You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 

364 lines
10 KiB

\documentclass[14pt,t]{beamer}
\usepackage{fontspec}
\usepackage{color}
\usepackage{minted}
\usepackage{etoolbox}
\usepackage{amsmath}
%% These fonts are non-free.
%% Comment out the lines if you don't have them.
\setmainfont{Equity Text A}
\setsansfont{Concourse T3}
\setmonofont{Triplicate T4}
\definecolor{bgcolor}{RGB}{20,25,28}
\definecolor{codecolor}{RGB}{249,38,114}
\hypersetup{colorlinks,linkcolor=,urlcolor=codecolor}
\setbeamercolor{background canvas}{bg=bgcolor}
\setbeamercolor{normal text}{fg=white}
\setbeamercolor{itemize item}{fg=lightgray}
\setbeamercolor{itemize subitem}{fg=lightgray}
\setbeamercolor{itemize subsubitem}{fg=lightgray}
\setbeamercolor{enumerate item}{fg=lightgray}
\setbeamercolor{enumerate subitem}{fg=lightgray}
\setbeamercolor{enumerate subsubitem}{fg=lightgray}
\setbeamercolor{enumerate item}{fg=lightgray}
\setbeamercolor{page number in head/foot}{fg=lightgray}
\setbeamerfont{page number in head/foot}{size=\large}
\setbeamertemplate{itemize items}[circle]
\setbeamertemplate{navigation symbols}{}
\setbeamertemplate{footline}{
\hfill%
\usebeamercolor[fg]{page number in head/foot}%
\usebeamerfont{page number in head/foot}%
\setbeamertemplate{page number in head/foot}[framenumber]%
\usebeamertemplate*{page number in head/foot}\kern1em\vskip2pt%
}
\usemintedstyle{monokai}
\newminted[javacode]{java}{fontsize=\scriptsize}
\renewcommand{\footnotesize}{\tiny}
\def\code#1{{\color{codecolor}\texttt{#1}}}
\renewcommand{\theFancyVerbLine}{\color{darkgray}\large \oldstylenums{\arabic{FancyVerbLine}}}
\renewcommand{\title}[1]{
{\LARGE #1} \vskip 0.4cm
}
\renewcommand{\subtitle}[1]{
\vskip 0.3cm {\Large #1} \vskip 0.2cm %
}
\renewcommand{\b}[1]{\textbf{#1}}
\begin{document}
\begin{frame}
\begin{center}
\vspace{1cm}
{\LARGE Inferring Crypto API Rules \\ from Code Changes}\\
{\small Rumen Paletov, Petar Tsankov, Veselin Raychev, Martin Vechev} \\
\vspace{2cm}
{ Presented by Nicolas Hafner} \\
\vspace{0.1cm}
{\small ETH Software Engineering Seminar 2018 }
\end{center}
\end{frame}
\begin{frame}
\title{The Problem}
\begin{itemize}
\item Security APIs are difficult to use correctly
\item The APIs change and evolve
\item Old techniques become vulnerable
\item Not many tools available for automated audits
\end{itemize}
\end{frame}
\begin{frame}
\title{The Paper's Idea}
\begin{itemize}
\item Automate audits and automate rule generation!
\vspace{1cm}
\item Observe code changes in many projects
\item Look at changes in Security API uses
\item Derive security advisory rules from changes
\item Apply rules to projects to discover vulnerabilities
\end{itemize}
\end{frame}
\begin{frame}
\title{Challenges}
\begin{itemize}
\item Extracting information from source is difficult
\item Building or running projects not feasible
\item Rules might become too general or too specific
\end{itemize}
\end{frame}
\begin{frame}
\title{Technique Overview}
\vspace{1cm}
\makebox[\linewidth][c]{
\includegraphics[width=0.8\pagewidth]{overview.png}
}
\end{frame}
\begin{frame}
\title{Static Analysis Idea}
\begin{itemize}
\item Look at source code without executing it
\item Simulate source code execution
\item Determine all possible program states
\item Use state domain to reason about program
\end{itemize}
\end{frame}
\begin{frame}
\title{Static Analysis}
\begin{itemize}
\item Define possible execution states
\item Define starting state
\item Define how statements and expressions change state
\item Iterate through function statements, applying state changes
\item Continue until a steady state is reached
\end{itemize}
\end{frame}
\begin{frame}[fragile]
\title{Static Analysis}
\begin{javacode}
class AESCipher{
Cipher cipher;
String algorithm = "AES";
void setKey(Secret key){
cipher = Cipher.getInstance(algorithm);
cipher.init(Cipher.ENCRYPT_MODE, key);
}
}
\end{javacode}
\pause
\makebox[\linewidth][c]{
\includegraphics[width=0.6\pagewidth]{static-dag.png}
}
\end{frame}
\begin{frame}[fragile]
\title{Static Analysis}
\begin{javacode}
class AESCipher{
Cipher cipher;
String algorithm = "AES/CBC/PKCS5Padding";
void setKey(Secret key, String iv){
byte[] bytes = Hex.decodeHex(iv.toCharArray());
IVParameterSpec ivSpec = new IVParameterSpec(bytes);
cipher = Cipher.getInstance(algorithm);
cipher.init(Cipher.ENCRYPT_MODE, key, ivSpec);
}
}
\end{javacode}
\pause
\makebox[\linewidth][c]{
\includegraphics[width=0.6\pagewidth]{static-dag2.png}
}
\end{frame}
\begin{frame}
\title{Graph Diffs}
\makebox[\linewidth][c]{
\includegraphics[width=0.45\pagewidth]{static-dag.png}
\includegraphics[width=0.45\pagewidth]{static-dag2.png}
}
\pause
\makebox[\linewidth][c]{
\includegraphics[width=0.6\pagewidth]{dag-diff.png}
}
\end{frame}
\begin{frame}
\title{Change Filtering}
\begin{itemize}
\item Remove the diff if there are:
\begin{enumerate}
\item no changes
\item no removals
\item no additions
\end{enumerate}
relevant to our API, or if
\begin{enumerate}\setcounter{enumi}{3}
\item the diff is a duplicate.
\end{enumerate}
\end{itemize}
\end{frame}
\begin{frame}
\title{Change Clustering}
\makebox[\linewidth][c]{
\includegraphics[width=0.6\pagewidth]{dag-clustering.png}
}
% FIXME: add note for derived rule
\end{frame}
\begin{frame}
\title{Rules}
\vspace{1cm}
\makebox[\linewidth][c]{
$ \mathbf{Cipher}: \mathrm{getInstance}(X) \;\land\; (X=\mathrm{AES} \;\lor\; X=\mathrm{AES/ECB}) $
}
\begin{itemize}
\item Rule set over methods and states
\item To apply, perform static analysis on code and match logic formula on resulting DAG
\item Final rule derivation manually performed
\item Automated derivation possible, but out of scope for the paper
\end{itemize}
\end{frame}
\begin{frame}
\title{Data Set}
\begin{itemize}
\item 30'000 projects scanned
\item 461 projects selected
\item 11'551 changes collected
\item 6 target API classes analysed
\end{itemize}
\end{frame}
\begin{frame}
\title{Findings}
\begin{itemize}
\item Filters effectively remove irrelevant changes
\end{itemize}
\vspace{\fill}
{\small
\begin{tabular}{lrrrrr}
