
RoleCast: finding missing security checks when you do not know what checks are

Published: 22 October 2011

Abstract

Web applications written in languages such as PHP and JSP are notoriously vulnerable to accidentally omitted authorization checks and other security bugs. Existing techniques that find missing security checks in library and system code assume that (1) security checks can be recognized syntactically and (2) the same pattern of checks applies universally to all programs. These assumptions do not hold for Web applications. Each Web application uses different variables and logic to check the user's permissions. Even within a single application, security logic varies based on the user's role, e.g., regular users versus administrators. This paper describes ROLECAST, the first system capable of statically identifying the security logic that mediates security-sensitive events (such as database writes) in Web applications, rather than taking a specification of this logic as input. We observe a consistent software engineering pattern (the code that implements distinct user role functionality and its security logic resides in distinct methods and files) and develop a novel algorithm for discovering this pattern in Web applications. Our algorithm partitions the set of file contexts (a coarsening of calling contexts) on which security-sensitive events are control dependent into roles. Roles are based on common functionality and security logic. ROLECAST identifies security-critical variables and applies role-specific variable consistency analysis to find missing security checks. ROLECAST discovered 13 previously unreported, remotely exploitable vulnerabilities in 11 substantial PHP and JSP applications, with only 3 false positives.

This paper demonstrates that (1) accurate inference of application- and role-specific security logic improves the security of Web applications without specifications, and (2) static analysis can discover security logic automatically by exploiting distinctive software engineering features.
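The following is an added example, not RoleCast's code and not from the paper: a toy model of the role-specific variable consistency analysis the abstract describes. Each PHP file containing a security-sensitive event (a database write) is modelled as a file context mapped to the set of condition variables that the write is control dependent on. Two simplifications are assumptions of this example alone: roles are approximated by the directory a file lives in (following the paper's observation that role-specific code lives in distinct files, but not its actual partitioning algorithm), and a variable counts as security-critical for a role when a strict majority of that role's contexts check it. All file names and variables are constructed sample data.

```python
"""Toy role-specific consistency analysis for missing authorization checks.

Added example; not RoleCast's implementation. Models the idea from the
abstract: partition file contexts into roles, find each role's critical
check variables, and flag contexts in the role that omit one of them.
"""
from collections import Counter, defaultdict
from posixpath import dirname

# Constructed sample: file context -> variables the DB write is control dependent on.
SAMPLE_CONTEXTS = {
    "admin/delete_user.php":   {"$_SESSION['logged_in']", "$_SESSION['is_admin']"},
    "admin/edit_config.php":   {"$_SESSION['logged_in']", "$_SESSION['is_admin']"},
    "admin/ban_user.php":      {"$_SESSION['logged_in']"},       # is_admin check omitted
    "user/update_profile.php": {"$_SESSION['logged_in']", "$owner == $uid"},
    "user/delete_post.php":    {"$_SESSION['logged_in']", "$owner == $uid"},
    "user/edit_post.php":      {"$_SESSION['logged_in']", "$owner == $uid"},
    "public/register.php":     set(),   # anonymous signup: legitimately unchecked
}


def partition_by_directory(contexts):
    """Assumed role heuristic: one role per directory (admin/, user/, public/)."""
    roles = defaultdict(list)
    for path in contexts:
        roles[dirname(path) or "."].append(path)
    return dict(roles)


def critical_variables(contexts, members):
    """Assumed criterion: variables checked by a strict majority of the role's contexts."""
    counts = Counter(v for m in members for v in contexts[m])
    return {v for v, n in counts.items() if n * 2 > len(members)}


def find_missing_checks(contexts, roles):
    """Return {file: sorted missing variables} for contexts inconsistent with their role."""
    findings = {}
    for members in roles.values():
        crit = critical_variables(contexts, members)
        for m in members:
            missing = crit - contexts[m]
            if missing:
                findings[m] = sorted(missing)
    return findings


def compare_global_vs_role(contexts):
    """Run the same consistency check application-wide and per role."""
    whole_app = {"all": list(contexts)}
    return (find_missing_checks(contexts, whole_app),
            find_missing_checks(contexts, partition_by_directory(contexts)))


if __name__ == "__main__":
    app_wide, per_role = compare_global_vs_role(SAMPLE_CONTEXTS)
    print("application-wide consistency:", app_wide)
    print("role-specific consistency:   ", per_role)
```

On this sample the application-wide pass reports only the public registration page (a false positive, since most files check `logged_in` and this one legitimately does not) and misses the admin bug, because `is_admin` is checked in too few files overall. The role-specific pass reports exactly `admin/ban_user.php` missing `$_SESSION['is_admin']`, which is the point the abstract makes about why role partitioning matters.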
