Variant Analysis with QL
As new security problems and innovative attacks continue to be discovered, program analysis remains a burgeoning area of research. QL builds on previous attempts to enable declarative program analysis through Datalog, but solves some of the traditional challenges: its object-oriented nature enables the creation of extensive libraries, and the query optimizer minimizes the performance cost of the abstraction layers introduced in this way. QL enables agile security analysis, allowing security response teams to find all variants of a newly discovered vulnerability. The queries they write can then be leveraged to provide automated, ongoing checking, ensuring that the same mistake never makes it into the code base again. This paper demonstrates declarative variant analysis by example.
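As an illustration of the workflow the abstract describes (added here; this is not a query from the paper or from the QL/CodeQL standard library), the following query encodes one hypothetical "newly discovered" pattern, a call to `java.io.ObjectInputStream.readObject()`, as a reusable class and then selects every occurrence in a code base. It assumes the CodeQL Java library (`import java`, `MethodAccess`, `Method.hasQualifiedName`); the class name `ReadObjectCall` and the query id are assumptions chosen for this example. The class is the object-oriented abstraction the abstract refers to: once written, it can be reused by other queries, and the query itself can be run on every change to keep the pattern from reappearing.

```ql
/**
 * @name Calls to ObjectInputStream.readObject
 * @description Added example: finds every call to readObject() so each variant can be triaged.
 * @kind problem
 * @problem.severity warning
 * @id example/readobject-calls
 */

import java

/**
 * A call to java.io.ObjectInputStream.readObject().
 * Modelling the sink as a class (an assumed name for this example) lets other
 * queries reuse it instead of repeating the qualified-name test.
 */
class ReadObjectCall extends MethodAccess {
  ReadObjectCall() {
    this.getMethod().hasQualifiedName("java.io", "ObjectInputStream", "readObject")
  }
}

from ReadObjectCall call
select call,
  "Deserialization via readObject(); check whether this stream can be attacker-controlled."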