Inspecting source code for security vulnerabilities is an important part in any secure development process. While this can be done manually, it’s much easier to start with a static analysis tool that can scan code for known vulnerabilities. Statistics out there claim anywhere from 30-50% of coding vulnerabilities can be found with a code scanner. For .NET code, Microsoft implemented a tool called “Code Analysis Tool for .NET,” or CAT.NET. This is a free tool that leverages the FXcop static analysis framework with a set of rules designed to detect common security vulnerabilities such as Cross-Site Scripting (XSS) and SQL Injection, to name just a few. Unfortunately, Microsoft seems to have temporarily (or permanently) abandoned CAT.NET. There haven’t been any updates since version 220.127.116.11 of the tool in 2009. There was some speak of a CAT.NET v2.0 tool, but it never progressed beyond beta testing and there doesn’t appear to be a way to download it any more.
CAT.NET documentation claims to include rules for Cross-Site Scripting, SQL Injection, Process Command Injection, File Canonicalization, Exception Information, LDAP Injection, XPATH Injection, and Redirection to User Controlled Site. They also include rules for insecure exception handling where un-filtered information is displayed directly to users.
I recently had the opportunity to use CAT.NET on one of the C#/.NET web applications that we were building on my project. CAT.NET consists of a 32-bit tool that is fully integrated into Visual Studio 2008 and a another 64-bit version that can be invoked from the command line. With a few tricks, you can also make it work in Visual Studio 2010, although Microsoft does not officially support it. The 32-bit IDE version worked nicely, but tended to run out of memory and crash Visual Studio for anything larger than a small body of code. The 64-bit version works on much larger C# programs but must be run from the command line without the click-to-run interface in Visual Studio. It does, however, allow you to load the results files back into Visual Studio so you can click through your code and examine the results.
This article shows you how to:
- Download and install CAT.NET so it runs in Visual Studio 2010
- Analyze a small project within the IDE
- Scan a larger project from the command line
- Load a set of results into Visual Studio to review them
On to the good stuff…
Downloading and Installing CAT.NET with Visual Studio 2010
As I mentioned, CAT.NET was built for Visual Studio 2008, but you can make it work with Visual Studio 2010 without a lot of grief.
- Download CAT.NET from here: http://www.microsoft.com/en-us/download/details.aspx?id=19968, then run the MSI installer.
- Follow the instructions on this page to make it work with Visual Studio 2010:http://maratto.blogspot.com/2011/11/net-code-analysis.html
- Edit the file here:%APPDATA%\Microsoft\MSEnvShared\Addins\Microsoft.ACESec.CATNet.AddIn
- Add the line <Version>10.0</Version> right below <Version>9.0</Version>
Save the file and start Visual Studio. You should have a CAT.NET entry in the Tools menu.
Running CAT.NET from Visual Studio
After CAT.NET is installed, it’s easy to run it on one of your applications. I suggest starting with a very small project, such as a utility library that doesn’t have many dependencies.
- Open a C# application or library project in Visual Studio
- Go to Tools > CAT.NET to bring up the user interface for CAT.NET
- Use the Target Assemblies button to choose which parts of your project to analyze. (Remember, start small.)
- Hit the “>” analyze button
When you run it, the CAT.NET tool will read your assemblies and their dependencies, the run the analysis on all of them to produce results. The results appear in the middle panels of the Visual Studio interface. However, if it works the same way it did for me, it will run out of memory while processing the dependencies and crash Visual Studio. This actually happens during the dependency processing stage and violently dies with an exception. If you run the same job from the command line, you see that the error is either “Out of Memory” or “Stack Overflow,” leading us to believe that the 32-bit tool doesn’t have the capacity to handle the program. You can observe this by watching the memory foot print of Visual Studio as it grows well beyond the 1 GB mark. See below for more information about running the tool from the command line and using the 64-bit tool to work around this capacity problem.
Reviewing CAT.NET Results
Once CAT.NET completes, you can step through the results to examine the potential vulnerabilities in your code. I say “potential” vulnerabilities because code scanning tools are notorious for producing false positives. That is, they produce findings that look like vulnerabilities, but might not actually be exploitable due to the context of your application. For this reason, it’s important to actually review the results and determine what the real impact is. A detailed discussion of what consitutes a false positives will have to be a subject for another day. Suffice to say: you don’t have to take what the tool tells you at face values. But, I digress…
You can view your results in the two middle panels of the “CAT.NET Code Analysis” area. The left side shows the individual findings, e.g. “Cross-Site Scripting” along with the primary source files for the data flow start and end. This is relevant because CAT.NET uses data flow taint analysis to track an insecure input source (the “start”) to an output or sink location (the “end”). The right hand panel shows individual trace points of the data flow analysis as the input traverse towards the output. You can click through the individual points to see each of the locations in your source code.
Running CAT.NET 64-bit from the Command Line
If you run into problems running CAT.NET inside Visual Studio (as noted above), the first thing to try is to run it from the command line. There are both 32-bit and 64-bit versions of the command line tool that can be run by hand or incorporated into scripts. The command line version will help you (a) get a better indication of why it crashed, and (b) run the 64-bit version to get past the memory limitation problems.
- Download CAT.NET 64-bit (http://www.microsoft.com/en-us/download/details.aspx?id=5570)
- Unpack the file into C:\Program Files\Microsoft\CAT.NET to match the 32-bit directory or an equivalent directory that you can add to your command line path.
- Start CMD.EXE or Visual Studio Command Prompt
- Change directories to your project directory, e.g., C:\Projects\MyApplication.
- Add CAT.NET to your path:
set PATH=%PATH%;”C:\Program Files\Microsoft\CAT.NET”
- Make sure your project is compiled and locate the output assembly (e.g., C:\Projects\MyApplication\bin\Debug\MyApplication.DLL)
- Run CAT.NET on your assemblies:
CatNetCmd64.exe /file:bin\Debug\MyApplication.DLL /verbose:Debug
If all goes well, CAT.NET will fire up and process your project assembly to produce a pair of results files called MicrosoftACECodeAnalysisReport.xml and report.html. (The names can be controlled with options.) Once this completes, you can open the XML file inside CAT.NET user interface in Visual Studio with the “Open Existing Report” button (file folder icon). Use the instructions above for reviewing your results files. Alternately, you can view the HTML version of the results in a web browser without the interactive code linking.
The command line version of CAT.NET will only produce results for the specific assembly that you specify with the “/file” option. If you want to run it on all the dependencies, you can use the “/depends” command line option to list the dependencies, then run CAT.NET individual on each of those assemblies. Note that the “/depends” option doesn’t actually run any of the code scanning analysis.
CAT.NET is a simple, free, no frills code scanner that can get you started with inspecting your application for security vulnerabilities. It has a nice GUI for running the small (32-bit) version inside Visual Studio (including Visual Studio 2010). It also has a more powerful 64-bit version that can analyze your larger projects while still allowing you to use the IDE to review your results.
Advanced topics for CAT.NET could include scripting it into your normal build process and incorporating it into continuous build and analysis cycles.
3 thoughts to “Using CAT.NET security scanner on your .NET web application”
Pingback: Integrating CAT.NET into Hudson for Continuous Security Analysis » Coveros
NEED A TOOL FOR DATA FLOW
Unfortunately the CAT.NET tool is dead and I haven’t looked at it in years. You may have discovered this already, but searching Google points to a few Stack Overflow posts and lead to Roslyn, Microsoft’s new compiler framework which can be used to analyze code. This page talks a little bit about it’s data flow analysis capabilities: https://joshvarty.com/2015/02/05/learn-roslyn-now-part-8-data-flow-analysis/