Improving Software Security with Precise Static and Runtime Analysis

June 26, 2006
Benjamin Livshits | Stanford University

The landscape of security vulnerabilities has changes dramatically in the last several years. As Web-based applications become more prominent, familiar buffer overruns are far outnumbered by Web application vulnerabilities such as SQL injections and cross-site scripting attacks.

In this talk I introduce a comprehensive static and runtime compiler-based solution to a wide range of Web application vulnerabilities. Our approach targets large real-life Web-based Java applications. Given a vulnerability description, either a static checker or specially instrumented, “secured” application bytecode is produced. To make our approach extensible and user-friendly, vulnerability specifications are written in PQL, a Program Query Language […].

The static checker generated based on the PQL specification finds vulnerabilities by analyzing the Web-based applications […]. The static approach is sound, which ensures that it finds all vulnerabilities captured by the specification in the statically analyzed code. We evaluate analysis features such as context- and object sensitivity that help keep the number of false positives low. We also describe our approach to call graph construction in the presence of reflection […].

Alternatively, “secured” application executables can be automatically generated based on the same PQL vulnerability specification. Secured executables may be deployed on a standard application server. Furthermore, to improve application uptime, vulnerability recovery rules may be specified. Finally, we show how static analysis can be used to significantly reduce the instrumentation overhead.

Speaker Details

Benjamin Livshits is currently a Ph.D. candidate in computer science at Stanford University. Benjamin graduated summa cum laude with a B.A. degree in computer science and math from Cornell University in 1999. He obtained an M.S. from Stanford University in 2002.Benjamin’s general research area is compilers and program analysis. His research interests include application of sophisticated static and dynamic analysis techniques to finding errors in programs. Lately he has focused on techniques for finding buffer overruns in C programs and a variety of security vulnerabilities (SQL injections, cross-site scriping, etc.) in Web-based applications.Benjamin has authored more than a dozen papers on program analysis for security and other uses, including finding memory errors, violations of API-specific patterns, software pattern mining, garbage collection, etc.