VIBRANCE: Automatic Removal of Security Vulnerabilities from Java Applications
Presented as part of the 2012 HCSS conference.
Abstract:
The VIBRANCE (= Vulnerabilities in Bytecode Removed by Analysis, Nuanced Confinement, and diversification) project aims at constructing a tool that automatically hardens Java bytecode to make it resistant to certain classes of attacks. VIBRANCE uses static and dynamic analysis to find vulnerable code, run-time confinement to prevent exploits of the vulnerable code, and diversification to increase the difficulty of attacks. The current version of the VIBRANCE tool provides comprehensive and precise protection from injection (e.g. SQL) and other tainted-data attacks. For a large class of vulnerabilities, the protection added by VIBRANCE blocks the attacks and safely continues execution. Besides addressing specific CWEs, the VIBRANCE tool can also conservatively handle unforeseen weaknesses. Most of the VIBRANCE tool’s protections are not hard-wired in the implementation, but can be customized via a configuration file that enables fine-tuning of the checks to be performed on tainted data and of the actions to be taken when those checks fail. The VIBRANCE project is joint work of Kestrel Institute, Kestrel Technology, and MIT CSAIL.
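As an added illustration of the configurable check-and-action scheme the abstract describes (tainted data checked at a sink, with the action on failure chosen per rule), here is a small Java sketch; it is not VIBRANCE's own code, and the sink names, rule shape, policy table and sample inputs are assumptions made for the illustration.

```java
import java.util.Map;
import java.util.function.Predicate;
import java.util.function.UnaryOperator;

// Illustrative sketch (not the VIBRANCE tool): untrusted input is marked
// tainted; each sink consults a policy rule pairing a check on the tainted
// value with the action to take when that check fails.
public final class TaintPolicyDemo {

    /** Actions a rule can prescribe when its check on tainted data fails. */
    enum OnFail { BLOCK, SANITIZE, LOG_AND_CONTINUE }

    /** One configurable rule: the check, the failure action, an optional sanitizer. */
    record Rule(Predicate<String> check, OnFail action, UnaryOperator<String> sanitizer) {}

    /** A string value plus a taint flag; data from outside is created tainted. */
    record Tainted(String value, boolean tainted) {
        static Tainted untrusted(String s) { return new Tainted(s, true); }
        static Tainted trusted(String s) { return new Tainted(s, false); }
    }

    /** Policy keyed by sink name (assumed to be loaded from a config file in a real tool). */
    static final Map<String, Rule> POLICY = Map.of(
        "sql.literal", new Rule(s -> !s.contains("'"), OnFail.SANITIZE, s -> s.replace("'", "''")),
        "shell.arg",   new Rule(s -> s.matches("[A-Za-z0-9_./-]*"), OnFail.BLOCK, null));

    static final class BlockedException extends RuntimeException {
        BlockedException(String sink) { super("tainted data rejected at sink " + sink); }
    }

    /** Guard a sink: trusted data passes through; tainted data is checked per policy. */
    static String atSink(String sink, Tainted t) {
        if (!t.tainted()) return t.value();
        Rule r = POLICY.get(sink);
        if (r == null) throw new BlockedException(sink);   // unknown sink: conservative default
        if (r.check().test(t.value())) return t.value();
        switch (r.action()) {
            case BLOCK:    throw new BlockedException(sink);
            case SANITIZE: return r.sanitizer().apply(t.value());
            default:       System.err.println("taint warning at sink " + sink);
                           return t.value();
        }
    }

    public static void main(String[] args) {
        Tainted name = Tainted.untrusted("O'Brien' OR '1'='1");   // constructed sample input
        String q = "SELECT * FROM users WHERE name = '" + atSink("sql.literal", name) + "'";
        System.out.println(q);   // quotes doubled, so the literal stays a single string
        try { atSink("shell.arg", Tainted.untrusted("report.txt;id")); }
        catch (BlockedException e) { System.out.println(e.getMessage()); }
    }
}
```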
Biography:
Alessandro Coglio is a Principal Scientist at Kestrel Institute and a Board Manager and Co-Founder of Kestrel Technology LLC. He has over 10 years of experience in both technical and management tasks in a variety of research and development projects. His current research interests include formal methods and tools to develop correct-by-construction software via formal specification, refinement, and theorem proving. Prior to joining Kestrel, Mr. Coglio was a Consulting Researcher at the University of Genoa (Italy), where he worked on several research projects on theorem proving (in collaboration with Stanford University), Petri nets and discrete event systems, and artificial emotions. Mr. Coglio has a degree in Informatics Engineering from the University of Genoa (Italy).