introducing mango: a formal eclipse plugin for java vulnerability detection
DESCRIPTION
Introducing Mango: A Formal Eclipse plugin for Java Vulnerability Detection. Frank Rimlinger Information Assurance Directorate National Security Agency http:// babelfish.arc.nasa.gov / trac / jpf /wiki/projects/ jpf -mango. Summary. Tool purpose, features - PowerPoint PPT PresentationTRANSCRIPT
Introducing Mango: A Formal Eclipse plugin for Java Vulnerability Detection
Introducing Mango: A Formal Eclipse plugin for Java Vulnerability DetectionFrank RimlingerInformation Assurance DirectorateNational Security Agencyhttp://babelfish.arc.nasa.gov/trac/jpf/wiki/projects/jpf-mango
SummaryTool purpose, featuresWhat is Eclipse? What is a plugin?Finalizer attack (from Oracle Java Security Guide)Step 1: Build trapStep2: Mock-upStep3: Detect trapStep4: TrainMango class resolver, and math foundations.Tool purposeCreate and understand formal specification of Java code.Create and apply tests to screen for known issues.Formulate and prove properties about the code using automated theorem proving.Tool featuresAvailable as open-source, Eclipse plugin.Persistent automated modeling of formal specification.Natural language translation.Navigable view of specification.Pattern capture-and-edit for test creation.Layered Eclipse project design for code approximation.What is Eclipse?
What is the Mango plugin?
Finalizer attack
Step 1: Build the trapHow to use Mango to build a trap for catching coding errors which enable the finalizer attack.Add safe.firewallCheck()
Build the opaque spec
Inspect the state transition
Modify the heap reference
Step 2: Mock-upHow to set up a mock situation that will fire the trap.Firewall and sensitive dummies
Approximate the sensitive methodStep 3: DetectCreate a training rule to detect and report all firewallCheck expressions.More refined rules later to weed out false positives.The training rule
Step 4 TrainUse Mango navigation of generated specification to reveal the salient features of the formal model. Develop rules for more general situations.
Generate the mock-up spec
Movie: Mango does its thing!
Navigate to the hit point
Edit hit to generalize
The loop algorithm
The confluence algorithm
Confluence Alg concluded