Security Dataflow - Technical details


Bytecode

The User Input Security feature incorporates a “Dataflow Engine” that uses intermediate bytecode (known as “CASTIL”) that is produced during the analysis:

JEE technology

There are two bytecode generators:

  • An extension, com.castsoftware.securityforjava, is available - this extension is installed automatically when you deliver JEE source code.
  • The com.castsoftware.jee extension also generates intermediate bytecode “out of the box”, but this bytecode is not used when the com.castsoftware.securityforjava extension is installed.

.NET technology

The bytecode is generated by the com.castsoftware.dotnet extension.

Dataflow Engine

The Dataflow Engine uses a tainted variable mechanism to track user input that has not been sanitized. The engine tracks vulnerabilities by following tainted data as it flows from the user input down to the target methods, as illustrated by the “SQL Injection” scenario in the image below:

The Dataflow Engine works automatically on the bytecode - it does not use any information stored in the Analysis schema. So, for example, if you are running a quick code analysis that targets only User Input Security flaw detection, you do not need to configure dynamic links or the database code analysis itself - you only need to configure your JEE and .NET analysis correctly, ensure the Security Dataflow feature is enabled, and then generate a snapshot.

Because the best known user input vulnerability is SQL Injection, it is often assumed that the User Input Security feature requires an end-to-end analysis from the client code down to the database code. This is not the case: the Dataflow Engine only needs to explore the JEE or .NET code.
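The tainted variable mechanism described above, shown as an added example that is not CAST's CASTIL or its Dataflow Engine: a forward walk over a small, constructed instruction list in which a user-input source marks its result tainted, taint follows assignments and concatenations, a sanitizer clears it, and a tainted argument reaching a target (sink) method is reported as a flaw with its path. The method names getParameter, escapeSql and executeQuery are assumptions standing in for a JEE SQL Injection case.

```python
from typing import Dict, List

# Hypothetical method names standing in for a JEE SQL Injection case (assumptions).
SOURCES = {"getParameter"}      # reads user input: its result is tainted
SANITIZERS = {"escapeSql"}      # result is considered clean
SINKS = {"executeQuery"}        # target method: a tainted argument is a flaw

# Instruction forms: ("const", dst) | ("assign", dst, src) | ("concat", dst, a, b)
#                    | ("call", dst_or_None, method, [args])
def analyze(program: List[tuple]) -> List[Dict]:
    """Forward walk; taint[var] holds the instruction path that tainted var."""
    taint: Dict[str, List[str]] = {}
    flaws: List[Dict] = []
    for idx, ins in enumerate(program):
        op, dst = ins[0], ins[1]
        if op == "const":
            taint.pop(dst, None)                       # literal: never tainted
        elif op in ("assign", "concat"):
            srcs = [v for v in ins[2:] if v in taint]  # any tainted operand taints dst
            taint.pop(dst, None)
            if srcs:
                taint[dst] = taint[srcs[0]] + [f"{idx}:{op} {dst} <- {','.join(ins[2:])}"]
        elif op == "call":
            method, args = ins[2], ins[3]
            if method in SINKS:
                for arg in (a for a in args if a in taint):
                    flaws.append({"sink": method, "at": idx,
                                  "path": taint[arg] + [f"{idx}:{method}({arg})"]})
            if dst is None:
                continue
            taint.pop(dst, None)
            if method in SOURCES:
                taint[dst] = [f"{idx}:{dst} <- {method}()"]
            elif method not in SANITIZERS:             # unknown method: propagate conservatively
                srcs = [a for a in args if a in taint]
                if srcs:
                    taint[dst] = taint[srcs[0]] + [f"{idx}:{dst} <- {method}(...)"]
    return flaws

# Constructed sample "programs": a request parameter concatenated into a query.
VULNERABLE = [("call", "id", "getParameter", ["req"]), ("const", "prefix"),
              ("concat", "query", "prefix", "id"), ("call", None, "executeQuery", ["query"])]
SANITIZED = [("call", "id", "getParameter", ["req"]), ("call", "safe", "escapeSql", ["id"]),
             ("const", "prefix"), ("concat", "query", "prefix", "safe"),
             ("call", None, "executeQuery", ["query"])]

if __name__ == "__main__":
    for name, prog in (("vulnerable", VULNERABLE), ("sanitized", SANITIZED)):
        print(name, analyze(prog))
```

The reported path is the chain of instructions from the source to the sink, which is the information a flaw explorer needs in order to show where the unsanitized input entered and where it was consumed.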

How does it work?

The bytecode is generated when a snapshot is generated and is then stored in the Large Intermediate Storage Area (LISA). The path to the bytecode storage folder is logged in SecurityAnalyzer.log, which records all Security Dataflow actions. You can open the log file as explained below.

Other related files that may be of interest:

  • BuildAgent.guid - this is generated by the JEE/.NET analyzers (i.e. it is not related to anything generated by the com.castsoftware.securityforjava extension). It contains method GUIDs.
  • BuildAgent.datatransfer - this logs any flaws that have been found, ready for transfer to the CAST Analysis Service. It is generally used by CAST Support for troubleshooting.
  • BuildAgent.flaws - this can be used by the FlawExplorer to browse the Security Dataflow results without using the CAST Engineering Dashboard.

Log location

Open the structural flaws log:

Then download the Security Dataflow log in the left hand panel:

The location of the bytecode storage folder can be found by searching for “converted” - this will be in the ConvertedCastIL folder in the LISA: