EE Times-Asia
Securing open source web apps with static analysis

Posted: 11 Dec 2013

Keywords: server, OpenSSL, Secure Sockets Layer, SSL, Linux

As you can see, the if statement implies that it is possible for qd or qg to be -1 when type is 120. But in the subsequent switch statement, which is always executed when type is 120, the Queue array is unconditionally indexed through the variable qg. If qg were -1, this would be an underflow. The program was not studied exhaustively to determine whether qg can indeed be -1 when type is 120 and hence reach the fault. However, if qg cannot be -1 when type is 120, then the initial if check is incorrect, misleading, and/or unnecessary.

Another example of buffer underflow is found in file ssl_lib.c in OpenSSL:

    p = buf;
    sk = s->session->ciphers;
    for (i = 0; i ...
        *(p++) = ':';
    }
    p[-1] = '\0';

The analyser informs us that the underflow occurs when this code is called from file s_server.c. From a look at the call site in s_server.c, it is clear that the analyser has detected that buf points to the beginning of a statically allocated buffer. Therefore, in the ssl_lib.c code, if there are no ciphers in the cipher stack sk, the loop body never runs, p still equals buf, and the access p[-1] writes one byte before the start of the caller's buffer: an underflow. This demonstrates the need for an inter-module analysis, since there would be no way of knowing what buf referenced without examining the caller.

If it is the case that the number of ciphers cannot actually be 0 in practice, then the for loop should be converted to a do loop to make it clear that the loop must always be executed at least once (ensuring that p[-1] does not underflow). If an empty cipher stack is possible, the write itself must be guarded, for example by only stripping the trailing separator when p != buf.

Another problem is a potential buffer overflow. No check is made in the ssl_lib.c code to ensure that the total length of the cipher names (plus separators and terminator) does not exceed the size of the buf parameter. Instead of relying on convention, a better programming practice would be to pass in the length of buf and then add code to check that overflow does not occur.
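The following is an added example, not OpenSSL's code, showing one way to write the cipher-list builder so that both defects discussed above are closed at once: the caller passes the buffer length, so the loop stops before it overflows, and the terminator is written through p itself, so an empty list never touches p[-1]. The function name and signature (join_cipher_names) are hypothetical, and the cipher names used by the self-check are constructed sample input.

```c
#include <stdio.h>
#include <string.h>

/* Hardened colon-joined list builder (hypothetical signature, not the
 * OpenSSL API). Always NUL-terminates buf when len > 0 and returns the
 * number of names that fit. */
size_t join_cipher_names(const char *const *names, size_t count,
                         char *buf, size_t len)
{
    char *p = buf;
    size_t written = 0;

    if (buf == NULL || len == 0)
        return 0;                       /* nothing we can safely write into */

    size_t remaining = len - 1;         /* reserve one byte for the NUL */
    for (size_t i = 0; i < count; i++) {
        size_t n = strlen(names[i]);
        size_t need = n + (written ? 1 : 0);   /* ':' before all but the first */
        if (need > remaining)
            break;                      /* would overflow buf: keep what fits */
        if (written)
            *p++ = ':';
        memcpy(p, names[i], n);
        p += n;
        remaining -= need;
        written++;
    }
    *p = '\0';                          /* p == buf when count == 0: no p[-1] */
    return written;
}

/* Exercises the three cases the text raises: a normal list, an empty list
 * (the underflow case) and a buffer too small for the list (the overflow
 * case). Returns 1 if every case behaves as intended, 0 otherwise.
 * The cipher names are constructed sample input. */
int join_self_check(void)
{
    const char *const ciphers[] = { "AES256-SHA", "RC4-MD5" };
    char buf[64];
    char small[12];

    /* Normal case: both names joined, no trailing separator. */
    memset(buf, 'X', sizeof buf);
    if (join_cipher_names(ciphers, 2, buf, sizeof buf) != 2 ||
        strcmp(buf, "AES256-SHA:RC4-MD5") != 0)
        return 0;

    /* Empty list: the original pattern would write p[-1] here. */
    memset(buf, 'X', sizeof buf);
    if (join_cipher_names(ciphers, 0, buf, sizeof buf) != 0 || buf[0] != '\0')
        return 0;

    /* Undersized buffer: the second name does not fit, output stays terminated. */
    memset(small, 'X', sizeof small);
    if (join_cipher_names(ciphers, 2, small, sizeof small) != 1 ||
        strcmp(small, "AES256-SHA") != 0)
        return 0;

    return 1;
}

int main(void)
{
    int ok = join_self_check();
    printf("join_self_check: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

Truncation is reported through the return value rather than silently dropping data, so a caller that needs every cipher can compare the return against its count and fail loudly instead of sending a shortened list.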

Resource leaks
In file speed.c in OpenSSL:

fds=malloc(multi*sizeof *fds);

fds is a local pointer that is never used to free the allocated memory prior to return from the subroutine. Furthermore, fds is not saved in another variable from which it could later be freed. Clearly, this is a memory leak. A simple denial-of-service attack on OpenSSL would be to invoke, or cause to be invoked, the speed command until all of memory is exhausted. (In practice the speed command runs as a short-lived process whose memory is reclaimed at exit, so the leak matters most where the same routine is reached repeatedly within a long-lived process.)
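As an added example, not OpenSSL's speed.c, the following shows the allocation shape the text describes beside a version that releases fds on every return path, with a counting wrapper around malloc/free so the balance can be checked from outside. The function names (run_multi_leaky, run_multi_fixed, leak_delta), the counting wrappers and the use_fds stand-in for the per-child work are all hypothetical.

```c
#include <stdlib.h>
#include <stdio.h>

/* Illustration only: count live allocations so a caller can verify that a
 * routine frees what it allocates. */
static long live_allocations = 0;

static void *counted_malloc(size_t n)
{
    void *p = malloc(n);
    if (p != NULL)
        live_allocations++;
    return p;
}

static void counted_free(void *p)
{
    if (p != NULL) {
        live_allocations--;
        free(p);
    }
}

/* Stand-in for the work done with the fd array (constructed). */
static int use_fds(int *fds, int multi)
{
    for (int i = 0; i < multi; i++)
        fds[i] = i;
    return multi > 0 ? 0 : -1;
}

/* Leaky shape: fds is local, never freed, and not stored anywhere
 * else that could free it later. Every return path leaks. */
int run_multi_leaky(int multi)
{
    int *fds = counted_malloc((size_t)multi * sizeof *fds);
    if (fds == NULL)
        return -1;
    if (use_fds(fds, multi) != 0)
        return -1;                    /* early return: leaked */
    return 0;                         /* normal return: also leaked */
}

/* Fixed shape: a single exit point, so every path passes the free. */
int run_multi_fixed(int multi)
{
    int rc = -1;
    int *fds = counted_malloc((size_t)multi * sizeof *fds);
    if (fds == NULL)
        goto out;
    if (use_fds(fds, multi) != 0)
        goto out;
    rc = 0;
out:
    counted_free(fds);                /* NULL-safe, like free() */
    return rc;
}

/* Runs fn once and reports how many allocations it left live. */
long leak_delta(int (*fn)(int), int multi)
{
    long before = live_allocations;
    fn(multi);
    return live_allocations - before;
}

int main(void)
{
    printf("leaky: %ld allocation(s) left live\n", leak_delta(run_multi_leaky, 4));
    printf("fixed: %ld allocation(s) left live\n", leak_delta(run_multi_fixed, 4));
    return 0;
}
```

The single-exit form is what most static analysers reward: with one cleanup label, the tool (and the reviewer) only has to show that every path reaches it, rather than auditing each return separately.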

Many would argue that the code quality of such popular open source applications is expected to be relatively high. As one person puts it, "by sharing source code, open source developers make software more robust. Programs get used and tested in a wider variety of contexts than one programmer could generate, and bugs get uncovered that otherwise would not be found."

Unfortunately, in a complex software application such as Apache, it is simply not feasible for all flaws to be found by manual inspection. In addition to this case study, other commercial static code analysers have been used successfully on large open source applications, including the Linux operating system, to locate numerous latent security vulnerabilities.

Numerous mechanisms are available to help in the struggle to improve software quality, including improved testing and design paradigms. But automated source code analysers are one of the most promising technologies.

About the author
David Kleidermacher, Chief Technology Officer of Green Hills Software, joined the company in 1991 and is responsible for technology strategy, platform planning, and solutions design. He is an authority in systems software and security, including secure operating systems, virtualisation technology, and the application of high robustness security engineering principles to solve computing infrastructure problems. Mr. Kleidermacher earned his bachelor of science in computer science from Cornell University.

This article is excerpted from Embedded Systems Security by David and Mike Kleidermacher, used with permission from Newnes, a division of Elsevier. Copyright 2012. All rights reserved.
