DeepSec 2019 Talk: S.C.A.R.E. – Static Code Analysis Recognition Evasion – Andreas Wiegenstein
Andreas Wiegenstein has expert advise for software security:
Companies increasingly rely on static code analysis tools in order to scan (their) (custom) code for security risks. But can they really rely on the results?
The typical SCA tool is designed to detect security issues in code that were created by accident / lack of skill. But how reliable are these tools, if someone intentionally places bugs in code that are not supposed to be found?
This talk explores several nasty concepts how malicious code could be camouflaged in order to avoid detection by SCA algorithms.
On a technical level, the following concepts are covered
- covert data flow
- deep call stacks
- circular calls
- source mining
- data laundering
Based on this, I will provide some code snippets as proof of concept for the audience to test at home.
This talk focuses on general weaknesses of SCA tools. I am not going to point the finger at specific vendors.
We asked Andreas a few more questions about his talk.
Please tell us the top 5 facts about your talk.
- The talk explains how SCA tools technically work and which compromises vendors have to make.
- The talk points out general weaknesses in SCA algorithms.
- The talk does not intend to point the finger at specific vendors.
- I will show multiple code examples in different languages that trick scanner logic.
- I will also show how to trick human code reviewers.
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
I am engaged in malware research in SAP environments. Since most code in SAP is source code, I came up with the challenge to hide malware from code scanners. Later I expended these techniques to other programming languages.
Why do you think this is an important topic?
Many companies have to deal with vast amounts of source code and limited security budget. They rely on automated code analysis and are therefore vulnerable to SCA evasion techniques.
Is there something you want everybody to know – some good advice for our readers maybe?
If your application security defenses are based on Static Code Analysis alone, you have a problem.
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
Next generation malware will be able to trick / bypass code scanners.
Andreas is an experienced SAP security researcher. He discovered a substantial number of zero-days in SAP software and supported development of a market leading ABAP SCA tool. He has spoken at multiple security conferences such as Black Hat, DeepSec, HITB, IT Defense, RSA and Troopers. His current research is focused on malware.