Runtime Prevention & Recovery Protect existing applications Advantages: Prevents vulnerabilities from doing harm Safe mode for Web application execution.

Slides:

Advertisements

Similar presentations

Finding Security Vulnerabilities in Java Applications with Static Analysis Benjamin Livshits and Monica S. Lam Stanford University.

Advertisements

Finding Input Validation Errors in Java with Static Analysis Benjamin Livshits and Monica S. Lam Stanford University.

4 Copyright © 2005, Oracle. All rights reserved. Creating the Web Tier: Servlets.

Vulnerability Analysis of Web-Based Applications

Benjamin Livshits SUIF Compiler Group Computer Science Lab

Infosec 2012 | 25/4/12 Application Performance Monitoring Ofer MAOR CTO Infosec 2012.

Pointer Analysis – Part I Mayur Naik Intel Research, Berkeley CS294 Lecture March 17, 2009.

Finding Application Errors and Security Flaws Using PQL: a Program Query Language MICHAEL MARTIN, BENJAMIN LIVSHITS, MONICA S. LAM PRESENTED BY SATHISHKUMAR.

Type-based Taint Analysis for Java Web Applications Wei Huang, Yao Dong and Ana Milanova Rensselaer Polytechnic Institute 1.

Designed-in Security Some Major Challenges Security Group Department of Computer Science University of California, Santa Barbara Trustworthy.

GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.

Bouncer securing software by blocking bad input Miguel Castro Manuel Costa, Lidong Zhou, Lintao Zhang, and Marcus Peinado Microsoft Research.

Presented by Vaibhav Rastogi.  Advent of Web 2.0 and Mashups  Inclusion of untrusted third party content a necessity  Need to restrict the functionality.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.

Finding Security Errors in Java Applications Using Lightweight Static Analysis Benjamin Livshits Computer Science Lab Stanford University.

Michael Martin, Ben Livshits, Monica S. Lam Stanford University First presented at OOPSLA 2005.

Securing Web Applications Static and Dynamic Information Flow Tracking Jason Ganzhorn 4/12/2010.

Program Analysis for Web Application Security Presented by Justin Samuel For UW CSE 504, Spring ‘10 Instructor: Ben Livshits.

Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Gary Wassermann Zhendong Su.

Gatekeeper : Mostly Static Enforcement of Security & Reliability Policies for JavaScript Code Ben Livshits Salvatore Guarnieri.

Finding Application Errors and Security Flaws Using PQL: A Program Query Language Michael Martin, Benjamin Livshits, Monica S. Lam Stanford University.

ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.

Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell University Ben Livshits and Ben Zorn, Microsoft Research (Redmond,

Automatically Extracting and Verifying Design Patterns in Java Code James Norris Ruchika Agrawal Computer Science Department Stanford University {jcn,

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.

Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software Authors: James Newsome, James Newsome, David Brumley, David.

Approaches to Application Security – DSM

A Framework for Automated Web Application Security Evaluation

Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.

Automatically Hardening Web Applications Using Precise Tainting Anh Nguyen-Tuong Salvatore Guarnieri Doug Greene Jeff Shirley David Evans University of.

Preventing SQL Injection Attacks in Stored Procedures Alex Hertz Chris Daiello CAP6135Dr. Cliff Zou University of Central Florida March 19, 2009.

AMNESIA: Analysis and Monitoring for NEutralizing SQL- Injection Attacks Published by Wiliam Halfond and Alessandro Orso Presented by El Shibani Omar CS691.

Computer Security and Penetration Testing

CSC-682 Cryptography & Computer Security Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Pompi Rotaru Based on an article.

Analysis of SQL injection prevention using a proxy server By: David Rowe Supervisor: Barry Irwin.

Buffer Overflow Detection Stuart Pickard CSCI 297 June 14, 2005.

Host and Application Security Lesson 20: How the Web Does not Work.

Analysis of SQL injection prevention using a filtering proxy server By: David Rowe Supervisor: Barry Irwin.

Advanced Computer Architecture Lab University of Michigan USENIX Security ’03 Slide 1 High Coverage Detection of Input-Related Security Faults Eric Larson.

October 3, 2008IMI Security Symposium Application Security through a Hacker’s Eyes James Walden Northern Kentucky University

By Sean Rose and Erik Hazzard.  SQL Injection is a technique that exploits security weaknesses of the database layer of an application in order to gain.

Finding Security Vulnerabilities in Java Applications with Static Analysis Reviewed by Roy Ford.

Web Application Vulnerabilities ECE 4112 Internetwork Security, Spring 2005 Chris Kelly Chris Lewis April 28, 2005 ECE 4112 Internetwork Security, Spring.

Highly Scalable Distributed Dataflow Analysis Joseph L. Greathouse Advanced Computer Architecture Laboratory University of Michigan Chelsea LeBlancTodd.

Web Security Lesson Summary ●Overview of Web and security vulnerabilities ●Cross Site Scripting ●Cross Site Request Forgery ●SQL Injection.

Introduction Program File Authorization Security Theorem Active Code Authorization Authorization Logic Implementation considerations Conclusion.

A Generalized Architecture for Bookmark and Replay Techniques Thesis Proposal By Napassaporn Likhitsajjakul.

Sampling Dynamic Dataflow Analyses Joseph L. Greathouse Advanced Computer Architecture Laboratory University of Michigan University of British Columbia.

Group 9. Exploiting Software The exploitation of software is one of the main ways that a users computer can be broken into. It involves exploiting the.

Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications Davide Balzarotti, Marco Cova, Vika Felmetsger, Nenad Jovanovic,

Introduction SQL Injection is a very old security attack. It first came into existence in the early 1990's ex: ”Hackers” movie hero does SQL Injection.

Content Coverity Static Analysis Use cases of Coverity Examples

Group 18: Chris Hood Brett Poche

Runtime Verification of Business Processes

Web Application Vulnerabilities, Detection Mechanisms, and Defenses

World Wide Web policy.

Secure Software Development: Theory and Practice

Security mechanisms and vulnerabilities in .NET

PHP / MySQL Introduction

High Coverage Detection of Input-Related Security Faults

Improving Software Security with Precise Static and Runtime Analysis

All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, Thanassis.

Securing Web Applications with Information Flow Tracking

Introduction to Static Analyzer

CS5123 Software Validation and Quality Assurance

Automatically Hardening Web Applications Using Precise Tainting

Presentation transcript:

Runtime Prevention & Recovery Protect existing applications Advantages: Prevents vulnerabilities from doing harm Safe mode for Web application execution Can quarantine suspicious actions, application continues to run No false positives Described in Finding Application Errors and Security Flaws Using PQL: a Program Query Language, Michael Martin, Benjamin Livshits, and Monica S. Lam, Presented at the 20th Annual ACM Conference on Object- Oriented Programming, Systems, Languages, and Applications, San Diego, California, October Runtime analysis works by instrumenting an existing application to look for matches of a specified pattern. A recovery policy can be specified also Some issues to address: Overhead can be high (usually 35-55%) Have a static optimization technique that brings the overhead down to several percent Result summary: Detected and prevented exploits in all our experiments Unoptimized overhead: 57% average Optimized overhead: 14% average Static privation removes 82-99% of instr. points Static Error Detection Analyze applications as they are being developed Advantages: Finds vulnerabilities early in development cycle Sounds, so finds all vuln. of a particular type Can run after every build ensuring continuous security Described in Finding Security Vulnerabilities in Java Applications with Static Analysis, Benjamin Livshits and Monica S. Lam, In Proceedings of the Usenix Security Symposium, Baltimore, Maryland, August Static analysis is based on a state-of-the-art fully context- sensitive pointer analysis with extensions Many practical issues needed to be addressed: Handle containers without a loss of precision Construct the application call graph in the presence of reflective constructs of Java (see Reflection Analysis for Java, Livshits, Whaley, and Lam, Nov. 2005) Result summary: Analyzed 9 large open-source Web applications in Java Thousands of users combined 29 vulnerabilities found, most confirmed and fixed Web Application Vulnerabilities on the Rise Compared to several years ago vulnerabilities like SQL injections and cross-site scripting attacks dominate the charts Griffin Application Security Project We propose a hybrid static/runtime solution to Web application vulnerabilities. Our focus is on Java J2EE applications Goes after the most prominent vulnerability types: SQL injections Cross-site scripting Path traversal HTTP splitting etc. An extensible definition language PQL is used for specifying vulnerabilities Static and Runtime Solutions for Web Application Vulnerabilities Benjamin Livshits, Stanford University April 27, 2006 A study of 500 vulnerability reports in Nov.Dec Remove instrumentation points Static analysis Dynamic analysis Warnings Instrumented application Instrumented application query simpleSQLInjection returns object String param, derived; uses object HttpServletRequest req; object Connection con; object StringBuffer temp; matches { param = req.getParameter(_); temp.append(param); derived = temp.toString(); con.executeQuery(derived); } query simpleSQLInjection returns object String param, derived; uses object HttpServletRequest req; object Connection con; object StringBuffer temp; matches { param = req.getParameter(_); temp.append(param); derived = temp.toString(); con.executeQuery(derived); }