Program Analysis Using Datalog

Slides:



Advertisements
Similar presentations
Finding Security Vulnerabilities in Java Applications with Static Analysis Benjamin Livshits and Monica S. Lam Stanford University.
Advertisements

Finding Input Validation Errors in Java with Static Analysis Benjamin Livshits and Monica S. Lam Stanford University.
Runtime Prevention & Recovery Protect existing applications Advantages: Prevents vulnerabilities from doing harm Safe mode for Web application execution.
Webgoat.
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
Closing the Gap: Analyzing the Limitations of Web Application Vulnerability Scanners David Shelly Randy Marchany Joseph Tront Virginia Polytechnic Institute.
© 2008 Security Compass inc. 1 Firefox Plug-ins for Application Penetration Testing Exploit-Me.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Cloning-Based Context-Sensitive Pointer Alias Analysis using BDDs Mayur Naik Intel Research CS294 Lecture March 19, 2009 (Slides courtesy of John Whaley)
Infosec 2012 | 25/4/12 Application Performance Monitoring Ofer MAOR CTO Infosec 2012.
Presenter: James Huang Date: Sept. 29,  HTTP and WWW  Bottle Web Framework  Request Routing  Sending Static Files  Handling HTML  HTTP Errors.
Escape From the Black Box Brian Chess Fortify Software Countering the faults of typical web scanners through bytecode injection.
Scalable Points-to Analysis. Rupesh Nasre. Advisor: Prof. R. Govindarajan. Comprehensive Examination. Jun 22, 2009.
Finding Application Errors and Security Flaws Using PQL: a Program Query Language MICHAEL MARTIN, BENJAMIN LIVSHITS, MONICA S. LAM PRESENTED BY SATHISHKUMAR.
Type-based Taint Analysis for Java Web Applications Wei Huang, Yao Dong and Ana Milanova Rensselaer Polytechnic Institute 1.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.
1 Static Analysis for Bug Finding Benjamin Livshits.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Context-Sensitive Program Analysis as Database Queries Team: John Whaley, Ben Livshits, Michael Martin, Dzintars Avots, Michael Carbin, Chris Unkel.
Web Application Security An Introduction. OWASP Top Ten Exploits *Unvalidated Input Broken Access Control Broken Authentication and Session Management.
SQL Injection and Buffer overflow
Cloning-Based Context-Sensitive Pointer Alias Analysis using BDDs John Whaley Monica Lam Stanford University June 10, 2004.
Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
The 10 Most Critical Web Application Security Vulnerabilities
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Testing Tools. Categories of testing tools Black box testing, or functional testing Testing performed via GUI. The tool helps in emulating end-user actions.
HTTP and Server Security James Walden Northern Kentucky University.
Lets Make our Web Applications Secure. Dipankar Sinha Project Manager Infrastructure and Hosting.
Hamdi Yesilyurt, MA Student in MSDF & PhD-Public Affaris SQL Riji Jacob MS Student in Computer Science.
Approaches to Application Security – DSM
Ladd Van Tol Senior Software Engineer Security on the Web Part One - Vulnerabilities.
Copyright © 2008, CIBER Norge AS 1 Web Application Security Nina Ingvaldsen 22 nd October 2008.
A Security Review Process for Existing Software Applications
November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University
OSI and TCP/IP Models And Some Vulnerabilities AfNOG th May 2011 – 10 th June 2011 Tanzania By Marcus K. G. Adomey.
Web Application Security ECE ECE Internetwork Security What is a Web Application? An application generally comprised of a collection of scripts.
Security Scanners Mark Shtern. Popular attack targets Web – Web platform – Web application Windows OS Mac OS Linux OS Smartphone.
Top Five Web Application Vulnerabilities Vebjørn Moen Selmersenteret/NoWires.org Norsk Kryptoseminar Trondheim
School of Computing and Information Systems CS 371 Web Application Programming Security Avoiding and Preventing Attacks.
OWASP Top Ten #1 Unvalidated Input. Agenda What is the OWASP Top 10? Where can I find it? What is Unvalidated Input? What environments are effected? How.
Introduction to CS520/CS596_026 Lecture Two Gordon Tian Fall 2015.
October 3, 2008IMI Security Symposium Application Security through a Hacker’s Eyes James Walden Northern Kentucky University
nd Joint Workshop between Security Research Labs in JAPAN and KOREA Marking Scheme for Semantic- aware Web Application Security HPC.
Web Applications Testing By Jamie Rougvie Supported by.
Finding Security Vulnerabilities in Java Applications with Static Analysis Reviewed by Roy Ford.
Pointer Analysis – Part II CS Unification vs. Inclusion Earlier scalable pointer analysis was context- insensitive unification-based [Steensgaard.
OWASP Building Secure Web Applications And the OWASP top 10 vulnerabilities.
Example – SQL Injection MySQL & PHP code: // The next instruction prompts the user is to supply an ID $personID = getIDstringFromUser(); $sqlQuery = "SELECT.
Software Security. Bugs Most software has bugs Some bugs cause security vulnerabilities Incorrect processing of security related data Incorrect processing.
Web Security (cont.) 1. Referral issues r HTTP referer (originally referrer) – HTTP header that designates calling resource  Page on which a link is.
Group 18: Chris Hood Brett Poche
Web Application Vulnerabilities, Detection Mechanisms, and Defenses
Introduction to Dynamic Web Programming
World Wide Web policy.
CS 371 Web Application Programming
Example – SQL Injection
A Security Review Process for Existing Software Applications
Marking Scheme for Semantic-aware Web Application Security
PHP: Security issues FdSc Module 109 Server side scripting and
Lecture 2 - SQL Injection
Securing Web Applications with Information Flow Tracking
Web Security CS 136 Computer Security Peter Reiher March 11, 2010
WWW安全 國立暨南國際大學 資訊管理學系 陳彥錚.
CS5123 Software Validation and Quality Assurance
Presentation transcript:

Why Use Datalog to Analyze Programs? Monica Lam Stanford University Team: John Whaley, Ben Livshits, Michael Martin, Dzintars Avots, Michael Carbin, Chris Unkel

Program Analysis Using Datalog Jeffrey Ullman, Principles of Database and Knowledge-Base Systems, 1989

Reps, 1994 bddbddb, 2005 Problem interproc. data-flow reaching def/slicing software security programmer specified pointer alias analysis Demand Driven Exhaustive Implementation ease magic set xform BDD tuning Coral Custom, BDD based Slower Faster solved open problem < 1000 lines of code 800,000 byte codes

Confidential information leak Web Applications Evil Input Confidential information leak Hacker Browser Web App Database

Web Application Vulnerabilities 50% databases had a security breach [2002 Computer crime & security survey] 48% of all vulnerabilities Q3-Q4, 2004 Up from 39% Q1-Q2, 04 [Symantec May, 2005]

Top Ten Security Flaws in Web Applications [OWASP] Unvalidated Input Broken Access Control Broken Authentication and Session Management Cross Site Scripting (XSS) Flaws Buffer Overflows Injection Flaws Improper Error Handling Insecure Storage Denial of Service Insecure Configuration Management

Vulnerability Alerts SecurityFocus.com, on May 16, 2005

Source of vulnerabilities 2005-05-16: JGS-Portal Multiple Cross-Site Scripting and SQL Injection Vulnerabilities 2005-05-16: WoltLab Burning Board Verify_email Function SQL Injection Vulnerability 2005-05-16: Version Cue Local Privilege Escalation Vulnerability 2005-05-16: NPDS THOLD Parameter SQL Injection Vulnerability 2005-05-16: DotNetNuke User Registration Information HTML Injection Vulnerability 2005-05-16: Pserv completedPath Remote Buffer Overflow Vulnerability 2005-05-16: DotNetNuke User-Agent String Application Logs HTML Injection Vulnerability 2005-05-16: DotNetNuke Failed Logon Username Application Logs HTML Injection Vulnerability 2005-05-16: Mozilla Suite And Firefox DOM Property Overrides Code Execution Vulnerability 2005-05-16: Sigma ISP Manager Sigmaweb.DLL SQL Injection Vulnerability 2005-05-16: Mozilla Suite And Firefox Multiple Script Manager Security Bypass Vulnerabilities 2005-05-16: PServ Remote Source Code Disclosure Vulnerability 2005-05-16: PServ Symbolic Link Information Disclosure Vulnerability 2005-05-16: Pserv Directory Traversal Vulnerability 2005-05-16: MetaCart E-Shop ProductsByCategory.ASP Cross-Site Scripting Vulnerability 2005-05-16: WebAPP Apage.CGI Remote Command Execution Vulnerability 2005-05-16: OpenBB Multiple Input Validation Vulnerabilities 2005-05-16: PostNuke Blocks Module Directory Traversal Vulnerability 2005-05-16: MetaCart E-Shop V-8 IntProdID Parameter Remote SQL Injection Vulnerability 2005-05-16: MetaCart2 StrSubCatalogID Parameter Remote SQL Injection Vulnerability 2005-05-16: Shop-Script