Static Analysis Overview

Static Analysis Techniques

Static Code Analysis is usually part of Code Review (also called white-box testing) and is normally carried out in the implementation phase of the Security Development Lifecycle (SDL).
Static code analysis needs only the source code and does not run the software.

Ideally we would like static analysis tools to find bugs automatically, but in practice they are mainly used to help an analyst quickly locate the code fragments where bugs live; they may find certain specific, simple classes of bug automatically, but not arbitrary ones.
Ideally, such tools would automatically find security flaws with a high degree of confidence that what is found is indeed a flaw. However, this is beyond the state of the art for many types of application security flaws. Thus, such tools frequently serve as aids for an analyst to help them zero in on security relevant portions of code so they can find flaws more efficiently, rather than a tool that simply finds flaws automatically.

Common Static Analysis Techniques

  1. Data Flow Analysis
  2. Control Flow Graph
  3. Taint Analysis
  4. Call Graph Analysis
  5. Lexical Analysis

Data Flow Analysis

Definition
Data flow analysis is used to collect run-time (dynamic) information about data in software while it is in a static state (Wögerer, 2005).

Terminology
There are three common terms used in data flow analysis: basic block (the code), Control Flow Analysis (the flow of data) and Control Flow Path (the path the data takes).

Basic Block
A sequence of consecutive instructions where control enters at the beginning of a block, control leaves at the end of a block and the block cannot halt or branch out except at its end (Wögerer, 2005).

Control Flow Graph

An abstract graph representation of software by use of nodes that represent basic blocks. A node in a graph represents a block; directed edges are used to represent jumps (paths) from one block to another. If a node only has an exit edge, this is known as an ‘entry’ block; if a node only has an entry edge, this is known as an ‘exit’ block (Wögerer, 2005).

In some implementations, however, a node does not necessarily represent a whole basic block; a node may represent a single statement (as in Soot, for example).

Taint Analysis

Taint Analysis attempts to identify variables that have been ‘tainted’ with user controllable input and traces them to possible vulnerable functions also known as a ‘sink’. If the tainted variable gets passed to a sink without first being sanitized it is flagged as a vulnerability.

Some programming languages such as Perl and Ruby have Taint Checking built into them and enabled in certain situations such as accepting data via CGI.
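The data-flow, CFG and taint sections above come together in the following added example (mine, not from the notes or from any tool named here): a forward may-analysis that propagates taint over a small constructed CFG of basic blocks and reports every sink reached by unsanitized data. The statement IR, block ids and variable names are assumptions made for the illustration.

```python
# Added example (not from the original notes): a minimal forward data-flow
# taint analysis over a CFG of basic blocks. IR and program are constructed.
# Statements: ("source", dst) untrusted input enters dst; ("assign", dst, src);
# ("sanitize", dst, src); ("sink", name, src). A basic block is a list of
# statements; the CFG maps block id -> (statements, successor ids).

def transfer(stmts, tainted):
    """Run one block over the tainted set; return (out_set, [(sink, var)...])."""
    out, hits = set(tainted), []
    for st in stmts:
        if st[0] == "source":                      # untrusted input
            out.add(st[1])
        elif st[0] == "assign":                    # taint follows copies
            (out.add if st[2] in out else out.discard)(st[1])
        elif st[0] == "sanitize":                  # cleaned value is trusted
            out.discard(st[1])
        elif st[0] == "sink" and st[2] in out:     # tainted data reaches sink
            hits.append((st[1], st[2]))
    return out, hits

def analyze(cfg, entry):
    """Worklist fixpoint with in[b] = union of out[p] over predecessors p (a
    may-analysis: taint on any path into b is reported). Sorted findings."""
    preds = {b: [] for b in cfg}
    for b, (_, succs) in cfg.items():
        for s in succs:
            preds[s].append(b)
    out_sets = {b: set() for b in cfg}
    findings, seen, work = set(), set(), [entry]
    while work:
        b = work.pop()
        in_set = set().union(*(out_sets[p] for p in preds[b]))
        new_out, hits = transfer(cfg[b][0], in_set)
        findings.update((b, s, v) for s, v in hits)
        if b in seen and new_out == out_sets[b]:
            continue                               # nothing changed: no revisit
        seen.add(b)
        out_sets[b] = new_out
        work.extend(cfg[b][1])
    return sorted(findings)

# Constructed program: $name comes from the request; B1 sanitizes the copy
# $user before echoing it, B2 passes it straight to a query, both rejoin in B3.
PROGRAM = {
    "B0": ([("source", "name"), ("assign", "user", "name")], ["B1", "B2"]),
    "B1": ([("sanitize", "user", "user"), ("sink", "echo", "user")], ["B3"]),
    "B2": ([("sink", "query", "user")], ["B3"]),
    "B3": ([("sink", "echo", "user"), ("sink", "echo", "name")], []),
}
```

Because the analysis merges both paths at B3, `$user` is still reported there even though one path sanitized it; that is the path-insensitive over-approximation behind many of the false positives discussed below.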

Call Graph Analysis

Lexical Analysis

That is, the source code is converted into a sequence of tokens.

Lexical Analysis converts source code syntax into ‘tokens’ of information in an attempt to abstract the source code and make it easier to manipulate (Sotirov, 2005).

Pre-tokenised PHP source code:

  <?php $name = "Ryan"; ?>

Post-tokenised PHP source code:

  T_OPEN_TAG
  T_VARIABLE
  =
  T_CONSTANT_ENCAPSED_STRING
  ;
  T_CLOSE_TAG
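As an added illustration (mine, not from the notes and not PHP's own tokenizer), a small regex lexer that reproduces the token names above for the snippet and then uses the token stream for a simple pattern match, which is the kind of manipulation the quoted definition has in mind. The token patterns, the rule set and the sample input are constructed here and cover only a fragment of PHP.

```python
# Added example (not from the original notes): a regex-based lexer that mimics
# the token names PHP's token_get_all() produces for the snippet above, plus a
# token-level check. Patterns and samples are constructed for illustration.
import re

# The first pattern that matches at the current position wins, so tags and
# literals are listed before the generic identifier rule.
TOKEN_SPEC = [
    ("T_OPEN_TAG", r"<\?php(?=\s)"),
    ("T_CLOSE_TAG", r"\?>"),
    ("T_WHITESPACE", r"\s+"),
    ("T_VARIABLE", r"\$[A-Za-z_]\w*"),
    ("T_CONSTANT_ENCAPSED_STRING", r"\"[^\"\\]*\"|'[^'\\]*'"),
    ("T_LNUMBER", r"\d+"),
    ("T_STRING", r"[A-Za-z_]\w*"),
    ("CHAR", r"[=;(),.]"),             # single-char tokens are named by their text
]
MASTER = re.compile("|".join(f"(?P<{n}>{p})" for n, p in TOKEN_SPEC))

def tokenize(src):
    """Return (token_name, text) pairs for the whole input."""
    tokens, pos = [], 0
    while pos < len(src):
        m = MASTER.match(src, pos)
        if m is None:
            raise ValueError(f"unexpected character {src[pos]!r} at {pos}")
        name = m.group() if m.lastgroup == "CHAR" else m.lastgroup
        tokens.append((name, m.group()))
        pos = m.end()
    return tokens

def token_names(src):
    """Token stream with whitespace dropped, as listed in the notes."""
    return [n for n, _ in tokenize(src) if n != "T_WHITESPACE"]

def calls_with_variable_arg(src, func):
    """Match `func($var ...)` at the token level: identifier, "(", variable.
    Returns the variable names; a lexical scanner reports hits like these."""
    toks = [t for t in tokenize(src) if t[0] != "T_WHITESPACE"]
    return [toks[i + 2][1] for i in range(len(toks) - 2)
            if toks[i] == ("T_STRING", func) and toks[i + 1][0] == "("
            and toks[i + 2][0] == "T_VARIABLE"]
```

Matching on tokens rather than raw text is what lets such a scanner ignore spacing and quoting differences, while still knowing nothing about where the variable's value came from; that is the gap the data-flow and taint techniques above fill.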

Advantages and Disadvantages of Static Analysis

Advantages

  • Scales well (can be run on lots of software, and repeatedly, e.g. in nightly builds).
  • For things that such tools can automatically find with high confidence, such as buffer overflows, SQL injection flaws, etc., they are great.

Disadvantages

  • Many types of security vulnerabilities are very difficult to find automatically, such as authentication problems, access control issues, insecure use of cryptography, etc. The current state of the art only allows such tools to automatically find a relatively small percentage of application security flaws. Tools of this type are getting better, however.
  • High numbers of false positives.
  • Frequently can’t find configuration issues, since they are not represented in the code.
  • Difficult to ‘prove’ that an identified security issue is an actual vulnerability; confirming it usually requires manual reproduction or testing.
  • Many of these tools have difficulty analyzing code that can’t be compiled. Analysts frequently can’t compile code because they don’t have the right libraries, all the compilation instructions, all the code, etc.
  • Obfuscated code is hard to analyze.
  • Packed executables and hardened (protected) APKs are hard to analyze.
  • Bugs that are only triggered by dynamic (run-time) behaviour cannot be found.

Common Static Analysis Tools for Android

(source: ASIACCS 2017, p4 and p8)

  1. AndroGuard
  2. AndroBugs
  3. Mobile Security Framework (MobSF)
  4. QARK
  5. Mallodroid
  6. PermFinder
  7. FlowDroid
  8. Harvester

PHP Static Analysis

https://github.com/exakat/php-static-analysis-tools

RIPS - free PHP security scanner using static code analysis

JavaScript

JSPrime
https://www.easyaq.com/newsdetail/id/410788006.shtml

malwarebenchmark

http://malwarebenchmark.org/index

Xdef 2016 http://www.xdef.org.cn/2016/speakers.html
单征 (Shan Zheng), State Key Laboratory of Mathematical Engineering and Advanced Computing (Information Engineering University), head of the Software Theory Lab, PhD, professor, director of the China Industrial Information System Security Alliance, member of the CCF Technical Committee on High Performance Computing, chair of YOCSEF Zhengzhou; main research areas: network security and advanced computing. In recent years he has led more than 20 projects, including national major science and technology projects, the national Core Electronics, High-end Chips and Basic Software (核高基) programme and national 863 projects. He has received 2 first prizes and 6 second prizes for provincial/ministerial scientific and technological progress and 1 CCF CNCC Technology Innovation Award, published 2 textbooks and more than 40 papers.

Talk: Research on gene-based detection and identification of malicious code
Abstract: Malicious code, a major source of cyberspace security threats, is growing rapidly in number, becoming ever more diverse and ever more dangerous; its detection and identification has long been an important research topic in cyberspace security. Traditional static and dynamic analysis techniques struggle to keep up with this trend in depth of understanding, processing speed and identification quality. The talk presents research results from the malwarebenchmark open-source project:
(1) a new gene-perspective cognitive model of malicious code that maps the logical and physical structure of the malware “genome”, understanding malicious code from a combined informational and material viewpoint and turning the one-by-one study of samples into the study of population “genes”;
(2) gene-analysis case studies on malware samples from several families, including BASHLITE, Backdoor.Remsec and JS.Psyme, used to discuss and verify population relationships based on inherited genes and to explore key problems in the evolution of malware populations: detection and identification, population assignment, homology analysis and threat trend analysis.

A QEMU-based cross-platform static binary translation system. Authors: 卢帅兵; 庞建民; 单征; 岳峰
http://gb.oversea.cnki.net/KCMS/detail/detail.aspx?filename=ZDZC201601023&dbcode=CJFD&dbname=CJFD2016

APK Analysis Platforms

http://appstore.anva.org.cn/Login/default

  1. Tencent PC Manager: Habo (哈勃) http://habo.qq.com/file/showdetail?pk=ADQGZV1uB2UIOg==
  2. Tencent TSRC: Jingang (金刚) http://service.security.tencent.com/uploadimg_dir/jingang/f5d20cef1a5889c70d4d0b5c3e8fe9ca.html
  3. Alibaba JAQ (阿里聚安全): http://jaq.alibaba.com/
  4. Xi'an Jiaotong University SandDroid: http://sanddroid.xjtu.edu.cn/#home
  5. Kingsoft Fireeye (金山火眼): http://fireeye.ijinshan.com/analyse.html?md5=f5d20cef1a5889c70d4d0b5c3e8fe9ca&sha1=a125afe40d807303fd4274b1d2154e7bcc0985bd
  6. Hanhaiyuan File B-chao (瀚海源文件B超): https://b-chao.com/index.php/Index/show_detail/Sha1/A125AFE40D807303FD4274B1D2154E7BCC0985BD

Tencent Jingang audit system (腾讯金刚审计系统): http://service.security.tencent.com/kingkong (free, no limits)
Tencent Yu'an (腾讯御安全): http://yaq.qq.com/ (free; viewing vulnerability details requires verification)
Alibaba JAQ (阿里聚安全): http://jaq.alibaba.com/ (free; viewing vulnerability details requires verification)
360 Microscope (360显微镜): http://appscan.360.cn/ (free, no limits)
360 App Vulnerability Scan (360APP漏洞扫描): http://dev.360.cn/html/vulscan/scanning.html (free, no limits)
Baidu MTC: http://mtc.baidu.com (9.9 CNY per scan, no limits)
Bangcle (梆梆): https://dev.bangcle.com (free, no limits)
Ineice (爱内测): http://www.ineice.com/ (free, no limits)
AppFortify (通付盾): http://www.appfortify.cn/ (free, no limits)
NAGA: http://www.nagain.com/appscan/ (free, no limits)
GES audit system (GES审计系统): http://01hackcode.com/ (free, no limits)
Janus, by the Pangu team: http://appscan.io

VirusTotal

Custom rules can be used to filter apps, which makes tracing and attributing the authors of malicious apps quite convenient.
Janus http://cloud.appscan.io

Trueseeing: a fast, accurate, and resilient vulnerability scanner for Android apps (via Binni Shah, @binitamshah): https://t.co/tIl0vqjl6r (Chinese summary: http://t.cn/RXWuava)

SandDroid

http://sanddroid.xjtu.edu.cn/static/resources/SandDroidUserManual.pdf

Online Malware Analysis Sandboxes:

https://medium.com/@su13ym4n/15-online-sandboxes-for-malware-analysis-f8885ecb8a35#.yi97td6wf

References

[1] OWASP wiki