Watch the stream
In this lab, we will discuss how code can be represented in a graphical format, which can then be queried interactively to find security bugs in code. We will then use the open-source project Joern (Open-Source Code Querying Engine for C/C++) to build a DIY SAST tool. Joern has been used extensively to hunt bugs in Linux Kernel, Cisco DCNM, and recent Amnesia:33 set of bugs by Forescout. It exposes a very easy to use Scala API to build custom tools around it and hence the choice!
We will begin by introducing common vulnerabilities and how to create a mental model to identify them when investigating code and binaries. We will explore a sample program's control and data flow and see potential cases of security bugs that can be modeled and discovered using a graph representation of the source code.
The interactive portion of the lab includes an in-depth walk-through of the data and control flow of a sample program along with instruction on using the Joern framework to uncover potential vulnerabilities in that code. Lab attendees will use Joern to uncover bugs and create new build rules and scripts for future bug hunting. We will eventually create a complete custom static code analyzer for a sample use-case and see it in action.
- Introduction to graph data structures for static analysis
- How to identify patterns that indicate vulnerabilities in code
- Mapping source code to a graph database and querying the database
- Intro to the Joern framework
- Interactive bug hunting using Joern Shell
- Creating a custom SAST tool with Joern
As they finish the workshop, the attendees,
- Understand fundamentals of code analysis and how to understand code for performing "static analysis for security debugging"
- Understand how current static analysis tools are built and how they leverage graphical representations of code
- Can perform basic interactive analysis using Joern to query code and obtain security relevant insights
- Are able to build a small tool (such as a double-free detector) using Joern queries and package it for distribution
- Run their own tool on provided sample code and get results
- Gain confidence to write complex tools and run them on your own code
Intermediate developers/application security professionals with basic understanding of programs and compilers (A quick programming language structures refresher will be provided before actual hands-on sessions commence which explains various graphical representations of code and how they fit together)
Participants should prepare by:
Participants should install Joern (https://docs.joern.io/home/) in advance if possible.
Suchakra Sharma Chief Scientist, Privado Inc.
Suchakra Sharma is the Chief Scientist at Privado where he helps build code analysis tools for data privacy and data security. He completed his Ph.D. in computer engineering from Polytechnique Montréal where he worked on eBPF technology and hardware-assisted tracing techniques for OS analysis. For the last six years, Suchakra has been working on enhancing static analysis tooling for fixing security bugs at scale. He has delivered talks and trainings at venues such as USENIX LISA, Enigma, SCALE, RSA, BlackHat Arsenal, Papers We Love, NorthSec etc. When not playing with computers, he develops film photographs and writes poems.