Security Code Review with Microsoft's Code Analysis Tool (CAT.NET)

Don Kiely

October 30, 2009


Exploring ASP.NET & Web Development


Microsoft recently released a new build of CAT.NET, the Code Analysis Tool from the Microsoft IT Information Security Tools Team (formerly known as the Connected Information Security Group). This is the same group that works on the AntiXSS Library that I wrote about in "Fighting Cross-Site Scripting with Anti-Cross Site Scripting Library 3.0." CAT.NET is a static analysis tool that performs security reviews on the intermediate language (IL) contained in .NET project binaries. It uses tainted data flow analysis, sometimes called tainted-variable analysis. This type of analysis attempts to identify which sources of untrusted input could affect trusted parts of an application.

CAT.NET couldn't be easier to use. It is implemented as a Visual Studio add-in that installs a CAT.NET Code Analysis item on the Tools menu. Select that item to open the CAT.NET window, and click the green arrow to start analysis. After several moments (depending, of course, on how large the project is), you get the results. The following image shows the results of running the tool on a single-page website that has some fairly extensive code behind it.

CAT.NET identified only two potential problems: a redirection vulnerability and a single cross-site scripting possibility. But because the input value from a query string is used extensively in the code, CAT.NET found 36 locations where it could cause a problem.

In a fresh installation of CAT.NET, you get eight rules that define the problems the tool looks for. The rule definitions are transparent, consisting of easily viewed XML files in a set of folders that categorize the rules. The XML defines sources, sinks, and filters. The tool finds security vulnerabilities by tracing a data-flow path from various sources, such as user input and exceptions, to a destination in the list of sinks. If the data passes through one of the rule's filters on the way, the flow is considered sanitized and the vulnerability is ignored. Each rule lists its sources, sinks, and filters in XML files in the Rules directory where CAT.NET is installed. You can easily add your own rules if you take the time to figure out the proper XML structure.

In my tests, the tool didn't always identify real risks, usually because it wasn't able to get enough code context information to see any mitigations in the code. For example, it flagged my use of a query string variable under the Cross-Site Scripting rule to read data from the database, even though I explicitly and immediately converted the value to an integer before using it. Further, the user is welcome to view any and every record associated with valid integer values. This "problem" repeated throughout the code on one of my pages. Nevertheless, it was good to have that flagged, letting me take a fresh look at the code to reassure myself that it was not a real vulnerability.
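To make the source/sink/filter model concrete, here is a toy taint-propagation analysis in Python, written for this article as an added example; it is not CAT.NET's engine, and its rule dictionary is not CAT.NET's XML rule format. The method names (Request.QueryString, Response.Write, SqlCommand.ExecuteReader, int.Parse, AntiXss.HtmlEncode) are real .NET and AntiXSS members, but which of them count as sources, sinks or filters, the three-address form of the PAGE program, and the helper names analyze, add_filter and report are all this example's assumptions. PAGE mirrors the query-string-to-integer case above; the second run shows what registering int.Parse as a filter, the kind of custom rule the article mentions, does to the findings, and why the redirect that uses the raw value is still reported.

```python
from copy import deepcopy

# Constructed rule set in the spirit of CAT.NET's source/sink/filter rules.
# The method names are real ASP.NET/AntiXSS members, but which of them count
# as a source, sink or filter here is this example's assumption, not the
# contents of CAT.NET's own XML rule files.
RULES = {
    "CrossSiteScripting": {
        "sources": {"Request.QueryString", "Request.Form"},
        "sinks": {"Response.Write"},
        "filters": {"AntiXss.HtmlEncode"},
    },
    "SqlInjection": {
        "sources": {"Request.QueryString", "Request.Form"},
        "sinks": {"SqlCommand.ExecuteReader"},
        "filters": set(),
    },
    "Redirection": {
        "sources": {"Request.QueryString"},
        "sinks": {"Response.Redirect"},
        "filters": set(),
    },
}

# Constructed straight-line "page" in a tiny three-address form standing in for
# the IL that CAT.NET reads: (result variable or None, callee, [argument variables]).
# It mirrors the article's case: a query-string value converted to an int at once.
PAGE = [
    ("id",   "Request.QueryString",      []),        # untrusted input
    ("n",    "int.Parse",                ["id"]),    # immediate integer conversion
    ("rows", "SqlCommand.ExecuteReader", ["n"]),     # look up the record by id
    (None,   "Response.Write",           ["n"]),     # echo the id in two places
    (None,   "Response.Write",           ["n"]),
    ("safe", "AntiXss.HtmlEncode",       ["id"]),    # encoded copy of the raw value
    (None,   "Response.Write",           ["safe"]),  # encoded: not a finding
    (None,   "Response.Redirect",        ["id"]),    # raw value as a redirect target
]


def analyze(program, rules):
    """Run every rule over the program and return (rule, line, path) findings.

    For each rule, a variable is tainted when its value derives from one of the
    rule's sources without passing through one of its filters; reaching one of
    the rule's sinks while tainted is a finding. Each tainted variable carries
    the list of calls the value went through, which is the reported path.
    """
    findings = []
    for name, rule in rules.items():
        taint = {}  # variable -> path of calls from the source to here
        for line, (target, callee, args) in enumerate(program, start=1):
            incoming = next((taint[a] for a in args if a in taint), None)
            if callee in rule["sources"]:
                taint[target] = [callee]
            elif callee in rule["filters"]:
                taint.pop(target, None)              # filtered: clean for this rule
            elif callee in rule["sinks"]:
                if incoming is not None:
                    findings.append((name, line, incoming + [callee]))
                taint.pop(target, None)
            elif incoming is not None:
                taint[target] = incoming + [callee]  # ordinary call propagates taint
            else:
                taint.pop(target, None)
    return findings


def add_filter(rules, rule_name, callee):
    """Return a copy of the rules with `callee` registered as a filter for one
    rule, the equivalent of adding an entry to that rule's XML filter list."""
    tuned = deepcopy(rules)
    tuned[rule_name]["filters"].add(callee)
    return tuned


def report(findings):
    """One human-readable line per sink hit, showing the data-flow path."""
    return [f"{rule}: line {line}: {' -> '.join(path)}" for rule, line, path in findings]


if __name__ == "__main__":
    print("Stock rules:")
    for entry in report(analyze(PAGE, RULES)):
        print("  " + entry)
    # The article's mitigation: an integer cannot carry a script or SQL payload,
    # so register int.Parse as a filter for those two rules only.
    tuned = add_filter(RULES, "CrossSiteScripting", "int.Parse")
    tuned = add_filter(tuned, "SqlInjection", "int.Parse")
    print("With int.Parse registered as a filter:")
    for entry in report(analyze(PAGE, tuned)):
        print("  " + entry)
```

With the stock rules the analysis reports four sink hits from a single source, which is the same effect the article saw when one query-string value was flagged at dozens of locations. Once int.Parse is registered as a filter, the two Response.Write hits and the ExecuteReader hit disappear, while the Response.Redirect finding stays, because that call consumes the raw value, not the converted one; a filter only neutralizes the flow that actually goes through it, and only for the rules that list it.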

CAT.NET doesn't have the prettiest interface, nor is it a particularly fast tool. It is implemented as a dockable window in Visual Studio, but it's a wide, three-paned window that doesn't really work well as anything but a floating window. And text wrapping is ugly. Performance isn't a big issue because you're not likely to use the tool on every build, just at benchmarks during development. But these are minor quibbles; not everything in life needs to be pretty or fast!

It's definitely worthwhile to check out CAT.NET and see what it finds in your code. The results won't be pretty, but if it helps you find just one vulnerability in your code, it's time well spent.

Resources:

You can download the new build of CAT.NET at these URLs:

32-bit version of CAT.NET

64-bit version of CAT.NET

The best place for information about CAT.NET is Microsoft's Connected Information Security Group's blog. They recently changed URLs, but most of the interesting CAT.NET background posts are at the old address, so check out both:

Old: http://blogs.msdn.com/cisg

New: http://blogs.msdn.com/securitytools

Don Kiely ([email protected]), MVP, MCSD, is a senior technology consultant, building custom applications and providing business and technology consulting services. His development work involves tools such as SQL Server, Visual Basic, C#, ASP.NET, and Microsoft Office.
