ABSTRACT
Logic vulnerabilities are an important class of programming flaws in web applications. They occur when a desired property of the application's logic does not hold along certain paths through the application's code. Many analysis tools have been developed to find logic vulnerabilities in web applications. Given a web application with logic vulnerabilities, the question is whether one can design methods that patch the application code and prevent these vulnerabilities from being exploited. We answer this question by developing an approach and tool, LogicPatcher, for patching logic vulnerabilities. We focus on correct patch placement, i.e., identifying the precise location in the code at which the patch can be introduced, based on path profiling. As we show in this paper, finding the appropriate location, as well as generating the right patch, can be complicated and requires deep code analysis. We demonstrate the utility of LogicPatcher by automatically fixing several critical parameter tampering and authorization vulnerabilities in large web applications.
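The two ideas in the abstract, a logic property that fails only along some paths and a patch placed at one program point that covers every such path, can be illustrated on a toy model. The following is an added example and is not LogicPatcher's code or its algorithm: the request handlers, the catalogue, the sample requests and the "latest program point shared by every offending path" placement rule are all constructed here for illustration. Handlers record the program points they pass through (a crude stand-in for a path profile), a property is stated as "the sensitive sink is reached only after a guard", and the placement rule picks where a single inserted check would execute on every violating path.

```python
# Added example, not LogicPatcher's code: a toy model of logic-vulnerability
# patch placement. Handlers record the program points they execute (a crude
# path profile); a property is "sink reached only after guard"; the patch goes
# at the latest program point shared by every offending path. Everything here
# (handlers, catalogue, requests, placement rule) is constructed for illustration.

# Constructed catalogue: the server-side source of truth for prices, in cents.
CATALOG = {"sku-1": 1000, "sku-2": 2500}

def charge(user, cents):  # sensitive sink: bills the account (modelled as a string)
    return f"charged {user} {cents}"

def delete_user(target):  # sensitive sink: destroys an account
    return f"deleted {target}"

def checkout_vulnerable(req, trace):
    """Parameter tampering: the price is taken from the client, not the catalogue."""
    trace.append("entry")
    if req.get("coupon") == "FREESHIP":
        trace.append("coupon")
        shipping = 0
    else:
        trace.append("no_coupon")
        shipping = 500
    trace.append("read_price")
    price = int(req["price"])  # attacker-controlled
    trace.append("sink:charge")
    return charge(req["user"], price + shipping)

def checkout_patched(req, trace):
    """Same handler with the check inserted at patch_point() == 'read_price'."""
    trace.append("entry")
    if req.get("coupon") == "FREESHIP":
        trace.append("coupon")
        shipping = 0
    else:
        trace.append("no_coupon")
        shipping = 500
    trace.append("read_price")
    price = int(req["price"])
    trace.append("guard:price")
    if CATALOG.get(req.get("sku")) != price:  # reject a tampered price
        return "400 price mismatch"
    trace.append("sink:charge")
    return charge(req["user"], price + shipping)

def delete_vulnerable(req, trace):
    """Authorization flaw: the v2 API path reaches the sink without the role check."""
    trace.append("entry")
    if req.get("api") == "v1":
        trace.append("v1")
        if req["role"] != "admin":
            trace.append("deny")
            return "403"
        trace.append("guard:admin")
    else:
        trace.append("v2")  # the role check was never ported to v2
    trace.append("load_target")
    trace.append("sink:delete")
    return delete_user(req["target"])

def profile(handler, requests):
    """Run each request and keep the sequence of program points it exercised."""
    paths = []
    for req in requests:
        trace = []
        handler(req, trace)
        paths.append(tuple(trace))
    return paths

def violating_paths(paths, sink, guard):
    """Paths on which the property fails: `sink` is reached with no `guard` before it."""
    return [p for p in paths if sink in p and guard not in p[: p.index(sink)]]

def patch_point(bad, sink):
    """Latest program point that every violating path passes through before the sink.

    A guard inserted there executes on every offending path. This is a deliberate
    simplification of the placement problem for the example, not the paper's algorithm.
    """
    if not bad:
        return None
    prefixes = [p[: p.index(sink)] for p in bad]
    common = [pt for pt in prefixes[0] if all(pt in q for q in prefixes[1:])]
    return common[-1] if common else None

# Constructed requests: one honest checkout, one with a tampered price; three
# delete calls, of which only the v2 non-admin one slips past the check.
CHECKOUT_REQUESTS = [
    {"user": "alice", "sku": "sku-1", "price": "1000"},
    {"user": "mallory", "sku": "sku-2", "price": "1", "coupon": "FREESHIP"},
]
DELETE_REQUESTS = [
    {"api": "v1", "role": "admin", "target": "bob"},
    {"api": "v1", "role": "user", "target": "bob"},
    {"api": "v2", "role": "user", "target": "bob"},
]

if __name__ == "__main__":
    bad = violating_paths(profile(checkout_vulnerable, CHECKOUT_REQUESTS), "sink:charge", "guard:price")
    print("checkout: insert price check at", patch_point(bad, "sink:charge"))
    bad = violating_paths(profile(delete_vulnerable, DELETE_REQUESTS), "sink:delete", "guard:admin")
    print("delete: insert role check at", patch_point(bad, "sink:delete"))
```

For the checkout handler both profiled paths reach the charge sink without any price guard, and the latest point they share is `read_price`, so the catalogue comparison in `checkout_patched` is placed right after the client value is read rather than duplicated in each coupon branch. For the delete handler only the v2 path violates the property, and the rule places the role check at `load_target`; inserting the same `if req["role"] != "admin": return "403"` there closes the v2 hole while the v1 path merely re-checks a condition it has already established. The simplification to notice is that a real tool must also confirm the inserted check does not break paths that are already correct, which is where the deeper code analysis the abstract mentions comes in.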
Index Terms
- Patching Logic Vulnerabilities for Web Applications using LogicPatcher