Michael Martin, Ben Livshits, Monica S. Lam Stanford University First presented at OOPSLA 2005.

Slides:

Advertisements

Similar presentations

Locating Matching Method Calls by Mining Revision History Data Benjamin Livshits Stanford University and Thomas Zimmermann Saarland University.

Advertisements

Runtime Prevention & Recovery Protect existing applications Advantages: Prevents vulnerabilities from doing harm Safe mode for Web application execution.

Data-Flow Analysis Framework Domain – What kind of solution is the analysis looking for? Ex. Variables have not yet been defined – Algorithm assigns a.

Finding Application Errors and Security Flaws Using PQL: a Program Query Language MICHAEL MARTIN, BENJAMIN LIVSHITS, MONICA S. LAM PRESENTED BY SATHISHKUMAR.

Type-based Taint Analysis for Java Web Applications Wei Huang, Yao Dong and Ana Milanova Rensselaer Polytechnic Institute 1.

GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.

Moving Target Defense in Cyber Security

Yip, X. Wang, N. Zeldovich, M. F. Kaashoek MIT CSAIL Reading Group by Theo 06 Oct 2009.

Various languages….  Could affect performance  Could affect reliability  Could affect language choice.

Bouncer securing software by blocking bad input Miguel Castro Manuel Costa, Lidong Zhou, Lintao Zhang, and Marcus Peinado Microsoft Research.

Concolic Modularity Testing Derrick Coetzee University of California, Berkeley CS 265 Final Project Presentation.

Finding Security Errors in Java Applications Using Lightweight Static Analysis Benjamin Livshits Computer Science Lab Stanford University.

RUGRAT: Runtime Test Case Generation using Dynamic Compilers Ben Breech NASA Goddard Space Flight Center Lori Pollock John Cavazos University of Delaware.

Securing Web Applications Static and Dynamic Information Flow Tracking Jason Ganzhorn 4/12/2010.

1 Frameworks. 2 Framework Set of cooperating classes/interfaces –Structure essential mechanisms of a problem domain –Programmer can extend framework classes,

Finding Application Errors and Security Flaws Using PQL: A Program Query Language Michael Martin, Benjamin Livshits, Monica S. Lam Stanford University.

ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.

Chapter 10 Storage Management Implementation details beyond programmer’s control Storage/CPU time trade-off Binding times to storage.

8 Chapter Eight Server-side Scripts. 8 Chapter Objectives Create dynamic Web pages that retrieve and display database data using Active Server Pages Process.

Testing Tools. Categories of testing tools Black box testing, or functional testing Testing performed via GUI. The tool helps in emulating end-user actions.

Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.

15-740/ Oct. 17, 2012 Stefan Muller.  Problem: Software is buggy!  More specific problem: Want to make sure software doesn’t have bad property.

Types for Programs and Proofs Lecture 1. What are types? int, float, char, …, arrays types of procedures, functions, references, records, objects,...

Computer Security and Penetration Testing

Chapter 1 What is Programming? Lecture Slides to Accompany An Introduction to Computer Science Using Java (2nd Edition) by S.N. Kamin, D. Mickunas, E.

9 Chapter Nine Compiled Web Server Programs. 9 Chapter Objectives Learn about Common Gateway Interface (CGI) Create CGI programs that generate dynamic.

OSI and TCP/IP Models And Some Vulnerabilities AfNOG th May 2011 – 10 th June 2011 Tanzania By Marcus K. G. Adomey.

Chapter 7 Advanced SQL Database Systems: Design, Implementation, and Management, Sixth Edition, Rob and Coronel.

Learning, Monitoring, and Repair in Application Communities Martin Rinard Computer Science and Artificial Intelligence Laboratory Massachusetts Institute.

Attacking Applications: SQL Injection & Buffer Overflows.

CSC-682 Cryptography & Computer Security Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Pompi Rotaru Based on an article.

Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer.

Querying Business Processes Under Models of Uncertainty Daniel Deutch, Tova Milo Tel-Aviv University ERP HR System eComm CRM Logistics Customer Bank Supplier.

About the Presentations The presentations cover the objectives found in the opening of each chapter. All chapter objectives are listed in the beginning.

OWASP Top Ten #1 Unvalidated Input. Agenda What is the OWASP Top 10? Where can I find it? What is Unvalidated Input? What environments are effected? How.

Basic Semantics Associating meaning with language entities.

Analysis of SQL injection prevention using a filtering proxy server By: David Rowe Supervisor: Barry Irwin.

CSCE 548 Secure Software Development Taxonomy of Coding Errors.

Security Attacks CS 795. Buffer Overflow Problem Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program.

8 1 Chapter 8 Advanced SQL Database Systems: Design, Implementation, and Management, Seventh Edition, Rob and Coronel.

Database Systems Design, Implementation, and Management Coronel | Morris 11e ©2015 Cengage Learning. All Rights Reserved. May not be scanned, copied or.

Finding Security Vulnerabilities in Java Applications with Static Analysis Reviewed by Roy Ford.

1 EECS 6083 Compiler Theory Based on slides from text web site: Copyright 2003, Keith D. Cooper, Ken Kennedy & Linda Torczon, all rights reserved.

CSCI Rational Purify 1 Rational Purify Overview Michel Izygon - Jim Helm.

Protecting Browsers from Extension Vulnerabilities Paper by: Adam Barth, Adrienne Porter Felt, Prateek Saxena at University of California, Berkeley and.

8 Chapter Eight Server-side Scripts. 8 Chapter Objectives Create dynamic Web pages that retrieve and display database data using Active Server Pages Process.

Using Dynamic Compilers for Software Testing Ben Breech Lori Pollock John Cavazos.

Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.

Pointer and Escape Analysis for Multithreaded Programs Alexandru Salcianu Martin Rinard Laboratory for Computer Science Massachusetts Institute of Technology.

Security Attacks Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.

Application Communities Phase 2 (AC2) Project Overview Nov. 20, 2008 Greg Sullivan BAE Systems Advanced Information Technologies (AIT)

CS 440 Database Management Systems Stored procedures & OR mapping 1.

Java Programming Fifth Edition Chapter 1 Creating Your First Java Classes.

Memory Protection through Dynamic Access Control Kun Zhang, Tao Zhang and Santosh Pande College of Computing Georgia Institute of Technology.

Constraint Framework, page 1 Collaborative learning for security and repair in application communities MIT site visit April 10, 2007 Constraints approach.

Sung-Dong Kim, Dept. of Computer Engineering, Hansung University Java - Introduction.

Content Coverity Static Analysis Use cases of Coverity Examples

Object Lifetime and Pointers

Web Application Vulnerabilities, Detection Mechanisms, and Defenses

World Wide Web policy.

Secure Software Development: Theory and Practice

Security mechanisms and vulnerabilities in .NET

High Coverage Detection of Input-Related Security Faults

All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, Thanassis.

Securing Web Applications with Information Flow Tracking

Introduction to Static Analyzer

Chapter 8 Advanced SQL.

CS5123 Software Validation and Quality Assurance

Understanding and Preventing Buffer Overflow Attacks in Unix

Presentation transcript:

Michael Martin, Ben Livshits, Monica S. Lam Stanford University First presented at OOPSLA 2005

 Lots of bug-finding research  Null dereferences, memory errors  Buffer overruns  Data races  Many – if not most – bugs are application-specific  Misuse of libraries  Violations of application logic

 Programmer  Knows target program, its properties and invariants  Doesn’t know analysis  Program Analysis Specialists  Knows analysis  Doesn’t know specific bugs to look for  Goal: give the programmer a usable analysis for  bug finding  debugging, and  program understanding tasks

 Queries operate on program traces  Sequence of events representing a run  Refers to object instances, not variables  Matched events may be widely spaced  Patterns resemble actual Java code  Like a small matching code snippet  No references to compiler internals

 Motivation for PQL  PQL language by example  Dynamic PQL query matcher  Static PQL query matcher  Experimental results

HttpServletRequest req = /*... */; java.sql.Connection conn = /*... */; String query = req.getParameter(“QUERY”); conn.execute(query); 1 CALLo 1.getParameter(o 2 ) 2 RETo 2 3 CALLo 3.execute(o 2 ) 4 RETo 4  Unvalidated user input passed to a database  If SQL in embedded in the input, attacker can take over database  One of the top Web application security flaws

private String read() { HttpServletRequest req = /*... */; return req.getParameter(“QUERY”); } java.sql.Connection conn = /*... */; conn.execute(read()); 1 CALLread() 2 CALL o 1.getParameter(o 2 ) 3 RETo 3 4 RETo 3 5 CALLo 4.execute(o 3 ) 6 RETo 5

