ABSTRACT
SQL injection and cross-site scripting are two of the most common security vulnerabilities that plague web applications today. These and many others result from unchecked input data reaching security-sensitive operations. This paper describes a language called PQL (Program Query Language) that allows users to specify information flow patterns succinctly and declaratively. We have developed a static, context-sensitive but flow-insensitive information flow tracking analysis that can be used to find all the vulnerabilities in a program. In the event that the analysis generates too many warnings, its result can be used to drive a model-checking system that analyzes the program more precisely. Model checking is also used to automatically generate the input vectors that expose the vulnerability. Any remaining behavior these static analyses have not isolated may be checked dynamically, and the results of the static analyses may be used to optimize these dynamic checks.
Our experimental results indicate the language is expressive enough for describing a large number of vulnerabilities succinctly. We have analyzed over nine applications, detecting 30 serious security vulnerabilities. We were also able to automatically recover from attacks as they occurred using the dynamic checker.
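A toy version of the flow-insensitive source-to-sink taint propagation the abstract describes, added here as an illustration and not the paper's PQL or its analysis engine; the source, sink and sanitizer names and the sample servlet-style program are constructed, and the sanitizer-to-sink mapping shows why escaping for one sink does not clear the flow to another.

```python
"""Toy flow-insensitive taint analysis (constructed example, not PQL itself).

A program is a bag of statements over string variables. Statement order is
ignored (flow-insensitive): taint is propagated to a fixed point over the
whole set, so a variable tainted anywhere is tainted everywhere it is read.
"""
from dataclasses import dataclass

SOURCES = {"getParameter", "getHeader", "getCookie"}          # assumed source names
SINKS = {"executeQuery": "SQL injection", "println": "cross-site scripting"}
SANITIZERS = {"escapeSql": "executeQuery", "htmlEncode": "println"}  # sanitizer -> sink it neutralises


@dataclass(frozen=True)
class Stmt:
    target: str   # variable assigned, "" for a call used only as a sink
    op: str       # source / sink / sanitizer name, or "concat" / "assign"
    args: tuple   # variable names, or quoted string literals


def analyze(program):
    """Return (vulnerability kind, source label, sink argument) findings."""
    taint = {}  # var -> set of (source label, sink still reachable unsanitised)
    changed = True
    while changed:  # fixed point; statement order is irrelevant
        changed = False
        for s in program:
            if s.op in SINKS:
                continue
            if s.op in SOURCES:  # fresh taint is live for every sink kind
                new = {(f"{s.op}({s.args[0]})", sink) for sink in SINKS}
            else:  # taint flows through arguments; a sanitizer drops only its own sink kind
                new = {p for a in s.args for p in taint.get(a, set())
                       if p[1] != SANITIZERS.get(s.op)}
            if not new <= taint.get(s.target, set()):
                taint.setdefault(s.target, set()).update(new)
                changed = True
    return [(SINKS[s.op], src, a) for s in program if s.op in SINKS
            for a in s.args for src, sink in sorted(taint.get(a, set()))
            if sink == s.op]


# Constructed sample: one SQL-escaped path, one raw path, one escaped value echoed to HTML.
PROGRAM = [
    Stmt("name", "getParameter", ('"name"',)),
    Stmt("safe", "escapeSql", ("name",)),
    Stmt("q1", "concat", ('"SELECT * FROM users WHERE name=\'"', "safe", '"\'"')),
    Stmt("", "executeQuery", ("q1",)),   # sanitised for SQL: no finding
    Stmt("q2", "concat", ('"SELECT * FROM users WHERE name=\'"', "name", '"\'"')),
    Stmt("", "executeQuery", ("q2",)),   # unsanitised: SQL injection
    Stmt("", "println", ("safe",)),      # escapeSql does not neutralise XSS
]

if __name__ == "__main__":
    for kind, src, var in analyze(PROGRAM):
        print(f"{kind}: {src} reaches sink via {var}")
```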
Index Terms: Securing web applications with static and dynamic information flow tracking