Merlin: Inferring Specifications for Explicit Information Flow Problems Ben Livshits Aditya Nori Sriram Rajamani Anindya Banerjee.

Presentation on theme: "Merlin: Inferring Specifications for Explicit Information Flow Problems Ben Livshits Aditya Nori Sriram Rajamani Anindya Banerjee."— Presentation transcript:

1 Merlin: Inferring Specifications for Explicit Information Flow Problems Ben Livshits Aditya Nori Sriram Rajamani Anindya Banerjee

2 Web application vulnerabilities are a serious threat addressed by static analysis tools such as Microsoft CAT.NET

3 MOTIVATION & PROJECT GOALS

4 When it comes to static analysis tools, specification quality affects result quality: more specification finds more bugs; better specification yields fewer false positives.

5 A typical specification includes dozens of sources, sinks, and sanitizers

  Type        Count   Revisions
  Sources        27          11
  Sanitizers      7           2
  Sinks          77          10
  Total         111          23

  Specification: sources start taint; sinks are where taint is not allowed; sanitizers untaint data.

6 Tools are only as good as the specification, and a good specification is hard to come by.

  This example: are ReadData1 and ReadData2 sources? Is Cleanse a sanitizer? Is WriteData a sink?
  At large scale: libraries come with their own APIs, and the specification is particular to each application.

    void ProcessRequest()
    {
        string s1 = ReadData1("name");      // source?
        string s2 = ReadData2("encoding");  // source?
        string s3 = Cleanse(s1);            // sanitizer?
        WriteData("Parameter " + s1);       // sink?
        WriteData("Header " + s2);          // sink?
    }

7 ALGORITHMS

8 Merlin processing. Inputs: the initial specification and the program. Merlin inference runs in three steps: (1) propagation graph construction, (2) factor graph construction, (3) probabilistic inference. Its output is the final specification, which the static analysis then uses to report vulnerabilities.

9 We convert the propagation graph we get from CAT.NET to a reduced propagation graph

10 [Diagram; node labels: ReadData1, Cleanse, WriteData / ReadData2]

11 [Diagram; node labels: ReadData1, ReadData2, WriteData / Cleanse]

12 [Diagram; node labels: ReadData1, ReadData2, Cleanse / WriteData]

13 Avoid source wrappers: Prop1 is not a source

14 Avoid sink wrappers: Cleanse is not a sink

15 Avoid double sanitizers: Prop1 is not a sanitizer

16 We derive probabilistic constraints from the reduced propagation graph

17 We approximate path constraints with triple constraints (2^N path constraints become N^3 triple constraints)

18 Direct constraint representation is way too big. Factor graph is a compressed representation.
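Slides 13 through 18 describe the constraints Merlin derives from the reduced propagation graph. The following Python is an added illustration, not code from the Merlin paper or from CAT.NET: it hand-builds a propagation graph for the slide-6 routine (assuming the cleansed value reaches WriteData, as slides 10 to 12 suggest), emits the wrapper, path and triple constraints as plain tuples, and uses a constructed layered graph to show why per-path constraints explode while triples stay cubic. Modelling the wrapper rules as pairwise clauses over reachable pairs is an assumption of this example.

```python
# Added illustration, not code from the Merlin paper or CAT.NET.  Propagation
# graph hand built from the slide-6 routine (edge a -> b: a's result flows
# into b); ASSUMES the cleansed value reaches WriteData, as slides 10-12 suggest.
GRAPH = {
    "ReadData1": ["Cleanse", "WriteData"],
    "ReadData2": ["WriteData"],
    "Cleanse": ["WriteData"],
    "WriteData": [],
}

def simple_paths(graph):
    """Every simple path of two or more nodes, by depth-first walk."""
    out = []
    def walk(path):
        for nxt in graph[path[-1]]:
            if nxt not in path:
                out.append(path + [nxt])
                walk(path + [nxt])
    for start in graph:
        walk([start])
    return out

def path_constraints(graph):
    """Direct encoding: one clause per path, so it grows with the path count."""
    return [("unsanitized-flow", tuple(p)) for p in simple_paths(graph)]

def reachable(graph):
    reach = {n: set() for n in graph}
    for p in simple_paths(graph):
        reach[p[0]].add(p[-1])
    return reach

def triple_constraints(graph):
    """Slide 17: for every a ->* b ->* c, source(a) & sink(c) => sanitizer(b); at most N^3."""
    reach = reachable(graph)
    return sorted({("triple", a, b, c) for a in graph
                   for b in reach[a] for c in reach[b]})

def wrapper_constraints(graph):
    """Slides 13-15 as pairwise clauses: two nodes on one flow are unlikely to
    both be sources, both be sinks, or both be sanitizers (wrappers)."""
    reach = reachable(graph)
    return [(rule, a, b) for a in graph for b in sorted(reach[a]) for rule in
            ("not-both-sources", "not-both-sinks", "not-both-sanitizers")]

def layered_graph(layers, width=2):
    """Constructed stress graph: `layers` ranks of `width` nodes, fully wired rank to rank."""
    return {f"n{r}_{i}": [f"n{r + 1}_{j}" for j in range(width)] if r + 1 < layers
            else [] for r in range(layers) for i in range(width)}
```

For the slide-6 graph there are five path clauses but a single triple, (ReadData1, Cleanse, WriteData); for a ten-rank layered graph of twenty nodes the path clauses number 4052 while the triples number 960.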

19 Probabilistic inference. Before inference (columns: Source, Sanitizer, Sinks): ReadData1 .95, .001; ReadData2 .5; Cleanse .5; WriteData .5, .85; ... After inference: ReadData1 .95, .001; ReadData2 .5; Cleanse .01 (source), .997 (sanitizer), .03 (sink); WriteData .5, .85; ...

20 Direct constraint representation is too big. Factor graphs to the rescue.

21 Factor graph inference TODO

22 EXPERIMENTAL RESULTS

23 We have chosen 10 line-of-business applications written in C# using ASP.NET.

24 Summary of Discovered Specifications

25 Summary of Discovered Vulnerabilities

26 Analyze This: a routine from one of our benchmarks that shows how Merlin affects vulnerabilities. [Annotated code listing; only the label "known sink" survived extraction]

27 Starting with an initial specification really helps, but Merlin can work with no specification at all.

28 Executive summary of experimental results: 10 large Web apps in .NET; new specs: 167; new vulnerabilities: 302; false positives removed: 3; final false positive rate for CAT.NET after Merlin: <1%.

29 Related work. Explicit information flow: analysis of Web apps (WebSSARI, Griffin, etc.), Fortify, CAT.NET; Asbestos, HiStar; hardware support. Mining security specifications: AutoISES (security-sensitive data structures in the Linux kernel), Ganapathy. Specification mining: Kremenek (belief inference for malloc/free), Perracotta, DynaMine, Daikon, Weimer.
