Using Software Maps for Security Inspections

1
Using Software Maps for Security
Inspections Thomas D. LaToza James D. Herbsleb
Goals
Approach

• Inspecting code for security exploits
• Reusing open source code
• Does it have existing security exploits?
• Will reusing it in a different environment
  introduce new exploits?
• What assumptions does it make about its
  environment?
• Fixing security bugs
• Repairing design decisions
• Should I make a new class with different
  permissions and assumptions about its use?
• Does adding a guard for this input duplicate
  checks elsewhere and reduce performance?

• Make it easy to understand dependencies
• Trace environmental dependencies through system
• Start at user input, network input, or other
  external input functions
• Check dependent methods for correct input
  assumptions
• Start at methods making privileged calls such as
  writing to filesystem
• Ensure callers make appropriate checks
• Make it easy to change design decisions
• Refactor to simplify architecture for new
  assumptions
• Move, combine, and split methods introduce
  classes

Anatomy of a security fix 3 classes modified in
fix of Drag and drop gestures can be hijacked to
load priviliged xul for Firefox 1.02
nsDragService
nsBaseDragService
nsNativeDragTarget
nsDragService
nsBaseDragService
nsDragServie
nsBaseDragServie
GetData
nsNativeDragTarget
GetDataObjCollection
IsCollectionObject
GetFrameFromNode
No dependency changes
GetSourceDocument
nsNativeDragTarget
GetNumDropItems
mSourceDocument
GetNumDropItems
DispatchDragDropEvent
AddRef
GetCurrentSession
StartDragSession
mWindow
GetData
mDoingDrag
m_cRef
mDataObject
mHWnd
EndtDragSession
Release
SetIDataObject
mTransArray
InvokeDragSession
GetGeckoDragAction
mCanMove
mSourceNode
mNativeDragTarget
Methods grouped around variable dependency
mNativeDragSrc
DragEnter
SetTargetSize
GetSourceNode
EndDragSession
Drop
mTargetSize
DragOver
StartInvokingDragSession
IsDataFlavorSupported
GetTargetSize
Legend Members -Font size small lt 10 LOC, medium
10 to 50 LOC, large gt 50 LOC -Fill solid
modified since checkin, diamond added since
checkin, none not modified color task
membership -Edge line solid public method,
dashed protected or private method, none
variable -Edge shape rectangular static,
curved instance Edges calls, called by, writes
var, reads var
mDragService
DragLeave
QueryInterface
GetDragAction
IsDataFlavorSupported
mDragAction
SetCanDrop
mCanDrop
SetDragAction
InvokeDragSession
IsKeyDown
ProcessDrag
GetCanDrop

Removed function call
Added function call
Circle sized by 403 LOC in class
No member variable references
Read variable
Read and written multiple times
Technology

• Separate design view from algorithm view
• Separate code editor view for function bodies
• Clicking on method navigates code editor
• Design view for making programming in the large
  design decisions
• Put related members together
• Position encodes relatedness to make clusters of
  functionality apparent
• Minimize distance of
• Methods with call relationships (inside and
  outside class)
• Methods with data dependencies on variables
• Variables from center of class
• Methods and variables must stay inside owning
  class
• Control flow dependency, data dependency,
  membership gt functional relationships
• Make interprocedural inspection easier

• Decorate with maximally task helpful information
• Information
• Version control last modified by, last modified
  date, modifications
• Editor visited, modified, added
• Code public / protected / private, LOC
• Connectors calls, called by, writes var, reads
  var
• Expression
• Text string, size, color
• Box shape, edge style, edge thickness, edge
  color, fill color
• Movement position over time
• Edges on/off MANUALLY enable by hover or
  click
• Directly manipulate design decisions
• Drag for move method, push down, push up
  hierarchy refactorings
• Select, click, and type for rename
• Right click to add new method, variable, class
• Modifications colored and revertable by task
• Off the shelf program analysis technology
• Might include analyses for code duplication,
  exceptions, profiling, origin
• GUI for existing analysis tool results