Improving Software Security with Precise Static and Runtime Analysis

Channel:
Microsoft Research
Subscribers:
344,000
Published on ● Video Link: https://www.youtube.com/watch?v=bCoMj0DAX44


Duration: 1:25:11
89 views
1

The landscape of security vulnerabilities has changes dramatically in the last several years. As Web-based applications become more prominent, familiar buffer overruns are far outnumbered by Web application vulnerabilities such as SQL injections and cross-site scripting attacks. In this talk I introduce a comprehensive static and runtime compiler-based solution to a wide range of Web application vulnerabilities. Our approach targets large real-life Web-based Java applications. Given a vulnerability description, either a static checker or specially instrumented, secured application bytecode is produced. To make our approach extensible and user-friendly, vulnerability specifications are written in PQL, a Program Query Language [...]. The static checker generated based on the PQL specification finds vulnerabilities by analyzing the Web-based applications [...]. The static approach is sound, which ensures that it finds all vulnerabilities captured by the specification in the statically analyzed code. We evaluate analysis features such as context- and object sensitivity that help keep the number of false positives low. We also describe our approach to call graph construction in the presence of reflection [...]. Alternatively, secured application executables can be automatically generated based on the same PQL vulnerability specification. Secured executables may be deployed on a standard application server. Furthermore, to improve application uptime, vulnerability recovery rules may be specified. Finally, we show how static analysis can be used to significantly reduce the instrumentation overhead.



Other Videos By Microsoft Research


2016-09-06Software Development Practices and Knowledge Sharing: A Comparison of XP & Waterfall Team Behaviors
2016-09-06How likely is BuffonΓÇÖs needle to meet a Cantor square?
2016-09-06Dense triangle-free digraphs
2016-09-06MOP: A Generic and Efficient Runtime Verification Framework
2016-09-06An Examination of User Behaviour during Web Information Tasks
2016-09-06Modeling Science: Topic models of Scientific Journals and Other Large Document Collections
2016-09-06Exhaustive Phase Order Search Space Exploration and Evaluation
2016-09-06Supervised Dimensionality Reduction with Principal Component Analysis
2016-09-06Network Market Design for Efficient Resource Allocation
2016-09-06Probabilistic Latent Variable Decompositions for Image and Audio Analysis
2016-09-06Improving Software Security with Precise Static and Runtime Analysis
2016-09-06What Analytical Performance Modeling Teaches Us About Computer Systems Design
2016-09-06A search engine for the real world, or, a top-down approach to vision
2016-09-06Approximate Inference Techniques for Identity Uncertainty
2016-09-06Edgenet 2006 - Issues in Enterprise Networks
2016-09-06Towards a Memory Model for C++
2016-09-06Edgenet 2006 - Keynote - Model-Based Management of Distributed Services
2016-09-06SCS '06 - Wrap-up and Next Steps
2016-09-06Technology Matters
2016-09-06SCS '06 - Closing Keynotes - Part 2
2016-09-06People Pen and Computers


Tags:
microsoft research