Static Application Security Testing (SAST) plays a significant role in modern vulnerability discovery. For example, GitHub uses CodeQL to scan repositories. However, our analysis of over 100 real-world vulnerabilities has revealed that its detection performance is limited by two main factors: 1) incomplete source and sink coverage in built-in propagation rules, and 2) disruptions in data flow due to insufficient support for certain language features.

In this talk, we will introduce a framework that extends SAST tools' ability to identify previously undetectable vulnerabilities and new CVEs. First, we will demonstrate how to leverage Large Language Models (LLMs) to automatically identify sources and sinks from open-source frameworks. Second, we will introduce the implementation principles of CodeQL's Data Flow Analysis (DFA). By developing patches for the DFA's QL language library, we have addressed language feature challenges, including Java reflection handling, partial native method support, and value passing model optimization.

Our enhancements support 191 sources and sinks across 18 frameworks. Through comprehensive verification of over 5,000 repositories, we identified a more than 15% increase in data flows when utilizing existing rules, compared to results without the enhancements. Additionally, we reproduced over 50 historical CVEs that were undetectable by the original CodeQL due to a lack of language feature support. Our research also uncovered 5 new CVEs (e.g., CVE-2024-45387) that the original CodeQL could not detect. We believe our work will greatly empower the detection capabilities of SAST tools.

By:
Yuan Luo | Senior Security Engineer, Tencent Security YunDing Lab
Zhaojun Chen | Senior Security Engineer, Tencent Security YunDing Lab
Yi Sun | Senior Security Engineer, Tencent Security YunDing Lab
Rhettxie Rhettxie | Senior Security Engineer, Tencent Security YunDing Lab

Presentation Materials Available at: https://ift.tt/Qm8jV0O
Source: https://www.youtube.com/watch?v=Zp0x-cfClPY
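As an added illustration (not code from the talk, nor from the Tencent YunDing Lab framework it describes), the CodeQL query below shows in miniature the two levers the abstract names: declaring a source and a sink for a framework the built-in rules do not know, and adding a taint step so that data flow survives a reflective `java.lang.reflect.Method.invoke` call instead of stopping at it. The `com.acme.web.AcmeRequest.getParam` source, the `com.acme.sys.Shell.run` sink and the Java pattern in the comments are hypothetical. The reflection step is a deliberate over-approximation (every argument to `invoke` taints its result); it is a simple stand-in for, not a reproduction of, the target-resolving library patch the talk describes. It assumes a CodeQL CLI recent enough for the `DataFlow::ConfigSig` module API and the `MethodCall` class (older releases name it `MethodAccess`).

```ql
/**
 * @name Request parameter reaches Shell.run via reflective invocation
 * @description Illustrative query: a custom source and sink for a
 *              hypothetical framework, plus an extra taint step through
 *              java.lang.reflect.Method.invoke so the flow is not cut.
 * @kind path-problem
 * @problem.severity warning
 * @id example/reflective-taint-to-shell
 * @tags security
 */

import java
import semmle.code.java.dataflow.TaintTracking

// Hypothetical Java pattern this query is meant to find (constructed example):
//   String cmd = req.getParam("cmd");                              // source
//   Method m = Shell.class.getMethod("normalize", String.class);
//   Shell.run((String) m.invoke(null, cmd));                       // sink
// Without the extra step below, taint stops at m.invoke(...), because the
// reflected target is not resolved and invoke() is not modelled as a pass-through.

/** Hypothetical source: `com.acme.web.AcmeRequest.getParam(String)` returns attacker-controlled data. */
class AcmeRequestParam extends MethodCall {
  AcmeRequestParam() {
    this.getMethod().hasQualifiedName("com.acme.web", "AcmeRequest", "getParam")
  }
}

/** Hypothetical sink: the first argument of `com.acme.sys.Shell.run(String)`. */
class AcmeShellRunArg extends Expr {
  AcmeShellRunArg() {
    exists(MethodCall mc |
      mc.getMethod().hasQualifiedName("com.acme.sys", "Shell", "run") and
      this = mc.getArgument(0)
    )
  }
}

/** A call to `java.lang.reflect.Method.invoke(Object obj, Object... args)`. */
class ReflectiveInvoke extends MethodCall {
  ReflectiveInvoke() {
    this.getMethod().hasQualifiedName("java.lang.reflect", "Method", "invoke")
  }
}

module ReflectiveTaintConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) {
    source.asExpr() instanceof AcmeRequestParam
  }

  predicate isSink(DataFlow::Node sink) {
    sink.asExpr() instanceof AcmeShellRunArg
  }

  // Over-approximation (assumption of this example): every argument after the
  // receiver (index 0) of Method.invoke taints the value invoke() returns.
  // Taint into an explicit `new Object[]{...}` varargs array is already covered
  // by the library's default array-initializer taint steps.
  predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
    exists(ReflectiveInvoke inv, int i |
      i >= 1 and
      n1.asExpr() = inv.getArgument(i) and
      n2.asExpr() = inv
    )
  }
}

module ReflectiveTaintFlow = TaintTracking::Global<ReflectiveTaintConfig>;

import ReflectiveTaintFlow::PathGraph

from ReflectiveTaintFlow::PathNode source, ReflectiveTaintFlow::PathNode sink
where ReflectiveTaintFlow::flowPath(source, sink)
select sink.getNode(), source, sink,
  "Request parameter reaches Shell.run() through a reflective Method.invoke call."
```

Run it against a CodeQL database built from the Java project with `codeql database analyze <db> query.ql --format=sarif-latest --output=out.sarif`. In practice the source and sink definitions would not be hard-coded classes but models-as-data extension rows (YAML `sourceModel` / `sinkModel` entries), which is the shape an LLM-generated list of framework sources and sinks can be fed into without editing queries; the reflection step belongs in the shared library rather than in a single query, which is why the abstract speaks of patching the DFA's QL library.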