Static Analysis of the VoteHere VHTi Reference Implementation Using Flawfinder and RATS

Provided by: cisa2
Slides: 24

Transcript and Presenter's Notes

1
Static Analysis of the VoteHere VHTi Reference
Implementation Using Flawfinder and RATS
  • Markus Dale
  • December 2005

2
Outline
  • Results
  • New and Significant
  • Static Analysis and Limitations
  • Previous Work
  • Flawfinder/RATS
  • VoteHere Sentinel and VHTi Reference
    Implementation
  • Static Analysis Results
  • Future Work
  • References

3
Results
  • Static analysis with Flawfinder and RATS found
    only 19 potential security problems in over
    10,000 lines of source code.
  • The security problems must be mitigated from
    within the system that uses the VHTi Reference
    Implementation API.
  • Different static analysis tools have different
    trade-offs. Use as many tools as possible.
  • False positives can consume a large amount of
    time.

4
New and Significant
  • Applies Flawfinder and RATS open source static
    analysis tools to the VoteHere VHTi Reference
    Implementation.
  • Compares performance of Flawfinder and RATS
    against VHTi Reference Implementation.

5
Static Analysis
  • Compiled from Michael/Lavenhar paper
  • Potentially insecure library functions
    • Database of vulnerabilities
  • Type confusion between references and pointers
  • Detect memory allocation errors
    • Double free, write to freed memory, buffer
      overflow
  • Temporal safety constraints (ordered steps)
  • Data flow analysis: tainted variables
  • Pointer aliasing analysis: two pointers to the
    same memory location

6
Limitations of Static Analysis
  • Problem bounded by Rice's Theorem: "there exists
    no automatic method that decides with generality
    non-trivial questions on the black-box behavior
    of computer programs" (Wikipedia)
  • False positives vs. false negatives trade-offs
  • Local, module, or whole-program analysis

7
Previous Work
  • Static analysis best practice from the DHS Build
    Security In site (also an overview of tools)
  • Microsoft SLAM project / Static Driver Verifier:
    uses the Specification Language for Interface
    Checking (SLIC) to encode temporal safety
    constraints (Ball/Rajamani)
  • MOPS: Model Checking Programs for Security
    Properties (Chen/Wagner)

8
More Previous Work
  • Flanagan et al.: ESC/Java
    • Automated theorem prover: null references,
      array bounds errors, type cast errors, race
      conditions
  • Livshits: DynaMine
    • Adds revision history information
  • Blanchet et al.: Static Analyzer for Large
    Safety-Critical Software, with refinements and
    parameterization

9
Flawfinder
  • David Wheeler, author of the Secure Programming
    for Linux and Unix HOWTO; latest release 2004
  • Uses lexical analysis and a database for C/C++
    • buffer overflow risks, e.g., strcpy(), strcat(),
      gets(), sprintf(), scanf()
    • format string problems: vfprintf(), vsnprintf(),
      and syslog()
    • Time Of Check to Time Of Use (TOCTOU) race
      conditions
    • poor random number acquisition

10
Rough Auditing Tool for Security (RATS)
  • Secure Software; latest release 2002
  • Commercial offering: CodeAssure
  • Lexical analysis and database for
    • C/C++
    • Perl, PHP, Python
  • Buffer overflow problems
  • TOCTOU race conditions
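Both tools described on slides 9 and 10 work the same way at their core: a lexer walks the source, and every identifier that is followed by an opening parenthesis is looked up in a database of risky functions. The following is an added example written for this page, not code from the presentation, from Flawfinder or from RATS: a minimal scanner of that kind with a constructed rule table and a constructed five-line sample input. Because the matching is purely lexical, it reports the guarded memcpy on line 3 and the strcpy inside a comment on line 5 just as readily as the real call on line 1, which is exactly the false-positive cost the results slide later tallies.

```cpp
// Added example, not code from the presentation or from Flawfinder/RATS.
// A minimal lexical scanner in the spirit of both tools: tokenise C/C++
// source line by line, look up each identifier that is followed by '(' in a
// small rule database, and report RATS-style "file:line: Level: name" lines.
#include <cctype>
#include <iostream>
#include <map>
#include <sstream>
#include <string>
#include <vector>

struct Finding {
    std::string file;
    int line;
    std::string level;
    std::string func;
};

// Constructed rule database (the real tools ship far larger ones).
static const std::map<std::string, std::string> kRules = {
    {"strcpy", "High"}, {"strcat", "High"}, {"gets", "High"},
    {"sprintf", "High"}, {"getenv", "High"}, {"memcpy", "Medium"},
    {"rand", "Low"},
};

static bool isIdentStart(unsigned char c) { return std::isalpha(c) || c == '_'; }
static bool isIdentChar(unsigned char c)  { return std::isalnum(c) || c == '_'; }

// Pure lexical matching: no data flow and no knowledge of surrounding guards,
// so a memcpy that is correctly bounded is still reported, and so is a call
// that only appears inside a comment (this scanner does not skip comments).
std::vector<Finding> scanSource(const std::string& file, const std::string& src) {
    std::vector<Finding> out;
    std::istringstream in(src);
    std::string text;
    int lineNo = 0;
    while (std::getline(in, text)) {
        ++lineNo;
        size_t i = 0;
        while (i < text.size()) {
            if (!isIdentStart(text[i])) { ++i; continue; }
            size_t start = i;
            while (i < text.size() && isIdentChar(text[i])) ++i;
            std::string ident = text.substr(start, i - start);
            size_t j = i;
            while (j < text.size() && std::isspace(static_cast<unsigned char>(text[j]))) ++j;
            auto rule = kRules.find(ident);
            if (rule != kRules.end() && j < text.size() && text[j] == '(')
                out.push_back({file, lineNo, rule->second, ident});
        }
    }
    return out;
}

// Format one finding the way RATS prints it.
std::string formatFinding(const Finding& f) {
    return f.file + ":" + std::to_string(f.line) + ": " + f.level + ": " + f.func;
}

// Constructed sample input echoing the warnings quoted on slides 14 and 15.
static const char* kSample =
    "const char* home = getenv(\"HOME\");\n"                   // line 1: flagged
    "if (sizeof(iv) != vec.size()) throw VHUtilException();\n" // line 2: clean
    "memcpy(iv, vec.data(), vec.size());\n"                    // line 3: flagged although guarded
    "std::string s = my_strcpy_wrapper(a, b);\n"               // line 4: different identifier, not flagged
    "// strcpy(dst, src) mentioned in a comment\n";            // line 5: flagged, comments are not skipped

// Report for the sample: one formatted line per finding.
std::vector<std::string> scanSampleReport() {
    std::vector<std::string> lines;
    for (const Finding& f : scanSource("sample.cpp", kSample))
        lines.push_back(formatFinding(f));
    return lines;
}

int main() {
    for (const std::string& l : scanSampleReport()) std::cout << l << '\n';
    return 0;
}
```

Running it prints three findings for the five sample lines; deciding which of the three are real requires reading the surrounding code, which is the manual triage step the presentation's "64 total / 9 actual" figures reflect.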

11
VoteHere Sentinel
  • Add-on to the Diebold AccuVote-TS to independently
    verify election results
  • Based on Neff's e-voting secure shuffle,
    implemented as the VHTi Reference Implementation
  • Reference Implementation freely downloadable

12
VHTi Reference Implementation Docs
  • API Developer's Guide
    • How to build, third-party libs, usage, security
      concerns, DTDs for XML data structures
  • Known Issues doc
    • Results from reviews
  • VHTi Threat Analysis doc
    • Attack tree and mitigation techniques

13
VHTi Reference Implementation
14
RATS getenv warning
  ./util/result.cpp:625: High: getenv
  ./util/vh_cout.cpp:123: High: getenv
  Environment variables are highly untrustable input.
  They may be of any length, and contain any data. Do
  not make any assumptions regarding content or length.
  If at all possible avoid using them, and if it is
  necessary, sanitize them and truncate them to a
  reasonable length.
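The RATS text above gives the mitigation in words: bound the length, assume nothing about the content. As an added example (not VHTi code; the function names, the 256-byte limit and the character allow-list are assumptions chosen for illustration), here is one way to wrap getenv() so that callers never see a raw environment value:

```cpp
// Added example, not VHTi code: a guarded replacement for raw getenv() use,
// following the RATS advice. The value is treated as untrusted input:
// truncated to a fixed maximum, then rejected unless every character is in
// a small allow-list. Names, limit and allow-list are assumptions.
#include <cctype>
#include <cstdlib>
#include <string>

constexpr std::size_t kMaxEnvLen = 256;   // assumed "reasonable length"

// Returns the sanitised value, or "" when the variable is unset, empty, or
// contains a character outside [A-Za-z0-9._/-] within the first kMaxEnvLen bytes.
std::string sanitizeEnvValue(const char* raw) {
    if (raw == nullptr) return "";
    std::string value(raw);
    if (value.size() > kMaxEnvLen) value.resize(kMaxEnvLen);   // never trust the length
    for (unsigned char c : value) {
        if (!(std::isalnum(c) || c == '.' || c == '_' || c == '/' || c == '-'))
            return "";                                         // reject rather than repair
    }
    return value;
}

// Read a variable through the sanitiser and fall back to a caller-supplied
// default instead of propagating a rejected value.
std::string getEnvOrDefault(const char* name, const std::string& fallback) {
    std::string v = sanitizeEnvValue(std::getenv(name));
    return v.empty() ? fallback : v;
}

int main() {
    // Hypothetical variable name; the default is used whenever it is unset or rejected.
    std::string dir = getEnvOrDefault("VHTI_OUTPUT_DIR", "/tmp/vhti");
    return dir.empty() ? 1 : 0;
}
```

Rejecting rather than escaping keeps the policy simple: a value that does not fit the allow-list is treated the same as an unset variable, so code further down never has to reason about partially cleaned input.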
15
Flawfinder Warning about memcpy
  ./pki/crypt.cpp:244: [2] (buffer) memcpy: Does not
  check for buffer overflows when copying to
  destination. Make sure destination can always hold
  the source data.
16
Memcpy Mitigation
  if (sizeof (iv) != initialization_vector.size ())
      ... throw VHUtilException (...)
  memcpy (iv, initialization_vector.data (),
          initialization_vector.size ())
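The guard on slide 16 is what makes the flagged memcpy on slide 15 safe: the destination is a fixed-size array, so an exact length comparison before the copy rules out the overflow Flawfinder cannot see. The following is an added example, not the VHTi source: the flagged pattern and the mitigated form side by side, with a self-contained harness. The 16-byte IV size and the VhUtilException stand-in type are assumptions made for the example.

```cpp
// Added example, not the VHTi source: the size check from slide 16 written
// out in full next to the unchecked pattern Flawfinder warns about.
// kIvSize and VhUtilException are assumptions for this example.
#include <cstring>
#include <stdexcept>
#include <string>
#include <vector>

constexpr size_t kIvSize = 16;   // assumed block size for the example

struct VhUtilException : std::runtime_error {
    using std::runtime_error::runtime_error;
};

// Pattern Flawfinder flags: the destination capacity is never compared with
// the source length, so an oversized vector writes past the end of iv.
void copyIvUnchecked(unsigned char (&iv)[kIvSize], const std::vector<unsigned char>& src) {
    std::memcpy(iv, src.data(), src.size());
}

// Mitigated form: exact-size check first, then the copy. sizeof(iv) is the
// array size because iv is passed by reference to the array, not as a pointer.
void copyIvChecked(unsigned char (&iv)[kIvSize], const std::vector<unsigned char>& src) {
    if (sizeof(iv) != src.size())
        throw VhUtilException("initialization vector length mismatch: expected "
                              + std::to_string(sizeof(iv)) + ", got "
                              + std::to_string(src.size()));
    std::memcpy(iv, src.data(), src.size());
}

// Harness: returns true when the checked copy accepts an n-byte IV and the
// data arrived intact, false when the guard rejected it.
bool checkedCopyAccepts(size_t n) {
    unsigned char iv[kIvSize] = {};
    std::vector<unsigned char> src(n, 0xAB);   // constructed input
    try {
        copyIvChecked(iv, src);
    } catch (const VhUtilException&) {
        return false;
    }
    return iv[0] == 0xAB && iv[kIvSize - 1] == 0xAB;
}

int main() {
    // Only the correctly sized case succeeds; 15, 17 and 0 bytes are rejected.
    return checkedCopyAccepts(kIvSize) && !checkedCopyAccepts(kIvSize + 1) ? 0 : 1;
}
```

Note that a lexical tool still reports the memcpy inside copyIvChecked: the warning is about the call site, and the triage step is to confirm that a guard like this one dominates it.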
17
(No Transcript)
18
(No Transcript)
19
Results from Static Analysis
  • Flawfinder: 64 total / 9 actual (71)
  • RATS: 41 total / 14 actual (31)
  • Overlapping problems found: 4
  • Unique problems: 19
  • Statically declared arrays
    • 36 unique declarations
    • Flawfinder 32, RATS 20

20
Findings
  • The 19 potential problems are not problems by
    themselves
  • Defensive programming
  • Library code: greatest reusability
  • Must implement mitigation techniques and correct
    usage of the API in the implemented system

21
Future Work
  • Use a commercial static analysis tool such as
    Klocwork K7, Ounce Labs Prexis, or Secure
    Software CodeAssure
  • Analyze complete source code for VoteHere
    Sentinel system

22
Selected References
  • Chess, B. & McGraw, G. (2004), 'Static analysis
    for security', IEEE Security & Privacy 2(6),
    pp. 76-79.
  • Flanagan, C., Leino, K.R.M., Lillibridge, M.,
    Nelson, G., Saxe, J.B. & Stata, R. (2002),
    'Extended static checking for Java', in 'PLDI '02:
    Proceedings of the ACM SIGPLAN 2002 Conference on
    Programming Language Design and Implementation',
    ACM Press, New York, NY, USA, pp. 234-245.
  • Martin, M., Livshits, B. & Lam, M.S. (2005),
    'Finding application errors and security flaws
    using PQL: a program query language', in 'OOPSLA
    '05: Proceedings of the 20th Annual ACM SIGPLAN
    Conference on Object-Oriented Programming, Systems,
    Languages, and Applications', ACM Press, New York,
    NY, USA, pp. 365-383.

23
More Selected References
  • Neff, C.A. (2001), 'A verifiable secret shuffle and
    its application to e-voting', in 'CCS '01:
    Proceedings of the 8th ACM Conference on Computer
    and Communications Security', ACM Press, New York,
    NY, USA, pp. 116-125.
  • RABA (2004), 'Trusted Agent Report: Diebold
    AccuVote-TS Voting System',
    http://www.raba.com/press/TA_Report_AccuVote.pdf.
  • Michael, C. & Lavenhar, S.R. (2005), 'Source Code
    Analysis Tools -- Overview',
    https://buildsecurityin.us-cert.gov/portal/article/tools/code_analysis/overview.xml,
    published via the U.S. Department of Homeland
    Security Build Security In website.