A new weapon for software security testing: a discussion of testing technology based on dynamic taint propagation

Source: Internet
Author: User
Tags: taint

Software security testing is the most important way to ensure the security of software, and how to conduct it efficiently has become a topic of attention in the industry. Years of security testing experience tell us that the necessary conditions for doing software security testing well are: first, a full understanding of software security vulnerabilities, and second, efficient security testing technologies and testing tools.

I. Analysis of major security vulnerabilities and test methods
The main purpose of software security assurance is to prevent hackers or malicious insiders from attacking the software, and to ensure that the software keeps running properly while it is under attack. Attackers mainly attack a software system by feeding it malicious input data, so most security problems in software originate in external input. OWASP (the Open Web Application Security Project) summarizes the ten most common web application security vulnerabilities worldwide each year (the OWASP Top Ten), and the most common of them concern the validation of external input data. In the vulnerability taxonomy of Fortify Software, the world's largest software security vendor, the category with the highest security risk is likewise input validation and representation. Malicious data input from outside can directly constitute serious software security vulnerabilities, including:
Command Injection
Cross-Site Scripting
Denial of Service
HTTP Response Splitting
Path Manipulation
Resource Injection
Setting Manipulation
SQL Injection
Access Control: Database
Log Forging

Therefore, security testing of external input data is the most important task in software security testing. The main security testing methods currently in use are:
1. Static code security testing: scans the source code of the software system, matching the program's data flow, control flow, semantics and other information against a repository of software security rules to find potential vulnerabilities in the code. Static source code security testing is very useful: it can identify all code that may carry security risks during the coding phase, so that developers can resolve potential security problems early. For the same reason, static code testing is better suited to the development phase than to the testing phase. And because it involves several departments, such as development, testing and management, it is difficult to put into practice.
2. Dynamic penetration testing: penetration testing is another common security testing method. It uses automated tools or manual methods to simulate hacker input, attacks the application system, and finds the security vulnerabilities that exist at runtime. This kind of test is realistic and effective, and the problems it finds are generally genuine and serious. Its critical disadvantage is coverage: because the simulated test data can only reach a limited number of test points, coverage is very low. According to statistics from authoritative organizations in the United States, penetration testing achieves only 20%-30% coverage, so its false negative rate is relatively high.

II. Dynamic taint propagation method
As the analysis above shows, both common security testing methods have shortcomings when testing external input data. How can external input data be tested better? The industry's answer is dynamic taint propagation.
The dynamic taint propagation method tracks how external input data propagates through the program and what is finally executed with it, and from that decides whether a security vulnerability exists and which category it belongs to (Figure 1: propagation process of tainted data). It needs no special attack test data. It assumes that all data input from outside is untrusted and tainted, and marks it as such; as the data propagates through the program, the taint mark is removed only if the data passes strict security validation, and otherwise the mark is inherited throughout propagation. Once tainted data is passed to executing code, a potential security vulnerability is flagged. To test with the dynamic taint propagation method, the software's binary code is first analyzed statically to identify the following:
Source: the origin of tainted data. Identify the program entry code for all external data. For web application systems this mainly means the places where client-supplied data is read, such as HTML forms, user request parameters, client cookies and other ways of receiving external data. Data that enters the program through these entry points is assumed to be tainted and is marked as such.
Propagation: the spread of tainted data. Data leaving a source point carries the taint mark, and as it is passed through the program, whether it is assigned to another variable or spliced into another value, the taint mark is inherited.
Sink: the point where a vulnerability is exposed. Identify all code that may cause a security vulnerability; this is usually code that performs a specific task based on externally supplied data, such as an SQL query, HTML output or command execution. When data is passed to sink code, the sink first checks whether the data is tainted. If not, there is no security problem; otherwise there may be one, and the type of security problem is determined from what the code does with the data. The process is illustrated by the following code:

String userid = request.getParameter("user");   // source: client-supplied request parameter
......
try {
    // propagation: the tainted userid is spliced into the query string
    String sql = "select * from users " + "where id = '" + userid + "'";
    ......
    stmt.executeQuery(sql);                      // sink: the tainted string is executed as SQL
}

During static analysis, the request.getParameter() method is marked as a source and the stmt.executeQuery() method is marked as a sink. When user input enters the program through request.getParameter() and is assigned to the variable userid, userid is marked as tainted. When userid is used to construct the variable sql, sql inherits the taint mark of userid and becomes tainted data. When sql is passed to the sink stmt.executeQuery() for execution, the sink's detection mechanism finds that sql carries a taint mark and concludes that this may be a security problem; since what the sink does with the tainted sql is execute an SQL query, it is determined that this may be an SQL injection vulnerability.
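The source, propagation and sink mechanism described above, written out as a small runnable taint-tracking runtime. This is an added example for this page, not the article's own code and not Fortify Tracer; it mirrors the Java snippet in Python so that the propagation rules can be executed. The names request_get_parameter, validate_numeric_id, check_sink and the SINKS table are assumptions chosen to match the article's request.getParameter() and stmt.executeQuery(), and the request dictionary is constructed sample input.

```python
"""Toy dynamic taint-propagation runtime (added example; not the article's
code and not Fortify Tracer).  It implements the three pieces the article
names: a Source that marks external input as tainted, Propagation that
carries the mark through string splicing, and a Sink that checks the mark
and names the vulnerability category."""


class Tainted(str):
    """A str that remembers that it came from an external source."""

    def __new__(cls, value, source="external input"):
        obj = super().__new__(cls, value)
        obj.source = source
        return obj

    # Propagation: any string built by splicing tainted data inherits the mark.
    # Python tries the subclass's reflected __radd__ before str.__add__, so
    # "literal" + tainted is covered as well as tainted + "literal".
    def __add__(self, other):
        return Tainted(str.__add__(self, other), self.source)

    def __radd__(self, other):
        return Tainted(str.__add__(other, self), self.source)

    def __getitem__(self, key):
        return Tainted(str.__getitem__(self, key), self.source)

    def strip(self, chars=None):
        return Tainted(str.strip(self, chars), self.source)


# Sink registry (assumed names): the sink that executes the tainted data
# decides the vulnerability category, as the article describes.
SINKS = {
    "stmt.executeQuery": "SQL Injection",
    "response.getWriter().print": "Cross-Site Scripting",
    "Runtime.exec": "Command Injection",
}


def request_get_parameter(request, name):
    """Source: everything read from the client request is marked tainted."""
    return Tainted(request[name], source="request.getParameter(%r)" % name)


def validate_numeric_id(value):
    """Strict validation.  Only a decimal id passes, and it is returned as a
    plain str: building a fresh, untainted value is what clears the mark."""
    if not value.isdigit():
        raise ValueError("rejected non-numeric id: %r" % value)
    return str(value)  # str() of a str subclass yields an exact, untainted str


def check_sink(sink, data):
    """Sink check: returns a finding dict if tainted data reached the sink,
    None otherwise.  A real tracer would record the call stack here."""
    if isinstance(data, Tainted):
        return {"sink": sink, "category": SINKS[sink], "source": data.source}
    return None


def build_user_query(request, validate):
    """The article's example: userid read from the request and spliced into SQL.
    Returns (sql, finding); finding is None when the query is untainted."""
    userid = request_get_parameter(request, "user")
    if validate:
        userid = validate_numeric_id(userid)
    sql = "select * from users " + "where id = '" + userid + "'"
    return sql, check_sink("stmt.executeQuery", sql)


if __name__ == "__main__":
    # Constructed request: no attack payload is needed, an ordinary id suffices
    # to reveal that the value flows unvalidated from source to sink.
    for validate in (False, True):
        sql, finding = build_user_query({"user": "42"}, validate)
        print("validate=%s: %s -> %s" % (validate, sql, finding))
```

Running it shows the point the article makes about not needing attack data: with validate=False the ordinary value "42" reaches stmt.executeQuery still carrying its mark and is reported as SQL Injection from request.getParameter('user'); with validate=True the strict check returns a fresh untainted string and the sink reports nothing. Note that this toy only propagates through concatenation, slicing and strip(); a production tracer instruments every string operation, including formatting.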

III. Fortify Tracer
Fortify Software, the world's largest software security vendor, has drawn on years of research in the software security field to develop a new security testing product, Fortify Tracer, based on the dynamic taint propagation method described above.
Figure 2: Fortify Tracer security test report. Following the dynamic taint propagation method, Fortify Tracer first analyzes the binary code of the software, finds all source and sink code, and installs its detection mechanism. Routine functional tests are then run on the program. During testing, the tester does not need to enter any attack test data; Fortify Tracer automatically identifies, from the functional tests, all security problems in the software that may result from external input data, and reports the vulnerabilities clearly. In summary, the main features of Fortify Tracer are:

1. No special attack test data is required, so QA staff can perform security tests; this solves the problem that testers lack security and attack knowledge.
2. Because external input data is tracked directly, the most serious and critical security problems in the system are found realistically and effectively.
3. It runs in parallel with functional testing, is fast and efficient, and integrates easily with existing test processes. At the same time, it uses the high coverage of functional testing to greatly improve the coverage of dynamic security testing.
4. Clear and detailed reports. As shown in Figure 2, Fortify Tracer reports vulnerabilities by category; clicking a reported vulnerability shows where it arises and where its source and sink are.

IV. Summary
Good testing methods and excellent testing tools will certainly help software companies do a good job of software security testing. If a software enterprise can effectively combine software quality testing with software security testing, it can not only solve its software security testing problems effectively but also make its testing team more efficient; Fortify Tracer, based on the dynamic taint propagation test method, will be a good choice.

Wang Hong, Technical Consultant, Fortify Software (FORDY Software) Beijing Representative Office, 08.04. http://www.fortify-china.com/web/fd/c11694/w10055672.asp
