DOI: 10.1145/2523649.2523650
Research article

Uncovering access control weaknesses and flaws with security-discordant software clones

Published: 09 December 2013

ABSTRACT

Software clone detection techniques identify fragments of code that share some level of syntactic similarity. In this study, we investigate security-sensitive clone clusters: clusters of syntactically similar fragments of code that are protected by some privileges. From a security perspective, security-sensitive clone clusters can help reason about the implemented security model: given syntactically similar fragments of code, it is expected that they are protected by similar privileges. We hypothesize that clones that violate this assumption, defined as security-discordant clones, are likely to reveal weaknesses and flaws in access control models.

To characterize security-discordant clones, we investigated two of the largest and most popular open-source PHP applications, Joomla! and Moodle, whose sizes range from hundreds of thousands to more than a million lines of code. Investigation of security-discordant clone clusters in these systems revealed several previously undocumented, recurring, and application-independent security weaknesses. Security-discordant clones also revealed four previously unreported security flaws, and the results show that these flaws were found by investigating as little as 2% of the code base. The distribution of weaknesses and flaws between the two systems is investigated and discussed, and potential extensions to this exploratory work are presented.
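As an added illustration of the abstract's core idea (example code, not from the paper or its tooling): fragments are grouped into type-2 clone clusters by identical normalized token sequences, and a cluster whose clones are guarded by different privilege sets is reported as security-discordant, with the deviating fragments flagged as candidates for a missing or inconsistent access control check. The PHP fragments, file locations and privilege sets are constructed, and the privilege extraction itself is assumed to be done by a separate analysis.

```python
import re
from collections import Counter, defaultdict

# Constructed sample (not from the paper): (location, PHP fragment, privileges guarding it).
# The privilege sets are assumed to come from a separate privilege-propagation analysis.
FRAGMENTS = [
    ("admin/delete_user.php:12", '$db->query("DELETE FROM users WHERE id = $id");', {"admin"}),
    ("admin/delete_group.php:30", '$db->query("DELETE FROM groups WHERE id = $gid");', {"admin"}),
    ("api/delete_user.php:8", '$db->query("DELETE FROM users WHERE id = $uid");', set()),
    ("public/list.php:3", "echo render($items);", set()),
]

# Strings, numbers, (possibly $-prefixed) identifiers, then any other single non-space char.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|\d+|\$?[A-Za-z_]\w*|\S')

def normalize(code):
    """Type-2 clone normalization: variables -> VAR, identifiers -> ID, literals -> LIT."""
    out = []
    for tok in _TOKEN.findall(code):
        if tok[0] in "\"'" or tok.isdigit():
            out.append("LIT")
        elif tok[0] == "$":
            out.append("VAR")
        elif tok[0].isalpha() or tok[0] == "_":
            out.append("ID")
        else:
            out.append(tok)          # punctuation is kept verbatim
    return tuple(out)

def clone_clusters(fragments):
    """Group fragments whose normalized token sequences are identical (size >= 2)."""
    clusters = defaultdict(list)
    for loc, code, privs in fragments:
        clusters[normalize(code)].append((loc, frozenset(privs)))
    return [m for m in clusters.values() if len(m) >= 2]

def security_discordant(fragments):
    """Map each outlier fragment to (its privileges, the dominant privileges of its cluster)."""
    findings = {}
    for members in clone_clusters(fragments):
        if len({privs for _, privs in members}) <= 1:
            continue                 # concordant: every clone is guarded alike
        # The most common privilege set is taken as the intended protection level.
        dominant = Counter(privs for _, privs in members).most_common(1)[0][0]
        for loc, privs in members:
            if privs != dominant:
                findings[loc] = (set(privs), set(dominant))
    return findings
```

Calling `security_discordant(FRAGMENTS)` reports the unguarded `api/delete_user.php:8` fragment, whose two clones are both guarded by `admin`.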


Published in

ACSAC '13: Proceedings of the 29th Annual Computer Security Applications Conference
December 2013, 374 pages
ISBN: 9781450320153
DOI: 10.1145/2523649

Copyright © 2013 ACM


Publisher: Association for Computing Machinery, New York, NY, United States


Acceptance rates

Overall acceptance rate: 104 of 497 submissions, 21%
