Information flow is fundamental to application security.
- We do not want sensitive information to reach untrusted principals (confidentiality), and
- We do not want untrusted principals to corrupt trusted information (integrity)
For example, it is unacceptable to take a string from untrusted user input and use it as part of a SQL query, since this leads to SQL injection attacks. However, it is acceptable to first pass the untrusted user input through a trusted sanitization function and then use the sanitized input to construct the SQL query. Similarly, confidential data needs to be cleansed, obfuscated or redacted before it leaves a trust boundary, to avoid information leaks.
The last several years have seen a proliferation of static and runtime analysis tools for finding security violations that are caused by explicit information flow in programs. Much of this interest has been caused by the increase in the number of vulnerabilities such as cross-site scripting and SQL injection.
In fact, these explicit information flow vulnerabilities commonly found in Web applications (Java, Node.js, .NET) now outnumber vulnerabilities such as buffer overruns that are common in type-unsafe languages such as C and C++.
Tools checking for these vulnerabilities require a specification to operate and the efficacy of these tools is only as good as the specification.
Unfortunately, writing a comprehensive specification presents a major challenge: parts of the specification are easy to miss, leading to missed vulnerabilities; similarly, incorrect specifications may lead to false positives.
The fundamental program abstraction boils down to extracting the propagation graph — a directed graph that models all inter-procedural explicit information flow in a program. The nodes of a propagation graph are methods and/or code blocks, and edges represent explicit information flow between methods.
The nodes of the propagation graph are classified as sources, sinks, and sanitizers; nodes not falling into any of these categories are termed regular nodes. A source node can accept tainted data, whereas it is an error to pass tainted data to a sink node. Sanitizer nodes cleanse (that is, un-taint or endorse) information to mediate between different levels of trust. Regular nodes do not taint data, and it is not an error to pass tainted data to them; if tainted data reaches a regular node, it is merely propagated to the node's successors without any mediation.
A classification of the nodes in a propagation graph into sources, sinks and sanitizers is called an information flow specification, or just a specification for brevity. Given a propagation graph and a specification, one can easily run a reachability algorithm to check that every path from a source to a sink passes through a sanitizer.
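The reachability check described above, as an added example that is not part of the original post: a propagation graph is a dictionary of method-to-successor edges, the specification is three sets of node names, and taint is propagated from each source, stopped at sanitizers, and reported when it reaches a sink. The method names in the sample graph are hypothetical and constructed to mirror the SQL example earlier in the post.

```python
from collections import deque

def find_unsanitized_flows(graph, sources, sinks, sanitizers):
    """Return source->sink paths along which no sanitizer node is visited.

    graph maps a node (method name) to its successors; each edge is an
    explicit information flow. Regular nodes pass taint through unchanged,
    sanitizer nodes stop it, and reaching a sink while tainted is an error.
    One witness path per (source, node) pair is kept, so cycles terminate.
    """
    violations = []
    for src in sorted(sources):
        queue = deque([(src, (src,))])
        visited = {src}
        while queue:
            node, path = queue.popleft()
            for succ in graph.get(node, ()):
                if succ in sanitizers:
                    continue  # taint is cleansed; the flow beyond is trusted
                if succ in sinks:
                    violations.append(path + (succ,))
                if succ not in visited:
                    visited.add(succ)
                    queue.append((succ, path + (succ,)))
    return violations

def check_specification(graph, spec):
    """Apply a specification {sources, sinks, sanitizers} to a graph."""
    return find_unsanitized_flows(
        graph, spec["sources"], spec["sinks"], spec["sanitizers"])

# Constructed sample: two request handlers feed one query builder, but only
# the "lookup" handler escapes the parameter first. Names are hypothetical.
SAMPLE_GRAPH = {
    "HttpRequest.getParameter": ["OrderController.search", "OrderController.lookup"],
    "OrderController.search": ["QueryBuilder.build"],
    "OrderController.lookup": ["Sanitizer.escapeSql"],
    "Sanitizer.escapeSql": ["QueryBuilder.build"],
    "QueryBuilder.build": ["Statement.executeQuery"],
    "Statement.executeQuery": [],
}
SPEC = {
    "sources": {"HttpRequest.getParameter"},
    "sinks": {"Statement.executeQuery"},
    "sanitizers": {"Sanitizer.escapeSql"},
}

if __name__ == "__main__":
    for path in check_specification(SAMPLE_GRAPH, SPEC):
        print("unsanitized flow:", " -> ".join(path))
```

Dropping `Sanitizer.escapeSql` from the specification makes the sanitized `lookup` path show up as a violation too, which is the false-positive failure mode an incomplete specification produces.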
The specification model should, however, extend beyond vulnerability discovery (faulty-input based) to detecting business logic flaws (faulty-logic based), as discussed here. Going further, the specification should be able to extend itself to detect insider attacks and rootkits placed intentionally with malicious intent.
ShiftLeft's Ocular is a platform built over the foundational Code Property Graph that is uniquely positioned to deliver a specification model to query for vulnerable conditions, business logic flaws and insider attacks that might exist in your application's code base.
The spectrum of Ocular's use cases includes, but is not limited to:
- Detect vulnerabilities (known/unknown) in financial, healthcare, technology domains
- Detect business logic flaws in any software domains
- Detect insider attacks and rootkits in applications implementing mission-critical systems
- Detect information leakage outside of trust boundaries in any software domains adhering to regulatory compliance (GDPR, HIPAA, SOC-1/2, PII, PHI)
- Detect violations of MISRA (Motor Industry Software Reliability Association) guidelines in software deployed in IoT and embedded devices, etc.
In the following installment posts I will use examples to highlight Ocular's capability within the confines of each category specified above.
To request a free trial and demo, please sign up at https://www.shiftleft.io/ocular/