DOI: 10.1145/2336717.2336724

Towards a taint mode for cloud computing web applications

Published: 15 June 2012

Abstract

Cloud computing is generally understood as the distribution of data and computations over the Internet. Over the past years, there has been a steep increase in web sites using this technology. Unfortunately, those web sites are not exempt from injection flaws and cross-site scripting, two of the most common security risks in web applications. Taint analysis is an automatic approach to detecting vulnerabilities. Cloud computing platforms possess several features that, while facilitating the development of web applications, make it difficult to apply off-the-shelf taint analysis techniques. More specifically, several of the existing taint analysis techniques do not deal with persistent storage (e.g. object datastores), opaque objects (objects whose implementation cannot be accessed, so that tracking tainted data through them becomes a challenge), or a rich set of security policies (e.g. forcing a specific order of sanitizers to be applied). We propose a taint analysis for cloud computing web applications that considers these aspects. Rather than modifying interpreters or compilers, we provide taint analysis via a Python library for the cloud computing platform Google App Engine (GAE). To evaluate the use of our library, we harden an existing GAE web application against cross-site scripting attacks.
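The abstract describes three things a library-based taint mode has to get right: taint that propagates through ordinary string operations without interpreter changes, taint that survives a round trip through an opaque persistent store, and policies that fix the order in which sanitizers must be applied before data reaches a sink. The Python sketch below is an added illustration of those three ideas and is not code from the paper or its GAE library; the names Tainted, sanitizer, sink, TaintError and ToyDatastore, the two sanitizers, the ordering policy on the sinks and the sample input are all assumptions of this example.

```python
# Added illustration of a library-based taint mode for Python, in the spirit
# of the abstract above. Not the paper's library: every name here is assumed.
import html
from functools import wraps
from urllib.parse import quote


class TaintError(Exception):
    """Raised when a sink receives data whose sanitizer history violates policy."""


class Tainted(str):
    """A str that remembers which sanitizers were applied to it, in order.
    An empty history means the value is untrusted and not yet sanitized."""

    def __new__(cls, value, applied=()):
        obj = super().__new__(cls, value)
        obj.applied = tuple(applied)
        return obj

    @staticmethod
    def _history(value):
        # Plain str is programmer-written and trusted; None marks that case so
        # it never restricts the history of a combination.
        return value.applied if isinstance(value, Tainted) else None

    @staticmethod
    def _merge(a, b):
        # Combining two tainted strings keeps only the sanitizers applied to
        # both, in the same order (longest common prefix of the histories).
        if a is None:
            return b
        if b is None:
            return a
        common = []
        for x, y in zip(a, b):
            if x != y:
                break
            common.append(x)
        return tuple(common)

    # Taint propagates through concatenation and slicing. Because Tainted is a
    # str subclass that overrides __radd__, Python tries it before str.__add__
    # even when the plain str is on the left.
    def __add__(self, other):
        return Tainted(str.__add__(self, other),
                       self._merge(self.applied, self._history(other)))

    def __radd__(self, other):
        return Tainted(str.__add__(other, self),
                       self._merge(self._history(other), self.applied))

    def __getitem__(self, key):
        return Tainted(str.__getitem__(self, key), self.applied)


def sanitizer(name):
    """Mark a str -> str function as a sanitizer: the result stays tainted but
    `name` is appended to the value's sanitizer history."""
    def decorate(fn):
        @wraps(fn)
        def wrapper(value):
            history = value.applied if isinstance(value, Tainted) else ()
            return Tainted(fn(str(value)), history + (name,))
        return wrapper
    return decorate


def sink(required):
    """Mark a function as a sink: every Tainted argument must carry exactly the
    sanitizers in `required`, in that order. Plain str arguments pass."""
    required = tuple(required)

    def decorate(fn):
        @wraps(fn)
        def wrapper(*args, **kwargs):
            for value in list(args) + list(kwargs.values()):
                if isinstance(value, Tainted) and value.applied != required:
                    raise TaintError(f"{fn.__name__} requires {required}, "
                                     f"got {value.applied}")
            return fn(*args, **kwargs)
        return wrapper
    return decorate


class ToyDatastore:
    """Stand-in for an opaque persistent store. It keeps the sanitizer history
    next to the text so taint survives put/get, which is the property the
    abstract says off-the-shelf trackers lose at the datastore boundary."""

    def __init__(self):
        self._rows = {}

    def put(self, key, value):
        self._rows[key] = (str(value), Tainted._history(value))

    def get(self, key):
        text, history = self._rows[key]
        return text if history is None else Tainted(text, history)


# Constructed sanitizers and policy: a URL parameter embedded in an href must be
# percent-encoded first and HTML-escaped second; body text needs escaping only.
@sanitizer("url_encode")
def url_encode(s):
    return quote(s, safe="")


@sanitizer("html_escape")
def html_escape(s):
    return html.escape(s, quote=True)


@sink(("html_escape",))
def render_text(s):
    return "<p>" + s + "</p>"


@sink(("url_encode", "html_escape"))
def render_link(target):
    return '<a href="/go?to=' + target + '">link</a>'


def demo():
    """Run a constructed guestbook-style comment through the store and sinks."""
    store = ToyDatastore()
    store.put("comment", Tainted("<script>alert(1)</script>"))  # constructed input
    comment = store.get("comment")
    results = {"stored_is_tainted": isinstance(comment, Tainted) and comment.applied == ()}
    for label, call in (("raw_blocked", lambda: render_text(comment)),
                        ("wrong_order_blocked", lambda: render_link(url_encode(html_escape(comment))))):
        try:
            call()
            results[label] = False
        except TaintError:
            results[label] = True
    results["text"] = render_text(html_escape(comment))
    results["link"] = render_link(html_escape(url_encode(comment)))
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The merge rule is deliberately conservative: concatenating a sanitized string with an unsanitized one yields an unsanitized result, so a sink cannot be satisfied by accident; the store records the history rather than the value's type, which is what lets taint survive an opaque boundary without wrapping the store's own classes.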




Published In

PLAS '12: Proceedings of the 7th Workshop on Programming Languages and Analysis for Security
June 2012
91 pages
ISBN:9781450314411
DOI:10.1145/2336717
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. Python
  2. cloud computing
  3. library
  4. taint analysis
  5. web applications

Qualifiers

  • Research-article

Conference

PLDI '12

Acceptance Rates

Overall Acceptance Rate 43 of 77 submissions, 56%

Article Metrics

  • Downloads (last 12 months): 7
  • Downloads (last 6 weeks): 1
Reflects downloads up to 20 Feb 2025

Cited By

  • (2019) Cloud computing security taxonomy: From an atomistic to a holistic view. Future Generation Computer Systems. DOI: 10.1016/j.future.2019.11.013. Online publication date: Dec 2019.
  • (2018) Secure-CamFlow: A device-oriented security model to assist information flow control systems in cloud environments for IoTs. Concurrency and Computation: Practice and Experience, 31(8). DOI: 10.1002/cpe.4729. Online publication date: 5 Sep 2018.
  • (2017) Survivability Analogy for Cloud Computing. 2017 IEEE/ACS 14th International Conference on Computer Systems and Applications (AICCSA), pages 1056-1062. DOI: 10.1109/AICCSA.2017.219. Online publication date: Oct 2017.
  • (2017) A Countermeasure to SQL Injection Attack for Cloud Environment. Wireless Personal Communications: An International Journal, 96(4), pages 5279-5293. DOI: 10.1007/s11277-016-3741-7. Online publication date: 1 Oct 2017.
  • (2016) IFCaaS: Information Flow Control as a Service for Cloud Security. 2016 11th International Conference on Availability, Reliability and Security (ARES), pages 211-216. DOI: 10.1109/ARES.2016.27. Online publication date: Aug 2016.
  • (2015) A Classification of Intrusion Detection Systems in the Cloud. Journal of Information Processing, 23(4), pages 392-401. DOI: 10.2197/ipsjjip.23.392. Online publication date: 2015.
  • (2014) Information Flow Control for Secure Cloud Computing. IEEE Transactions on Network and Service Management, 11(1), pages 76-89. DOI: 10.1109/TNSM.2013.122313.130423. Online publication date: Mar 2014.
  • (2013) CloudFence. Proceedings of the 16th International Symposium on Research in Attacks, Intrusions, and Defenses, Volume 8145, pages 411-431. DOI: 10.1007/978-3-642-41284-4_21. Online publication date: 23 Oct 2013.
