Improving Software Security with Precise Static and Runtime Analysis

Published 6 September 2016, 6:37
The landscape of security vulnerabilities has changed dramatically in the last several years. As Web-based applications become more prominent, familiar buffer overruns are far outnumbered by Web application vulnerabilities such as SQL injections and cross-site scripting attacks. In this talk I introduce a comprehensive static and runtime compiler-based solution to a wide range of Web application vulnerabilities. Our approach targets large real-life Web-based Java applications. Given a vulnerability description, either a static checker or specially instrumented, secured application bytecode is produced. To make our approach extensible and user-friendly, vulnerability specifications are written in PQL, a Program Query Language [...]. The static checker generated from the PQL specification finds vulnerabilities by analyzing the Web-based applications [...]. The static approach is sound, which ensures that it finds all vulnerabilities captured by the specification in the statically analyzed code. We evaluate analysis features such as context- and object-sensitivity that help keep the number of false positives low. We also describe our approach to call graph construction in the presence of reflection [...]. Alternatively, secured application executables can be automatically generated from the same PQL vulnerability specification. Secured executables may be deployed on a standard application server. Furthermore, to improve application uptime, vulnerability recovery rules may be specified. Finally, we show how static analysis can be used to significantly reduce the instrumentation overhead.