Post on 19-Dec-2015
Page 1: Finding Application Errors and Security Flaws Using PQL: A Program Query Language
Michael Martin, Ben Livshits, Monica S. Lam
Stanford University
First presented at OOPSLA 2005
Page 2: Motivation
Lots of bug-finding research
▪ Null dereferences, memory errors
▪ Buffer overruns
▪ Data races
Many, if not most, bugs are application-specific
▪ Misuse of libraries
▪ Violations of application logic
Page 3: Our Approach: Division of Labor
Programmer
▪ Knows the target program, its properties and invariants
▪ Doesn't know analysis
Program analysis specialists
▪ Know analysis
▪ Don't know the specific bugs to look for
Goal: give the programmer a usable analysis for bug finding, debugging, and program understanding tasks
Page 4: Program Query Language: PQL
Queries operate on program traces
▪ A sequence of events representing a run
▪ Refers to object instances, not variables
▪ Matched events may be widely spaced
Patterns resemble actual Java code
▪ Like a small matching code snippet
▪ No references to compiler internals
Page 5: Talk Outline
Motivation for PQL
PQL language by example
Dynamic PQL query matcher
Static PQL query matcher
Experimental results
Page 6: Basic SQL Injection
HttpServletRequest req = /* ... */;
java.sql.Connection conn = /* ... */;
String query = req.getParameter("QUERY");
conn.execute(query);
1 CALL o1.getParameter(o2)
2 RET o2
3 CALL o3.execute(o2)
4 RET o4
Unvalidated user input is passed to a database
If SQL is embedded in the input, the attacker can take over the database
One of the top Web application security flaws
Page 7: Interprocedural SQL Injection
private String read() {
  HttpServletRequest req = /* ... */;
  return req.getParameter("QUERY");
}
java.sql.Connection conn = /* ... */;
conn.execute(read());
1 CALL read()
2 CALL o1.getParameter(o2)
3 RET o3
4 RET o3
5 CALL o4.execute(o3)
6 RET o5
Page 8: Essence of Patterns is the Same
Basic case:
1. CALL o1.getParameter(o2)
2. RET o3
3. CALL o4.execute(o3)
4. RET o5
Interprocedural case:
1. CALL read()
2. CALL o1.getParameter(o2)
3. RET o3
4. RET o3
5. CALL o4.execute(o3)
6. RET o5
In both, the object returned by getParameter is then argument 1 to execute
Page 9: Translates Directly to PQL
query main()
uses String param;
matches {
  param = HttpServletRequest.getParameter(_);
  Connection.execute(param);
}
Query variables correspond to heap objects
Instructions need not be adjacent in a trace
Page 10: Add Alternation
query main()
uses String param;
matches {
  param = HttpServletRequest.getParameter(_)
  | param = HttpServletRequest.getHeader(_);
  Connection.execute(param);
}
Page 11: Capturing More Complex SQL Injection
HttpServletRequest req = /* ... */;
String name = req.getParameter("NAME");
String password = req.getParameter("PASSWORD");
conn.execute("SELECT * FROM logins WHERE name=" + name + " AND passwd=" + password);
String concatenation is translated into operations on String and StringBuffer objects
Page 12: SQL Injection (3)
1 CALL o1.getParameter(o2)
2 RET o3
3 CALL o1.getParameter(o4)
4 RET o5
5 CALL StringBuffer.<init>(o6)
6 RET o7
7 CALL o7.append(o8)
8 RET o7
9 CALL o7.append(o3)
10 RET o7
11 CALL o7.append(o9)
12 RET o7
13 CALL o7.append(o5)
14 RET o7
15 CALL o7.toString()
16 RET o10
17 CALL o11.execute(o10)
18 RET o12
Old Pattern Doesn’t Work
Page 13: Tainted Data Problem
Sources, sinks, derived objects
Generalizes to many information-flow security problems: cross-site scripting, path traversal, HTTP response splitting, format string attacks...
Figure: objects o1, o2, o3 and o4, with o1 labelled source and o3 labelled sink
Page 14: Derived String Query
query derived (Object x)
uses Object temp;
returns Object d;
matches {
{ temp.append(x); d := derived(temp); }
| { temp = x.toString(); d := derived(temp); }
| { d := x; }
}
Page 15: New Main Query
query main()
uses String param, final;
matches {
  param = HttpServletRequest.getParameter(_)
  | param = HttpServletRequest.getHeader(_);
  final := derived(param);
  Connection.execute(final);
}
Page 16: Defending Against Attacks
Sanitizes user-derived input
Dangerous data cannot reach the database
query main()
uses String param, final;
matches {
  param = HttpServletRequest.getParameter(_)
  | param = HttpServletRequest.getHeader(_);
  final := derived(param);
}
replaces Connection.execute(final)
with SQLUtil.safeExecute(param, final);
Page 17: Remaining PQL Constructs
Partial order: { o.a(), o.b(), o.c(); } matches calls to a, b, and c on o in any order
Forbidden events, example: double-lock
l.lock(); ~l.unlock(); l.lock();
Page 18: Expressiveness of PQL
Ingredients: events, sequencing, alternation, subqueries, recursion, partial order, forbidden events
Concatenation + alternation = loop-free regular expressions
+ subqueries = context-free grammars (CFG)
+ partial order = CFG + intersection
Quantified over the heap
▪ Each subquery independent
▪ Existentially quantified
Page 19: Talk Outline
Motivation for PQL
PQL language by example
Dynamic PQL query matcher
Static PQL query matcher
Experimental results
Page 20: PQL System Architecture
Figure: a Question about a Program is expressed as a PQL Query; the PQL Engine produces an Instrumented Program, Static Results, and an Optimized Instrumented Program
Page 21: Complementary Approaches
Dynamic analysis: finds matches at runtime
▪ After a match: can execute user code
▪ Can fix code by replacing instructions
Static analysis: finds all possible matches
▪ Conservative: can prove lack of match
▪ Results can optimize dynamic analysis
Page 22: Dynamic Matcher for PQL
Subqueries: state machine
▪ Call to a subquery: new instance of machine
States carry bindings with them
▪ Query variables: heap objects
▪ Bindings are acquired when variables are referenced for the first time in a match
Page 23: Query to Translate
query main()
uses Object param, f;
matches {
  param = getParameter(_) | param = getHeader(_);
  f := derived(param);
  execute(f);
}
query derived(Object x)
uses Object t;
returns Object y;
matches {
  { y := x; }
  | { t = x.toString(); y := derived(t); }
  | { t.append(x); y := derived(t); }
}
Page 24: main() Query Machine
Figure: state machine with a self-loop (*) on each state; transitions param = getParameter(_) or param = getHeader(_), then f := derived(param), then execute(f)
Page 25: derived() Query Machine
Figure: state machine with self-loops (*); from the start state, y := x accepts immediately, while t = x.toString() or t.append(x) lead to a state that accepts via y := derived(t)
Page 26: main(): Top Level Match
Figure: the main() machine (x = getParameter(_) | x = getHeader(_); f := derived(x); execute(f), with a self-loop * on each state) run over the trace below; each state carries its set of bindings, starting from { }
o1 = getHeader(o2): bindings {x=o1}, then {x=o1,f=o1} once derived(x) returns x
o3.append(o1): adds {x=o1,f=o3}
o3.append(o4): no new binding
o5 = execute(o3): match with {x=o1,f=o3}
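The binding-carrying matcher of slides 22-26, run over the main()/derived() query of slides 14-16 and 23, as an added Python example; it is not code from the talk or from the PQL system. Each partial match is a pair of bindings (x, f) that the matcher extends on append/toString events, exactly as the binding sets on slide 26 grow. The Event class, the object names and both traces are assumptions constructed from the traces shown on slides 12 and 26.

```python
"""PQL-style dynamic matcher for the main()/derived() taint query.

Added illustration, not code from the PQL project.  Every partial match is a
pair of bindings (x, f): x is the object returned by the source call and f is
the object the derived(x) subquery currently stands at.  As on slide 26, the
set of partial matches grows as trace events arrive; a match completes when
execute() is called with a bound f as its argument.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

SOURCES = {"getParameter", "getHeader"}  # the alternation in main()
SINK = "execute"                          # Connection.execute in the slides


@dataclass(frozen=True)
class Event:
    """One trace event.  Names such as "o1" stand for heap object identities,
    as in the slides; a field is None when the trace does not show it."""
    method: str
    recv: Optional[str] = None
    arg: Optional[str] = None
    ret: Optional[str] = None


def match_main(trace: List[Event], use_derived: bool = True,
               on_match: Optional[Callable[[str, str], None]] = None
               ) -> List[Tuple[str, str]]:
    """Return the (x, f) bindings for which main() matches, in trace order.

    use_derived=False gives the 'old pattern' of slides 9-10, which only
    matches when the source's return value reaches execute() unchanged.
    on_match is the hook of slide 21: user code run as soon as a match is
    found (slide 16 uses this point to swap in SQLUtil.safeExecute).
    """
    partial = set()   # partial matches as (x, f) pairs
    matches = []
    for ev in trace:
        if ev.method in SOURCES and ev.ret is not None:
            # bind x; the "d := x" branch of derived() lets f start as x itself
            partial.add((ev.ret, ev.ret))
        elif use_derived and ev.method == "append" and ev.recv and ev.arg:
            # { t.append(x); d := derived(t) }: the receiver t becomes derived
            partial |= {(x, ev.recv) for (x, f) in partial if f == ev.arg}
        elif use_derived and ev.method == "toString" and ev.recv and ev.ret:
            # { t = x.toString(); d := derived(t) }: the result t is derived
            partial |= {(x, ev.ret) for (x, f) in partial if f == ev.recv}
        elif ev.method == SINK and ev.arg:
            found = sorted((x, f) for (x, f) in partial if f == ev.arg)
            for x, f in found:
                if on_match:
                    on_match(x, f)
            matches.extend(found)
    return matches


# Constructed trace of slide 26: o1 = getHeader(o2); o3.append(o1);
# o3.append(o4); o5 = execute(o3)
SLIDE26_TRACE = [
    Event("getHeader", arg="o2", ret="o1"),
    Event("append", recv="o3", arg="o1"),
    Event("append", recv="o3", arg="o4"),
    Event("execute", arg="o3", ret="o5"),
]

# Constructed trace of slide 12: two getParameter results are concatenated
# into a StringBuffer whose toString() result reaches execute()
SLIDE12_TRACE = [
    Event("getParameter", recv="o1", arg="o2", ret="o3"),
    Event("getParameter", recv="o1", arg="o4", ret="o5"),
    Event("<init>", recv="o7", arg="o6"),      # StringBuffer constructor
    Event("append", recv="o7", arg="o8", ret="o7"),
    Event("append", recv="o7", arg="o3", ret="o7"),
    Event("append", recv="o7", arg="o9", ret="o7"),
    Event("append", recv="o7", arg="o5", ret="o7"),
    Event("toString", recv="o7", ret="o10"),
    Event("execute", recv="o11", arg="o10", ret="o12"),
]

if __name__ == "__main__":
    for name, trace in (("slide 26", SLIDE26_TRACE), ("slide 12", SLIDE12_TRACE)):
        print(name, "old pattern:", match_main(trace, use_derived=False))
        print(name, "with derived:", match_main(trace))
```

On the slide 12 trace the old pattern reports nothing, because the object returned by getParameter never reaches execute() directly; with the derived() branches enabled the matcher reports both tainted parameters (o3 and o5) flowing into the executed string o10, and on the slide 26 trace it ends with exactly the binding set {x=o1, f=o3} shown there.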
Page 27: Talk Outline
Motivation for PQL
PQL language by example
Dynamic PQL query matcher
Static PQL query matcher
Experimental results
Page 28: Static Analysis
"Can this program match this query?"
▪ Use pointer analysis to give a conservative approximation
▪ No matches found = none possible
PQL query automatically translated into a query on pointer analysis results
▪ Pointer analysis is sound and context-sensitive
▪ 10^14 contexts in a good-sized application
▪ Exponential space represented with BDDs
▪ Analyses given in Datalog
See Whaley/Lam, PLDI 2004 (bddbddb) for details
Page 29: Using Static Analysis Results
Sets of objects and events that could represent a match, or program points that could participate in a match
Static results are conservative
▪ So a point not in the result is never in any match
▪ So there is no need to instrument it
Usually more than 90% overhead reduction
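A toy version of the static pre-filter described on slides 28-29, written as an added Python example; it is not the PQL project's Datalog/bddbddb analysis. It takes a hand-constructed points-to result per call site, runs two flow-insensitive fixpoints that over-approximate which objects can be derived from a source and which can still flow into a sink, and returns the call sites the dynamic matcher must instrument; every site it leaves out can never take part in a match, which is the property that lets the instrumentation be dropped. The Site class, the site ids and the abstract object names are assumptions.

```python
"""Conservative static pre-filter for the main()/derived() query.

Added illustration with a constructed, hand-written points-to result; it is
not the PQL project's analysis.  Each call site carries points-to sets
(frozensets of abstract heap objects) for the values the query reads from it.
Two fixpoints over-approximate (1) every object that may be derived from a
source and (2) every object that may flow on into a sink; a site is
instrumented only if it lies on such a source-to-sink path.  Because both
sets over-approximate, a site left out can never take part in a match.
"""
from dataclasses import dataclass
from typing import FrozenSet, List

Objs = FrozenSet[str]
NONE: Objs = frozenset()


@dataclass(frozen=True)
class Site:
    """One call site.  kind is source / append / toString / sink / other.
    inp is the object the query consumes here (argument of append and
    execute, receiver of toString); out is the object it produces (return
    value of a source or of toString, receiver of append)."""
    id: str
    kind: str
    inp: Objs = NONE
    out: Objs = NONE


def _fixpoint(sites: List[Site], seed: Objs, forward: bool) -> Objs:
    """Propagate along append/toString sites until no new object appears."""
    reached = set(seed)
    changed = True
    while changed:
        changed = False
        for s in sites:
            if s.kind not in ("append", "toString"):
                continue
            src, dst = (s.inp, s.out) if forward else (s.out, s.inp)
            if src & reached and not dst <= reached:
                reached |= dst
                changed = True
    return frozenset(reached)


def instrumentation_points(sites: List[Site]) -> List[str]:
    """Ids of the sites the dynamic matcher must observe, in program order."""
    source_objs = frozenset().union(*(s.out for s in sites if s.kind == "source"))
    tainted = _fixpoint(sites, source_objs, forward=True)
    sink_in = frozenset().union(*(s.inp & tainted for s in sites if s.kind == "sink"))
    if not sink_in:
        return []  # empty static result: no match is possible at all
    reach = _fixpoint(sites, sink_in, forward=False)
    keep = []
    for s in sites:
        if s.kind == "source":
            ok = bool(s.out & reach)
        elif s.kind == "sink":
            ok = bool(s.inp & tainted)
        elif s.kind in ("append", "toString"):
            ok = bool(s.inp & tainted) and bool(s.out & reach)
        else:
            ok = False
        if ok:
            keep.append(s.id)
    return keep


def overhead_reduction(sites: List[Site]) -> float:
    """Fraction of call sites the static result lets us leave uninstrumented."""
    return 1.0 - len(instrumentation_points(sites)) / len(sites)


# Constructed program: a request parameter A is appended (with a constant C)
# into buffer SB1, whose string S1 is executed; header B is appended into SB2,
# which is only ever converted to a string S2 and never executed; S3 is a
# constant query.
PROGRAM = [
    Site("s1", "source", out=frozenset({"A"})),        # req.getParameter(...)
    Site("s2", "source", out=frozenset({"B"})),        # req.getHeader(...)
    Site("s3", "append", inp=frozenset({"A"}), out=frozenset({"SB1"})),
    Site("s4", "append", inp=frozenset({"C"}), out=frozenset({"SB1"})),
    Site("s5", "toString", inp=frozenset({"SB1"}), out=frozenset({"S1"})),
    Site("s6", "sink", inp=frozenset({"S1"})),         # conn.execute(S1)
    Site("s7", "append", inp=frozenset({"B"}), out=frozenset({"SB2"})),
    Site("s8", "toString", inp=frozenset({"SB2"}), out=frozenset({"S2"})),
    Site("s9", "sink", inp=frozenset({"S3"})),         # conn.execute(S3)
    Site("s10", "other"),
]

if __name__ == "__main__":
    print("instrument:", instrumentation_points(PROGRAM))
    print("reduction: %.0f%%" % (100 * overhead_reduction(PROGRAM)))
```

Of the ten sites only s1, s3, s5 and s6 lie on a source-to-sink path: the header source s2 is dropped because nothing derived from it ever reaches execute(), the constant append s4 because its argument is never tainted, and s9 because its query string is not derived from any source.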
Page 30: Talk Outline
Motivation for PQL
PQL language by example
Dynamic PQL query matcher
Static PQL query matcher
Experimental results
Page 31: Experimental Results
Web apps:
▪ Security vulnerabilities (SQL injection, cross-site scripting attacks)
▪ Bad session stores (a common J2EE bug)
Eclipse:
▪ Memory leaks (lapsed listeners, a variation of the observer pattern)
▪ Mismatched API calls (method call pairs)
Page 32: Web Applications
Name            Classes
webgoat           1,021
personalblog      5,236
road2hibernate    7,062
snipsnap         10,851
roller           16,359
Page 33: Session Serialization Errors
Very common bug in Web applications
▪ Server tries to persist non-persistent objects
▪ Only manifests under heavy load
▪ Hard to find with testing
One-line query in PQL:
HttpSession.setAttribute(_, !Serializable(_));
Solvable purely statically
▪ Dynamic confirmation possible
Page 34: SQL Injection
Part of a system called SecuriFly [MLL'06]
Static analysis greatly reduces overhead
▪ 92%-99.8% reduction of instrumentation points
▪ 2-3x speedup
4 injections found, 2 exploitable
▪ Blocked both exploits
Page 35: Eclipse
A popular IDE for Java
Very large (tens of MB of bytecode)
▪ Too large for our static analysis
Purely interactive
▪ Unoptimized dynamic overhead acceptable
Page 36: Queries on Eclipse APIs
Paired method calls:
▪ register/deregister
▪ createWidget/destroyWidget
▪ install/uninstall
▪ startup/shutdown
How do we find more patterns like this? Read our FSE'05 paper [LZ'05]
Page 37: Lapsed Listeners
Frequent anti-pattern leading to memory leaks
▪ Hold on to a large object, fail to call removeListener
Can force a call to removeListener if we keep track of added listeners
Listener l = new MyListener(...) { ... };
widget.addListener(l);
{ ... }
widget.removeListener(l);
Page 38: Eclipse Result Summary
All paired-methods queries were run simultaneously
▪ 56 mismatches detected
Lapsed listener query was run alone
▪ 136 lapsed listeners detected
▪ Can be automatically fixed
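The forbidden-event double-lock query of slide 17 and the paired-method and lapsed-listener queries of slides 36-38 share one shape: an open call that must be followed by its close on the same objects. The added Python example below (not the PQL project's matcher) checks that shape over constructed traces and also produces the forced removeListener calls that slide 37 describes. The check_pairs function, the tuple event encoding and both traces are assumptions.

```python
"""Trace checker for paired method calls, forbidden events and lapsed
listeners.  Added illustration, not the PQL project's matcher; the traces
are constructed by hand.

An event is a (method, receiver, argument) tuple of object names.  A pattern
is an (open, close) method pair that must alternate on the same
(receiver, argument) key: l.lock()/l.unlock() on a lock, or
widget.addListener(l)/widget.removeListener(l) on a widget-listener pair.
"""
from typing import Dict, List, Optional, Tuple

Event = Tuple[str, Optional[str], Optional[str]]   # (method, recv, arg)
Key = Tuple[Optional[str], Optional[str]]
Violation = Tuple[str, Key, int]                    # (description, key, index)


def check_pairs(trace: List[Event], open_m: str, close_m: str,
                forbid_reopen: bool = False) -> Tuple[List[Violation], List[Event]]:
    """Match open/close pairs along the trace and return (violations, fixes).

    Violations reported:
      * "<open> without <close>": only with forbid_reopen=True; this is the
        forbidden-event query  o.open(); ~o.close(); o.open();  of slide 17
      * "<close> without <open>": a close with no pending open
      * "unmatched <open>": still open at the end of the trace, i.e. a
        paired-call mismatch, or a lapsed listener for addListener
    fixes are the close events that would repair the unmatched opens, the
    forced removeListener calls of slide 37.
    """
    pending: Dict[Key, int] = {}
    violations: List[Violation] = []
    for i, (method, recv, arg) in enumerate(trace):
        key = (recv, arg)
        if method == open_m:
            if forbid_reopen and key in pending:
                violations.append((f"{open_m} without {close_m}", key, i))
            pending[key] = i
        elif method == close_m:
            if key in pending:
                del pending[key]   # ~close seen: the pair is complete
            else:
                violations.append((f"{close_m} without {open_m}", key, i))
    unmatched = sorted(pending.items(), key=lambda kv: kv[1])
    violations.extend((f"unmatched {open_m}", key, i) for key, i in unmatched)
    fixes: List[Event] = [(close_m, key[0], key[1]) for key, _ in unmatched]
    return violations, fixes


# Constructed lock trace: l2 is locked twice with no unlock in between
LOCK_TRACE: List[Event] = [
    ("lock", "l1", None), ("unlock", "l1", None), ("lock", "l1", None),
    ("lock", "l2", None), ("lock", "l2", None), ("unlock", "l2", None),
    ("unlock", "l1", None),
]

# Constructed listener trace: lb and lc are never removed, ld was never added
LISTENER_TRACE: List[Event] = [
    ("addListener", "w1", "la"), ("addListener", "w1", "lb"),
    ("removeListener", "w1", "la"), ("addListener", "w2", "lc"),
    ("removeListener", "w2", "ld"),
]

if __name__ == "__main__":
    print(check_pairs(LOCK_TRACE, "lock", "unlock", forbid_reopen=True))
    print(check_pairs(LISTENER_TRACE, "addListener", "removeListener"))
```

Deleting the pending entry when the close arrives is what gives the `~l.unlock()` forbidden-event semantics: a second lock on l2 is a violation only because no unlock on l2 has been seen since the first one, while l1 is locked, unlocked and locked again without complaint.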
Page 39: Experimental Summary
Name            Classes  Instrumentation Pts  Bugs
webgoat           1,021                   69     2
personalblog      5,236                   36     2
road2hibernate    7,062                  779     1
snipsnap         10,851                  543     8
roller           16,359                    0     1
Eclipse          19,439               18,152   192
TOTAL            59,968               19,579   206
Automatically repaired and prevented bugs at runtime
Overhead in the 9-125% range
Static optimization removes 82-99% of instrumentation points
Page 40: Current Status
PQL system is open source
▪ Hosted on SourceForge: http://pql.sourceforge.net
Standalone dynamic implementation
Point-and-shoot static system
Page 41: Conclusions
PQL: a Program Query Language
▪ Match histories of sets of objects on a program trace
▪ Targeting application developers
Found many bugs
▪ 206 application bugs and security flaws
▪ 6 large real-life applications
PQL gives a bridge to powerful analyses
▪ Dynamic matcher: point-and-shoot even for unknown applications; automatically repairs the program on the fly
▪ Static matcher: proves absence of bugs; can reduce runtime overhead to production-acceptable levels
Page 42: Discussion
Domains for bug recovery
▪ SecuriFly (sanitize when necessary)
▪ Failure-oblivious computing
Distributed monitors
▪ Consider gmail: can we monitor properties of such a client/server application?
Dynamic monitors
▪ Long-running applications
▪ Add and remove monitoring rules as time