Workshop: Findings Stranger Things in Code


Coding without debugging is like riding a bike, blind, downhill, in the dead of night without any 'breaks'. It may be dangerous, but it's also unheard of ;-) The rigor we apply to runtime debugging of applications can also be applied before or after compile-time using static analysis tools. Not knowing what your application does is a recepie for disaster. The only recourse a modern developer has is to sift through gazillion lines of code manually searching for a dangerous pattern or an exotic coding blunder that may have seeped in. 

In this workshop, we discover how code can be represented in a graphical format, which can then be queried interactively to find common security or performance bugs in code. We will use Joern as the framework for writing a querying the code to hunt bugs interactively. The focus of the workshop would be on uncovering and identifying accidental data leaks, uncovering memory allocation bugs and development of rules to identify such bugs. We will begin by introducing common vulnerabilities and then share code samples for these vulnerabilities and how to create a mental model when investigating code and binaries to uncover them. We will explore a sample program's control and data flow and see potential cases of security bugs that can be modelled/discovered in our interactive investigations.

Things you will learn

1 Introduction to Interactive Static Analysis
  1.1 Vulnerability models in your head - how to identify patterns
  1.2 Mapping code to a graph and asking questions
  1.3 Use-Case: Exotic memory allocation bugs
  1.4 Joern Static Analysis Framework

2 Hunting Security Bugs Interactively in Joern Shell
  2.1 Quick compiler internals
  2.2 Building a graph of your code
  2.3 Using Joern queries to investigate code
  2.2 Identifying interesting sources and sinks
  2.4 Identifying control and data flows
  2.5 Hunting memory allocation bugs
3. Creating Automation Scripts for Code Analysis
  3.1 Scripts for finding sensitive literals in code
  3.2 Scripts to detect blacklisted data types used in code 
  3.3 Scripts to detect double-free bugs


1. Java 8
2. Joern-CLI
3. Willingness to learn about programming languages and security

Room 212
Thursday, March 5, 2020 - 14:00 to 16:30