Presentation is loading. Please wait.

Presentation is loading. Please wait.

Specification Inference for Explicit Information Flow Problems Benjamin Livshits, Aditya V. Nori, Sriram K. Rajamani Microsoft Research Anindya Banerjee.

Published byAlberta Watson Modified over 9 years ago

Similar presentations

Presentation on theme: "Specification Inference for Explicit Information Flow Problems Benjamin Livshits, Aditya V. Nori, Sriram K. Rajamani Microsoft Research Anindya Banerjee."— Presentation transcript:

1 Specification Inference for Explicit Information Flow Problems Benjamin Livshits, Aditya V. Nori, Sriram K. Rajamani Microsoft Research Anindya Banerjee IMDEA Software

2 Problem: Can we automatically infer which routines in a program are sources, sinks and sanitizers? Technology: Static analysis + Probabilistic inference Applications: – Lowers false errors from tools – Enables more complete flow checking Results: – Over 300 new vulnerabilities discovered in 10 deployed ASP.NET applications

3

4  Web application vulnerabilities are a serious threat!

5 $username = $_REQUEST['username']; $sql = "SELECT * FROM Students WHERE username = '$username';

6 Propagation graph m1→ m2 iff information flows “explicitly” from m1 to m2 void ProcessRequest() { string s1 = ReadData1("name"); string s2 = ReadData2("encoding"); string s11 = Prop1(s1); string s22 = Prop2(s2); string s111 = Cleanse(s11); string s222 = Cleanse(s22); WriteData("Parameter " + s111); WriteData("Header " + s222); }

7  Source  returns tainted data  Sink  error to pass tainted data  Sanitizer  cleanse or untaint the input  Regular nodes  propagate input to output  Every path from a source to a sink should go through a sanitizer  Any source to sink path without a sanitizer is an information flow vulnerability

8 void ProcessRequest() { string s1 = ReadData1("name"); string s2 = ReadData2("encoding"); string s11 = Prop1(s1); string s22 = Prop2(s2); string s111 = Cleanse(s11); string s222 = Cleanse(s22); WriteData("Parameter " + s111); WriteData("Header " + s222); } Vulnerabilities?

9 void ProcessRequest() { string s1 = ReadData1("name"); string s2 = ReadData2("encoding"); string s11 = Prop1(s1); string s22 = Prop2(s2); string s111 = Cleanse(s11); string s222 = Cleanse(s22); WriteData("Parameter " + s111); WriteData("Header " + s222); } source sink source sanitizer

10 void ProcessRequest() { string s1 = ReadData1("name"); string s2 = ReadData2("encoding"); string s11 = Prop1(s1); string s22 = Prop2(s2); string s111 = Cleanse(s11); string s222 = Cleanse(s22); WriteData("Parameter " + s111); WriteData("Header " + s222); } source sanitizer sink source

11 Assumption Most flow paths in the propagation graph are secure Given a propagation graph, can we infer a specification or ‘complete’ a partial specification?

12

13 Initial specification Program Final specification Prop. graph construction Factor graph construction Probabilistic inference Merlin Vulnerabilities

14 void ProcessRequest() { string s1 = ReadData1("name"); string s2 = ReadData2("encoding"); string s11 = Prop1(s1); string s22 = Prop2(s2); string s111 = Cleanse(s11); string s222 = Cleanse(s22); WriteData("Parameter " + s111); WriteData("Header " + s222); }

15 source sanitizer sink ? source ? sink source sanitizer ?