ProductID SQL Injection Vulnerability 2005-05-16: Shop-Script CategoryID SQL Injection Vulnerability 2005-05-16: SWSoft Confixx Change User SQL Injection Vulnerability 2005-05-16: PGN2WEB Buffer Overflow Vulnerability 2005-05-16: Apache HTDigest Realm Command Line Argument Buffer Overflow Vulnerability 2005-05-16: Squid Proxy Unspecified DNS Spoofing Vulnerability 2005-05-16: Linux Kernel ELF Core Dump Local Buffer Overflow Vulnerability 2005-05-16: Gaim Jabber File Request Remote Denial Of Service Vulnerability 2005-05-16: Gaim IRC Protocol Plug-in Markup Language Injection Vulnerability 2005-05-16: Gaim Gaim_Markup_Strip_HTML Remote Denial Of Service Vulnerability 2005-05-16: GDK-Pixbuf BMP Image Processing Double Free Remote Denial of Service Vulnerability 2005-05-16: Mozilla Firefox Install Method Remote Arbitrary Code Execution Vulnerability 2005-05-16: Multiple Vendor FTP Client Side File Overwriting Vulnerability 2005-05-16: PostgreSQL TSearch2 Design Error Vulnerability 2005-05-16: PostgreSQL Character Set Conversion Privilege Escalation Vulnerability Source of vulnerabilities Input validation: 62% SQL injection: 26%

Give me Bob’s credit card # SQL Injection Errors Hacker Browser Web App Database Give me Bob’s credit card # Delete all records

Happy-go-lucky SQL Query User supplies: name, password Java program: String query = “SELECT UserID, Creditcard FROM CCRec WHERE Name = ” + name + “ AND PW = ” + password

Fun with SQL “ — ”: “the rest are comments” in Oracle SQL SELECT UserID, CreditCard FROM CCRec WHERE: Name = bob AND PW = foo Name = bob— AND PW = x Name = bob or 1=1— AND PW = x Name = bob; DROP CCRec— AND PW = x

A Simple SQL Injection Pattern o = req.getParameter ( ); stmt.executeQuery ( o );

In Practice ParameterParser.java:586 String session.ParameterParser.getRawParameter(String name) public String getRawParameter(String name) throws ParameterNotFoundException { String[] values = request.getParameterValues(name); if (values == null) { throw new ParameterNotFoundException(name + " not found"); } else if (values[0].length() == 0) { throw new ParameterNotFoundException(name + " was empty"); } return (values[0]); ParameterParser.java:570 String session.ParameterParser.getRawParameter(String name, String def) public String getRawParameter(String name, String def) { try { return getRawParameter(name); } catch (Exception e) { return def; }

In Practice (II) ChallengeScreen.java:194 Element lessons.ChallengeScreen.doStage2(WebSession s) String user = s.getParser().getRawParameter( USER, "" ); StringBuffer tmp = new StringBuffer(); tmp.append("SELECT cc_type, cc_number from user_data WHERE userid = '“); tmp.append(user); tmp.append("'“); query = tmp.toString(); Vector v = new Vector(); try { ResultSet results = statement3.executeQuery( query ); ...

