DOI: 10.1145/2857705.2857727 (research article, public access)

Patching Logic Vulnerabilities for Web Applications using LogicPatcher

Published: 9 March 2016

ABSTRACT

Logic vulnerabilities are an important class of programming flaws in web applications. These vulnerabilities occur when a desired property pertaining to an application's logic does not hold along certain paths in the application's code. Many analysis tools have been developed to find logic vulnerabilities in web applications. Given a web application with logic vulnerabilities, the question is whether one can design methods to patch application code and prevent these vulnerabilities from being exploited. We answer this question by developing an approach and tool called LogicPatcher for patching of logic vulnerabilities. We focus on correct patch placement, i.e. identifying the precise location in code where the patch code can be introduced, based on path profiling. As we show in this paper, finding the appropriate location as well as generating the right patch can get complicated and require deep code analysis. We demonstrate the utility of LogicPatcher by automatically fixing several critical parameter tampering and authorization vulnerabilities in large web applications.
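The abstract describes two separable steps: deciding that a logic property fails along some paths to a sensitive operation, and choosing the one place in the code where an inserted check covers exactly those paths. The following Python model is an added illustration of that placement problem, not LogicPatcher's own code (which works on real web application source): the handler's control-flow graph, its node names, the placement rule (latest node shared by all violating paths, preferring one no compliant path visits) and the `guard_owner` predicate are constructed assumptions for this example.

```python
"""
Added model of path-sensitive patch placement (not LogicPatcher's code).

A handler is modelled as a small control-flow graph.  The logic property is:
"an authorization check must run on every path from entry to the privileged
sink".  We enumerate entry->sink paths, find the ones that violate the
property, choose one location where a single inserted guard covers all of
them, splice the guard in, and re-verify.  The handler, node names, the
placement rule and `guard_owner` are constructed assumptions for this example.
"""
from typing import Dict, List, Optional, Set, Tuple

Graph = Dict[str, List[str]]

# Constructed CFG of a hypothetical profile-update handler.  The admin branch
# checks a role before writing; the self-edit branch writes whatever `uid`
# the request carried, so a user can tamper with `uid` to edit someone else.
CFG: Graph = {
    "entry": ["parse_params"],
    "parse_params": ["admin_branch", "self_edit_branch"],
    "admin_branch": ["check_admin_role"],
    "check_admin_role": ["load_target_user"],
    "self_edit_branch": ["load_target_user"],      # no ownership check here
    "load_target_user": ["write_profile"],
    "write_profile": ["exit"],
    "exit": [],
}
CHECKS: Set[str] = {"check_admin_role"}   # nodes that establish the property
ENTRY, SINK = "entry", "write_profile"


def enumerate_paths(cfg: Graph, entry: str, sink: str) -> List[List[str]]:
    """All simple entry->sink paths (DFS; a node is not revisited on a path)."""
    paths: List[List[str]] = []

    def walk(node: str, path: List[str]) -> None:
        if node == sink:
            paths.append(path)
            return
        for succ in cfg.get(node, []):
            if succ not in path:
                walk(succ, path + [succ])

    walk(entry, [entry])
    return paths


def split_paths(cfg: Graph, entry: str, sink: str,
                checks: Set[str]) -> Tuple[List[List[str]], List[List[str]]]:
    """Partition paths into compliant (a check precedes the sink) and violating."""
    compliant: List[List[str]] = []
    violating: List[List[str]] = []
    for p in enumerate_paths(cfg, entry, sink):
        (compliant if any(n in checks for n in p[:-1]) else violating).append(p)
    return compliant, violating


def choose_patch_location(compliant: List[List[str]],
                          violating: List[List[str]]) -> Optional[str]:
    """Latest node shared by every violating path, preferring one that no
    compliant path visits, so one guard fixes all violations without running
    redundantly on paths that already check."""
    if not violating:
        return None
    common = set(violating[0][:-1])
    for p in violating[1:]:
        common &= set(p[:-1])
    on_compliant = {n for p in compliant for n in p}
    pool = (common - on_compliant) or common
    order = {n: i for i, n in enumerate(violating[0])}   # position along a path
    return max(pool, key=lambda n: order[n])


def apply_patch(cfg: Graph, checks: Set[str], location: str,
                guard: str) -> Tuple[Graph, Set[str]]:
    """Splice a guard node directly after `location`; returns the patched graph."""
    patched = {k: list(v) for k, v in cfg.items()}
    patched[guard] = patched[location]
    patched[location] = [guard]
    return patched, checks | {guard}


def guard_owner(request: dict, session: dict) -> bool:
    """Runtime body of the inserted guard: the profile being written must belong
    to the logged-in user.  Compares as strings because the request value
    arrives as text while the session stores an int; a missing id fails closed."""
    uid, sid = request.get("uid"), session.get("uid")
    return uid is not None and sid is not None and str(uid) == str(sid)


def demo() -> Tuple[Optional[str], int, int, int]:
    """Returns (patch location, violating before, compliant after, violating after)."""
    compliant, violating = split_paths(CFG, ENTRY, SINK, CHECKS)
    loc = choose_patch_location(compliant, violating)
    if loc is None:
        return loc, 0, len(compliant), 0
    patched, checks = apply_patch(CFG, CHECKS, loc, "guard_owner")
    after_ok, after_bad = split_paths(patched, ENTRY, SINK, checks)
    return loc, len(violating), len(after_ok), len(after_bad)


if __name__ == "__main__":
    print(demo())   # ('self_edit_branch', 1, 2, 0)
```

On this graph the only violating path is the self-edit branch, and the chosen location is `self_edit_branch` rather than `load_target_user`: the latter also lies on the admin path, where the role check already holds, so a guard there would run redundantly and, for a property that differs per branch, would be the wrong check. Real code has loops, calls and data-dependent conditions that the simple-path enumeration here ignores, which is the "deep code analysis" the abstract refers to.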

Published in

CODASPY '16: Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy
March 2016, 340 pages
ISBN: 9781450339353
DOI: 10.1145/2857705

Copyright © 2016 ACM

Publisher: Association for Computing Machinery, New York, NY, United States


Acceptance rates

CODASPY '16 paper acceptance rate: 22 of 115 submissions (19%). Overall acceptance rate: 149 of 789 submissions (19%).
