Merlin: Specification inference for explicit information flow problems

ACM SIGPLAN Notices

Volumn 44, Issue 6, 2009, Pages 75-86

  Livshits, Benjamin ^a   Nori, Aditya V ^a   Rajamani, Sriram K ^a   Banerjee, Anindya ^b  

^a MICROSOFT RESEARCH   (United States)

^b IMDEA SOFTWARE INSTITUTE   (Spain)

Author keywords

Security analysis tools; Specification inferences

Indexed keywords

BUFFER OVERRUN; CROSS SITE SCRIPTING; DATA PROPAGATION; EXPLICIT INFORMATION; EXPONENTIAL NUMBERS; FACTOR GRAPHS; FALSE POSITIVE; FALSE POSITIVE RATES; INFORMATION FLOWS; INTER-PROCEDURAL; LARGE BUSINESS; MANUAL LABORS; NEW APPROACHES; PATH CONSTRAINT; PROBABILISTIC ABSTRACTION; PROBABILISTIC CONSTRAINTS; PROBABILISTIC INFERENCE; PROGRAM CODE; PROPAGATION GRAPH; QUALITY OF RESULTS; RUN-TIME ANALYSIS; SECURITY ANALYSIS TOOLS; SECURITY VIOLATIONS; SQL INJECTION; WEB APPLICATION;

GRAPH THEORY; SECURITY OF DATA; SECURITY SYSTEMS; WORLD WIDE WEB;

SPECIFICATIONS;

EID: 67650837962     PISSN: 15232867     EISSN: None     Source Type: Journal    
DOI: None     Document Type: Conference Paper

References (36)

1. D. Chandra and M. Franz. Fine-grained information flow analysis and enforcement in a java virtual machine. In Annual Computer Security Applications Conference, pages 463-475, 2007.
2. M. Dalton, H. Kannan, and C. Kozyrakis. Raksha: a flexible information flow architecture for software security. In Proceedings of the International Symposium on Computer Architecture, pages 482-493, 2007.
3. D. R. Engler, D. Y. Chen, and A. Chou. Bugs as inconsistent behavior: A general approach to inferring errors in systems code. In In Proceedings of ACM Symposium on Operating Systems Principles, pages 57-72, 2001.
4. Fortify. Fortify code analyzer. http://www.ouncelabs.com/, 2008.
5. C. L. Goues and W. Weimer. Specification mining with few false positives. In Tools and Algorithms for the Construction and Analysis of Systems, 2009.
6. V. Haldar, D. Chandra, and M. Franz. Dynamic taint propagation for Java. In Proceedings of the Annual Computer Security Applications Conference, pages 303-311, Dec. 2005.
7. C. A. R. Hoare. An axiomatic basis for computer programming. Communications of the ACM, 12:576-583, October 1969.
8. Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D.-T. Lee, and S.-Y. Kuo. Securing Web application code by static analysis and runtime protection. In Proceedings of the Conference on World Wide Web, pages 40-52, May 2004.
9. N. Jovanovic, C. Kruegel, and E. Kirda. Pixy: a static analysis tool for detecting Web application vulnerabilities (short paper). In Proceedings of the Symposium on Security and Privacy, May 2006.
10. T. Kremenek, P. Twohey, G. Back, A. Y. Ng, and D. R. Engler. From uncertainty to belief: Inferring the specification within. In Symposium on Operating Systems Design and Implementation, pages 161-176, Nov. 2006.
11. M. Krohn, A. Yip, M. Brodsky, N. Cliffer, M. F. Kaashoek, E. Kohler, and R. Morris. Information flow control for standard os abstractions. In Proceedings of Symposium on Operating Systems Principles, pages 321-334, 2007.
12. F. R. Kschischang, B. J. Frey, and H. A. Loeliger. Factor graphs and the sum-product algorithm. IEEE Transactions on Information Theory, 47(2):498-519, 2001.
13. Z. Li and Y. Zhou. Pr-miner: Automatically extracting implicit programming rules and detecting violations in large software code. In Proceedings of the European Software Engineering Conference, 2005.
14. B. Livshits. Improving Software Security with Precise Static and Runtime Analysis. PhD thesis, Stanford University, Stanford, California, 2006.
15. B. Livshits and M. S. Lam. Finding security errors in Java programs with static analysis. In Proceedings of the Usenix Security Symposium, pages 271-286, Aug. 2005.
16. B. Livshits and T. Zimmermann. DynaMine: Finding common error patterns by mining software revision histories. In Proceedings of the International Symposium on the Foundations of Software Engineering, pages 296-305, Sept. 2005.
17. M. Martin, B. Livshits, and M. S. Lam. Finding application errors and security vulnerabilities using PQL: a program query language. In Proceedings of the Conference on Object-Oriented Programming, Systems, Languages, and Applications, Oct. 2005.
18. M. Martin, B. Livshits, and M. S. Lam. SecuriFly: Runtime vulnerability protection for Web applications. Technical report, Stanford University, Oct. 2006.
19. A. McIver and C. Morgan. Abstraction, Refinement and Proof of Probabilistic Systems. Springer, 2004.
20. A. McIver and C. Morgan. Abstraction and refinement in probabilistic systems. SIGMETRICS Performance Evaluation Review, 32:41-47, March 2005.
21. Microsoft Corporation. Microsoft Code Analysis Tool .NET (CAT.NET). http://www.microsoft. com/downloads/details.aspx?FamilyId= 0178e2ef-9da8-445e- 9348-c93f24cc9f9d&displaylang=en, 3 2009.
22. T. Minka, J. Winn, J. Guiver, and A. Kannan. Infer.NET 2.2, 2009. Microsoft Research Cambridge. http://research.microsoft.com/infernet.
23. A. Nguyen-Tuong, S. Guarnieri, D. Greene, J. Shirley, and D. Evans. Automatically hardening Web applications using precise tainting. In Proceedings of the IFIP International Information Security Conference, June 2005.
24. OunceLabs, Inc. Ounce. http://www.ouncelabs.com/, 2008.
25. T. Pietraszek and C. V. Berghe. Defending against injection attacks through context-sensitive string evaluation. In Proceedings of the Recent Advances in Intrusion Detection, Sept. 2005.
26. M. K. Ramanathan, A. Grama, and S. Jagannathan. Static specification inference using predicate mining. In PLDI, 2007.
27. A. Sabelfeld and A. Myers. Language-based information-flow security. IEEE Journal on Selected Areas in Communications, 21(1):5- 19, January 2003.
28. Z. Su and G. Wassermann. The essence of command injection attacks in web applications. In Proceedings of POPL, 2006.
29. S. Vandebogart, P. Efstathopoulos, E. Kohler, M. Krohn, C. Frey, D. Ziegler, F. Kaashoek, R. Morris, and D. Mazières. Labels and event processes in the Asbestos operating system. ACM Trans. Comput. Syst., 25(4):11, 2007.
30. L. Wall. Perl security. http://search.cpan.org/dist/perl/ pod/perlsec.pod.
31. W. Weimer and G. C. Necula. Mining temporal specifications for error detection. In Proceedings of the International Conference on Tools and Algorithms for the Construction and Analysis of Systems, pages 461-476, 2005.
32. J. Whaley, M. Martin, and M. Lam. Automatic extraction of object-oriented component interfaces. In Proceedings of the International Symposium on Software Testing and Analysis, pages 218-228, 2002.
33. Y. Xie and A. Aiken. Static detection of security vulnerabilities in scripting languages. In Proceedings of the Usenix Security Symposium, pages 271-286, Aug. 2006.
34. J. Yang and D. Evans. Perracotta: mining temporal API rules from imperfect traces. In Proceedings of the International Conference on Software Engineering, pages 282-291, 2006.
35. J. S. Yedidia, W. T. Freeman, and Y. Weiss. Understanding belief propagation and its generalizations. Exploring Artificial Intelligence in the New Millennium, pages 239-269, 2003.
36. N. Zeldovich, S. Boyd-Wickizer, E. Kohler, and D. Mazires. Making information flow explicit in HiStar. In Proceedings of the Symposium on Operating Systems Design and Implementation, pages 263-278, 2006.