Program Analysis

The Program Analysis team focuses on static analysis techniques to find bugs and vulnerabilities in software before the software is deployed. We build on top of the Parfait infrastructure and focus on web applications built on the Java Enterprise Edition, PL/SQL and SQL languages.

Beyond static analysis, we have a focus in several other areas:

  • dynamic analysis of Node.js web applications
  • web application fuzzing
  • secure languages

 

Current projects of the team are below.

Affogato

Principal Investigator: Alexander Jordan

Node.js is a JavaScript runtime environment that is popular for creating web applications. A typical Node.js application can be anything from a simple website to a large microservice-style application deployed to the cloud.

How it works

We build tools to detect security vulnerabilities in cutting-edge Node.js web applications. We analyse these applications at runtime (i.e., dynamic analysis) to detect and prevent bugs that could lead to security vulnerabilities, such as denial-of-service attacks, or confidential information being stolen from a database. 

Our challenges

The fast-evolving nature of the language and its environment make Node.js applications a challenging target for any program analysis. As part of our research, we aim to create analyses that are easy to use, precise, and fast enough to be deployed in production.

As part of our project, we collaborate with the Graal team to explore efficient dynamic analysis techniques applied to dynamic languages.

Gelato

Principal Investigator: Paddy Krishnan

Gelato is client-centric dynamic analysis of web applications. Web applications consist of client side and server side. In modern applications, lots of server-side logic is moving to the client side, which is mostly written in JavaScript using complex libraries. Gelato's main goal is to dynamically analyze the client side with two objectives: 

  • to find client-side vulnerabilities such as DOM-XSS
  • to generate interesting inputs for server-side dynamic analysis.

 

How it works

The inputs to an application determine the coverage of dynamic security analysis techniques. Many inputs to a web application, which consists of a server (e.g., Java EE) and client-side code that runs in a browser, can be generated by exploring (crawling) the client side. Crawling the client side enables client-side analysis, such as DOM-XSS detection or REST fuzzing. 

Gelato's new strategies perform state-aware crawling to increase coverage of client-side and server-side dynamic security analyses. Our crawler uses static approximate callgraphs to guide the execution towards program locations of interest. It also introduces state and event prioritisation algorithms to improve efficiency. It refines the statically generated callgraph at runtime to improve precision and recall. 

Our challenges

Many existing web application crawling techniques do not analyze JavaScript code. Instead, they rely only on static link extraction from HTML pages. On the other hand, most crawlers that analyze JavaScript code aim to cover many user-defined functionalities -- they are not designed for finding security vulnerabilities.

To deal with the challenges in existing crawling techniques, we have designed a new crawler that interacts with modern client-side web applications using instrumentation-based dynamic analysis. 

Parfait-web

Principal Investigator: Nathan Keynes

Parfait-web is a static code analysis tool from Oracle Labs that finds vulnerabilities in web applications written in Java EE and PL/SQL. The focus is on vulnerabilities that matter, with most based on the OWASP Top 10 list, including:

  • Injections: SQL injection, Command injection, LDAP injection, XML injection, XPath injection, XQuery injection
  • XML External Entities (XXE), XML Entity Expansion (XEE)
  • Cross-Site Scripting (XSS)
  • Insecure Deserialization
  • Header manipulation
  • Path traversal
  • Unvalidated redirects and forwards
  • Weak crypto: weak encryption, weak cryptographic hash, weak cryptographic signature, and more.

 

How it works

Parfait-web is built on top of the same static analysis framework that powers Parfait for C/C++, with the addition of a new taint flow analysis to detect these types of security vulnerabilities. It can be used alongside Parfait for C/C++ for multi-lingual applications. 

Our challenges

As with many similar projects, scalability for large codebases is a major challenge. The highly dynamic and decoupled nature of web applications is another challenge for static analysis.

We are investigating techniques that will enable us to support different languages (Go, Python), frameworks, and libraries so as to improve the accuracy and performance of the analysis. We are also exploring modular and incremental analysis in order to be able to provide timely feedback to the developer. 

Secure languages

Principal Investigator: Cristina Cifuentes

Today’s languages do not support our developers in writing secure code for the most common types of vulnerabilities, such as buffer errors, injection attacks, and information leaks. We are exploring secure language concepts and secure abstractions that can be applied in future languages to prevent these vulnerabilities. 

Key challenge

The secure language concepts we are exploring need to extend the boundaries across different languages used in cloud applications, as well as extend into the databases used by such applications.

How we meet that challenge

Why not introduce secure language concepts into a multi-lingual, database-backed, memory-safe runtime, while at the same time improve compiler information flow tracking? We are starting to work on enhanced compiler and runtime to support security abstractions in these runtime conditions while we keep track of interoperability across the multiple languages.


Hardware and Software, Engineered to Work Together