OWASP San Antonio June Meeting: Securing Software Applications Using Dynamic Dataflow Analysis

The June meeting of OWASP San Antonio will be held June 16th, 2010.  Steve Cook from Southwest Research Institute will be presenting on Securing Software Applications Using Dynamic Dataflow Analysis.  More information below.

Sponsored by:

[OWASP logo] [Denim Group logo]

San Antonio OWASP Chapter: Wed June 16, 2010

Topic: Securing Software Applications Using Dynamic Dataflow Analysis

Presenter: Steve Cook, Senior Research Analyst, SwRI

Date: Wednesday June 16, 2010 11:30am – 1:00pm

Location:

San Antonio Technology Center (Web Room)

3463 Magic Drive

San Antonio, TX 78229


Abstract:

This presentation describes an ongoing research effort that enforces a wide variety of user-defined security policies on executing C programs while keeping runtime overhead low and disrupting the development process as little as possible, by leveraging Dynamic Dataflow Analysis (DDFA).  The DDFA system is built upon the Broadway static data flow analysis and error checking system, a source-to-source translator for C developed by the computer sciences department at the University of Texas at Austin (UT-Austin).  UT-Austin and the Southwest Research Institute (SwRI) recently collaborated to further enhance the system through a government research project funded by the Intelligence Advanced Research Projects Activity (IARPA) and a SwRI internal research project.

The system works by automatically instrumenting the original source, guided by the security policy, with DDFA runtime library calls.  The modified program is then compiled for the platform of choice so that its security policy can be enforced at runtime through the DDFA runtime library.

The runtime overhead is kept low by leveraging the semantic information provided by the security policy and a sophisticated dependence analysis to enable optimizations beyond standard compiler techniques.  This results in a program that is instrumented with additional code only where provably necessary, so innocuous flows of data are not tracked at runtime.

Disruption to the development process is minimized through the security policy specification.  The security policy is defined once by a security expert using a simple language, which has a direct mapping to the application programming interface to which the program is written. The policy, once defined, can be applied to many different programs. The DDFA approach is easily integrated into the development workflow, adding only an additional compilation step before application deployment.

The system does not require any modification to the original source code by the programmer, and does not require hardware or operating system changes.  In the future, our system can be extended to handle multiple languages and complement new security solutions.
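To make the policy-guided instrumentation described above concrete, here is an added illustration (not the DDFA runtime, Broadway's output, or any code from the talk): a minimal shadow-tag taint library and one function hand-instrumented the way a source-to-source translator would for the policy "data read from the network must not reach system()". All `ddfa_*` names, the tag values and the policy itself are hypothetical.

```c
/* Added illustration, not the DDFA/Broadway runtime: a minimal shadow-tag
   taint library plus one hand-instrumented function; ddfa_* names are hypothetical. */
#include <stdio.h>
#include <string.h>
#define UNTRUSTED 1u          /* tag the policy's "source" rule attaches */
#define MAX_TRACKED 32

/* Shadow state: one tag word per tracked object, keyed by its address. */
static struct { const void *addr; unsigned tag; } table[MAX_TRACKED];
static int ntracked;
static unsigned *slot(const void *p) {
    for (int i = 0; i < ntracked; i++)
        if (table[i].addr == p) return &table[i].tag;
    if (ntracked == MAX_TRACKED) return NULL;          /* table full: untracked */
    table[ntracked].addr = p;
    table[ntracked].tag = 0;
    return &table[ntracked++].tag;
}

/* Source rule: data returned by an untrusted API acquires the tag. */
void ddfa_taint(const void *p, unsigned tag) { unsigned *t = slot(p); if (t) *t |= tag; }
/* Propagation: a copy or formatting step carries the source's tags to dst. */
void ddfa_propagate(const void *dst, const void *src) {
    unsigned *d = slot(dst), *s = slot(src);
    if (d && s) *d |= *s;
}
/* A freshly declared local starts clean, so stale tags from a prior call vanish. */
void ddfa_fresh(const void *p) { unsigned *t = slot(p); if (t) *t = 0; }
/* Sink rule: -1 when any forbidden tag has reached the sink's argument. */
int ddfa_check(const void *p, unsigned forbidden) {
    unsigned *t = slot(p);
    return (t && (*t & forbidden)) ? -1 : 0;
}

/* Policy enforced here: "data read from the network must not reach system()".
   Only the ddfa_* lines are instrumentation; the rest is the original logic. */
int handle_request(const char *request, int from_network) {
    char field[64], cmd[96];
    ddfa_fresh(field); ddfa_fresh(cmd);
    if (from_network) ddfa_taint(request, UNTRUSTED);  /* source: recv() */
    strncpy(field, request, sizeof field - 1);
    field[sizeof field - 1] = '\0';
    ddfa_propagate(field, request);                    /* strncpy flow */
    snprintf(cmd, sizeof cmd, "ls %s", field);
    ddfa_propagate(cmd, field);                        /* snprintf flow */
    if (ddfa_check(cmd, UNTRUSTED) != 0) return -1;    /* sink: system() */
    /* system(cmd) would run here; omitted so the example has no side effects */
    return 0;
}
```

The real system decides where to place such calls from the policy and its dependence analysis, so a flow the analysis proves innocuous gets no instrumentation at all; this toy tags every copy unconditionally.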

Presenter Bio:

Steve Cook is a senior research analyst in the System Security and High Reliability Software section at SwRI. His background and expertise are in distributed and parallel computing, compilers, and object-oriented and generic programming. He received his master’s degree in computer science from Texas A&M University. While at Texas A&M, he worked as a research assistant for Dr. Bjarne Stroustrup, creator of the C++ programming language, where he helped develop a new approach to writing concurrent programs that lets programmers quickly turn a sequential C++ program into a parallel one that is free of races and deadlocks.

Sodas and snacks will be provided.  Feel free to bring a brown-bag lunch.

Please RSVP: e-mail owasprsvp@denimgroup.com or call (210) 572-4400.

Contact us for more information about events put on by OWASP San Antonio.

–Dan

dan _at_ denimgroup.com

@danielcornell

Posted via email from Denim Group’s Posterous

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.

2 Responses to “OWASP San Antonio June Meeting: Securing Software Applications Using Dynamic Dataflow Analysis”

  1. Senior Home Care San Antonio

    I’m not that much of an online reader to be honest but your site’s really nice, keep it up! I’ll go ahead and bookmark your website to come back later on. All the best

  2. Eugene Charter Service

    I’m curious to find out what blog platform you happen to be utilizing? I’m having some small security issues with my latest blog and I’d like to find something more risk-free. Do you have any suggestions?
