The June meeting of OWASP San Antonio will be held June 16th, 2010. Steve Cook from Southwest Research Institute will be presenting on Securing Software Applications Using Dynamic Dataflow Analysis. More information below.
San Antonio OWASP Chapter: Wed June 16, 2010
Topic: Securing Software Applications Using Dynamic Dataflow Analysis
Presenter: Steve Cook, Senior Research Analyst, SwRI
Date: Wednesday June 16, 2010 11:30am – 1:00pm
San Antonio Technology Center (Web Room)
3463 Magic Drive
San Antonio, TX 78229
In this presentation, we present an ongoing research effort that ensures that a wide variety of user-defined security policies are enforced on executing C programs while keeping runtime overhead low and with little disruption to the development process by leveraging Dynamic Dataflow Analysis (DDFA). The DDFA system is built upon the Broadway static data flow analysis and error checking system, which is a source-to-source translator for C developed by the computer sciences department at the University of Texas at Austin (UT-Austin). UT-Austin and the Southwest Research Institute (SwRI) recently collaborated to further enhance the system through a government research project funded by Intelligence Advanced Research Projects Activity (IARPA) and a SwRI internal research project.
The system works by automatically instrumenting the original source, guided by the security policy, with DDFA runtime library calls. The modified program is then compiled for the platform of choice so that its security policy can be enforced at runtime through the DDFA runtime library.
The runtime overhead is kept low by leveraging the semantic information provided by the security policy and a sophisticated dependence analysis to enable optimizations beyond standard compiler techniques. This results in a program that is instrumented with additional code only where provably necessary, so innocuous flows of data are not tracked at runtime.
Disruption to the development process is minimized through the security policy specification. The security policy is defined once by a security expert using a simple language, which has a direct mapping to the application programming interface to which the program is written. The policy, once defined, can be applied to many different programs. The DDFA approach is easily integrated into the development workflow, adding only an additional compilation step before application deployment.
The system does not require any modification to the original source code by the programmer, and does not require hardware or operating system changes. In the future, our system can be extended to handle multiple languages and complement new security solutions.
Steve Cook is a senior research analyst in the System Security and High Reliability Software section at the SwRI. His background and expertise are in distributed and parallel computing, compilers, as well as object-oriented and generic programming. He received his master’s degree in computer science from Texas A&M University. While at Texas A&M, he worked as a research assistant for Dr. Bjarne Stroustrup, creator of the C++ Programming Language, where he helped develop a new approach to writing concurrent programs that allows programmers to quickly turn a sequential C++ program into a parallel one that is race and deadlock free.
Sodas and snacks will be provided. Feel free to bring a brown-bag lunch.
Please RSVP: E-mail firstname.lastname@example.org or call (210) 572-4400.
dan _at_ denimgroup.com