\b{Target API Class} & \b{Usage Changes} & \multicolumn{4}{c}{\b{After Filter}} \\
&& Same & Add & Rem & Dup \\
\hline
Cipher & 15829 & 419 & 204 & 116 & 75 \\
IVParameterSpec & 4967 & 58 & 24 & 12 & 11 \\
MessageDigest & 8277 & 116 & 78 & 27 & 17 \\
SecretKeySpec & 15543 & 226 & 120 & 55 & 45 \\
SecureRandom & 26008 & 309 & 131 & 26 & 21 \\
PBEKeySpec & 1549 & 29 & 21 & 17 & 17 \\
\end{tabular}}
\end{frame}
\begin{frame}
\title{Findings}
\begin{itemize}
\item Filters effectively remove irrelevant changes
\item Semantic changes are not affected
\end{itemize}
\vspace{\fill}
{\small
\begin{tabular}{llrrrrrr}
\b{Rule} & \b{Change} & \b{Total} & \multicolumn{4}{c}{\b{Filtered Changes}} & \b{Remain.} \\
&&& Same & Add & Rem & Dup & \\
\hline
CL1 & fix & 8 & 0 & 0 & 0 & 1 & 7 \\
& bug & 1 & 0 & 0 & 0 & 0 & 1 \\
& none & 15820 & 15410 & 215 & 88 & 40 & 67 \\
CL2 & fix & 1 & 0 & 0 & 0 & 0 & 1 \\
& bugs & 0 & 0 & 0 & 0 & 0 & 0 \\
& none & 4966 & 4909 & 34 & 12 & 1 & 10 \\
\end{tabular}}
\end{frame}
\begin{frame}
\title{Findings}
\begin{itemize}
\item Filters effectively remove irrelevant changes
\item Semantic changes are not affected
\item 13 security rules derived, 7 of them new
\end{itemize}
\vspace{\fill}
{\scriptsize
\begin{tabular}{ll}
\b{R1} & Use SHA-256 instead of SHA-1 \\
R2 & Do not use password-based encryption with iterations count less than 1000 \\
\b{R3} & SecureRandom should be used with SHA-1PRNG \\
\b{R4} & SecureRandom with getInstanceStrong should be avoided \\
\b{R5} & Use the BouncyCastle provider for Cipher \\
\b{R6} & The underlying PRNG is vulnerable on Android v16-18 \\
R7 & Do not use Cipher in AES/ECB mode \\
\b{R8} & Do not use Cipher with DES mode \\
R9 & IvParameterSpec should not be initialized with a static byte array \\
R10 & SecretKeySpec should not be static \\
R11 & Do not use password-based encryption with static salt \\
R12 & Do not use SecureRandom static seed \\
\b{R13} & Missing integrity check after symmetric key exchange \\
\end{tabular}}
\end{frame}
\begin{frame}
\title{Findings}
\begin{itemize}
\item Filters effectively remove irrelevant changes
\item Semantic changes are not affected
\item 13 security rules derived, 7 of them new
\item Vulnerabilities found in 57\% of analysed projects
\end{itemize}
\end{frame}
\begin{frame}
\title{Thoughts}
\begin{itemize}
\item Paper does not discuss any future work
\item Static analysis uses rather simple grammar
\item Maybe useful to ease other API migrations
\item How to deal with languages unlike Java
\end{itemize}
\end{frame}
\begin{frame}
\title{Conclusion}
\begin{itemize}
\item Filtering out semantic changes automatically is a feasible approach
\item In a sample case, 13 security rules were derived
\item Of the analysed projects, 57\% were vulnerable to at least one of the derived rules
\item Manual intervention still required
\end{itemize}
\vspace{\fill}
\makebox[\linewidth][c]{
\scriptsize
\url{http://diffcode.ethz.ch/}
}
\makebox[\linewidth][c]{
\scriptsize
\url{https://files.sri.inf.ethz.ch/website/papers/diffcode-pldi2018.pdf}
}
\end{frame}
\begin{frame}
\end{frame}
\begin{frame}[fragile]
\title{How About This?}
\begin{javacode}
class AESCipher{
Cipher cipher;
String getAlgorithm(){
switch(Config.AESMode){
case Config.AES: return "AES";
case Config.AES_CBC: return "AES/ECB";
default: throw new RuntimeException();
}
}
void setKey(Secret key){
cipher = Cipher.getInstance(getAlgorithm());
cipher.init(Cipher.ENCRYPT_MODE, key);
}
}
\end{javacode}
\end{frame}
\end{document}
%%% Local Variables:
%%% mode: latex
%%% TeX-command-extra-options: "-shell-escape"
%%% TeX-master: t
%%% TeX-engine: luatex
%%% End: