
Griffins are great beasts with amazing strength and wisdom and are commonly up to six feet long. The griffin guards its golden nest and agates until it dies, so griffins are also called the "Hounds of Zeus." Since griffins had golden nests they were very tempting to greedy hunters and had to keep a very close eye on their nests [...]

We like the symbolism behind the griffin: our static and dynamic analysis tools are designed to protect juicy tidbits of data, the "golden eggs" if you will, from malicious hackers.

Overview

The goal of the Griffin Software Security Project is to improve the security of Web applications through static and dynamic analysis. Today's Web applications may suffer from a variety of vulnerabilities, including SQL injections, cross-site scripting, HTTP splitting, path traversal, and a host of other flaws.

A number of recently discovered security vulnerabilities, such as SQL injections, cross-site scripting, and HTTP splitting attacks, are caused by programming errors in Web-based applications. They can lead to unauthorized data access by malicious users, loss of sensitive data, and application crashes. There is a wealth of information about these vulnerabilities available on the Web; we recommend the following two resources: OWASP and the Web Application Security Consortium.

The Griffin project proposes a combination of static and dynamic analysis techniques that detects these and other vulnerabilities in Java applications.

The advantage of the static analysis approach described in our Usenix paper is that it finds all potential vulnerabilities at compile time, without running the application. The advantage of the dynamic approach described in our OOPSLA paper is that it can prevent vulnerabilities from ever happening at runtime.
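To make the contrast concrete, here is an added example (not Griffin's own code): a toy path-insensitive static taint analysis next to a runtime taint monitor, run over a constructed program in which the unsanitised flow sits behind a runtime flag. The program, its sources, sinks and sanitizer are all assumptions made for the illustration.

```python
# Added example, not Griffin code: a constructed three-address program
# (op, dest, args, guard). 'source' reads untrusted input, 'sanitize'
# neutralises it, 'sink' is an injection-prone call such as a query.
# A guard names a runtime flag that must be true for the instruction
# to execute; the static pass ignores guards, the runtime pass honours them.
PROGRAM = [
    ("source",   "name", [],                  None),
    ("sanitize", "safe", ["name"],            None),
    ("concat",   "q1",   ["SELECT ", "safe"], None),
    ("sink",     None,   ["q1"],              None),     # sanitised flow
    ("concat",   "q2",   ["SELECT ", "name"], None),
    ("sink",     None,   ["q2"],              "debug"),  # unsanitised flow
]

def static_taint_analysis(program):
    """Compile time: propagate taint through every instruction, regardless
    of guards, and report each sink that could receive tainted data."""
    tainted, findings = set(), []
    for pc, (op, dest, args, _guard) in enumerate(program):
        if op == "source":
            tainted.add(dest)
        elif op == "sanitize":
            tainted.discard(dest)
        elif op == "concat":
            if any(a in tainted for a in args):
                tainted.add(dest)
            else:
                tainted.discard(dest)
        elif op == "sink" and any(a in tainted for a in args):
            findings.append(pc)
    return findings

def run_with_monitor(program, flags, untrusted="o'hara"):
    """Runtime: execute only instructions whose guard holds, carry a taint
    bit with every value, and refuse a sink call on tainted data."""
    env, executed, blocked = {}, [], []
    for pc, (op, dest, args, guard) in enumerate(program):
        if guard is not None and not flags.get(guard, False):
            continue
        if op == "source":
            env[dest] = (untrusted, True)
        elif op == "sanitize":
            env[dest] = (env[args[0]][0].replace("'", "''"), False)
        elif op == "concat":  # a name not in env is a clean literal
            parts = [env.get(a, (a, False)) for a in args]
            env[dest] = ("".join(v for v, _ in parts), any(t for _, t in parts))
        elif op == "sink":
            (blocked if env[args[0]][1] else executed).append(pc)
    return executed, blocked
```

The static pass reports the guarded sink whether or not the `debug` flag is ever set, while the monitor only intervenes on the path that actually executes, but does so before the tainted query reaches the sink.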

Publications

  • Improving Software Security with Precise Static and Runtime Analysis. Benjamin Livshits. Doctoral dissertation,
    Stanford University, Stanford, California, December 2006.

  • Finding Security Vulnerabilities in Java Applications with Static Analysis. Benjamin Livshits and Monica S. Lam
    In Proceedings of the Usenix Security Symposium, Baltimore, Maryland, August 2005.

  • SecuriFly: Runtime Protection and Recovery from Web Application Vulnerabilities. Benjamin Livshits, Michael Martin, and Monica S. Lam
    A technical report, which describes the runtime system for vulnerability protection first described in the OOPSLA '05 paper.

  • Finding Application Errors and Security Flaws Using PQL: a Program Query Language. Michael Martin, Benjamin Livshits, and Monica S. Lam
    To be presented at the 20th Annual ACM Conference on Object-Oriented Programming, Systems, Languages, and Applications, San Diego, California, October 2005.

Related work

  • The benchmark suite Stanford SecuriBench, which we used to conduct our experiments, has been released.

  • Another benchmark suite, Stanford SecuriBench Micro, consisting of a large number of small test cases, has also been released.

  • LAPSE, a lightweight analysis tool based on Eclipse, has been released.

  • We also maintain a list of academic papers on the subject of Web application security.

Contacts


Last modified on 12/21/05.