Speaker: Yishai Feldman, IBM Research -- Haifa

Title: Automatically Fixing Security Vulnerabilities in Java Code
SPLASH'11 DemoA Methodology for Developing Secure Database CodeA Methodology for Developing Secure Database CodeA Methodology for Developing Secure Database CodeA Methodology for Developing Secure Database Code A Methodology for Developing Secure Database Code Behavioral Programming

Abstract:
Most kinds of security vulnerabilities in web applications can be
fixed by adding appropriate sanitization methods. Finding the correct
place for the sanitizers can be difficult due to complicated data and
control flow. Fixing SQL injection vulnerabilities may require more
complex transformations, such as replacing uses of Statement by
PreparedStatement, including some code motion.

We have developed algorithms to place sanitizers correctly, as well as
to transform Statement to PreparedStatement. These have
been implemented as "quick fixes" in an Eclipse plugin that works
together with a commercial tool that discovers security
vulnerabilities in web applications. The demonstration will show
several vulnerabilities found by the tool, and how they are fixed
automatically by our plugin.

Joint work with Aharon Abadi, Ran Ettinger, and Mati Shomrat.