[Owasp-sanantonio] OWASP San Antonio: June 16th at 11:30: Securing Software Applications Using Dynamic Dataflow Analysis

Dan Cornell dan at denimgroup.com
Fri Jun 4 13:59:56 EDT 2010


The next OWASP San Antonio meeting will be Wed June 16th at 11:30.  The presenter will be Steve Cook from Southwest Research Institute and he will be talking about how to secure software with dynamic dataflow analysis.  This should be a good presentation - hope to see folks there and bring a friend!





San Antonio OWASP Chapter: Wed June 16, 2010

Topic: Securing Software Applications Using Dynamic Dataflow Analysis

Presenter: Steve Cook, Senior Research Analyst, SwRI

Date: Wednesday June 16, 2010 11:30am - 1:00pm

Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229


Abstract: In this presentation, we present an ongoing research effort that ensures that a wide variety of user-defined security policies are enforced on executing C programs while keeping runtime overhead low and with little disruption to the development process by leveraging Dynamic Dataflow Analysis (DDFA). The DDFA system is built upon the Broadway static data flow analysis and error checking system, which is a source-to-source translator for C developed by the computer sciences department at the University of Texas at Austin (UT-Austin). UT-Austin and the Southwest Research Institute (SwRI) recently collaborated to further enhance the system through a government research project funded by Intelligence Advanced Research Projects Activity (IARPA) and a SwRI internal research project.

The system works by automatically instrumenting the original source, guided by the security policy, with DDFA runtime library calls. The modified program is then compiled for the platform of choice so that its security policy can be enforced at runtime through the DDFA runtime library.

The runtime overhead is kept low by leveraging the semantic information provided by the security policy and a sophisticated dependence analysis to enable optimizations beyond standard compiler techniques. This results in a program that is instrumented with additional code only where provably necessary, so innocuous flows of data are not tracked at runtime.

Disruption to the development process is minimized through the security policy specification. The security policy is defined once by a security expert using a simple language, which has a direct mapping to the application programming interface to which the program is written. The policy, once defined, can be applied to many different programs. The DDFA approach is easily integrated into the development workflow, adding only an additional compilation step before application deployment.

The system does not require any modification to the original source code by the programmer, and does not require hardware or operating system changes. In the future, our system can be extended to handle multiple languages and complement new security solutions.

Presenter Bio: Steve Cook is a senior research analyst in the System Security and High Reliability Software section at the SwRI. His background and expertise are in distributed and parallel computing, compilers, as well as object-oriented and generic programming. He received his master's degree in computer science from Texas A&M University. While at Texas A&M, he worked as a research assistant for Dr. Bjarne Stroustrup, creator of the C++ Programming Language, where he helped develop a new approach to writing concurrent programs that allows programmers to quickly turn a sequential C++ program into a parallel one that is race and deadlock free.

Sodas and snacks will be provided. Feel free to bring a brown-bag lunch.

Please RSVP: E-mail owasprsvp at denimgroup.com or call (210) 572-4400.

More information about the Owasp-sanantonio mailing list