Results 1 - 10 of 26
Finding Application Errors and Security Flaws Using PQL: a Program Query Language
, 2005
Cited by 188 (5 self)
A number of effective error detection tools have been built in recent years to check if a program conforms to certain design rules. An important class of design rules deals with sequences of events associated with a set of related objects. This paper presents a language called PQL (Program Query Language) that allows programmers to express such questions easily in an application-specific context. A query looks like a code excerpt corresponding to the shortest amount of code that would violate a design rule. Details of the target application's precise implementation are abstracted away. The programmer may also specify actions to perform when a match is found, such as recording relevant information or even correcting an erroneous execution on the fly.
Securing web applications with static and dynamic information flow tracking
- In ACM Symposium on Partial Evaluation and Semantics-based Program Manipulation
, 2008
Cited by 40 (0 self)
SQL injection and cross-site scripting are two of the most common security vulnerabilities that plague web applications today. These and many others result from having unchecked data input reach security-sensitive operations. This paper describes a language called PQL (Program Query Language) that allows users to specify information flow patterns succinctly and declaratively. We have developed a static context-sensitive, but flow-insensitive information flow tracking analysis that can be used to find all the vulnerabilities in a program. In the event that the analysis generates too many warnings, the result can be used to drive a model-checking system to analyze more precisely. Model checking is also used to automatically generate the input vectors that expose the vulnerability. Any remaining behavior these static analyses have not isolated may be checked dynamically. The results of the static analyses may be used to optimize these dynamic checks. Our experimental results indicate the language is expressive enough for describing a large number of vulnerabilities succinctly. We have analyzed over nine applications, detecting 30 serious security vulnerabilities. We were also able to automatically recover from attacks as they occurred using the dynamic checker.
Finding application errors using PQL: a program query language
- IN PROCEEDINGS OF THE ACM CONFERENCE ON OBJECT-ORIENTED PROGRAMMING, SYSTEMS, LANGUAGES, AND APPLICATIONS (OOPSLA)
, 2005
Cited by 28 (4 self)
A number of effective error detection tools have been built in recent years to check if a program conforms to certain design rules. An important class of design rules deals with sequences of events associated with a set of related objects. This paper presents a language called PQL (Program Query Language) that allows programmers to express such questions easily in an application-specific context. A query looks like a code excerpt corresponding to the shortest amount of code that would violate a design rule. Details of the target application’s precise implementation are abstracted away. The programmer may also specify actions to perform when a match is found, such as recording relevant information or even correcting an erroneous execution on the fly. We have developed both static and dynamic techniques to find solutions to PQL queries. Our static analyzer finds all potential matches conservatively using a context-sensitive, flow-insensitive, inclusion-based pointer alias analysis. While the results may not be precise for certain queries, they are useful in optimizing the dynamic analysis. Our dynamic analyzer instruments the source program to catch all violations precisely as the program runs and to perform the specified actions if such are provided. We have implemented the proposed techniques and used them successfully to find severe breaches of security and important resource leaks in 6 large real-world open-source Java applications containing a total of more than 62,000 classes using a combination of static and dynamic analysis.
RDF with regular expressions
- RESEARCH REPORT 6191, INRIA RHÔNE-ALPES, GRENOBLE (FR)
, 2007
SecuriFly: Runtime Protection and Recovery from Web Application Vulnerabilities
, 2006
Cited by 13 (1 self)
This report presents a runtime solution to a range of Web application security vulnerabilities. The solution we propose, called SecuriFly, consists of instrumenting the application to precisely track the flow of data. When a potential vulnerability is observed, the application is either terminated to prevent the vulnerability from being exploited or special recovery code is executed and the application is allowed to continue running. We have used SecuriFly to harden and experiment with a range of large open-source benchmarks written in Java. Protection provided by SecuriFly was sufficient to protect against all exploits we were able to generate.
Querying Complex Graphs
- Proceedings of the Eighth Intl Symposium on Practical Aspects of Declarative Languages (PADL)
, 2006
Cited by 10 (2 self)
This paper presents a powerful language for querying complex graphs and a method for generating efficient implementations that can answer queries with complexity guarantees. The graphs may have edge labels that may have parameters, and easily and naturally capture complex interrelated objects in object-oriented systems and XML data. The language is built on extended regular path expressions with variables and scoping, and can express queries more easily and clearly than previous query languages. The method for implementation first transforms queries into Datalog with limited extensions. It then extends a previous method to generate specialized algorithms and complexity formulas from Datalog with these extensions.
IMPROVING SOFTWARE SECURITY WITH PRECISE STATIC AND RUNTIME ANALYSIS
, 2006
Efficient Implementation of Tuple Pattern Based Retrieval
Cited by 7 (3 self)
Tuple pattern based retrieval is a language construct that matches a tuple pattern against a set of tuples to retrieve components of those tuples. This high-level abstraction allows programs to be written more easily and clearly than otherwise. This paper describes a clean and automatic method for transforming tuple pattern based retrievals into efficient implementations. The paper also presents two systems that implement the method, and describes successful experience and experiments in generating efficient implementations for graph algorithms, program analysis, security, and other applications.
Automatic incrementalization of prolog based static analyses
- Practical Aspects of Declarative Languages, volume 4354 of LNCS
, 2007
Cited by 6 (0 self)
Modern development environments integrate various static analyses into the build process. Analyses that analyze the whole project whenever the project changes are impractical in this context. We present an approach to automatic incrementalization of analyses that are specified as tabled logic programs and evaluated using incremental tabled evaluation, a technique for efficiently updating memo tables in response to changes in facts and rules. The approach has been implemented and integrated into the Eclipse IDE. Our measurements show that this technique is effective for automatically incrementalizing a broad range of static analyses.
Symbolic path simulation in path-sensitive dataflow analysis
- IN: PROC. OF 6TH ACM SIGPLAN-SIGSOFT WORKSHOP ON PROGRAM ANALYSIS FOR SOFTWARE TOOLS AND ENGINEERING (PASTE)
, 2005
Cited by 6 (1 self)
Symbolic path simulation is becoming an increasingly important component in many static analysis tasks. The emergence of inter-procedural path-sensitive dataflow algorithms has both raised the demands and posed new challenges for effective techniques in path feasibility analysis. This paper develops a general-purpose path simulator and applies it to support path-sensitive dataflow analysis. The core component of the path simulator is a simulation engine that supports a wide variety of programming language features. This simulation engine can be "wrapped" with an interface layer to support a given client application. As a concrete case study, we discuss the experiences gained in integrating the path simulator with ESP, a software validation tool for C/C++ programs. We apply ESP to validate a future version of Windows against critical security properties. Our results show that the global path simulation mechanism is both critical in improving precision and scalable enough to be of practical use.