Abstract
Web applications written in languages such as PHP and JSP are notoriously vulnerable to accidentally omitted authorization checks and other security bugs. Existing techniques that find missing security checks in library and system code assume that (1) security checks can be recognized syntactically and (2) the same pattern of checks applies universally to all programs. These assumptions do not hold for Web applications. Each Web application uses different variables and logic to check the user's permissions. Even within the application, security logic varies based on the user's role, e.g., regular users versus administrators. This paper describes ROLECAST, the first system capable of statically identifying security logic that mediates security-sensitive events (such as database writes) in Web applications, rather than taking a specification of this logic as input. We observe a consistent software engineering pattern (the code that implements distinct user role functionality and its security logic resides in distinct methods and files) and develop a novel algorithm for discovering this pattern in Web applications. Our algorithm partitions the set of file contexts (a coarsening of calling contexts) on which security-sensitive events are control dependent into roles. Roles are based on common functionality and security logic. ROLECAST identifies security-critical variables and applies role-specific variable consistency analysis to find missing security checks. ROLECAST discovered 13 previously unreported, remotely exploitable vulnerabilities in 11 substantial PHP and JSP applications, with only 3 false positives.
This paper demonstrates that (1) accurate inference of application- and role-specific security logic improves the security of Web applications without specifications, and (2) static analysis can discover security logic automatically by exploiting distinctive software engineering features.
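The abstract describes the core idea at a high level: group the file contexts on which a sensitive event (a database write) is control dependent into roles, infer each role's security-critical variables, and flag contexts in that role that fail to check them. The following Python sketch is an added illustration of that consistency analysis, not the authors' ROLECAST implementation. It assumes the file contexts and the session variables checked along each one have already been extracted (here they are constructed inline), approximates the role partition by grouping contexts on their entry file, and treats a variable as security-critical for a role when a strict majority of that role's contexts check it; all three are this example's simplifications.

```python
from collections import Counter

# Constructed sample input: each entry is a file context (the chain of files
# included on the way to a database write) paired with the session variables
# the write is control dependent on along that chain. The role and variable
# names are made up for this example.
CONTEXTS = [
    (("admin/index.php", "admin/lib/post.php"),
     {"$_SESSION['is_admin']", "$_SESSION['uid']"}),
    (("admin/index.php", "admin/lib/delete.php"),
     {"$_SESSION['is_admin']", "$_SESSION['uid']"}),
    # Administrative write that checks login but not the admin flag.
    (("admin/index.php", "admin/lib/settings.php"),
     {"$_SESSION['uid']"}),
    (("user/index.php", "user/lib/comment.php"), {"$_SESSION['uid']"}),
    (("user/index.php", "user/lib/profile.php"), {"$_SESSION['uid']"}),
    # User-role write with no check at all.
    (("user/index.php", "user/lib/vote.php"), set()),
    # Lone context: no peers to compare against, so no baseline.
    (("install.php",), set()),
]


def partition_roles(contexts):
    """Group file contexts into roles.

    Assumption of this example: the entry file of a context identifies its
    role (admin/ versus user/ pages). ROLECAST derives the partition from
    shared functionality and security logic; this is a stand-in for that.
    """
    roles = {}
    for files, checks in contexts:
        roles.setdefault(files[0], []).append((files, checks))
    return roles


def critical_variables(role_contexts):
    """Variables checked on a strict majority of a role's contexts.

    Majority voting is an assumed threshold; it lets one context with a
    missing check be outvoted by its consistently checked peers.
    """
    n = len(role_contexts)
    counts = Counter()
    for _, checks in role_contexts:
        counts.update(checks)
    return {var for var, c in counts.items() if 2 * c > n}


def find_missing_checks(contexts):
    """Report (context, missing variables) for every context whose checks
    fall short of its role's security-critical variable set."""
    findings = []
    for role_contexts in partition_roles(contexts).values():
        if len(role_contexts) < 2:
            continue  # a single context gives no consistency baseline
        critical = critical_variables(role_contexts)
        for files, checks in role_contexts:
            missing = critical - checks
            if missing:
                findings.append((files, missing))
    return findings


if __name__ == "__main__":
    for files, missing in find_missing_checks(CONTEXTS):
        print(" -> ".join(files), "lacks", ", ".join(sorted(missing)))
```

Run on the constructed input, the analysis reports the admin settings page (missing the admin-flag check its peers perform) and the user vote page (missing the login check), while the lone install script produces no finding because its role has no other contexts to establish what "consistent" means. A real analysis must first compute the control dependences and file contexts from the program; that extraction step is outside this sketch.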
RoleCast: finding missing security checks when you do not know what checks are. OOPSLA '11: Proceedings of the 2011 ACM international conference on Object oriented programming systems languages and applications.