Improving Software Security with Precise Static and Runtime Analysis

Wednesday, October 18, 2006 - 8:13am

Benjamin Livshits
Stanford University
Date: Wednesday, October 25th, 2006
Time: 2:00pm-3:00pm
Location: Trailer 932 Rm 101, CTL: Collaborative Technologies Lab


The landscape of security vulnerabilities has changed dramatically
during the last several years. As Web-based applications become more
prominent, familiar buffer overruns are far outnumbered by Web
application vulnerabilities such as SQL injections and cross-site
scripting attacks.

In this talk I introduce a comprehensive compiler-based solution,
combining static and runtime analysis, to a wide range of Web
application vulnerabilities. Our approach led to the discovery of
almost 100 vulnerabilities in 11 open-source benchmarks. Vulnerability
specifications written in PQL, a Program Query Language, make our
system extensible and user-friendly. Given a vulnerability
description, it produces both a static checker and a specially
instrumented, secured version of the program.

The static checker generated based on the PQL specification finds
vulnerabilities by analyzing the Web-based applications. The static
approach is sound, which ensures that it finds all vulnerabilities
captured by the specification in the statically analyzed code. We
evaluate analysis features such as context and object sensitivity
that help keep the number of false positives low. Unlike previous
work, our approach to reflection enables us to analyze code that
other techniques miss.

Alternatively, secured application executables can be automatically
generated based on the same PQL vulnerability specification. Secured
executables may be deployed on a standard application server.
Optional vulnerability recovery rules improve application uptime by
allowing the application to continue safely after an attack. Finally,
we show how static analysis is used to significantly reduce the
instrumentation overhead.
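As an added illustration (not the talk's code, not PQL syntax, and with all names constructed), the following Python sketch shows the shape of the runtime half of the approach described above: a specification names a source and a sink, taint propagates through string derivations, and the check at the sink applies a recovery rule so the request continues instead of failing.

```python
from typing import Callable

class Tainted(str):
    """A str that records, per segment, which source labels it derives from."""
    def __new__(cls, value: str, labels=frozenset(), parts=None):
        obj = super().__new__(cls, value)
        obj.parts = tuple(parts) if parts else ((value, frozenset(labels)),)
        return obj
    def __add__(self, other):      # derivation: concatenation keeps segment taint
        return Tainted(str(self) + str(other), parts=self.parts + parts_of(other))
    def __radd__(self, other):
        return Tainted(str(other) + str(self), parts=parts_of(other) + self.parts)

def parts_of(s) -> tuple:
    """Segments of any string; a plain str is one untainted segment."""
    return getattr(s, "parts", ((str(s), frozenset()),))

def labels_of(s) -> frozenset:
    return frozenset().union(*(lab for _, lab in parts_of(s)))

class Monitor:
    """Runtime check generated from a (source, sink, recovery rule) specification."""
    def __init__(self, source: str, sink: str, recover: Callable[[str], str]):
        self.source, self.sink, self.recover = source, sink, recover
        self.violations = []       # (sink, offending value): every unsanitised flow

    def source_value(self, raw: str) -> Tainted:
        return Tainted(raw, {self.source})        # e.g. a request parameter

    def check_sink(self, value) -> str:
        if self.source not in labels_of(value):
            return str(value)                     # no flow from the source: pass
        self.violations.append((self.sink, str(value)))
        # recovery rule: rewrite only the tainted segments and let the request go on
        return "".join(self.recover(t) if lab else t for t, lab in parts_of(value))

def escape_quotes(text: str) -> str:
    """Constructed recovery rule for a SQL sink: double any single quote."""
    return text.replace("'", "''")

def build_query(mon: Monitor, user: str) -> str:
    """Application code as the instrumented program sees it: source -> derived -> sink."""
    name = mon.source_value(user)                               # source
    query = "SELECT * FROM users WHERE name = '" + name + "'"   # derived
    return mon.check_sink(query)                                # sink
```

Note that the monitor reports every unsanitised source-to-sink flow, benign input included, which is the flow-based notion of vulnerability the specification captures; the recovery rule is what keeps such a request from failing.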


Benjamin Livshits is currently a Ph.D. candidate in computer science
at Stanford University. Benjamin graduated summa cum laude with a
B.A. degree in computer science and math from Cornell University in
1999. He obtained an M.S. from Stanford University in 2002. Benjamin’s
general research area is compilers and program analysis.
His research interests include the application of sophisticated static
and dynamic analysis techniques to finding errors in programs. Lately
he has focused on approaches to finding buffer overruns in C programs
and a variety of security vulnerabilities (SQL injections, cross-site
scripting, etc.) in Web-based applications.

Benjamin has authored more than a dozen papers on program analysis
for security and other uses, including finding memory errors,
violations of API-specific patterns, software pattern mining, garbage
collection, etc. Benjamin is a winner of the NSF graduate fellowship.
His industrial experience includes work at companies including
Yahoo!, Netscape, and Intel.

Host: Giovanni Vigna