1. CALLo 1.getParameter(o 2 ) 2. RETo 3 3. CALLo 4.execute(o 3 ) 4. RETo 5 1. CALLread() 2. CALLo 1.getParameter(o 2 ) 3. RETo 3 4. RETo 3 5. CALLo 4.execute(o 3 ) 6. RETo 5 The object returned by getParameter is then argument 1 to execute The object returned by getParameter is then argument 1 to execute

query main() uses String param; matches { param = HttpServletRequest.getParameter(_); Connection.execute(param); } query main() uses String param; matches { param = HttpServletRequest.getParameter(_); Connection.execute(param); }  Query variables correspond to heap objects  Instructions need not be adjacent in a trace

query main() uses String x; matches { param = HttpServletRequest.getParameter(_) | param = HttpServletRequest.getHeader(_); Connection.execute(param); } query main() uses String x; matches { param = HttpServletRequest.getParameter(_) | param = HttpServletRequest.getHeader(_); Connection.execute(param); }

HttpServletRequest req = /*... */; String name = getParameter(“NAME”); String password = getParameter(“PASSWORD”); conn.execute( “SELECT * FROM logins WHERE name=” + name + “ AND passwd=” + password ); HttpServletRequest req = /*... */; String name = getParameter(“NAME”); String password = getParameter(“PASSWORD”); conn.execute( “SELECT * FROM logins WHERE name=” + name + “ AND passwd=” + password ); String concatenation translated into operations on String and StringBuffer objects

1 CALLo 1.getParameter(o 2 ) 2 RETo 3 3 CALLo 1.getParameter(o 4 ) 4 RETo 5 5 CALL StringBuffer. (o 6 ) 6 RETo 7 7 CALLo 7.append(o 8 ) 8 RETo 7 9 CALLo 7.append(o 3 ) 10 RETo 7 11 CALLo 7.append(o 9 ) 12 RETo 7 13 CALLo 7.append(o 5 ) 14 RETo 7 15 CALLo 7.toString() 16 RETo CALLo 11.execute(o 10 ) 18 RETo 12 Old Pattern Doesn’t Work

 Sources, sinks, derived objects  Generalizes to many information-flow security problems:  cross-site scripting,  path traversal,  HTTP response splitting,  format string attacks... o1o1 o1o1 o2o2 o2o2 o3o3 o3o3 sourcesink o4o4 o4o4

query derived (Object x) uses Object temp; returns Object d; matches { { temp.append(x); d := derived(temp); } | { temp = x.toString(); d := derived(temp); } | { d := x; } }

query main() uses String x, final; matches { param = HttpServletRequest.getParameter(_) | param = HttpServletRequest.getHeader(_); final := derived(param); Connection.execute(final); }

 Sanitizes user-derived input  Dangerous data cannot reach the database query main() uses String param, final; matches { param = HttpServletRequest.getParameter(_) | param = HttpServletRequest.getHeader(_); final := derived(param); } replaces Connection.execute(final) with SQLUtil.safeExecute(param, final); query main() uses String param, final; matches { param = HttpServletRequest.getParameter(_) | param = HttpServletRequest.getHeader(_); final := derived(param); } replaces Connection.execute(final) with SQLUtil.safeExecute(param, final);

 Partial order  { o.a(), o.b(), o.c(); }  Match calls to a, b, and c on o in any order  Forbidden Events  Example: double-lock l.lock(); ~l.unlock(); l.lock();

 Ingredients:  Events, sequencing, alternation, subqueries  Recursion, partial order, forbidden events  Concatenation + alternation = Loop-free regex  + Subqueries = CFG  + Partial Order = CFG + Intersection  Quantified over heap  Each subquery independent  Existentially quantified

 Motivation for PQL  PQL language by example  Dynamic PQL query matcher  Static PQL query matcher  Experimental results

Question Program Instrumented Program

 Dynamic analysis: finds matches at runtime  After a match: ▪ Can execute user code ▪ Can fix code by replacing instructions  Static analysis: finds all possible matches  Conservative: can prove lack of match  Results can optimize dynamic analysis

 Subqueries: state machine  Call to a subquery: new instance of machine  States carry bindings with them  Query variables: heap objects  Bindings are acquired when variables are referenced for the 1st time in a match

query main() uses Object param, final; matches { param = getParameter(_) | param = getHeader(); f := derived (param); execute (f); } query derived(Object x) uses Object t; returns Object y; matches { { y := x; } |{ t = x.toString(); y := derived(t); } | { t.append(x); y := derived(t); } } query main() uses Object param, final; matches { param = getParameter(_) | param = getHeader(); f := derived (param); execute (f); } query derived(Object x) uses Object t; returns Object y; matches { { y := x; } |{ t = x.toString(); y := derived(t); } | { t.append(x); y := derived(t); } }

   * ** param = getParameter(_) param = getHeader(_) f := derived(param) execute(f)

      t=x.toString() t.append(x) y := x y := derived(t) * *

   * * * x = getParameter(_)x = getHeader(_) f := derived(x) execute(f) { } { x=o 1 } { x=o 1 } 1 o 1 = getHeader(o 2 ) {x=o 1,f=o 1 } o 3.append(o 1 ) o 3.append(o 4 ) o 5 = execute(o 3 ) {x=o 1,f=o 3 }, {x=o 1,f=o 3 }

 Motivation for PQL  PQL language by example  Dynamic PQL query matcher  Static PQL query matcher  Experimental results

 “Can this program match this query?”  Use pointer analysis to give a conservative approximation  No matches found = None possible  PQL query automatically translated into a query on pointer analysis results  Pointer analysis is sound and context-sensitive ▪ contexts in a good-sized application ▪ Exponential space represented with BDDs ▪ Analyses given in Datalog  See Whaley/Lam, PLDI 2004 (bddbddb) for details

 Sets of objects and events that could represent a match  Program points that could participate in a match  Static results conservative  So, point not in result  point never in any match  So, no need to instrument  Usually more than 90% overhead reduction OR

 Motivation for PQL  PQL language by example  Dynamic PQL query matcher  Static PQL query matcher  Experimental results

Security vulnerabilities (SQL injection, cross-site scripting attacks) Security vulnerabilities (SQL injection, cross-site scripting attacks) Bad session stores (a common J2EE bug) Bad session stores (a common J2EE bug) Memory leaks (lapsed listeners, variation of the observer pattern) Memory leaks (lapsed listeners, variation of the observer pattern) Mismatched API calls (method call pairs) Web AppsEclipse

 Very common bug in Web applications  Server tries to persist non-persistent objects  Only manifests under heavy load  Hard to find with testing  One-line query in PQL HttpSession.setAttribute(_,!Serializable(_));  Solvable purely statically  Dynamic confirmation possible

 Part of a system called SecuriFly [MLL’06]  Static greatly optimizes overhead  92%-99.8% reduction of points  2-3x speedup  4 injections, 2 exploitable  Blocked both exploits

 A popular IDE for Java  Very large (tens of MB of bytecode)  Too large for our static analysis  Purely interactive  Unoptimized dynamic overhead acceptable

 Paired method calls  register/deregister  createWidget/destroyWidget  install/uninstall  startup/shutdown  How do we find more patterns like this?  Read our FSE’05 paper [LZ’05]

 Frequent anti-pattern leading to memory leaks  Hold on to a large object, fail to call removeListener  Can force a call to removeListener if we keep track of added listeners Listener l = new MyListener(…){…}; widget.addListener(l); {…} widget.removeListener(l); Listener l = new MyListener(…){…}; widget.addListener(l); {…} widget.removeListener(l);

 All paired methods queries were run simultaneously  56 mismatches detected  Lapsed listener query was run alone  136 lapsed listeners detected  Can be automatically fixed

 Automatically repaired & prevented bugs at runtime  Overhead in the 9-125% range  Static optimization removes 82-99% of instrumentation points

 PQL system is open source  Hosted on SourceForge  Standalone dynamic implementation  Point-and-shoot static system

 PQL: a Program Query Language  Match histories of sets of objects on a program trace  Targeting application developers  Found many bugs  206 application bugs and security flaws  6 large real-life applications  PQL gives a bridge to powerful analyses  Dynamic matcher ▪ Point-and-shoot even for unknown applications ▪ Automatically repairs program on the fly  Static matcher ▪ Proves absence of bugs ▪ Can reduce runtime overhead to production- acceptable

 Domains for bug recovery  SecuriFly (sanitize when necessary)  Failure-oblivious computing  Distributed monitors  Consider gmail  Can we monitor properties of such a client/server application?  Dynamic monitors  Long-running applications  Add and remove monitoring rules as time