From the Series از مجموعه :-

Produced by تهيه كننده :Microsoft Research

Date تاريخ :2006-06-26

Description توضيح :The landscape of security vulnerabilities has changes dramatically in the last several years. As Web-based applications become more prominent, familiar buffer overruns are far outnumbered by Web application vulnerabilities such as SQL injections and cross-site scripting attacks. In this talk I introduce a comprehensive static and runtime compiler-based solution to a wide range of Web application vulnerabilities. Our approach targets large real-life Web-based Java applications. Given a vulnerability description, either a static checker or specially instrumented, 'secured' application bytecode is produced. To make our approach extensible and user-friendly, vulnerability specifications are written in PQL, a Program Query Language [...]. The static checker generated based on the PQL specification finds vulnerabilities by analyzing the Web-based applications [...]. The static approach is sound, which ensures that it finds all vulnerabilities captured by the specification in the statically analyzed code. We evaluate analysis features such as context- and object sensitivity that help keep the number of false positives low. We also describe our approach to call graph construction in the presence of reflection [...]. Alternatively, 'secured' application executables can be automatically generated based on the same PQL vulnerability specification. Secured executables may be deployed on a standard application server. Furthermore, to improve application uptime, vulnerability recovery rules may be specified. Finally, we show how static analysis can be used to significantly reduce the instrumentation overhead.

Related Links لينك‌های مرتبط :-

Speaker(s) اجرا :Benjamin Livshits, Ph.D. candidate, Computer Science, Stanford University

Runtime مدت زمان :01:24:47

Video Size حجم ويدئو :294 MB

Number of Slides تعداد اسلايد‌ها :150 (7 MB)