Workshop Title: Static Analysis
Clint Gibler (@clintgibler) and Daniel DeFreez (@defreez)
- Quick intro to threat modeling - when given a new application, where should you focus your time?
- Outside in vs inside out testing - tips on what's useful to test dynamically and confirm via source review vs locating an issue through source review and PoC-ing via dynamic testing
- Looking for common issues via source review - present some issues whose origin cannot be expressed with grep (e.g. a controller method not calling an authz method, ordering of methods being called, missing annotations, etc.)
- These issues motivate the usefulness of being able to search code in a way that has some syntactic understanding of the underlying language (i.e. not just string searching)
- Overview of static and dynamic analysis - strengths and limitations
- Static analysis - the big picture, taint analysis-type problems: sources, sinks, and transfer and cleanse functions
- Static analysis fundamentals - lexing, parsing, building Abstract Syntax Trees (ASTs), ...
- Challenges when performing static analysis - supporting many languages, dynamic typing, eval/reflection constructs, container types, precision vs. memory and speed trade-offs
- A brief tour of other types of program analysis - fuzzing, symbolic execution, model checking, etc. - basically, what are all the ways you can build tools to find bugs?
- Hands-on exercise of doing some lightweight static analysis
- Laptop with VirtualBox or VMware capable of running a Linux VM
- Basic understanding of Linux command line
- Basic Programming skills in 1 language
- InfoSec vocabulary (OWASP Top 10)
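
An added example (not workshop material) of the kind of check described above that grep cannot express: finding controller methods that never call an authz method, or call it only after other work, using Python's `ast` module. The `require_permission` helper, the `Controller` class-name suffix, and the sample source are assumptions constructed for this illustration.

```python
import ast

# Constructed sample source (not workshop material); require_permission is hypothetical.
SAMPLE = '''
class InvoiceController:
    def show(self, request, invoice_id):
        require_permission(request.user, "invoice:read")
        return load_invoice(invoice_id)

    def delete(self, request, invoice_id):
        # TODO: add require_permission(request.user, "invoice:delete")
        return remove_invoice(invoice_id)

    def export(self, request, invoice_id):
        data = load_invoice(invoice_id)
        require_permission(request.user, "invoice:read")
        return data
'''

AUTHZ_CALL = "require_permission"  # assumed name of the authz helper

def call_name(call):
    """Simple name of a call target: f(...) -> 'f', obj.f(...) -> 'f'."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    return func.attr if isinstance(func, ast.Attribute) else None

def audit_controllers(source, suffix="Controller"):
    """Return {'Class.method': finding} for public handlers without an early authz call."""
    findings = {}
    for cls in ast.walk(ast.parse(source)):
        if not (isinstance(cls, ast.ClassDef) and cls.name.endswith(suffix)):
            continue
        for fn in cls.body:
            if not isinstance(fn, ast.FunctionDef) or fn.name.startswith("_"):
                continue
            # Calls in source order (an approximation of execution order).
            calls = sorted((n for n in ast.walk(fn) if isinstance(n, ast.Call)),
                           key=lambda n: (n.lineno, n.col_offset))
            names = [call_name(c) for c in calls]
            if AUTHZ_CALL not in names:
                findings[f"{cls.name}.{fn.name}"] = "missing authz call"
            elif names[0] != AUTHZ_CALL:
                findings[f"{cls.name}.{fn.name}"] = "authz call is not first"
    return findings

if __name__ == "__main__":
    print(audit_controllers(SAMPLE))
```

The `delete` handler mentions the helper only in a comment, so a text search for the name would match it, while the AST check correctly reports the call as missing.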