about the specific security requirements for building an operating system or an electronic voting machine, but we encounter many more programmers who need to know how to build a secure Web site or enterprise application.

Above all else, we hope to offer practical and immediately practicable advice for avoiding software security pitfalls. We use dozens of real-world examples of vulnerable code to illustrate the pitfalls we discuss, and the book includes a static source code analysis tool on a companion CD so that readers can experiment with the detection techniques we describe.

The book is not a guide to using security features, frameworks, or APIs. We do not discuss the Java Security Manager, advanced cryptographic techniques, or the right approach to identity management. Clearly, these are important topics. They are so important, in fact, that they warrant books of their own. Our goal is to focus on things unrelated to security features that put security at risk when they go wrong.

In many cases, the devil is in the details. Security principles (and violations of security principles) have to be mapped to their manifestation in source code. We’ve chosen to focus on programs written in C, C++, and Java because they are the languages we most frequently encounter today. We see plenty of other languages, too. Security-sensitive work is being done in C#, Visual Basic, PHP, Perl, Python, Ruby, and COBOL, but it would be difficult to write a single book that could even scratch the surface with all these languages.

In any case, many of the problems we discuss are language independent, and we hope that you will be able to look beyond the syntax of the examples to understand the ramifications for the languages you use.

Who Should Read the Book

This book is written for people who have decided to make software security a priority. We hope that programmers, managers, and software architects will all benefit from reading it. Although we do not assume any detailed knowledge about software security or static analysis, we cover the subject matter in enough depth that we hope professional code reviewers and penetration testers will benefit, too. We do assume that you are comfortable programming in either C or Java, and that you won’t be too uncomfortable reading short examples in either language. Some chapters are slanted more toward one language than another. For instance, the examples in the chapters on buffer overflow are written in C.

Our hope is that by giving a lot of examples of vulnerable code, we can help you do a better job of identifying potential problems in your own code.

How the Book Is Organized

The book is divided into four parts. Part I, “Software Security and Static Analysis,” describes the big picture: the software security problem, the way static analysis can help, and options for integrating static analysis as part of the software-development process. Part II, “Pervasive Problems,” looks at pervasive security problems that can impact software, regardless of its functionality, while Part III, “Features and Flavors,” tackles security concerns that affect common flavors of programs and specific software features. Part IV, “Static Analysis in Practice,” brings together Parts I, II, and III with a set of hands-on exercises that show how static analysis can improve software security.

Chapter 1, “The Software Security Problem,” outlines the software security dilemma from a programmer’s perspective: why security is easy to get wrong and why typical methods for catching bugs aren’t very effective when it comes to finding security problems.

Chapter 2, “Static Analysis,” introduces static source code analysis. It looks at the variety of problems that static analysis can solve, including structure, quality, and, of course, security. We take a quick tour of open-source and commercial static analysis tools.

Chapter 3, “Static Analysis as Part of Code Review,” looks at how static analysis tools can be put to work as part of a security review process. We examine the organizational decisions that are essential to making effective use of the tools. We also look at metrics based on static analysis output.

Chapter 4, “Handling Input,” takes an in-depth look at how static analysis tools work. We explore the essential components involved in building a tool and consider the trade-offs that tools make to achieve good precision and still scale to analyze millions of lines of code.

Part II outlines security problems that are pervasive in software. Throughout the chapters in this section and the next, we give positive guidance for secure programming and then use specific code examples (many of them from real programs) to illustrate pitfalls to be avoided. Along the way, we point out places where static analysis can help.

Chapter 5, “Handling Input,” addresses the most thorny software security topic that programmers have faced in the past, and the one they are most likely to face in the future: handling the many forms and flavors of untrustworthy input.

Chapter 6, “Buffer Overflow I,” and Chapter 7, “Bride of Buffer Overflow,” look at a specific input-driven software security problem that has been with us for decades: buffer overflow. Chapter 6 begins with a tactical approach: how to spot the specific coding techniques that are most likely to lead to an exploitable buffer overflow. Chapter 7 steps back and examines some of the indirect causes of buffer overflow, such as attacker-controlled format strings and integer wraparound. We then step back and take a more strategic look at buffer overflow and possible ways that the problem can be tamed.

