Finding Security Vulnerabilities in Java Applications with Static Analysis

USENIX Security, 2005

Abstract

This paper proposes a static analysis technique for detecting many recently discovered application vulnerabilities such as SQL injections, cross-site scripting, and HTTP splitting attacks. These vulnerabilities stem from unchecked input, which is widely recognized as the most common source of security vulnerabilities in Web applications.

Introduction
  • The security of Web applications has become increasingly important in the last decade.
  • A recent penetration testing study performed by the Imperva Application Defense Center included more than 250 Web applications from e-commerce, online banking, enterprise collaboration, and supply chain management sites [54].
  • Their vulnerability assessment concluded that at least 92% of Web applications are vulnerable to some form of hacker attacks.
  • Security compliance of application vendors is especially important in light of recent U.S. industry regulations such as the Sarbanes-Oxley Act pertaining to information security [4, 19].
Highlights
  • The benchmark applications are briefly described below: jboard, blueblog, blojsom, personalblog, snipsnap, pebble, and roller are Web-based bulletin board and blogging applications; webgoat is a J2EE application designed by the Open Web Application Security Project [40, 41] as a test case and a teaching tool for Web application security.
  • The static analysis described in this paper reports a total of 41 potential security violations in the nine benchmarks, of which 29 turn out to be security errors and 12 are false positives.
  • A total of 29 security errors were found, and all but one of the nine large real-life benchmark applications were vulnerable.
Methods
  • The implementation is based on the joeq Java compiler and analysis framework.
  • The authors applied the static analysis to every tainted object propagation problem described in the paper, using a total of 28 source, 18 sink, and 29 derivation descriptors in the experiments.
  • Source and sink descriptors correspond to methods declared in 19 different J2EE classes, as further described in [34].
  • Four variations of the static analysis were used, obtained by enabling or disabling context sensitivity and improved object naming.
Results
  • The authors summarize the experiments performed and describe the security violations found.
  • While a fair number of commercial and open-source tools are available for testing Web application security, there are no established benchmarks for comparing their effectiveness.
  • Finding suitable benchmarks was complicated by the fact that most Web-based applications are proprietary software, whose vendors are understandably reluctant to reveal their code, let alone the vulnerabilities found in it.
  • The authors focused on a set of large, representative open-source Web-based J2EE applications, most of which are available on SourceForge.
  • road2hibernate is a test program developed for hibernate, a popular object persistence library.
Conclusion
  • In this paper the authors showed how a general class of security errors in Java applications can be formulated as instances of the general tainted object propagation problem, which involves finding all sink objects derivable from source objects via a set of given derivation rules.
  • The authors' experimental results showed that the analysis is an effective practical tool for finding security vulnerabilities.
  • Most of the security errors the authors reported were confirmed as exploitable vulnerabilities by their maintainers, resulting in more than a dozen code fixes.
  • The authors determined that the false warnings reported can be eliminated with improved object naming.
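As an added example (not the paper's joeq/PQL implementation, and independent of the benchmarks above), the following Python script encodes the tainted object propagation formulation stated in the Highlights and Conclusion on a tiny three-address IR, and runs it both context-insensitively and context-sensitively, the two settings the Methods section varies. The descriptor names (getParameter, executeQuery, concat), the call-site labels, the quote helper and the sample doGet handler are all constructed for illustration; context sensitivity is approximated with call strings rather than the BDD-based cloning of [55].

```python
"""Toy tainted-object-propagation analysis (added example, not the paper's
joeq/PQL implementation). Source, sink and derivation descriptors name the
library methods that introduce, consume and propagate tainted data; the
analysis computes the least fixpoint of "tainted" over variables across
method calls and reports every sink call site that a source can reach."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple, Union


@dataclass(frozen=True)
class Const:        # lhs = "literal"  (a literal is never tainted)
    lhs: str

@dataclass(frozen=True)
class Call:         # lhs = callee(args...)  at call site `site`
    site: str
    lhs: str
    callee: str
    args: Tuple[str, ...]

@dataclass(frozen=True)
class Return:       # return var
    var: str

@dataclass(frozen=True)
class Method:
    params: Tuple[str, ...]
    body: Tuple[Union[Const, Call, Return], ...]

# Hypothetical descriptors, modelled on the paper's three categories.
SOURCES = {"getParameter"}        # result is attacker-controlled
SINKS = {"executeQuery": 0}       # index of the argument that must be clean
DERIVATIONS = {"concat": (0, 1)}  # result tainted if any listed argument is


def analyze(program: Dict[str, Method], entry: str,
            context_sensitive: bool, max_depth: int = 4) -> Set[str]:
    """Return the sink call sites that can receive tainted data. Insensitive
    mode merges all callers of a method; sensitive mode keys the state by the
    call string (truncated to max_depth), a k-CFA stand-in for the paper's cloning."""
    def key(name: str, ctx: Tuple[str, ...]):
        return (name, ctx if context_sensitive else ())

    entry_taint: Dict[Tuple[str, Tuple[str, ...]], FrozenSet[str]] = {key(entry, ()): frozenset()}
    ret_taint: Dict[Tuple[str, Tuple[str, ...]], bool] = {}   # method (in context) returns taint?
    warnings: Set[str] = set()
    changed = True
    while changed:                    # iterate until nothing new is derived
        changed = False
        for k in list(entry_taint):
            name, ctx = k
            tainted = set(entry_taint[k])   # tainted variables, tracked flow-sensitively
            for st in program[name].body:
                if isinstance(st, Const):
                    tainted.discard(st.lhs)
                elif isinstance(st, Return):
                    if st.var in tainted and not ret_taint.get(k, False):
                        ret_taint[k] = True
                        changed = True
                elif st.callee in SOURCES:
                    tainted.add(st.lhs)
                elif st.callee in SINKS:
                    if st.args[SINKS[st.callee]] in tainted:
                        warnings.add(st.site)
                elif st.callee in DERIVATIONS:
                    hit = any(st.args[i] in tainted for i in DERIVATIONS[st.callee])
                    (tainted.add if hit else tainted.discard)(st.lhs)
                elif st.callee in program:    # application method: propagate into callee
                    ck = key(st.callee, (ctx + (st.site,))[-max_depth:])
                    params = program[st.callee].params
                    incoming = frozenset(p for p, a in zip(params, st.args) if a in tainted)
                    old = entry_taint.get(ck)
                    if old is None or not incoming <= old:
                        entry_taint[ck] = (old or frozenset()) | incoming
                        changed = True
                    (tainted.add if ret_taint.get(ck, False) else tainted.discard)(st.lhs)
                else:                         # undescribed library call: result treated as clean
                    tainted.discard(st.lhs)
    return warnings


# Constructed sample: a handler builds SQL through a quoting helper, once from a request parameter, once from a literal.
PROGRAM: Dict[str, Method] = {
    "doGet": Method((), (
        Const("prefix"),                                    # "SELECT ... WHERE name = '"
        Const("paramName"),                                 # "name"
        Call("c1", "user", "getParameter", ("paramName",)), # source
        Call("c2", "quotedUser", "quote", ("user",)),       # helper, tainted argument
        Const("admin"),                                     # "admin"
        Call("c3", "quotedAdmin", "quote", ("admin",)),     # same helper, clean argument
        Call("c4", "q1", "concat", ("prefix", "quotedAdmin")),
        Call("sink1", "r1", "executeQuery", ("q1",)),       # safe: literals only
        Call("c5", "q2", "concat", ("prefix", "quotedUser")),
        Call("sink2", "r2", "executeQuery", ("q2",)),       # real SQL injection
    )),
    "quote": Method(("s",), (
        Const("tick"),                                      # "'"
        Call("c6", "out", "concat", ("s", "tick")),
        Return("out"),
    )),
}


def compare() -> Tuple[Set[str], Set[str]]:
    """(context-insensitive warnings, context-sensitive warnings) for PROGRAM."""
    return (analyze(PROGRAM, "doGet", False), analyze(PROGRAM, "doGet", True))


if __name__ == "__main__":
    print(compare())   # ({'sink1', 'sink2'}, {'sink2'}): sink1 is a false positive
```

The insensitive run reports both sinks, the sensitive run only sink2: merging both callers of quote into one summary makes the query built from literals look tainted, which is exactly the kind of false positive that finer object naming and context sensitivity remove. Real servlet code also flows taint through fields, collections and string builders, which the paper's derivation descriptors cover and this toy IR does not.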
Related work
  • In this section, we first discuss penetration testing and runtime monitoring, two of the most commonly used approaches for finding vulnerabilities besides manual code reviews. We also review the relevant literature on static analysis for improving software security.

    7.1 Penetration Testing

    Current practical solutions for detecting Web application security problems generally fall into the realm of penetration testing [3, 5, 15, 36, 44]. Penetration testing involves attempting to exploit vulnerabilities in a Web application or crashing it by coming up with a set of appropriate malicious input values. Penetration reports usually include a list of identified vulnerabilities [25]. However, this approach is incomplete. A penetration test can usually reveal only a small sample of all possible security risks in a system without identifying the parts of the system that have not been adequately tested. Generally, there are no standards that define which tests to run and which inputs to try. In most cases this approach is not effective and considerable program knowledge is needed to find application-level security errors successfully.
Funding
  • This material is based upon work supported by the National Science Foundation under Grant No. 0326227.
References
  • [1] C. Anley. Advanced SQL injection in SQL Server applications. http://www.nextgenss.com/papers/advanced sql injection.pdf, 2002.
  • [2] C. Anley. (more) advanced SQL injection. http://www.nextgenss.com/papers/more advanced sql injection.pdf, 2002.
  • [3] B. Arkin, S. Stender, and G. McGraw. Software penetration testing. IEEE Security and Privacy, 3(1):84–87, 2005.
  • [4] K. Beaver. Achieving Sarbanes-Oxley compliance for Web applications through security testing. http://www.spidynamics.com/support/whitepapers/WI SOXwhitepaper.pdf, 2003.
  • [5] B. Buege, R. Layman, and A. Taylor. Hacking Exposed: J2EE and … Hill/Osborne, 2002.
  • [6] W. R. Bush, J. D. Pincus, and D. J. Sielaff. A static analyzer for finding dynamic programming errors. Software - Practice and Experience (SPE), 30:775–802, 2000.
  • [7] CGI Security. The cross-site scripting FAQ. http://www.…
  • [8] B. Chess and G. McGraw. Static analysis for security. IEEE Security and Privacy, 2(6):76–79, 2004.
  • [9] Chinotec Technologies. Paros: a tool for Web application security assessment. http://www.parosproxy.org, 2004.
  • [10] Computer Security Institute. Computer crime and security survey. http://www.gocsi.com/press/20020407.jhtml?requestid=195148, 2002.
  • [11] S. Cook. A Web developer's guide to cross-site scripting. http://www.giac.org/practical/GSEC/Steve Cook GSEC.pdf, 2003.
  • [12] C. Cowan, C. Pu, D. Maier, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, Q. Zhang, and H. Hinton. StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacks. In Proceedings of the 7th USENIX Security Conference, pages 63–78, January 1998.
  • [13] J. D'Anjou, S. Fairbrother, D. Kehn, J. Kellerman, and P. McCarthy. Java Developer's Guide to Eclipse. Addison-Wesley Professional, 2004.
  • [14] S. Friedl. SQL injection attacks by example. http://www.unixwiz.net/techtips/sql-injection.html, 2004.
  • [15] D. Geer and J. Harthorne. Penetration testing: A duet. http://www.acsac.org/2002/papers/geer.pdf, 2002.
  • [16] Gentoo Linux Security Advisory. SnipSnap: HTTP response splitting. http://www.gentoo.org/security/en/glsa/glsa-200409-23.xml, 2004.
  • [17] C. Gould, Z. Su, and P. Devanbu. Static checking of dynamically generated queries in database applications. In Proceedings of the 26th International Conference on Software Engineering, pages 645–654, 2004.
  • [18] … and XSS. http://www.cgisecurity.com/whitehat-mirror/WhitePaper screen.pdf, 2003.
  • [19] J. Grossman. WASC activities and U.S. Web application security trends. http://www.whitehatsec.com/presentations/WASC WASF 1.02.pdf, 2004.
  • [20] S. Hallem, B. Chelf, Y. Xie, and D. Engler. A system and language for building system-specific, static analyses. In Proceedings of the ACM SIGPLAN 2002 Conference on Programming Language Design and Implementation, pages 69–82, 2002.
  • [21] M. Howard and D. LeBlanc. Writing Secure Code. Microsoft Press, 2001.
  • [22] D. Hu. Preventing cross-site scripting vulnerability. http://www.giac.org/practical/GSEC/Deyu Hu GSEC.pdf, 2004.
  • [23] Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D.-T. Lee, and S.-Y. Kuo. Securing Web application code by static analysis and runtime protection. In Proceedings of the 13th Conference on World Wide Web, pages 40–52, 2004.
  • [24] … //www.informationweek.com/story/IWK20010209S0003, 2001.
  • [25] Imperva, Inc. SuperVeda penetration test. http://www.imperva.…
  • [26] R. Johnson and D. Wagner. Finding user/kernel pointer bugs with type inference. In Proceedings of the 2004 Usenix Security Conference, pages ….
  • [27] … www.cgisecurity.com/lib/CookiePoisoningByline.pdf, 2002.
  • [28] … //www.packetstormsecurity.org/papers/general/whitepaper httpresponse.pdf, 2004.
  • [29] S. Kost. An introduction to SQL injection attacks for Oracle developers. http://www.net-security.org/dl/articles/IntegrigyIntrotoSQLInjectionAttacks.pdf, 2004.
  • [30] M. Krax. Mozilla Foundation security advisory 2005-38. http://www.mozilla.org/security/announce/mfsa2005-38.html, 2005.
  • [31] … http://www.securityfocus.com/archive/1/385333/2004-12-20/2004-12-26/0, 2003.
  • [32] D. Litchfield. SQL Server Security. McGraw-Hill Osborne Media, 2003.
  • [33] V. B. Livshits and M. S. Lam. Tracking pointers with path and context sensitivity for bug detection in C programs. In Proceedings of the ACM …, pages 317–326, Sept. 2003.
  • [34] V. B. Livshits and M. S. Lam. Detecting security vulnerabilities in Java applications with static analysis. Technical report, Stanford University. http://suif.stanford.edu/~livshits/papers/tr/webappsec tr.pdf, 2005.
  • [35] M. Martin, V. B. Livshits, and M. S. Lam. Finding application errors using PQL: a program query language (to be published). In Proceedings of the ACM Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA), Oct. 2005.
  • [36] J. Melbourne and D. Jorm. Penetration testing for Web applications. http://www.securityfocus.com/infocus/1704, 2003.
  • [37] J. S. Miller, S. Ragsdale, and J. Miller. The Common Language Infrastructure Annotated Standard. Addison-Wesley Professional, 2003.
  • [38] A. C. Myers. JFlow: practical mostly-static information flow control. In Proceedings of the 26th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 228–241, Jan. 1999.
  • [39] NetContinuum, Inc. The 21 primary classes of Web application threats. https://www.netcontinuum.com/securityCentral/TopThreatTypes/index.cfm, 2004.
  • [40] Open Web Application Security Project. A guide to building secure Web applications. http://voxel.dl.sourceforge.net/sourceforge/owasp/OWASPGuideV1.1.pdf, 2004.
  • [41] Open Web Application Security Project. The ten most critical Web application security vulnerabilities. http://umn.dl.sourceforge.net/sourceforge/owasp/OWASPTopTen2004.pdf, 2004.
  • [42] Open Web Application Security Project. WebScarab. http://www.owasp.org/software/webscarab.html, 2004.
  • [43] S. Sagiv, T. Reps, and R. Wilhelm. Parametric shape analysis via 3-valued logic. In Proceedings of the 26th ACM Symposium on Principles of Programming Languages, pages 105–118, Jan. 1999.
  • [44] J. Scambray and M. Shema. Web Applications (Hacking Exposed). Addison-Wesley Professional, 2002.
  • [45] U. Shankar, K. Talwar, J. S. Foster, and D. Wagner. Detecting format string vulnerabilities with type qualifiers. In Proceedings of the 2001 Usenix Security Conference, pages 201–220, Aug. 2001.
  • [46] … http://www.spidynamics.com/support/whitepapers/SPIcross-sitescripting.pdf, 2002.
  • [47] K. Spett. SQL injection: Are your Web applications vulnerable? http://downloads.securityfocus.com/library/SQLInjectionWhitePaper.pdf, 2002.
  • [48] B. Steensgaard. Points-to analysis in almost linear time. In Proceedings of the 23rd ACM Symposium on Principles of Programming Languages, pages 32–41, Jan. 1996.
  • [49] M. Surf and A. Shulman. How safe is it out there? http://www.imperva.com/download.asp?id=23, 2004.
  • [50] J. D. Ullman. Principles of Database and Knowledge-Base Systems, volume II. Computer Science Press, Rockville, Md., 1989.
  • [51] D. Wagner, J. Foster, E. Brewer, and A. Aiken. A first step towards automated detection of buffer overrun vulnerabilities. In Proceedings of the Network and Distributed Systems Security Symposium, pages 3–17, Feb. 2000.
  • [52] L. Wall, T. Christiansen, and R. Schwartz. Programming Perl. O'Reilly and Associates, Sebastopol, CA, 1996.
  • [53] G. Wassermann and Z. Su. An analysis framework for security in Web applications. In Proceedings of the Specification and Verification of Component-Based Systems Workshop, Oct. 2004.
  • [54] WebCohort, Inc. Only 10% of Web applications are secured against common hacking techniques. http://www.imperva.com/company/news/2004-feb-02.html, 2004.
  • [55] J. Whaley and M. S. Lam. Cloning-based context-sensitive pointer alias analysis using binary decision diagrams. In Proceedings of the ACM SIGPLAN 2004 Conference on Programming Language Design and Implementation, pages 131–144, June 2004.