Finding Application Errors and Security Flaws Using PQL: A Program Query Language

Author: Michael Martin. Text of the slides from the presentation "Finding Application Errors and Security Flaws Using PQL: A Program Query Language.ppt".
Slide 1. Finding Application Errors and Security Flaws Using PQL: A Program Query Language
Michael Martin, Benjamin Livshits, Monica S. Lam. Stanford University. OOPSLA 2005.

Slide 2. The Problem
Lots of bug-finding research: null dereferences, buffer overruns, data races.
Many bugs are application-specific: misuse of libraries, violation of application logic.

Slide 3. Solution: Division of Labor
Programmer: knows the target program, doesn't know analysis.
Program analysis specialists: know analysis, don't know the specific bugs.
Give the programmer a usable analysis.

Slide 4. Program Query Language
Queries operate on program traces: a sequence of events representing a run.
Refers to object instances, not variables.
Events matched may be widely spaced.
Patterns resemble Java code: like a small matching code snippet, with no references to compiler internals.

Slide 5. System Architecture
[Figure: question and program feed an instrumenter and a static analyzer.]

Slide 6. Complementary Approaches
Dynamic analysis: finds matches at run time. After a match: can execute user code, can fix code by replacing instructions.
Static analysis: finds all possible matches. Conservative: can prove the lack of a match. Results can optimize the dynamic analysis.

Slide 7. Experimental Results
Explored a wide range of PQL queries: bad session stores (API violations), SQL injections (security flaws), mismatched calls (API violations), lapsed listeners (memory leaks).
Automatically repaired and prevented many bugs at runtime: fixed memory leaks, prevented security flaws.
Runtime overhead is reasonable: overhead in the 9-125% range; static optimization removed 82-99% of instrumentation points.
Found 206 bugs in 6 real-life Java applications (Eclipse, popular web applications; 60,000 classes combined).

Slide 8. System Architecture
[Figure: question becomes a PQL query; PQL query and program feed the instrumenter and the static analyzer.]

Slide 9. Running Example: SQL Injection
Unvalidated user input is passed to a database back-end for execution.
If SQL is embedded in the input, the attacker can take over the database: unauthorized data reads, unauthorized data modifications.
One of the top web security flaws.

Slide 10. SQL Injection 1
    HttpServletRequest req = /* ... */;
    java.sql.Connection conn = /* ... */;
    String q = req.getParameter("QUERY");
    conn.execute(q);
Trace: CALL o1.getParameter(o2) RET o3 CALL o4.execute(o3) RET o5

Slide 11. SQL Injection 2
    String read() {
        HttpServletRequest req = /* ... */;
        return req.getParameter("QUERY");
    }
    /* ... */
    java.sql.Connection conn = /* ... */;
    conn.execute(read());
Trace: CALL read() CALL o1.getParameter(o2) RET o3 RET o3 CALL o4.execute(o3) RET o5

Slide 12. Essence of Pattern the Same
The object returned by getParameter is then argument 1 to execute.
Trace 1: 1 CALL o1.getParameter(o2) 2 RET o3 3 CALL o4.execute(o3) 4 RET o5
Trace 2: 1 CALL read() 2 CALL o1.getParameter(o2) 3 RET o3 4 RET o3 5 CALL o4.execute(o3) 6 RET o5

Slide 13. Translates Directly to PQL
    query main()
    uses String x;
    matches {
        x = HttpServletRequest.getParameter(_);
        Connection.execute(x);
    }
Query variables → heap objects. Instructions need not be adjacent in the trace.

Slide 14. Alternation
    query main()
    uses String x;
    matches {
        x = HttpServletRequest.getParameter(_)
        | x = HttpServletRequest.getHeader(_);
        Connection.execute(x);
    }

Slide 15. SQL Injection 3
    HttpServletRequest req = /* ... */;
    n = getParameter("NAME");
    p = getParameter("PASSWORD");
    conn.execute("SELECT * FROM logins WHERE name=" + n + " AND passwd=" + p);
The compiler translates string concatenation into operations on String and StringBuffer objects.

Slide 16. SQL Injection 3 (trace)
CALL o1.getParameter(o2) RET o3
CALL o1.getParameter(o4) RET o5
CALL StringBuffer.<init>(o6) RET o7
CALL o7.append(o8) RET o7
CALL o7.append(o3) RET o7
CALL o7.append(o9) RET o7
CALL o7.append(o5) RET o7
CALL o7.toString() RET o10
CALL o11.execute(o10) RET o12

Slide 17. Old Pattern Doesn't Work
CALL o1.getParameter(o2) RET o3
CALL o1.getParameter(o4) RET o5
...
CALL o11.execute(o10)
o10 is neither o3 nor o5, so no match.

Slide 18. Instance of the Tainted Data Problem
User-controlled input must be trapped and validated before being passed to the database.
Objects derived from an initial input must also be considered user-controlled.
Generalizes to many security problems: cross-site scripting, path traversal, response splitting, format string attacks, ...

Slides 19-21. Pattern Must Catch Derived Strings (animation frames; the events the pattern must follow are)
CALL o1.getParameter(o2) RET o3
CALL o1.getParameter(o4) RET o5
CALL o7.append(o3) RET o7
CALL o7.append(o9) RET o7
CALL o7.toString() RET o10
CALL o11.execute(o10)

Slide 22. Derived String Query
    query derived(Object x)
    uses Object temp;
    returns Object d;
    matches {
        { temp.append(x); d := derived(temp); }
        | { temp = x.toString(); d := derived(temp); }
        | { d := x; }
    }

Slide 23. New Main Query
    query main()
    uses String x, final;
    matches {
        x = HttpServletRequest.getParameter(_)
        | x = HttpServletRequest.getHeader(_);
        final := derived(x);
        Connection.execute(final);
    }

Slide 24. Defending Against Attacks
    query main()
    uses String x, final;
    matches {
        x = HttpServletRequest.getParameter(_)
        | x = HttpServletRequest.getHeader(_);
        final := derived(x);
    }
    replaces Connection.execute(final)
    with SQLUtil.safeExecute(x, final);
Sanitizes user-derived input: dangerous data cannot reach the database.

Slide 25. Other PQL Constructs
Partial order: { x.a(), x.b(), x.c(); } matches calls to a, b, and c on x in any order.
Forbidden events, example (double lock): x.lock(); ~x.unlock(); x.lock(); Single statements only.

Slide 26. Expressiveness
Concatenation + alternation = loop-free regexp.
+ Subqueries = CFG.
+ Partial order = CFG + intersection.
Quantified over the heap: each subquery is independent and existentially quantified.

Slide 27. System Architecture
[Figure: question and program feed the PQL engine; the instrumenter produces the instrumented program; static analyzer.]

Slide 28. Dynamic Matcher
Subquery → state machine.
Call to a subquery → new instance of the machine.
States carry "bindings" with them: query variables → heap objects. Bindings are acquired as the variables are referenced for the first time in a match.

Slide 29. Query to Translate
    query main()
    uses Object x, f;
    matches {
        x = getParameter(_) | x = getHeader(_);
        f := derived(x);
        execute(f);
    }

    query derived(Object x)
    uses Object t;
    returns Object y;
    matches {
        { y := x; }
        | { t = x.toString(); y := derived(t); }
        | { t.append(x); y := derived(t); }
    }

Slide 30. main() Query Machine
[Figure: state machine. The start state loops on * (any other event); transitions x = getParameter(_) or x = getHeader(_), then f := derived(x), then execute(f) into the accepting state; each intermediate state also loops on *.]

Slide 31. derived() Query Machine
[Figure: state machine. From the start state (looping on *) three alternative paths lead to the accepting state: y := x directly; t = x.toString() followed by y := derived(t); t.append(x) followed by y := derived(t).]

Slide 32. Example Program Trace
o1 = getHeader(o2)
o3.append(o1)
o3.append(o4)
o5 = execute(o3)

Slides 33-39. Stepping the machines through the trace (animation frames)
After o1 = getHeader(o2): main() takes x = getHeader(_) with { x=o1 } and starts derived() call 1 with { x=o1 }; its y := x branch gives { x=y=o1 }, so main() now also holds { x=o1, f=o1 }.
After o3.append(o1): derived() call 1 takes t.append(x) with { x=o1, t=o3 } and starts derived() call 2 with { x=o3 }; call 2's y := x branch gives { x=y=o3 }, which returns to call 1 as { x=o1, y=t=o3 } and to main() as { x=o1, f=o3 } alongside { x=o1, f=o1 }.
After o3.append(o4): no transition fires.
After o5 = execute(o3): main() takes execute(f) with { x=o1, f=o3 }: top-level match.

Slide 40. Find Relevance Fast
Hash map for each transition; every call-instance combined.
Key on known-used variables. All used variables known-used → one lookup per transition.

Slide 41. System Architecture
[Figure: question and program feed the PQL engine; the static analyzer produces static results; instrumenter.]

Slide 42. Static Analysis
"Can this program match this query?" Undecidable in general.
We give a conservative approximation: no matches found = none possible.

Slide 43. Static Analysis
PQL query automatically translated to a query on pointer analysis results.
Pointer analysis is sound and context-sensitive: 10^14 contexts in a good-sized application; exponential space represented with BDDs.
Analyses given in Datalog. See Whaley/Lam, PLDI 2004 (bddbddb) for details.

Slide 44. Static Results
Sets of objects and events that could represent a match, or program points that could participate in a match.
No results = no match possible!

Slide 45. System Architecture
[Figure: question and program feed the instrumenter and the static analyzer, which produce the optimized instrumented program.]

Slide 46. Optimizing the Dynamic Analysis
Static results are conservative. So, a point not in the result → the point is never in any match. So, no need to instrument it.
Usually more than 90% reduction.

Slide 47. Experiment Topics
Domain of Java web applications: serialization errors, SQL injection.
Domain of Eclipse IDE plugins: API violations, memory leaks.

Slide 48. Experiment Summary
Name            Classes   Inst. pts.   Bugs
webgoat           1,021          69      2
personalblog      5,236          36      2
road2hibernate    7,062         779      1
snipsnap         10,851         543      8
roller           16,359           0      1
Eclipse          19,439      18,152    192
TOTAL            59,968      19,579    206

Slide 49. Session Serialization Errors
Very common bug in web applications: the server tries to persist non-persistent objects.
Only manifests under heavy load; hard to find with testing.
One-line query in PQL:
    HttpSession.setAttribute(_, !Serializable);
Solvable purely statically; dynamic confirmation possible.

Slide 50. SQL Injection
Our running example. Static optimizes greatly: 92%-99.8% reduction of points, 2-3x speedup.
4 injections, 2 exploitable; blocked both exploits.
Further applications and an improved static analysis in Usenix Security '05.

Slide 51. Full derived() Query
    query derived(Object x)
    returns Object y;
    uses Object temp;
    matches {
        y := x
        | { temp = StringProp(x); y := derived(temp); }
    }

    query StringProp(Object * x)
    returns Object y;
    uses Object z;
    matches {
        y.append(x, ...)
        | x.getChars(_, _, y, _)
        | y.insert(_, x)
        | y.replace(_, _, x)
        | y = x.substring(...)
        | y = new java.lang.String(x)
        | y = new java.lang.StringBuffer(x)
        | y = x.toString()
        | y = x.getBytes(...)
        | y = _.copyValueOf(x)
        | y = x.concat(_)
        | y = _.concat(x)
        | y = new java.util.StringTokenizer(x)
        | y = x.nextToken()
        | y = x.next()
        | y = new java.lang.Number(x)
        | y = x.trim()
        | { z = x.split(...); y = z[]; }
        | y = x.toLowerCase(...)
        | y = x.toUpperCase(...)
        | y = _.replaceAll(_, x)
        | y = _.replaceFirst(_, x);
    }

Slide 52. Eclipse
IDE for Java. Very large (tens of MB of bytecode): too large for our static analysis.
Purely interactive: unoptimized dynamic overhead acceptable.

Slide 53. Queries on Eclipse
Paired methods: register/deregister, createWidget/destroyWidget, install/uninstall, startup/shutdown.
Lapsed listeners.

Slide 54. Eclipse Results
All paired-methods queries were run simultaneously: 56 mismatches detected.
The lapsed listener query was run alone: 136 lapsed listeners; can be automatically fixed.

Slide 55. Current Status
Open source and hosted on SourceForge, http://pql.sf.net: standalone dynamic implementation.

Slide 56. Related Work
PQL is a query language on program traces: JQuery, Partiqle, Dalek, ...
Observing behavior and finding bugs: Metal, Daikon, PREfix, Clouseau, ...
... and automatically adding code to fix them: AspectJ.

Slide 57. Conclusions
PQL, a Program Query Language: matches histories of sets of objects on a program trace; targets application developers.
Found many bugs: 206 application bugs and security flaws in 6 large real-life applications.
PQL provides a bridge to powerful analyses. Dynamic matcher: point-and-shoot even for unknown applications; automatically repairs the program on the fly. Static matcher: proves the absence of bugs; can reduce runtime overhead to production-acceptable.
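The matching semantics of slides 13-24 and 28-39 (ordered but non-adjacent events, query variables bound to heap objects, subqueries as independent existentially quantified matches) as an added, runnable example. This is not code from the slides or from the PQL project: it is an offline backtracking search over a recorded trace rather than the paper's online state machines, queries are written as Python tuples instead of PQL syntax, the event encoding (method, receiver, argument ids, return id) is an assumption, and the return values of the append calls in the slide 32 trace are filled in (the slide omits them). It runs the slide 14 pattern without derived() and the slide 23 pattern with it over the slide 16 trace, reproducing the "no match" of slide 17 and the tainted matches, and replays slide 32 to the { x=o1, f=o3 } match of slide 39.

```python
"""Offline matcher for PQL-style queries over a recorded call trace (added example,
not the paper's or the PQL project's code). Events must occur in query order but
need not be adjacent; query variables bind to heap object ids; a subquery call is
an independent existential sub-search that inherits its arguments."""
from typing import Dict, Iterator, List, NamedTuple, Optional, Tuple


class Event(NamedTuple):
    method: str            # "getParameter", "append", "execute", ...
    recv: Optional[str]    # receiver object id (None when not recorded)
    args: Tuple[str, ...]  # argument object ids
    ret: Optional[str]     # returned object id


Env = Dict[str, str]
# Query steps as plain tuples (no PQL parser here):
#   ("ev", method, recv, args, ret)  one completed call; recv/args/ret are query
#                                    variables, "_" (wildcard) or None (unconstrained)
#   ("alias", y, x)   y := x        ("sub", name, args, out)   out := name(args)
#   ("alt", [seq, ...])             alternation between step sequences

def unify(pat: Optional[str], value: Optional[str], env: Env) -> Optional[Env]:
    """Bind or check one query variable; None means a conflict."""
    if pat is None or pat == "_":
        return env
    if value is None:
        return None
    if pat in env:
        return env if env[pat] == value else None
    return {**env, pat: value}

def match_event(step, ev: Event, env: Env) -> Optional[Env]:
    _, method, recv, args, ret = step
    if ev.method != method or len(args) != len(ev.args):
        return None
    for pat, val in [(recv, ev.recv), *zip(args, ev.args), (ret, ev.ret)]:
        env = unify(pat, val, env)
        if env is None:
            return None
    return env

def match_seq(steps, trace, pos, env, queries) -> Iterator[Tuple[int, Env]]:
    """Yield (position after the last matched event, bindings) for every way
    `steps` matches trace[pos:] in order, skipping unrelated events."""
    if not steps:
        yield pos, env
        return
    head, rest = steps[0], steps[1:]
    if head[0] == "ev":
        for i in range(pos, len(trace)):          # the "*" self-loop on each state
            env2 = match_event(head, trace[i], env)
            if env2 is not None:
                yield from match_seq(rest, trace, i + 1, env2, queries)
    elif head[0] == "alias":
        env2 = unify(head[1], env[head[2]], env)
        if env2 is not None:
            yield from match_seq(rest, trace, pos, env2, queries)
    elif head[0] == "alt":
        for branch in head[1]:
            yield from match_seq([*branch, *rest], trace, pos, env, queries)
    elif head[0] == "sub":                         # new machine instance per call
        params, returns, body = queries[head[1]]
        sub_env = dict(zip(params, (env[a] for a in head[2])))
        for pos2, sub_res in match_seq(body, trace, pos, sub_env, queries):
            env2 = unify(head[3], sub_res[returns], env)
            if env2 is not None:
                yield from match_seq(rest, trace, pos2, env2, queries)

# query derived(Object x) uses Object t; returns Object y; matches {
#   { t.append(x); y := derived(t); } | { t = x.toString(); y := derived(t); } | { y := x; } }
DERIVED = (["x"], "y", [("alt", [
    [("ev", "append", "t", ("x",), None), ("sub", "derived", ("t",), "y")],
    [("ev", "toString", "x", (), "t"), ("sub", "derived", ("t",), "y")],
    [("alias", "y", "x")]])])
SOURCE = ("alt", [[("ev", "getParameter", None, ("_",), "x")],
                  [("ev", "getHeader", None, ("_",), "x")]])
# Slide 14's pattern without derived(), and slide 23's pattern with it.
OLD_MAIN = ([], None, [SOURCE, ("ev", "execute", None, ("x",), None)])
NEW_MAIN = ([], None, [SOURCE, ("sub", "derived", ("x",), "f"),
                       ("ev", "execute", None, ("f",), None)])
QUERIES = {"derived": DERIVED, "old_main": OLD_MAIN, "main": NEW_MAIN}

def matches(query: str, trace: List[Event]) -> List[Env]:
    """Distinct binding sets of the query's own variables under which it matches."""
    out: List[Env] = []
    for _, env in match_seq(QUERIES[query][2], trace, 0, {}, QUERIES):
        if env not in out:
            out.append(env)
    return out

# Constructed traces transcribed from the slides (object ids as on the slides).
TRACE_SLIDE16 = [  # conn.execute("SELECT ... name=" + n + " AND passwd=" + p)
    Event("getParameter", "o1", ("o2",), "o3"), Event("getParameter", "o1", ("o4",), "o5"),
    Event("<init>", "StringBuffer", ("o6",), "o7"), Event("append", "o7", ("o8",), "o7"),
    Event("append", "o7", ("o3",), "o7"), Event("append", "o7", ("o9",), "o7"),
    Event("append", "o7", ("o5",), "o7"), Event("toString", "o7", (), "o10"),
    Event("execute", "o11", ("o10",), "o12")]
TRACE_SLIDE32 = [  # o1 = getHeader(o2); o3.append(o1); o3.append(o4); o5 = execute(o3)
    Event("getHeader", None, ("o2",), "o1"), Event("append", "o3", ("o1",), "o3"),
    Event("append", "o3", ("o4",), "o3"), Event("execute", None, ("o3",), "o5")]
```

Calling matches("old_main", TRACE_SLIDE16) returns no bindings, because the executed string o10 is neither o3 nor o5; matches("main", TRACE_SLIDE16) follows append and toString through the StringBuffer and reports both tainted parameters reaching execute as o10, and matches("main", TRACE_SLIDE32) returns the single { x=o1, f=o3 } match of slide 39. The recursion in derived() terminates because every recursive branch first consumes at least one trace event, so the depth is bounded by the trace length.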