Chapter 8, “Errors and Exceptions,” addresses the way programmers think about errors and exceptions. Although errors and exceptions are only rarely the direct cause of security vulnerabilities, they are often related to vulnerabilities in an indirect manner. The connection between unexpected conditions and security problems is so strong that error handling and recovery will always be a security topic. At the end, the chapter discusses general approaches to logging and debugging, which is often integrally connected with error-handling code.

Part III uses the same positive guidance and specific code examples to tackle security concerns found in common flavors of programs and related to specific software features.

Chapter 9, “Web Applications,” looks at the most popular security topic of the day: the World Wide Web. We look at security problems that are specific to the Web and to the HTTP protocol. Chapter 10, “XML and Web Services,” examines a security challenge on the rise: the use of XML and Web Services to build applications out of distributed components. Although security features are not our primary focus, some security features are so error prone that they deserve special treatment. Chapter 11, “Privacy and Secrets,” looks at programs that need to protect private information and, more generally, the need to maintain secrets. Chapter 12, “Privileged Programs,” looks at the special security requirements that must be taken into account when writing a program that operates with a different set of privileges than the user who invokes it.

Part IV is about gaining practical experience with static analysis. This book’s companion CD includes a static analysis tool, courtesy of our company, Fortify Software, and source code for a number of sample projects. Chapter 13, “Source Code Analysis Exercises for Java,” is a tutorial that covers static analysis from a Java perspective; Chapter 14, “Source Code Analysis Exercises for C and C++,” does the same thing, but with examples and exercises written in C.

Conventions Used in the Book

Discussing security errors makes it easy to slip into a negative state of mind or to take a pessimistic outlook. We try to stay positive by focusing on what needs to be done to get security right. Specifics are important, though, so when we discuss programming errors, we try to give a working example that demonstrates the programming mistake under scrutiny. When the solution to a particular problem is far removed from our original example, we also include a rewritten version that corrects the problem. To keep the examples straight, we use one icon to denote code that intentionally contains a weakness: We use a different icon to denote code where the weakness has been corrected: Other conventions used in the book include a monospaced font for code, both in the text and in examples.

© Copyright Pearson Education. All rights reserved.

Reviews from Amazon users which were collected at the time this book was published on the website:

⭐I typically review systems and commercial software from a security standpoint. Recently, there has been a push to review software that is developed in-house utilizing tools such as Burpsuite and Fortify SCA. The classes that have been offered to my co-workers have been best described as How-To install the Fortify software. I was hoping to find a book with an in-depth view of utilizing Fortify to analyze source code. While the main focus of the book is not on Fortify, I was hoping that the 2 Chapters (Tutorials) would be a good start as this is the only book I know of that deals with Fortify (except the proprietary HP manuals).

Why not just use the proprietary manuals and play with the software at work? Simple, I do not have time to read through manuals and play at work. I need something I can work with at home. The biggest problem I have with this book is that the software included is no longer functional. To install, you have to get a license from the Fortify website which is now owned by HP. Neither the authors nor HP will provide a license so the software is useless.

If you are looking for a book to aid in secure code analysis, this is not the book for you. Secure Programming with Static Analysis… I read as make your applications secure by using static code analysis to identify problems. While the authors do give a fair amount of bad code to learn from, the details are less forthcoming than in other books. Rather than give examples of how to use static code analysis tools to identify and correct problems, the authors give details of how they wrote rules to identify the problematic code. So if you are a programmer wanting to write your own “Fortify” software, this is a great start. I deducted 1 star because I felt the book only lives up to the “secure programming” portion of its name. You will not be getting any hands-on with Static Analysis from this book (as I mentioned the software no longer functions).

At the time the book was written, it probably was cutting edge knowledge and software security as described by the author was believed to be a job only a programmer could do. This is the way the book is written. Books like

are much friendlier towards non-programmers and have way more detail than this book. In fact the WAHH describes how a non-programmer may perform secure code analysis with a little research and gives you enough information to get started. It may seem unfair to judge this book published in 2007 by information available in 2015. However, I feel it is more unfair that someone like myself will purchase it based on the reviews when better books are available. I deducted 2 stars for the limited (and old) information.

