Presentation is loading. Please wait.

Presentation is loading. Please wait.

Michael Martin, Ben Livshits, Monica S. Lam Stanford University First presented at OOPSLA 2005.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Michael Martin, Ben Livshits, Monica S. Lam Stanford University First presented at OOPSLA 2005."— Presentation transcript:

1 Michael Martin, Ben Livshits, Monica S. Lam Stanford University First presented at OOPSLA 2005

2  Lots of bug-finding research  Null dereferences, memory errors  Buffer overruns  Data races  Many – if not most – bugs are application-specific  Misuse of libraries  Violations of application logic

3  Programmer  Knows target program, its properties and invariants  Doesn’t know analysis  Program Analysis Specialists  Knows analysis  Doesn’t know specific bugs to look for  Goal: give the programmer a usable analysis for  bug finding  debugging, and  program understanding tasks

4  Queries operate on program traces  Sequence of events representing a run  Refers to object instances, not variables  Matched events may be widely spaced  Patterns resemble actual Java code  Like a small matching code snippet  No references to compiler internals

5  Motivation for PQL  PQL language by example  Dynamic PQL query matcher  Static PQL query matcher  Experimental results

6 HttpServletRequest req = /*... */; java.sql.Connection conn = /*... */; String query = req.getParameter(“QUERY”); conn.execute(query); 1 CALLo 1.getParameter(o 2 ) 2 RETo 2 3 CALLo 3.execute(o 2 ) 4 RETo 4  Unvalidated user input passed to a database  If SQL in embedded in the input, attacker can take over database  One of the top Web application security flaws

7 private String read() { HttpServletRequest req = /*... */; return req.getParameter(“QUERY”); } java.sql.Connection conn = /*... */; conn.execute(read()); 1 CALLread() 2 CALL o 1.getParameter(o 2 ) 3 RETo 3 4 RETo 3 5 CALLo 4.execute(o 3 ) 6 RETo 5

8 1. CALLo 1.getParameter(o 2 ) 2. RETo 3 3. CALLo 4.execute(o 3 ) 4. RETo 5 1. CALLread() 2. CALLo 1.getParameter(o 2 ) 3. RETo 3 4. RETo 3 5. CALLo 4.execute(o 3 ) 6. RETo 5 The object returned by getParameter is then argument 1 to execute The object returned by getParameter is then argument 1 to execute

9 query main() uses String param; matches { param = HttpServletRequest.getParameter(_); Connection.execute(param); } query main() uses String param; matches { param = HttpServletRequest.getParameter(_); Connection.execute(param); }  Query variables correspond to heap objects  Instructions need not be adjacent in a trace

10 query main() uses String x; matches { param = HttpServletRequest.getParameter(_) | param = HttpServletRequest.getHeader(_); Connection.execute(param); } query main() uses String x; matches { param = HttpServletRequest.getParameter(_) | param = HttpServletRequest.getHeader(_); Connection.execute(param); }

11 HttpServletRequest req = /*... */; String name = getParameter(“NAME”); String password = getParameter(“PASSWORD”); conn.execute( “SELECT * FROM logins WHERE name=” + name + “ AND passwd=” + password ); HttpServletRequest req = /*... */; String name = getParameter(“NAME”); String password = getParameter(“PASSWORD”); conn.execute( “SELECT * FROM logins WHERE name=” + name + “ AND passwd=” + password ); String concatenation translated into operations on String and StringBuffer objects

12 1 CALLo 1.getParameter(o 2 ) 2 RETo 3 3 CALLo 1.getParameter(o 4 ) 4 RETo 5 5 CALL StringBuffer. (o 6 ) 6 RETo 7 7 CALLo 7.append(o 8 ) 8 RETo 7 9 CALLo 7.append(o 3 ) 10 RETo 7 11 CALLo 7.append(o 9 ) 12 RETo 7 13 CALLo 7.append(o 5 ) 14 RETo 7 15 CALLo 7.toString() 16 RETo 10 17 CALLo 11.execute(o 10 ) 18 RETo 12 Old Pattern Doesn’t Work

13  Sources, sinks, derived objects  Generalizes to many information-flow security problems:  cross-site scripting,  path traversal,  HTTP response splitting,  format string attacks... o1o1 o1o1 o2o2 o2o2 o3o3 o3o3 sourcesink o4o4 o4o4

14 query derived (Object x) uses Object temp; returns Object d; matches { { temp.append(x); d := derived(temp); } | { temp = x.toString(); d := derived(temp); } | { d := x; } }

15 query main() uses String x, final; matches { param = HttpServletRequest.getParameter(_) | param = HttpServletRequest.getHeader(_); final := derived(param); Connection.execute(final); }

16  Sanitizes user-derived input  Dangerous data cannot reach the database query main() uses String param, final; matches { param = HttpServletRequest.getParameter(_) | param = HttpServletRequest.getHeader(_); final := derived(param); } replaces Connection.execute(final) with SQLUtil.safeExecute(param, final); query main() uses String param, final; matches { param = HttpServletRequest.getParameter(_) | param = HttpServletRequest.getHeader(_); final := derived(param); } replaces Connection.execute(final) with SQLUtil.safeExecute(param, final);

17  Partial order  { o.a(), o.b(), o.c(); }  Match calls to a, b, and c on o in any order  Forbidden Events  Example: double-lock l.lock(); ~l.unlock(); l.lock();

18  Ingredients:  Events, sequencing, alternation, subqueries  Recursion, partial order, forbidden events  Concatenation + alternation = Loop-free regex  + Subqueries = CFG  + Partial Order = CFG + Intersection  Quantified over heap  Each subquery independent  Existentially quantified

19  Motivation for PQL  PQL language by example  Dynamic PQL query matcher  Static PQL query matcher  Experimental results

20 Question Program Instrumented Program

21  Dynamic analysis: finds matches at runtime  After a match: ▪ Can execute user code ▪ Can fix code by replacing instructions  Static analysis: finds all possible matches  Conservative: can prove lack of match  Results can optimize dynamic analysis

22  Subqueries: state machine  Call to a subquery: new instance of machine  States carry bindings with them  Query variables: heap objects  Bindings are acquired when variables are referenced for the 1st time in a match

23 query main() uses Object param, final; matches { param = getParameter(_) | param = getHeader(); f := derived (param); execute (f); } query derived(Object x) uses Object t; returns Object y; matches { { y := x; } |{ t = x.toString(); y := derived(t); } | { t.append(x); y := derived(t); } } query main() uses Object param, final; matches { param = getParameter(_) | param = getHeader(); f := derived (param); execute (f); } query derived(Object x) uses Object t; returns Object y; matches { { y := x; } |{ t = x.toString(); y := derived(t); } | { t.append(x); y := derived(t); } }

24    * ** param = getParameter(_) param = getHeader(_) f := derived(param) execute(f)

25       t=x.toString() t.append(x) y := x y := derived(t) * *

26    * * * x = getParameter(_)x = getHeader(_) f := derived(x) execute(f) { } { x=o 1 } { x=o 1 } 1 o 1 = getHeader(o 2 ) {x=o 1,f=o 1 } o 3.append(o 1 ) o 3.append(o 4 ) o 5 = execute(o 3 ) {x=o 1,f=o 3 }, {x=o 1,f=o 3 }

27  Motivation for PQL  PQL language by example  Dynamic PQL query matcher  Static PQL query matcher  Experimental results

28  “Can this program match this query?”  Use pointer analysis to give a conservative approximation  No matches found = None possible  PQL query automatically translated into a query on pointer analysis results  Pointer analysis is sound and context-sensitive ▪ 10 14 contexts in a good-sized application ▪ Exponential space represented with BDDs ▪ Analyses given in Datalog  See Whaley/Lam, PLDI 2004 (bddbddb) for details

29  Sets of objects and events that could represent a match  Program points that could participate in a match  Static results conservative  So, point not in result  point never in any match  So, no need to instrument  Usually more than 90% overhead reduction OR

30  Motivation for PQL  PQL language by example  Dynamic PQL query matcher  Static PQL query matcher  Experimental results

31 Security vulnerabilities (SQL injection, cross-site scripting attacks) Security vulnerabilities (SQL injection, cross-site scripting attacks) Bad session stores (a common J2EE bug) Bad session stores (a common J2EE bug) Memory leaks (lapsed listeners, variation of the observer pattern) Memory leaks (lapsed listeners, variation of the observer pattern) Mismatched API calls (method call pairs) Web AppsEclipse

32

33  Very common bug in Web applications  Server tries to persist non-persistent objects  Only manifests under heavy load  Hard to find with testing  One-line query in PQL HttpSession.setAttribute(_,!Serializable(_));  Solvable purely statically  Dynamic confirmation possible

34  Part of a system called SecuriFly [MLL’06]  Static greatly optimizes overhead  92%-99.8% reduction of points  2-3x speedup  4 injections, 2 exploitable  Blocked both exploits

35  A popular IDE for Java  Very large (tens of MB of bytecode)  Too large for our static analysis  Purely interactive  Unoptimized dynamic overhead acceptable

36  Paired method calls  register/deregister  createWidget/destroyWidget  install/uninstall  startup/shutdown  How do we find more patterns like this?  Read our FSE’05 paper [LZ’05]

37  Frequent anti-pattern leading to memory leaks  Hold on to a large object, fail to call removeListener  Can force a call to removeListener if we keep track of added listeners Listener l = new MyListener(…){…}; widget.addListener(l); {…} widget.removeListener(l); Listener l = new MyListener(…){…}; widget.addListener(l); {…} widget.removeListener(l);

38  All paired methods queries were run simultaneously  56 mismatches detected  Lapsed listener query was run alone  136 lapsed listeners detected  Can be automatically fixed

39  Automatically repaired & prevented bugs at runtime  Overhead in the 9-125% range  Static optimization removes 82-99% of instrumentation points

40  PQL system is open source  Hosted on SourceForge http://pql.sourceforge.net  Standalone dynamic implementation  Point-and-shoot static system

41  PQL: a Program Query Language  Match histories of sets of objects on a program trace  Targeting application developers  Found many bugs  206 application bugs and security flaws  6 large real-life applications  PQL gives a bridge to powerful analyses  Dynamic matcher ▪ Point-and-shoot even for unknown applications ▪ Automatically repairs program on the fly  Static matcher ▪ Proves absence of bugs ▪ Can reduce runtime overhead to production- acceptable

42  Domains for bug recovery  SecuriFly (sanitize when necessary)  Failure-oblivious computing  Distributed monitors  Consider gmail  Can we monitor properties of such a client/server application?  Dynamic monitors  Long-running applications  Add and remove monitoring rules as time

Download ppt "Michael Martin, Ben Livshits, Monica S. Lam Stanford University First presented at OOPSLA 2005."

Similar presentations

Locating Matching Method Calls by Mining Revision History Data Benjamin Livshits Stanford University and Thomas Zimmermann Saarland University.

Locating Matching Method Calls by Mining Revision History Data Benjamin Livshits Stanford University and Thomas Zimmermann Saarland University.
Runtime Prevention & Recovery Protect existing applications Advantages: Prevents vulnerabilities from doing harm Safe mode for Web application execution.

Runtime Prevention & Recovery Protect existing applications Advantages: Prevents vulnerabilities from doing harm Safe mode for Web application execution.
Data-Flow Analysis Framework Domain – What kind of solution is the analysis looking for? Ex. Variables have not yet been defined – Algorithm assigns a.

Data-Flow Analysis Framework Domain – What kind of solution is the analysis looking for? Ex. Variables have not yet been defined – Algorithm assigns a.
Finding Application Errors and Security Flaws Using PQL: a Program Query Language MICHAEL MARTIN, BENJAMIN LIVSHITS, MONICA S. LAM PRESENTED BY SATHISHKUMAR.

Finding Application Errors and Security Flaws Using PQL: a Program Query Language MICHAEL MARTIN, BENJAMIN LIVSHITS, MONICA S. LAM PRESENTED BY SATHISHKUMAR.
Type-based Taint Analysis for Java Web Applications Wei Huang, Yao Dong and Ana Milanova Rensselaer Polytechnic Institute 1.

Type-based Taint Analysis for Java Web Applications Wei Huang, Yao Dong and Ana Milanova Rensselaer Polytechnic Institute 1.
GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.

GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.
Moving Target Defense in Cyber Security

Moving Target Defense in Cyber Security
Yip, X. Wang, N. Zeldovich, M. F. Kaashoek MIT CSAIL Reading Group by Theo 06 Oct 2009.

Yip, X. Wang, N. Zeldovich, M. F. Kaashoek MIT CSAIL Reading Group by Theo 06 Oct 2009.
Various languages….  Could affect performance  Could affect reliability  Could affect language choice.

Various languages….  Could affect performance  Could affect reliability  Could affect language choice.
Bouncer securing software by blocking bad input Miguel Castro Manuel Costa, Lidong Zhou, Lintao Zhang, and Marcus Peinado Microsoft Research.

Bouncer securing software by blocking bad input Miguel Castro Manuel Costa, Lidong Zhou, Lintao Zhang, and Marcus Peinado Microsoft Research.
Concolic Modularity Testing Derrick Coetzee University of California, Berkeley CS 265 Final Project Presentation.

Concolic Modularity Testing Derrick Coetzee University of California, Berkeley CS 265 Final Project Presentation.
Finding Security Errors in Java Applications Using Lightweight Static Analysis Benjamin Livshits Computer Science Lab Stanford University.

Finding Security Errors in Java Applications Using Lightweight Static Analysis Benjamin Livshits Computer Science Lab Stanford University.
RUGRAT: Runtime Test Case Generation using Dynamic Compilers Ben Breech NASA Goddard Space Flight Center Lori Pollock John Cavazos University of Delaware.

RUGRAT: Runtime Test Case Generation using Dynamic Compilers Ben Breech NASA Goddard Space Flight Center Lori Pollock John Cavazos University of Delaware.
Securing Web Applications Static and Dynamic Information Flow Tracking Jason Ganzhorn 4/12/2010.

Securing Web Applications Static and Dynamic Information Flow Tracking Jason Ganzhorn 4/12/2010.
1 Frameworks. 2 Framework Set of cooperating classes/interfaces –Structure essential mechanisms of a problem domain –Programmer can extend framework classes,

1 Frameworks. 2 Framework Set of cooperating classes/interfaces –Structure essential mechanisms of a problem domain –Programmer can extend framework classes,
Finding Application Errors and Security Flaws Using PQL: A Program Query Language Michael Martin, Benjamin Livshits, Monica S. Lam Stanford University.

Finding Application Errors and Security Flaws Using PQL: A Program Query Language Michael Martin, Benjamin Livshits, Monica S. Lam Stanford University.
ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.

ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.
Chapter 10 Storage Management Implementation details beyond programmer’s control Storage/CPU time trade-off Binding times to storage.

Chapter 10 Storage Management Implementation details beyond programmer’s control Storage/CPU time trade-off Binding times to storage.
8 Chapter Eight Server-side Scripts. 8 Chapter Objectives Create dynamic Web pages that retrieve and display database data using Active Server Pages Process.

8 Chapter Eight Server-side Scripts. 8 Chapter Objectives Create dynamic Web pages that retrieve and display database data using Active Server Pages Process.
Testing Tools. Categories of testing tools Black box testing, or functional testing Testing performed via GUI. The tool helps in emulating end-user actions.

Testing Tools. Categories of testing tools Black box testing, or functional testing Testing performed via GUI. The tool helps in emulating end-user actions.

Similar presentations

Ads by Google