PQL: Program Query Language o = req.getParameter ( ); stmt.executeQuery ( o ); Query on the dynamic behavior based on object entities Generates a static checker and a dynamic checker

SQL Injection in PQL query SQLInjection() returns object Object source, taint; uses object HttpServletRequest req, java.sql.Statement stmt; matches { source = req.getParameter (); tainted := derivedString(source); stmt.execute(tainted); } query derivedString(object Object x) returns object Object y; uses object Object temp; y := x | { temp.append(x); y := derivedString(temp); }

Vulnerabilities in Web Applications Inject Parameters Hidden fields Headers Cookie poisoning Exploit SQL injection Cross-site scripting HTTP splitting Path traversal X

Dynamic vs. Static Pattern o = req.getParameter ( ); stmt.executeQuery (o); Dynamically: p1 = req.getParameter ( ); stmt.executeQuery (p2); Statically: p1 and p2 point to same object? Pointer alias analysis

Top 4 Techniques in PQL Implementation Drawn from 4 different fields Compiler Context-sensitive pointer analysis HW Verification BDD: binary decision diagrams Logic Programming Datalog AI Active machine learning

Context-Sensitive Pointer Analysis L1: a=malloc(); a=id(a); id(x) id(x) {return x;} L2: b=malloc( ); b=id(b); context-sensitive a L1 x context-insensitive b L2 x

# of Contexts is exponential!

Recursion A A G B C D E F B C D E F G

Top 20 Sourceforge Java Apps 1016 1012 108 104 100

Costs of Context Sensitivity Typical large program has ~1014 paths If you need 1 byte to represent a context: 256 terabytes of storage > 12 times size of Library of Congress 1GB DIMMs: $98.6 million Power: 96.4 kilowatts (128 homes) 300 GB hard disks: 939 x $250 = $234,750 Time to read sequentially: 70.8 days

Cloning-Based Algorithm Whaley&Lam, PLDI 2004 (best paper award) Create a “clone” for every context Apply context-insensitive algorithm to cloned call graph Lots of redundancy in result Exploit redundancy by clever use of BDDs (binary decision diagrams)

Performance of BDD Algorithm Direct implementation Does not finish even for small programs > 3000 lines of code Requires tuning for about 1 year Easy to make mistakes Mistakes found months later

Automatic Analysis Generation PQL Ptr analysis in 10 lines Datalog bddbddb (BDD-based deductive database) with Active Machine Learning Thousand-lines 1 year tuning BDD code

Automatic Analysis Generation PQL Datalog bddbddb (BDD-based deductive database) with Active Machine Learning BDD code

Flow-Insensitive Pointer Analysis o1: p = new Object(); o2: q = new Object(); p.f = q; r = p.f; Input Tuples vPointsTo(p,o1) vPointsTo(q,o2) Store(p,f,q) Load(p,f,r) New Tuples hPointsTo(o1,f,o2) vPointsTo(r,o2) p o1 f q o2 r

Inference Rule in Datalog Stores: hPointsTo(h1, f, h2) :- Store(v1, f, v2), vPointsTo(v1, h1), vPointsTo(v2, h2). v1.f = v2; v1 h1 f v2 h2

Inference Rules vPointsTo(v, h) :- vPointsTo0(v, h). vPointsTo(v1, h1) Creation site :- vPointsTo0(v, h). vPointsTo(v1, h1) Assignment :- Assign(v1, v2), vPointsTo(v2, h1). hPointsTo(h1, f, h2) :- Store(v1, f, v2), vPointsTo(v1, h1), vPointsTo(v2, h2). Store vPointsTo(v2, h2) Load :- Load(v1, f, v2), vPointsTo(v1, h1), hPointsTo(h1, f, h2).

Pointer Alias Analysis Specified by a few Datalog rules Creation sites Assignments Stores Loads Apply rules until they converge

SQL Injection Query SQLInjection: o = req.getParameter ( ); PQL: stmt.executeQuery ( o ); SQLInjection (o) :- calls(c1,b1,_, “getParameter”), ret(b1,v1),vPointsTo(c1, v1,o), Datalog: calls(c2,b2,_, “executeQuery”), actual(b2,1,v2),vPointsTo(c2,v2,o)

Program Analyses in Datalog Context-sensitive Java pointer analysis C pointer analysis Escape analysis Type analysis External lock analysis Interprocedural def-use Interprocedural mod-ref Object-sensitive analysis Cartesian product algorithm

