Griffin Software Security Project - PowerPoint PPT Presentation
Title:
Griffin Software Security Project
Description:
Ben Livshits. 2. TRUST NSF Site Visit, Berkeley, April 27th 28th, 2006 ... Ben Livshits. 5. TRUST NSF Site Visit, Berkeley, April 27th 28th, 2006. Static ... – PowerPoint PPT presentation
Number of Views:34
Avg rating:3.0/5.0
Title: Griffin Software Security Project
1
Griffin Software Security Project
- Static and Runtime Solutions for Web Application
Vulnerabilities
2
Web Application Vulnerabilities On the Rise
- Compared to several years ago, vulnerabilities
like SQL injections and cross-site scripting
attacks dominate the charts
A study of 500 vulnerability reports in Nov.Dec.
2005
3
Griffin Application Security Project
- Project home
- http//suif.stanford.edu/livshits/work/griffin/
- We propose a hybrid static/runtime solution to
Web application vulnerabilities - Goes after the most prominent vulnerability
types - SQL injections
- Cross-site scripting
- Path traversal
- HTTP splitting
- etc.
- Our focus is on Java J2EE applications
4
Griffin Architecture
- Extensible architecture
- User specifies vulnerabilities in PQL, a program
query language - A static checker and as well as runtime
instrumentation is produced
Instrumented application
Dynamic analysis
query simpleSQLInjection returns object
String param, derived uses object
HttpServletRequest req object Connection
con object StringBuffer
temp matches param
req.getParameter(_) temp.append(param)
derived temp.toString()
con.executeQuery(derived)
Warnings
Static analysis
5
Static Error Detection
- Advantages
- Finds vulnerabilities early in development cycle
- Sounds, so finds all vuln. of a particular type
- Can run after every build ensuring continuous
security - Result summary
- Analyzed 9 large open-source Web applications in
Java - Thousands of users combined
- 29 vulnerabilities found, most confirmed and
fixed - Publication
- Described in Finding Security Vulnerabilities in
Java Applications with Static Analysis, B.
Livshits and M.S. Lam, In Proceedings of the
Usenix Security Symposium, 2005.
6
Runtime Prevention Recovery
- Advantages
- Prevents vulnerabilities from doing harm
- Safe mode for Web application execution
- Quarantines suspicious actions, application
continues to run - Perfect runtime information means no false
positives - Result summary
- Detected and prevented exploits in all our
experiments - Unoptimized overhead 57 average
- Optimized overhead 14 average
- Static privation removes 82-99 of instr. points
- Publication
- Finding Application Errors and Security Flaws
Using PQL a Program Query Language, M. Martin,
B. Livshits, and M.S. Lam, Presented in OOPSLA
2005.
Recommended
CrystalGraphics Presentations
