Tuesday, October 18, 2016

Fuzzy Assessment: Part 1 - Welcome to the SWAMP

Between the DVRF series and other things in the works, I have been reading “The Art of Software Security Assessment”. I recently finished reading the fourth chapter, which concludes with a case study of OpenSSH 4.3. This case study gives the reader review points to explore further, such as reviewing the SSH RFCs along with various OpenSSH C source and header files. The reader is also pointed at specific issues to investigate, such as whether double free vulnerabilities and memory leaks can be identified.

As a point of reference, OpenSSH 4.3 was released in February 2006. While the book also came out in 2006, automated assessment tools have continued to mature since then. I wanted to know whether modern tools would provide insight into the vulnerabilities mentioned in the security assessments referenced in the book.

There are assessment tools mentioned in the book, but that was ten years ago. Looking at tools available today, there is one particular open source project called SWAMP, which provides tools to assess software available on multiple platforms and languages. Below is an excerpt from their About page:

“The Software Assurance Marketplace (SWAMP) is committed to bringing a transformative change to the national software assurance landscape by providing a national marketplace that provides continuous software assurance capabilities to researchers and developers. By providing software assurance researchers, tool developers, tool users and educators who train our workforce a suite of secure and dependable analysis services, the Software Assurance Marketplace will reduce the number of vulnerabilities deployed in software.”

Unfortunately, getting acclimated to the SWAMP can be confusing. There are a lot of things to click on, and the documentation does not walk you through everything needed in a straightforward way. However, once you play with some of the existing projects they make available to you, it becomes easier to use. I am going to walk through the process I took to get OpenSSH 4.3 evaluated by the tools available in the SWAMP.

Section 1: Get OpenSSH 4.3

  1. Click on the “Linux … For other OS’s” link on the left
  2. Under “Developers” we see a link for repositories hosted at GitHub. Click that to bring you to https://github.com/openssh/openssh-portable.
  3. We are in the “Portable” version of OpenSSH hosted on GitHub. Click on the “130 releases” link for this repository. We want to go back to version 4.3. Also, the number of releases may be different by the time you read this.
  4. Browse through the list of releases (back a few pages) to see the v4.3 P1 release:

  5. Click on “zip” to download the archived snapshot of the OpenSSH v4.3 P1 release
  6. Extract/double click on the downloaded archive to open it up
  7. Browse through the folder of OpenSSH 4.3 to the “INSTALL” file
  8. Open up “INSTALL” with a text editor
  9. To perform a basic installation, the instructions are:

    “To install OpenSSH with default options:

    make install”

  10. Seems pretty straightforward to get this installed

Section 2: A nice view of the SWAMP

  1. Sign up to create an account and come back to the main page once that is done
  2. Once logged in, click on “Packages”
  3. Click “Add New Package”
  4. Fill in the required details and other parts as you’d like. Upload the OpenSSH 4.3 archive from the previous step. Click “Next” once complete. This is mine:

  5. This next step should fill in the details automatically as below:

  6. Click Next
  7. This page has a lot of options and things to add in as we can see:

  8. The “Build script” window is the most important window to focus on right now. The contents in the grey box will be executed on the virtual machine in the SWAMP. We know from the instructions that we should do a “./configure; make; make install” to get this to run. We also see the warning in the yellow box that no “makefile” can be found. Let’s see what happens!
  9. Click “Save New Package”
  10. Click “OK” to the notification window
  11. Now that our package is created, scroll to the bottom of the window and click “Run new assessment”
  12. The assessment window has many tools available to run against a variety of languages. You should be here now:

  13. We’ll let the SWAMP use all available tools with the latest version possible
  14. For the Platform, we have a variety of Linux options. As OpenSSH 4.3 came out in 2006, we should stick with a 32-bit system for better compatibility. We can see a selection of options as below:

  15. Choose “Red Hat Enterprise Linux 32-bit”
  16. At the time of this writing, there are two options of “Latest” and “RHEL 6.4 32-bit”. Both choices are the same option of “RHEL 6.4”. Leave it as “Latest” and click “Save and Run”.
  17. You can choose to let the SWAMP send you emails about the status of the assessment and whether you want the software to be assessed.

  18. Click “Run Now”
  19. Click “OK” in the notification window
  20. Click the checkbox for “Auto refresh” for the status to be automatically updated

  21. The SWAMP will process OpenSSH 4.3 against the Clang Static Analyzer, cppcheck, and gcc tools. Here are the descriptions for these three tools from the “Tools” page:

    [Tool descriptions for Clang Static Analyzer, cppcheck, and gcc from the “Tools” page]
  22. After a short period of time, the assessment will pass or fail
  23. Unfortunately, this assessment will fail:

  24. If we click on the exclamation point for any of the tools, we’ll get more details of the failure. Click the exclamation point for Clang to open up a failure report.

  25. In the failed assessment report, we get a lot of detail. At the bottom we can see the error of why this run failed.

  26. As we saw from earlier and now in this report, there is no makefile to run. That issue will be covered in the next post!