Automatic Analysis Generation PQL Datalog bddbddb (BDD-based deductive database) with Active Machine Learning BDD code

Example: Call Graph Relation “Call graph” expressed as a relation. Five edges: calls(A,B) calls(A,C) calls(A,D) calls(B,D) calls(C,D) A B C D

Call Graph Relation Relation expressed as a binary function. 00 01 10 1 Relation expressed as a binary function. A=00, B=01, C=10, D=11 A 00 01 B C 10 D 11

Binary Decision Diagrams Graphical encoding of a truth table. x1 0 edge 1 edge x2 x2 x3 x3 x3 x3 x4 x4 x4 x4 x4 x4 x4 x4 1 1 1 1 1

Binary Decision Diagrams Collapse redundant nodes. x1 x2 x2 x3 x3 x3 x3 x4 x4 x4 x4 x4 x4 x4 x4 1 1 1 1 1

Binary Decision Diagrams Collapse redundant nodes. x1 x2 x2 x3 x3 x3 x3 x4 x4 x4 x4 x4 x4 x4 x4 1

Binary Decision Diagrams Collapse redundant nodes. x1 x2 x2 x3 x3 x3 x3 x4 x4 x4 1

Binary Decision Diagrams Collapse redundant nodes. x1 x2 x2 x3 x3 x3 x4 x4 x4 1

Binary Decision Diagrams Eliminate unnecessary nodes. x1 x2 x2 x3 x3 x3 x4 x4 x4 1

Binary Decision Diagrams Eliminate unnecessary nodes. x1 x2 x2 x3 x3 x4 1

Datalog  BDDs Datalog BDDs Relations Boolean functions Relation ops: ⋈, , select, project Boolean function ops:  ,  , − , ~ Relation at a time Function at a time Semi-naïve evaluation Incrementalization Fixed-point Iterate until stable

Binary Decision Diagrams Represent tiny and huge relations compactly Size depends on redundancy Similar contexts have similar numberings Variable ordering in BDDs

BDD Variable Order is Important! x1x2 + x3x4 x1 x3 x4 1 x2 x1 x3 x4 1 x2 x1<x2<x3<x4 x1<x3<x2<x4

Variable Numbering: Active Machine Learning Must be determined dynamically Limit trials with properties of relations Each trial may take a long time Active learning: select trials based on uncertainty Several hours Comparable to exhaustive for small apps

Optimizations in bddbddb Algorithmic Clever context numbering to exploit similarities Query optimizations Magic-set transformation semi-naïve evaluation Compiler optimizations Redundancy elimination, liveness analysis BDD optimizations Active machine learning BDD library extensions and turning

Top 4 Techniques in PQL Compiler Context-sensitive pointer analysis HW Verification BDD: binary decision diagrams Logic Programming Datalog AI Active machine learning

Benchmark 9 large, widely used applications Blogging/bulletin board applications Used at a variety of sites Open-source Java J2EE apps Available from SourceForge.net

Vulnerabilities Found SQL injection HTTP splitting Cross-site scripting Path traversal Total Header 6 4 10 Parameter 5 2 13 Cookie 1 Non-Web 3 9 11 29

Accuracy Benchmark Classes Context insensitive Context sensitive False jboard 264 blueblog 306 1 webgoat 349 51 6 blojsom 428 48 2 personalblog 611 460 snipsnap 653 732 27 12 road2hibernate 867 18 pebble 889 427 roller 989 378 Total 5356 2115 41

Easy Context-Sensitive Analysis PQL Datalog bddbddb (BDD-based deductive database) with Active Machine Learning Context-sensitive Analysis BDD code

To try out our software …with a click of a button Bddbddb + JavaBDD + Eclipse + JDK Encapsulated as a LivePC Visit http://internal.moka5.com Download the LivePC player Click to subscribe “Java Program Analysis Toolset”

References Pointers: Whaley, Lam, PLDI 04 C pointers: Avots, Dalton, Livshits, Lam, ICSE 05 PQL: Martin, Livshits, Lam, OOPSLA 05 Java Security: Livshits, Lam, Usenix security 05

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.