Analyzing Hybrid Analysis Mapping (HAM) – Part 2

As part 2 of the Analyzing HAM series, this week I’ll try to summarize the main strategy behind HAM. Or, as one ThreadFix developer once referred to the HAM system, the Matrix.


Wake up, HAM data.

The implementation details can get rather complicated at times, but the strategy behind HAM is actually fairly simple. If it wasn’t simple, HAM probably wouldn’t work!

HAM and the Attack Surface

The central concept in HAM is the “endpoint.” This word has meanings in other settings, so I’ll define it here for the purposes of this discussion.
Simply put, each endpoint is a single point on an application’s attack surface. Endpoints are composed of:

  1. URL (path)
  2. Parameter
  3. File name
  4. Line number range (start and end lines)
  5. The HTTP verb (GET, POST)

Changing any of these data points would mean the set represents a different endpoint. In this way, they are similar to coordinates in a grid (or… a Matrix.) The HAM system attempts to construct the whole grid: a complete list of endpoints for the application. This list represents the application’s attack surface. So what can we do with that information?

Completing Vulnerability Information

Endpoints can be uniquely identified by fewer than 5 information points (for sane frameworks, anyway.)

We like this because both static and dynamic vulnerabilities have enough information to find unique endpoints. Dynamic vulnerabilities have the url, parameter, and HTTP verb, which is enough. Static vulnerabilities have the file name and line number, which is enough.

If we can find an endpoint for a vulnerability, we have both the static and dynamic information. This allows us to use the better dynamic-dynamic or static-static algorithms for merging, rather than attempting a merge between raw static and dynamic information.

Good Enough?

The stated problems with static-dynamic merging from last week were:

  • ThreadFix can’t match file names to corresponding URLs if the two differ greatly, as in MVC frameworks.
  • Static scanners usually don’t include information about HTTP parameters, but we need them to differentiate between static results.

We can address both points by looking up an endpoint for each vulnerability and copying any missing information into the vulnerability’s data structure. Hybrid Analysis Mapping: achieved.


About Dan Cornell

A globally recognized application security expert and the creator of ThreadFix, Dan Cornell holds 20 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd, the parent company of ThreadFix, he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process.