S.C.A.R.E. - Static Code Analysis Recognition Evasion

Presented at DeepSec 2019 „Internet of Facts and Fears“

Companies increasingly rely on static code analysis (SCA) tools to scan their custom code for security risks. But can they really rely on the results? The typical SCA tool is designed to detect security issues that were introduced by accident or lack of skill. How reliable are these tools when someone intentionally places bugs in code that are not supposed to be found? This talk explores several nasty concepts for camouflaging malicious code so that it avoids detection by SCA algorithms. On a technical level, the following concepts are covered:

  • covert data flow
  • deep call stacks
  • circular calls
  • source mining
  • counter-encoding
  • data laundering

Based on this, I will provide some code snippets as proof of concept for the audience to test at home. This talk focuses on general weaknesses of SCA tools. I am not going to point the finger at specific vendors.

Presenters:

  • Andreas Wiegenstein - SERPENTEQ GmbH
    Andreas is an experienced SAP security researcher. He discovered a substantial number of zero-days in SAP software and supported the development of a market-leading ABAP SCA tool. He has spoken at multiple security conferences such as Black Hat, DeepSec, HITB, IT Defense, RSA and Troopers. His current research is focused on malware.
