DOI: 10.1145/988672.988679
Article

Securing web application code by static analysis and runtime protection

Published: 17 May 2004

ABSTRACT

Security remains a major roadblock to universal acceptance of the Web for many kinds of transactions, especially since the recent sharp increase in remotely exploitable vulnerabilities has been attributed to Web application bugs. Many verification tools are discovering previously unknown vulnerabilities in legacy C programs, raising hopes that the same success can be achieved with Web applications. In this paper, we describe a sound and holistic approach to ensuring Web application security. Viewing Web application vulnerabilities as a secure information flow problem, we created a lattice-based static analysis algorithm derived from type systems and typestate, and addressed its soundness. During the analysis, sections of code considered vulnerable are instrumented with runtime guards, thus securing Web applications in the absence of user intervention. With sufficient annotations, runtime overhead can be reduced to zero. We also created a tool named WebSSARI (Web application Security by Static Analysis and Runtime Inspection) to test our algorithm, and used it to verify 230 open-source Web application projects on SourceForge.net, which were selected to represent projects of different maturity, popularity, and scale. 69 contained vulnerabilities. After notifying the developers, 38 acknowledged our findings and stated their plans to provide patches. Our statistics also show that static analysis reduced potential runtime overhead by 98.4%.
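The abstract compresses three ideas: taint as a two-point information-flow lattice, a flow-sensitive analysis that joins branch states in the typestate style, and runtime guards inserted only at the sinks the analysis cannot prove safe, so that developer annotations (declaring trusted sanitizers) shrink the instrumented set toward zero. The toy below is an added illustration of that pipeline and is not WebSSARI's code or its PHP front end; the tuple-based intermediate form, the sample programs, the `Result` type, the `analyze`, `overhead_reduction` and `_flow` functions, and the placeholder sanitizer name `escape_sql_literal` are all constructed here for the example.

```python
"""Toy lattice-based taint analysis with selective runtime instrumentation.

Added example, not the paper's implementation.  The IR, sample programs and
helper names below are constructed for illustration only.
"""
from dataclasses import dataclass, field

# Two-point information-flow lattice: UNTAINTED below TAINTED; join is max.
UNTAINTED, TAINTED = 0, 1


def join(a: int, b: int) -> int:
    return max(a, b)


# Constructed IR (statement tuples):
#   ("input",  var)                  var receives request data ($_GET, $_POST, ...)
#   ("assign", var, [src_vars])      var := expression over src_vars (concatenation etc.)
#   ("call",   var, fn, [args])      var := fn(args); fn may be an annotated sanitizer
#   ("if",     then_stmts, else_stmts)
#   ("sink",   sink_name, var)       data reaches an output/query/command sink

# Functions the analyzer is told (by annotation) return untainted data.
# htmlspecialchars/intval/escapeshellarg are real PHP builtins; the set itself
# is the example's annotation table, not a list from the paper.
BUILTIN_SANITIZERS = frozenset({"htmlspecialchars", "intval", "escapeshellarg"})

# Sink-specific runtime guard inserted where static analysis finds a vulnerability.
# "escape_sql_literal" is a placeholder name; a real system would map sinks to
# its own guard functions (or prefer parameterized queries for SQL).
GUARD_FOR = {"echo": "htmlspecialchars", "mysql_query": "escape_sql_literal",
             "system": "escapeshellarg"}


@dataclass
class Result:
    guards: list = field(default_factory=list)   # (sink, var) pairs that got a guard
    sinks: int = 0                               # all sinks seen (potential guard sites)
    program: list = field(default_factory=list)  # instrumented IR


def _taint_of(names, env):
    # Unassigned names default to UNTAINTED; this assumes register_globals is
    # off.  With it on, every unassigned name would have to start as TAINTED.
    t = UNTAINTED
    for n in names:
        t = join(t, env.get(n, UNTAINTED))
    return t


def _flow(stmts, env, sanitizers, res):
    """Forward analysis over one block; returns (env after block, instrumented block)."""
    env, out = dict(env), []
    for st in stmts:
        kind = st[0]
        if kind == "input":
            env[st[1]] = TAINTED
            out.append(st)
        elif kind == "assign":
            _, var, srcs = st
            env[var] = _taint_of(srcs, env)
            out.append(st)
        elif kind == "call":
            _, var, fn, args = st
            env[var] = UNTAINTED if fn in sanitizers else _taint_of(args, env)
            out.append(st)
        elif kind == "if":
            _, then_b, else_b = st
            env_t, out_t = _flow(then_b, env, sanitizers, res)
            env_f, out_f = _flow(else_b, env, sanitizers, res)
            # Merge point: least upper bound of both branch states (typestate-style).
            env = {v: join(env_t.get(v, UNTAINTED), env_f.get(v, UNTAINTED))
                   for v in env_t.keys() | env_f.keys()}
            out.append(("if", out_t, out_f))
        elif kind == "sink":
            _, sink, var = st
            res.sinks += 1
            if env.get(var, UNTAINTED) == TAINTED:
                # Statically vulnerable: route the value through a runtime guard.
                res.guards.append((sink, var))
                guarded = f"{var}__guarded"
                out.append(("call", guarded, GUARD_FOR[sink], [var]))
                out.append(("sink", sink, guarded))
            else:
                out.append(st)           # proven safe: no runtime cost
        else:
            raise ValueError(f"unknown statement kind {kind!r}")
    return env, out


def analyze(stmts, sanitizers=BUILTIN_SANITIZERS) -> Result:
    res = Result()
    _, res.program = _flow(stmts, {}, sanitizers, res)
    return res


def overhead_reduction(res: Result) -> float:
    """Share of sinks left unguarded, i.e. runtime checks avoided by static analysis."""
    return 1.0 if res.sinks == 0 else 1.0 - len(res.guards) / res.sinks


# Constructed sample: two request parameters, one XSS sink pair, one SQL sink pair.
SAMPLE_PROGRAM = [
    ("input", "name"), ("input", "id"),
    ("assign", "greeting", ["name"]),                  # "Hello " . $name
    ("sink", "echo", "greeting"),                      # tainted -> guarded
    ("call", "safe_name", "htmlspecialchars", ["name"]),
    ("sink", "echo", "safe_name"),                     # untainted -> no guard
    ("if", [("call", "id", "intval", ["id"])], []),    # sanitized on one path only
    ("assign", "q", ["id"]), ("sink", "mysql_query", "q"),   # merge keeps TAINTED -> guarded
    ("call", "esc_id", "intval", ["id"]),
    ("assign", "q2", ["esc_id"]), ("sink", "mysql_query", "q2"),  # no guard
]

# Constructed sample with a user-written cleaner the analyzer knows nothing about
# until it is annotated as a sanitizer.
ANNOTATED_PROGRAM = [
    ("input", "id"), ("call", "cid", "clean_id", ["id"]),
    ("assign", "q", ["cid"]), ("sink", "mysql_query", "q"),
]

if __name__ == "__main__":
    r = analyze(SAMPLE_PROGRAM)
    print("guards:", r.guards, "reduction:", overhead_reduction(r))
    print("unannotated:", analyze(ANNOTATED_PROGRAM).guards)
    print("annotated:", analyze(ANNOTATED_PROGRAM, BUILTIN_SANITIZERS | {"clean_id"}).guards)
```

Running it shows the three behaviours the abstract names: only two of the four sinks in `SAMPLE_PROGRAM` receive guards (the `if` merge correctly keeps `$id` tainted because one path skips `intval`), and the second program needs one guard until `clean_id` is annotated as a sanitizer, after which the instrumented program carries no runtime checks at all.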


Published in

WWW '04: Proceedings of the 13th international conference on World Wide Web
May 2004, 754 pages
ISBN: 158113844X
DOI: 10.1145/988672

Copyright © 2004 ACM

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher: Association for Computing Machinery, New York, NY, United States
