Software Security with Static Code Analysis Using CAT.NET - PowerPoint PPT Presentation

Software Security with Static Code Analysis Using CAT.NET

Andreas Fuchsberger

Information Security Technologist, Microsoft

Agenda

  • Code Analysis/Code Inspection

    • Motivation

  • Static Code Analysis

    • History

    • Current technologies

  • CAT.NET
    • How CAT.NET works

    • Installation

    • Use

  • Demo

Given Enough Eyeballs All Bugs Are Shallow

  • The Cathedral and the Bazaar by Eric S. Raymond (O'Reilly Media, 1999)

Code Inspection

  • Too good to be true

  • If the eyes don’t know what to look for, they are likely to miss security bugs

  • Who looks at code anyway?

  • Code inspection is tedious and error prone: Automation is needed

  • See Writing Secure Code, Second Edition by Michael Howard and David LeBlanc (Microsoft Press®, 2003)

Building Secure Software

  • Building Secure Software by John Viega and Gary McGraw (Addison-Wesley, 2001)

From Building Secure Software

One example to consider is the GNU Mailman project, an open-source mailing list management package originally written by one of us (Viega).

Mailman has been used at an impressive number of places during the past several years to run mailing lists.

But for three years, Mailman had a handful of obvious and glaring security problems in the code. (Note that the code was written before we knew or cared much about security!)

From Building Secure Software

These problems were of the type that any person armed with grep and a single iota of security knowledge would have found in seconds.

Even though we had thousands and thousands of installs during that time period, no one reported a thing.

The horrible thing here is that the problem in Mailman persisted for four years, despite being packaged in products you’d expect to be security conscious, such as the Red Hat Secure Web Server product.

IPsec Encryption Only Flaw

  • “Attacking IPsec Standards in Encryption-only Configurations” by Jean Paul Degabriele and Kenneth G. Paterson (IEEE Symposium on Security and Privacy, 2007)

  • 2007 saw the discovery of a fundamental problem in the design of IPsec ESP encryption-only configurations

  • IPsec RFC standards (2401-2406) were published in 1998

Code Inspection

  • Too good to be true

  • If the eyes don’t know what to look for, they are likely to miss security bugs

  • See Writing Secure Code, Second Edition by Michael Howard and David LeBlanc (Microsoft Press, 2003)

    • Chapter 2, section “Education Proves the More Eyes Fallacy”

  • Who looks at code anyway?

  • Code inspection is tedious and error prone: Automation is needed

Code Inspection

  • C Lint preprocessor first appeared in 1979

  • “Using Programmer-Written Compiler Extensions to Catch Security Holes” by K. Ashcraft and D. Engler (IEEE Symposium on Security and Privacy, 2002)

    • Meta-compilation for C source code; ‘expert system’ incorporating rules for known issues: untrustworthy sources → sanitizing checks → trust sinks; raises an alarm if untrustworthy input reaches a sink without proper checks

  • Code analysis to learn new design rules: Where is the sink that belongs to the check we see?

  • Microsoft has had its own code inspection tools PREfix and PREfast for some time, and these have been integrated into Microsoft® VisualStudio® as well as Microsoft® FxCop

  • 2005: Microsoft® Code Analysis Tool .NET (CAT.NET)

  • 2008: CAT.NET Community Technology Preview (CTP)

Program Analysis

  • Area of computer science in its own right

  • Relevant for software security: Adapt methods to look for security problems

  • Objectives (for theoreticians):

    • Soundness: no false alarms

    • Completeness: finds all bugs in a given class

  • Objectives (for practitioners):

    • Useful results; picking the low-hanging fruit is fine; low false alarm rate

Static Code Analysis in the SDL

[Figure: security activities mapped across the development lifecycle, from Security Requirements and Threat Modelling through Static Code Analysis to Penetration Testing and Intrusion Detection]

From: Secure Programming with Static Analysis

The Quality Fallacy

  • Often held misconception:

    • Software Security is another case of Software Quality

  • Most testing concentrates on functionality

    • Security testing focuses on the absence of unwanted functionality

  • Implementations may have functionality outside of the original requirements

  • But building secure software often improves overall quality

Source Code Review

  • No one claims that source code review is capable of identifying all problems, but consensus is that source code review has a major part to play in any software security process

Static Code Analysis

  • Static code analysis describes the process by which computer software analysis is performed without actually executing binary code that makes up the software

  • Static analysis can be performed on the original source code or the binary code produced by the compiler

Capabilities and Limitations

  • Checks are performed consistently and thoroughly

  • Can find the cause of a security problem rather than just report the symptom

  • Static analysis can find bugs before the code runs or even compiles

  • Once a new class of vulnerability is discovered, old code can be rechecked

Capabilities and Limitations

  • Most common complaint:

    • False positives

    • False negatives

  • Implementation limitations

    • Speed

    • Size of code base

    • Usability

Problem Classes for Static Analysis

  • Type checking

  • Style checking

  • Program understanding

  • Program verification

  • Property checking

  • Bug finding

  • Security review

Static Analysis Techniques

  • Access control

  • Information flow

    • Integrity violations

    • Confidentiality violations

  • API conformance

CAT.NET

  • CAT.NET is an information-flow type static analysis tool using an implementation of tainted-variable analysis

  • Tainted-variable analysis addresses an integrity problem: it tries to identify whether less-trusted data obtained from the user might influence other data that the system trusts

How CAT.NET Works

  • CAT.NET uses a combination of Control Flow and Data Flow Graphs to build the relation for every object in every module supplied to CAT.NET

    • Control Flow Graphs

    • Data Flow Graphs

    • Data Flow Super Graphs
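The source → sanitizing check → sink scheme from the Ashcraft/Engler slide and the flow-graph approach described here, as an added example that is not from the slides or from CAT.NET itself: a toy intraprocedural may-taint analysis that iterates to a fixed point over a small constructed control-flow graph, kills taint at sanitizer calls, and reports sink calls that can receive tainted arguments. The API names (Request.QueryString, HttpUtility.HtmlEncode, Response.Write, SqlCommand.ExecuteReader) are illustrative ASP.NET-style labels, not CAT.NET's actual rule definitions.

```python
SOURCES = {"Request.QueryString", "Request.Form"}      # untrusted input enters here
SANITIZERS = {"HttpUtility.HtmlEncode"}                 # a check that clears taint
SINKS = {"Response.Write": "Cross-Site Scripting",      # where tainted data must not arrive
         "SqlCommand.ExecuteReader": "SQL Injection"}
# Statement = (dest, op, args); op is a callee name or "=" for copy/concatenation.
# Constructed program with illustrative ASP.NET-style names (not CAT.NET's rules):
# the input is HTML-encoded on one branch only, and both branches merge at the sink.
BLOCKS = {
    "entry": [("name", "Request.QueryString", ["'user'"]),
              ("greeting", "=", ["'Hello '", "name"])],
    "enc":   [("out", "HttpUtility.HtmlEncode", ["greeting"])],
    "raw":   [("out", "=", ["greeting"])],
    "exit":  [(None, "Response.Write", ["out"]),
              (None, "Response.Write", ["'<hr/>'"])],
}
SUCC = {"entry": ["enc", "raw"], "enc": ["exit"], "raw": ["exit"], "exit": []}

def transfer(tainted, stmts, findings=None, block=None):
    """Push the tainted-variable set through one block; record sink hits if asked."""
    tainted = set(tainted)
    for dest, op, args in stmts:
        arg_tainted = any(a in tainted for a in args)
        if op in SINKS and arg_tainted and findings is not None:
            findings.append((block, SINKS[op], op, [a for a in args if a in tainted]))
        if dest is None:
            continue
        if op in SOURCES or (arg_tainted and op not in SANITIZERS):
            tainted.add(dest)            # taint is generated or propagated
        else:
            tainted.discard(dest)        # clean or sanitized value kills old taint
    return tainted

def analyze(blocks=BLOCKS, succ=SUCC):
    """Forward may-taint analysis over the CFG: fixed point first, then sink report."""
    preds = {b: [p for p in blocks if b in succ[p]] for b in blocks}
    out = {b: set() for b in blocks}
    changed = True
    while changed:                       # finite lattice, monotone transfer: terminates
        changed = False
        for b in blocks:
            new = transfer(set().union(*(out[p] for p in preds[b])), blocks[b])
            if new != out[b]:
                out[b], changed = new, True
    findings = []
    for b in blocks:                     # a merge point sees the union of its predecessors
        transfer(set().union(*(out[p] for p in preds[b])), blocks[b], findings, b)
    return findings

if __name__ == "__main__":
    print(analyze())
```

On the constructed program the encoded branch is clean, but the raw branch carries the tainted value to Response.Write, so the merge point is reported as a Cross-Site Scripting finding; the analysis covers one method's control-flow graph only.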

CAT.NET CTP Release

  • Current release is CTP available for free by searching for CAT.NET at

  • Available as plug-in for Microsoft® VisualStudio® 2008 or VisualStudio® 2005 in 32-bit, includes a command-line version, CATNETCmd.exe

  • Also available as a 64-bit command-line version, only for large projects

Installing CAT.NET


Installation and Use

  • Setup.exe install

  • Plug-in installs under the tools menu in VisualStudio

  • Starting the plug-in opens the CAT.NET user interface

  • Clicking the Play button runs the analysis across all binaries that are part of the project

CAT.NET Rules

  • Rules are XML files stored in rules subdirectory

  • Currently they include:

    • Cross-Site Scripting

    • SQL Injection

    • Process Command Injection

    • File Canonicalization

    • Exception Information

    • LDAP Injection

    • XPATH Injection

    • Redirection to User Controlled Site

The CAT.NET UI



Analysis Results

  • Analysis can take some time

    • Results are presented as a list in the GUI

    • Includes information relating to the cause of the vulnerability

  • Allows export to Microsoft® Office Excel®

Command-Line Use

  • Alternative method for invoking CAT.NET

    • Only available option for 64-bit implementation

  • Command-line parameters

  • Output is written to an XML file as well as an HTML file


  • Secure software must be able to handle intentionally malformed inputs

  • Code therefore has to detect malformed inputs. Don’t trust your inputs!

  • Test your code to detect whether there are malformed inputs that are not detected

  • For the malformed inputs detected, pay attention to the error handlers

The CAT.NET Command-Line Interface


Further Reading and Information

  • .NET Framework Security by Brian LaMacchia, Sebastian Lange, and others (Addison-Wesley, 2002)

  • Secure Programming with Static Analysis by Brian Chess and Jacob West (Addison-Wesley, 2007)


Questions and Answers

  • Submit text questions using the “Ask” button

  • Don’t forget to fill out the survey

  • For upcoming and previously live webcasts:

  • Got webcast content ideas? Contact us at: