TCE Guest Lecture: Accurate and Scalable Security Analysis of Web Applications

Speaker:
Marco Pistoia (IBM New York)
Date:
Thursday, 21.11.2013, 10:30
Place:
Taub 539

Security auditing of industry-scale software systems mandates automation. Static taint analysis enables exhaustive tracking of data flows for detection of leakage and integrity violations, such as cross-site scripting, SQL injection, and log forging. Research in this area has taken two directions: program slicing and type systems. Both of these approaches suffer from a high rate of false findings, which limits the usability of analysis tools based on these techniques. Attempts to reduce the number of false findings have resulted in analyses that are either unsound, suffering from the dual problem of false negatives, or too expensive due to their high precision, thereby failing to scale to real-world applications. In this talk, I present a novel approach for enabling precise yet scalable static taint analysis. The key observation is that taint analysis is a demand-driven problem, which enables lazy computation of vulnerable information flows. We have implemented our approach in ANDROMEDA, an analysis tool that computes data-flow propagations on demand, in an efficient and accurate manner, and additionally features incremental analysis capabilities. ANDROMEDA is currently in use in a commercial product, and supports applications written in Java, .NET and JavaScript. This presentation covers work jointly performed with Patrick Cousot, Radhia Cousot and Omer Tripp.
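The abstract's key observation, that taint analysis is demand-driven, is easiest to see on a toy program. The following is an added illustration, not ANDROMEDA's code or any IBM code: it runs a classic forward taint propagation over every statement of a constructed straight-line program, then runs a backward, sink-driven analysis over the same program that only touches the definitions a sink actually depends on. The IR (source / assign / concat / sanitize / sink statements, with undefined names treated as constants) and the example program are assumptions made for this illustration; a real analysis works on a call graph with heap and string models.

```python
"""Exhaustive forward taint propagation vs. demand-driven (sink-driven) taint analysis.

Added example on a constructed toy IR; not the tool described in the talk.
"""

# Statement kinds in the toy IR. Each statement is (dest, op, args).
#   (v, SOURCE, [])        v = attacker-controlled input (e.g. request parameter)
#   (v, ASSIGN, [a])       v = a
#   (v, CONCAT, [a, b])    v = a + b; taint flows from either operand
#   (v, SANITIZE, [a])     v = escape(a); kills taint
#   (None, SINK, [a])      a reaches a security-sensitive API (DB, HTML output, log)
# A name that is never defined is treated as a constant (string literal).
SOURCE, ASSIGN, CONCAT, SANITIZE, SINK = "source", "assign", "concat", "sanitize", "sink"

# Constructed program modelled on a servlet: two request parameters, one of which is
# escaped before being echoed, one used unescaped in SQL, one logged unescaped, plus
# unrelated computation (indices 8-10) that no sink ever depends on.
PROGRAM = [
    ("name",  SOURCE,   []),                      # 0: request.getParameter("name")
    ("city",  SOURCE,   []),                      # 1: request.getParameter("city")
    ("safe",  SANITIZE, ["name"]),                # 2: safe = escapeHtml(name)
    ("greet", CONCAT,   ["lit_hello", "safe"]),   # 3: greet = "Hello " + safe
    (None,    SINK,     ["greet"]),               # 4: response.write(greet)   (XSS sink, sanitized)
    ("q",     CONCAT,   ["lit_select", "city"]),  # 5: q = "SELECT ... '" + city + "'"
    (None,    SINK,     ["q"]),                   # 6: stmt.execute(q)         (SQLi sink, tainted)
    ("line",  CONCAT,   ["lit_ts", "name"]),      # 7: line = timestamp + name
    ("tmp",   ASSIGN,   ["lit_other"]),           # 8: unrelated work
    ("tmp2",  CONCAT,   ["tmp", "tmp"]),          # 9: unrelated work
    ("tmp3",  ASSIGN,   ["tmp2"]),                # 10: unrelated work
    (None,    SINK,     ["line"]),                # 11: logger.info(line)      (log-forging sink, tainted)
]


def exhaustive_forward(prog):
    """Classic forward propagation: compute taint for every variable at every statement.

    Returns (findings, statements_processed). A finding is (source_index, sink_index).
    """
    tainted = {}  # variable -> set of source statement indices reaching its current value
    findings = []
    for i, (dest, op, args) in enumerate(prog):
        if op == SOURCE:
            tainted[dest] = {i}
        elif op == SANITIZE:
            tainted[dest] = set()
        elif op in (ASSIGN, CONCAT):
            tainted[dest] = set().union(*(tainted.get(a, set()) for a in args))
        elif op == SINK:
            for a in args:
                for src in sorted(tainted.get(a, set())):
                    findings.append((src, i))
    return findings, len(prog)


def last_def(prog, var, before):
    """Index of the most recent definition of `var` before statement `before`, or None."""
    for i in range(before - 1, -1, -1):
        if prog[i][0] == var:
            return i
    return None


def sources_reaching(prog, var, before, visited, memo):
    """Backward query: which sources reach `var` as used at statement `before`?

    Only the definitions on the backward slice are visited; `memo` caches results per
    definition so shared sub-flows are computed once.
    """
    d = last_def(prog, var, before)
    if d is None:  # constant or never-defined name: untainted
        return frozenset()
    if d in memo:
        return memo[d]
    visited.add(d)
    _, op, args = prog[d]
    if op == SOURCE:
        result = frozenset({d})
    elif op == SANITIZE:
        result = frozenset()  # sanitizer kills taint; its operand need not be examined
    else:  # ASSIGN / CONCAT: union over operands
        result = frozenset()
        for a in args:
            result |= sources_reaching(prog, a, d, visited, memo)
    memo[d] = result
    return result


def demand_driven(prog):
    """Sink-driven analysis: locate sinks, then propagate backward only from them.

    Returns (findings, statements_processed). The scan for sinks is a cheap linear
    pass; only the statements on some sink's backward slice are actually analysed.
    """
    visited, memo, findings = set(), {}, []
    for i, (_, op, args) in enumerate(prog):
        if op != SINK:
            continue
        visited.add(i)
        for a in args:
            for src in sorted(sources_reaching(prog, a, i, visited, memo)):
                findings.append((src, i))
    return findings, len(visited)


if __name__ == "__main__":
    print("forward :", exhaustive_forward(PROGRAM))  # same findings, 12 statements processed
    print("demand  :", demand_driven(PROGRAM))       # same findings, 9 statements processed
```

Both analyses report the same two flows (parameter `city` into the SQL sink, parameter `name` into the log sink) and correctly drop the escaped flow into the HTML sink, but the demand-driven version never looks at the three statements that no sink depends on. On this toy the saving is small; in an industry-scale application most code is exactly such sink-irrelevant code, which is why lazily answering sink queries scales where exhaustive propagation does not, and why per-query memoisation gives a natural hook for incremental re-analysis after a change.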

Bio:
Dr. Marco Pistoia received his Ph.D. in Mathematics from New York University in May 2005. He is a Manager, Research Staff Member and Master Inventor at the IBM Thomas J. Watson Research Center in New York, where he leads the Mobile Middleware and Language-based Security group. He has authored numerous conference papers, journal articles and books in the areas of programming languages, program analysis and security. He is the inventor of thirty patents. He has been the recipient of two ACM SIGSOFT Distinguished Paper Awards. In the course of his career, he has designed and implemented numerous static-analysis components and contributed large amounts of code to IBM’s main products for software quality and security enforcement. Dr. Pistoia is also an Adjunct Professor at New York University, and has lectured at numerous research institutions worldwide.
