Watch the stream
In this lab, we will discuss how code can be represented in a graphical format, which can then be queried interactively to find security bugs in code. We will then use the open-source project Joern (Open-Source Code Querying Engine for C/C++) to build a DIY SAST tool. Joern has been used extensively to hunt bugs in Linux Kernel, Cisco DCNM, and recent Amnesia:33 set of bugs by Forescout. It exposes a very easy to use Scala API to build custom tools around it and hence the choice!
We will begin by introducing common vulnerabilities and how to create a mental model to identify them when investigating code and binaries. We will explore a sample program's control and data flow and see potential cases of security bugs that can be modeled and discovered using a graph representation of the source code.
The interactive portion of the lab includes an in-depth walk-through of the data and control flow of a sample program along with instruction on using the Joern framework to uncover potential vulnerabilities in that code. Lab attendees will use Joern to uncover bugs and create new build rules and scripts for future bug hunting. We will eventually create a complete custom static code analyzer for a sample use-case and see it in action.
Lab Outline
- Introduction to graph data structures for static analysis
- How to identify patterns that indicate vulnerabilities in code
- Mapping source code to a graph database and querying the database
- Intro to the Joern framework
- Interactive bug hunting using Joern Shell
- Creating a custom SAST tool with Joern
Goals
As they finish the workshop, the attendees,
- Understand fundamentals of code analysis and how to understand code for performing "static analysis for security debugging"
- Understand how current static analysis tools are built and how they leverage graphical representations of code
- Can perform basic interactive analysis using Joern to query code and obtain security relevant insights
- Are able to build a small tool (such as a double-free detector) using Joern queries and package it for distribution
- Run their own tool on provided sample code and get results
- Gain confidence to write complex tools and run them on your own code
Pre-requisites/assumed knowledge:
Intermediate developers/application security professionals with basic understanding of programs and compilers (A quick programming language structures refresher will be provided before actual hands-on sessions commence which explains various graphical representations of code and how they fit together)
Participants should prepare by:
Participants should install Joern (https://docs.joern.io/home/) in advance if possible.