To address comments about how the WAHH does not address some of the topics (in-depth) that are covered in this book such as native compiled languages, I would recommend

but it is not for the faint of heart.

might be more in-line with my previous recommendation, however I have yet to read this book so I will reserve judgment.

In all, I am giving the book 2 stars as the information contained in it may be useful to other readers but there are far better sources to go to. In fact, I hope the whole industry dumps the use of Fortify in favor of open source alternatives that the worker bees can actually get their hands on. Check out OWASP for a list of alternatives. If you are a developer looking into secure programming, after reading the previously mentioned book check out US Cert/SEI secure programming [language of choice] books. This book will likely make it into my trash very soon unless you want to buy it???

⭐OK book, but I purchased it for the practice software for HP Fortify – which doesn’t work. HP no longer supports it, and it won’t run without HP support. I sent the book back.

⭐Must read for anyone adopting SAST

⭐I bought this book as a course requirement and it has been much more than that. This book enlightens you with situations which you would have encountered previously but never realized how an adversary could exploit the situation to either break into your system or just cause havoc from outside. The authors have shared their company Software named Fortify which helps us analyze programs using static analysis. The only drawback is that the software is an out of date one which refuses to configure with Windows 7 system and requires XP compatibility. Also understandably it is a demo version which has extreme constraints on the size of code being analyzed. Wish the authors would have looked into these minor details.

⭐Book has a lot of very useful information. The code examples are very useful. Uses Java Servlet code for many examples.

⭐If you’re looking to get into jacking instruction pointers and doing some serious bug hunting, this book is a must read!

⭐“Secure Programming with Static Analysis” walks through many programming security issues and how to protect against them and mitigate them.

It focuses mainly on static analysis and low-level languages but still covers topics in higher-level languages and even web-based systems.

Although most of the material is always at the back of mind for many security-conscious programmers, very few will finish the book without one or two surprises.

The book is quite dated but still very much relevant today. So for areas like web-security, “The Tangled Web: A Guide to Securing Modern Web Applications” is an excellent book to complement this one.

⭐First. Full disclosure. I am an ex-employee of Fortify Software. Second. I was a reviewer of this book. That said… I’d say the target audience for this book is 50% of developers and all the tire-kickers who don’t think static analysis is possible (let alone accurate).

Why only 50% of developers? This is based upon one of my own heuristics when putting together (or working in large) development teams. i.e. 50% of the developers in the world shouldn’t even be writing code, and, the world would be a safer place if they weren’t. Unfortunately they are. And, they need tools. And, one of those tools should be a static analysis tool focused on software security. I’ve only scanned a few hundred million lines of code at Fortune 500 companies over the past 5 years. And, the vast majority of that code proves to me that 50% of developers couldn’t even write (compilation error free) a ‘Hello World’ from scratch let alone find all of the cross-site scripting or buffer overflows in their own production code.

The tire-kickers are the other 50% of developers (architects, lead developers, etc). They need to try; findbugs, FxCop, splint, and the tool on the accompanying CD of this book. Some will be too smart to use a tool like the one in the accompanying CD. They won’t see the value in giving their developers a tool that simply checks for the obvious. They have the policies in place that completely eliminate the possibility of the other developers ‘introducing vulnerabilities’ into the code base and/or ‘checking in code that breaks the build’. Wow! … Other tire-kickers are not so smart. (Again, full disclosure. I’d fit into that category.) The only question that I would hope to answer from reading this book is; If I give a tool as described in this book to my dumbest developer… will they be able to produce better code. I know the answer. YOU have to read this book.

⭐The book handles the topic in a good and comprehensive way.

But my intention was to work through the tutorials which are provided in a CD that is delivered together with the book.

This CD is also advertised in the book’s abstract.

When installing the software from the CD I have been asked to visit a web page from a company named “Fortify” to register and receive the required license key. However, the given web link is not working – even the entire domain is not existing anymore and the company itself seems not to exist anymore.

Has anyone a hint how I could receive a license key for the book’s CD?

I believe it is not OK to sell a book, where the digital part is not useable any more.

⭐Good purchase