16  For every acyclic path m 1 m 2 … m n the probability that m 1 is a source, m n is a sink, and m 2, …, m n-1 are not sanitizers is very low Exponential number of path constraints: O(2 |V| ) ! ReadData1 Prop1 Cleanse WriteData source sink

17 For every triple such that m i is on a path from m 1 to m n, the probability that m 1 is a source, m n is a sink, and m i is not a sanitizer is very low Cubic number of triple constraints: O(|V| 3 ) ! ReadData1 Prop1 WriteData ReadData1 WriteData Cleanse source sink source sink

18 source sink

19 For every pair of nodes m 1, m 2 such that m 1 and m 2 lie on the same path from a potential source to a potential sink, the probability that both m 1 and m 2 are sanitizers is low ReadData1 Prop1 Cleanse WriteData source sink

20 a b c d Triple constraints  ¬(a ∧ ¬b ∧ d)  ¬(a ∧ ¬c ∧ d) Avoid double sanitizers  ¬(b ∧ c)  a ∧ d ⇒ b  a ∧ d ⇒ c  ¬(b ∧ c)

21 (x 1 ∨ x 2 ) ∧ (x 1 ∨ ¬x 3 ) C1C1 C2C2 f(x 1, x 2, x 3 ) = f C1 (x 1, x 2 ) ∧ f C2 (x 1, x 3 ) f C1 (x 1, x 2 ) = f C2 (x 1, x 3 ) = 1 if x 1 ∨ x 2 = true 0 otherwise 1 if x 1 ∨ ¬x 3 = true 0 otherwise

22 f(x 1, x 2, x 3 ) = f C1 (x 1, x 2 ) ∧ f C2 (x 1, x 3 ) f C1 (x 1, x 2 ) = f C2 (x 1, x 3 ) = 1 if x 1 ∨ x 2 = true 0 otherwise 1 if x 1 ∨ ¬x 3 = true 0 otherwise (x 1 ∨ x 2 ) ∧ (x 1 ∨ ¬x 3 ) C1C1 C2C2 p(x 1, x 2, x 3 ) = f C1 (x 1, x 2 ) × f C2 (x 1, x 3 )/Z Z = ∑ x1, x2, x3 (f C1 (x 1, x 2 ) × f C2 (x 1, x 3 )) 0.9 0.1 0.9 0.1

23 Step 1: choose x i with highest p i (x i ) and set x i = true if p i (x i ) is greater than a threshold, false otherwise Step 2: recompute marginals and repeat Step 1 until all variables have been assigned marginal p i (x i ) = ∑ x1 … ∑ x(i-1) ∑ x(i+1) … ∑ xN p(x 1, …, x N )

24 f C1 (x 1, x 2 ) = f C2 (x 1, x 3 ) = 1 if x 1 ∨ x 2 = true 0 otherwise 1 if x 1 ∨ ¬x 3 = true 0 otherwise

25

26 SourceSanitizer Sink ReadData1.95.001 ReadData2.5 Cleanse.5 WriteData.5.85 … SourceSanitizerSink ReadData1.95.001 ReadData2.5 Cleanse.01.997.03 WriteData.5.85 … Probabilistic Inference

27 Theorem Path refines Triple

28

29  Merlin is implemented in C#  Uses CAT.NET for building the propagation graph  Uses Infer.NET for probabilistic inference ▪ http://research.microsoft.com/infernet http://research.microsoft.com/infernet

30 10 line-of-business applications written in C# using ASP.NET

31

32 Original With Merlin False positives eliminated

33  10 large Web apps in.NET  Time taken per app < 4 minutes  New specs: 167  New vulnerabilities: 322  False positives removed: 13  Final false positive rate for CAT.NET after Merlin < 1%

34  Merlin is first practical approach to infer explicit information flow specifications  Design based on a formal characterization of an approximate probabilistic constraint system  Able to successfully and efficiently infer explicit information flow specifications in large applications which result in detection of new vulnerabilities

35 http://research.microsoft.com/merlin

Download ppt "Specification Inference for Explicit Information Flow Problems Benjamin Livshits, Aditya V. Nori, Sriram K. Rajamani Microsoft Research Anindya Banerjee."

Similar presentations

Logical Abstract Interpretation Sumit Gulwani Microsoft Research, Redmond.

Logical Abstract Interpretation Sumit Gulwani Microsoft Research, Redmond.
Gated Graphs and Causal Inference

Gated Graphs and Causal Inference
1 Finite Constraint Domains. 2 u Constraint satisfaction problems (CSP) u A backtracking solver u Node and arc consistency u Bounds consistency u Generalized.

1 Finite Constraint Domains. 2 u Constraint satisfaction problems (CSP) u A backtracking solver u Node and arc consistency u Bounds consistency u Generalized.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Data-Flow Analysis Framework Domain – What kind of solution is the analysis looking for? Ex. Variables have not yet been defined – Algorithm assigns a.

Data-Flow Analysis Framework Domain – What kind of solution is the analysis looking for? Ex. Variables have not yet been defined – Algorithm assigns a.
Some Properties of SSA Mooly Sagiv. Outline Why is it called Static Single Assignment form What does it buy us? How much does it cost us? Open questions.

Some Properties of SSA Mooly Sagiv. Outline Why is it called Static Single Assignment form What does it buy us? How much does it cost us? Open questions.
Type-based Taint Analysis for Java Web Applications Wei Huang, Yao Dong and Ana Milanova Rensselaer Polytechnic Institute 1.

Type-based Taint Analysis for Java Web Applications Wei Huang, Yao Dong and Ana Milanova Rensselaer Polytechnic Institute 1.
Expressions and Statements. 2 Contents Side effects: expressions and statements Expression notations Expression evaluation orders Conditional statements.

Expressions and Statements. 2 Contents Side effects: expressions and statements Expression notations Expression evaluation orders Conditional statements.
Exact Inference in Bayes Nets

Exact Inference in Bayes Nets
Junction Trees And Belief Propagation. Junction Trees: Motivation What if we want to compute all marginals, not just one? Doing variable elimination for.

Junction Trees And Belief Propagation. Junction Trees: Motivation What if we want to compute all marginals, not just one? Doing variable elimination for.
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
Junction Trees: Motivation Standard algorithms (e.g., variable elimination) are inefficient if the undirected graph underlying the Bayes Net contains cycles.

Junction Trees: Motivation Standard algorithms (e.g., variable elimination) are inefficient if the undirected graph underlying the Bayes Net contains cycles.
GS 540 week 6. HMM basics Given a sequence, and state parameters: – Each possible path through the states has a certain probability of emitting the sequence.

GS 540 week 6. HMM basics Given a sequence, and state parameters: – Each possible path through the states has a certain probability of emitting the sequence.
Finding Security Errors in Java Applications Using Lightweight Static Analysis Benjamin Livshits Computer Science Lab Stanford University.

Finding Security Errors in Java Applications Using Lightweight Static Analysis Benjamin Livshits Computer Science Lab Stanford University.
Complexity 26-1 Complexity Andrei Bulatov Interactive Proofs.

Complexity 26-1 Complexity Andrei Bulatov Interactive Proofs.
Securing Web Applications Static and Dynamic Information Flow Tracking Jason Ganzhorn 4/12/2010.

Securing Web Applications Static and Dynamic Information Flow Tracking Jason Ganzhorn 4/12/2010.
A Differential Approach to Inference in Bayesian Networks - Adnan Darwiche Jiangbo Dang and Yimin Huang CSCE582 Bayesian Networks and Decision Graph.

A Differential Approach to Inference in Bayesian Networks - Adnan Darwiche Jiangbo Dang and Yimin Huang CSCE582 Bayesian Networks and Decision Graph.
Synergy: A New Algorithm for Property Checking

Synergy: A New Algorithm for Property Checking
Global optimization. Data flow analysis To generate better code, need to examine definitions and uses of variables beyond basic blocks. With use- definition.

Global optimization. Data flow analysis To generate better code, need to examine definitions and uses of variables beyond basic blocks. With use- definition.
ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.

ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.

Similar presentations

Ads by Google