Finding Security Vulnerabilities in Java Applications with Static Analysis
USENIX Security, pp. 18-18, 2005
This paper proposes a static analysis technique for detecting many recently discovered application vulnerabilities such as SQL injections, cross-site scripting, and HTTP splitting attacks. These vulnerabilities stem from unchecked input, which is widely recognized as the most common source of security vulnerabilities in Web applications.
- The security of Web applications has become increasingly important in the last decade.
- A recent penetration testing study performed by the Imperva Application Defense Center included more than 250 Web applications from e-commerce, online banking, enterprise collaboration, and supply chain management sites.
- Their vulnerability assessment concluded that at least 92% of Web applications are vulnerable to some form of hacker attacks.
- Security compliance of application vendors is especially important in light of recent U.S. industry regulations such as the Sarbanes-Oxley act pertaining to information security [4, 19].
- The benchmark applications are briefly described below. jboard, blueblog, blojsom, personalblog, snipsnap, pebble, and roller are Web-based bulletin board and blogging applications. webgoat is a J2EE application designed by the Open Web Application Security Project [40, 41] as a test case and a teaching tool for Web application security
- The static analysis described in this paper reports a total of 41 potential security violations in our nine benchmarks, out of which 29 turn out to be security errors, while 12 are false positives
- In this paper we showed how a general class of security errors in Java applications can be formulated as instances of the general tainted object propagation problem, which involves finding all sink objects derivable from source objects via a set of given derivation rules
- We were able to find a total of 29 security errors, and all but one of our nine large real-life benchmark applications were vulnerable
- Most of the security errors we reported were confirmed as exploitable vulnerabilities by their maintainers, resulting in more than a dozen code fixes
- The implementation of the system is based on the joeq Java compiler and analysis framework.
- The authors applied static analysis to look for all tainted object propagation problems described in this paper, and the authors used a total of 28 source, 18 sink, and 29 derivation descriptors in the experiments.
- Source and sink descriptors correspond to methods declared in 19 different J2EE classes, as is further described in .
- The authors used four different variations of the static analysis, obtained by either enabling or disabling context sensitivity and improved object naming.
- The authors summarize the experiments they performed and describe the security violations they found.
- While there is a fair number of commercial and open-source tools available for testing Web application security, there are no established benchmarks for comparing tools' effectiveness.
- The task of finding suitable benchmarks for the experiments was especially complicated by the fact that most Web-based applications are proprietary software, whose vendors are understandably reluctant to reveal their code, not to mention the vulnerabilities found.
- The authors focused on a set of large, representative open-source Web-based J2EE applications, most of which are available on SourceForge.
- Road2hibernate is a test program developed for hibernate, a popular object persistence library
- In this paper the authors showed how a general class of security errors in Java applications can be formulated as instances of the general tainted object propagation problem, which involves finding all sink objects derivable from source objects via a set of given derivation rules.
- The authors' experimental results showed that the analysis is an effective practical tool for finding security vulnerabilities.
- Most of the security errors the authors reported were confirmed as exploitable vulnerabilities by their maintainers, resulting in more than a dozen code fixes.
- The authors determined that the false warnings reported can be eliminated with improved object naming
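The tainted object propagation problem described in the bullets above, worked through as an added example (this is not the paper's own code or descriptor set): a flow-insensitive fixpoint over a constructed servlet-like call sequence, with source, sink and derivation descriptors whose method names are assumed sample values in the style of J2EE APIs.

```python
from typing import Dict, List, Optional, Set, Tuple

# The paper's three descriptor kinds. These method names are a constructed
# sample in the style of J2EE APIs, not the paper's actual descriptor set.
SOURCES = {"HttpServletRequest.getParameter", "HttpServletRequest.getHeader"}
SINKS = {"Statement.executeQuery", "HttpServletResponse.sendRedirect"}
DERIVATIONS = {"StringBuffer.append", "StringBuffer.toString", "String.trim"}

# Call statement: (result var or None, callee, argument vars); receiver first.
Stmt = Tuple[Optional[str], str, List[str]]

def propagate(program: List[Stmt]) -> Dict[str, Set[str]]:
    """Flow-insensitive fixpoint: map each variable to the source methods
    whose return values can reach it through derivation calls."""
    taint: Dict[str, Set[str]] = {}
    changed = True
    while changed:
        changed = False
        for result, callee, args in program:
            if callee in SOURCES:            # source rule: result is tainted
                origins = {callee}
            elif callee in DERIVATIONS:      # derivation rule: taint flows on
                origins = set().union(*(taint.get(a, set()) for a in args))
            else:                            # sinks and other calls derive nothing
                continue
            if result and not origins <= taint.get(result, set()):
                taint.setdefault(result, set()).update(origins)
                changed = True
    return taint

def find_violations(program: List[Stmt]) -> List[Tuple[str, str, str]]:
    """(sink method, argument var, source method) for every tainted object
    that reaches a sink: each triple is one potential vulnerability."""
    taint = propagate(program)
    return [(callee, a, src)
            for _, callee, args in program if callee in SINKS
            for a in args
            for src in sorted(taint.get(a, set()))]

# Constructed sample: a servlet builds an SQL query from a request parameter.
SAMPLE: List[Stmt] = [
    ("name", "HttpServletRequest.getParameter", ["req", '"user"']),
    ("sb", "StringBuffer.append", ["sb", '"SELECT * FROM users WHERE name=\'"']),
    ("sb", "StringBuffer.append", ["sb", "name"]),
    ("query", "StringBuffer.toString", ["sb"]),
    ("rs", "Statement.executeQuery", ["stmt", "query"]),
    ("title", "String.trim", ['"Home"']),    # constant input: stays clean
    (None, "HttpServletResponse.sendRedirect", ["resp", "title"]),
]
```

Running `find_violations(SAMPLE)` reports the one path from `getParameter` through the `StringBuffer` derivations into `executeQuery`, while the constant-derived redirect target produces no warning.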
- In this section, we first discuss penetration testing and runtime monitoring, two of the most commonly used approaches for finding vulnerabilities besides manual code reviews. We also review the relevant literature on static analysis for improving software security.
7.1 Penetration Testing
Current practical solutions for detecting Web application security problems generally fall into the realm of penetration testing [3, 5, 15, 36, 44]. Penetration testing involves attempting to exploit vulnerabilities in a Web application or crashing it by coming up with a set of appropriate malicious input values. Penetration reports usually include a list of identified vulnerabilities. However, this approach is incomplete. A penetration test can usually reveal only a small sample of all possible security risks in a system without identifying the parts of the system that have not been adequately tested. Generally, there are no standards that define which tests to run and which inputs to try. In most cases this approach is not effective and considerable program knowledge is needed to find application-level security errors successfully.
- Finally, this material is based upon work supported by the National Science Foundation under Grant No. 0326227.
[1] C. Anley. Advanced SQL injection in SQL Server applications. http://www.nextgenss.com/papers/advanced sql injection.pdf, 2002.
[2] C. Anley. (more) advanced SQL injection. http://www.nextgenss.com/papers/more advanced sql injection.pdf, 2002.
[3] B. Arkin, S. Stender, and G. McGraw. Software penetration testing. IEEE Security and Privacy, 3(1):84–87, 2005.
[4] K. Beaver. Achieving Sarbanes-Oxley compliance for Web applications through security testing. http://www.spidynamics.com/support/whitepapers/WI SOXwhitepaper.pdf, 2003.
[5] B. Buege, R. Layman, and A. Taylor. Hacking Exposed: J2EE and Hill/Osborne, 2002.
[6] W. R. Bush, J. D. Pincus, and D. J. Sielaff. A static analyzer for finding dynamic programming errors. Software - Practice and Experience (SPE), 30:775–802, 2000.
[7] CGI Security. The cross-site scripting FAQ. http://www.
[8] B. Chess and G. McGraw. Static analysis for security. IEEE Security and Privacy, 2(6):76–79, 2004.
[9] Chinotec Technologies. Paros—a tool for Web application security assessment. http://www.parosproxy.org, 2004.
[10] Computer Security Institute. Computer crime and security survey. http://www.gocsi.com/press/20020407.jhtml?requestid=195148, 2002.
[11] S. Cook. A Web developers guide to cross-site scripting. http://www.giac.org/practical/GSEC/Steve Cook GSEC.pdf, 2003.
[12] C. Cowan, C. Pu, D. Maier, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, Q. Zhang, and H. Hinton. StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacks. In Proceedings of the 7th USENIX Security Conference, pages 63–78, January 1998.
[13] J. D'Anjou, S. Fairbrother, D. Kehn, J. Kellerman, and P. McCarthy. Java Developer's Guide to Eclipse. Addison-Wesley Professional, 2004.
[14] S. Friedl. SQL injection attacks by example. http://www.unixwiz.net/techtips/sql-injection.html, 2004.
[15] D. Geer and J. Harthorne. Penetration testing: A duet. http://www.acsac.org/2002/papers/geer.pdf, 2002.
[16] Gentoo Linux Security Advisory. SnipSnap: HTTP response splitting. http://www.gentoo.org/security/en/glsa/glsa-200409-23.xml, 2004.
[17] C. Gould, Z. Su, and P. Devanbu. Static checking of dynamically generated queries in database applications. In Proceedings of the 26th International Conference on Software Engineering, pages 645–654, 2004.
[18] and XSS. http://www.cgisecurity.com/whitehat-mirror/WhitePaper screen.pdf, 2003.
[19] J. Grossman. WASC activities and U.S. Web application security trends. http://www.whitehatsec.com/presentations/WASC WASF 1.02.pdf, 2004.
[20] S. Hallem, B. Chelf, Y. Xie, and D. Engler. A system and language for building system-specific, static analyses. In Proceedings of the ACM SIGPLAN 2002 Conference on Programming Language Design and Implementation, pages 69–82, 2002.
[21] M. Howard and D. LeBlanc. Writing Secure Code. Microsoft Press, 2001.
[22] D. Hu. Preventing cross-site scripting vulnerability. http://www.giac.org/practical/GSEC/Deyu Hu GSEC.pdf, 2004.
[23] Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D.-T. Lee, and S.-Y. Kuo. Securing Web application code by static analysis and runtime protection. In Proceedings of the 13th Conference on World Wide Web, pages 40–52, 2004.
[24] //www.informationweek.com/story/IWK20010209S0003, 2001.
[25] Imperva, Inc. SuperVeda penetration test. http://www.imperva.
[26] R. Johnson and D. Wagner. Finding user/kernel pointer bugs with type inference. In Proceedings of the 2004 Usenix Security Conference.
[27] www.cgisecurity.com/lib/CookiePoisoningByline.pdf, 2002.
[28] whitepaper httpresponse.pdf, 2004.
[29] S. Kost. An introduction to SQL injection attacks for Oracle developers. http://www.net-security.org/dl/articles/IntegrigyIntrotoSQLInjectionAttacks.pdf, 2004.
[30] M. Krax. Mozilla foundation security advisory 2005-38. http://www.mozilla.org/security/announce/mfsa2005-38.html, 2005.
[31] 2004-12-20/2004-12-26/0, 2003.
[32] D. Litchfield. SQL Server Security. McGraw-Hill Osborne Media, 2003.
[33] V. B. Livshits and M. S. Lam. Tracking pointers with path and context sensitivity for bug detection in C programs. In Proceedings of the ACM 317–326, Sept. 2003.
[34] V. B. Livshits and M. S. Lam. Detecting security vulnerabilities in Java applications with static analysis. Technical report, Stanford University. http://suif.stanford.edu/~livshits/papers/tr/webappsec tr.pdf, 2005.
[35] M. Martin, V. B. Livshits, and M. S. Lam. Finding application errors using PQL: a program query language (to be published). In Proceedings of the ACM Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA), Oct. 2005.
[36] J. Melbourne and D. Jorm. Penetration testing for Web applications. http://www.securityfocus.com/infocus/1704, 2003.
[37] J. S. Miller, S. Ragsdale, and J. Miller. The Common Language Infrastructure Annotated Standard. Addison-Wesley Professional, 2003.
[38] A. C. Myers. JFlow: practical mostly-static information flow control. In Proceedings of the 26th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 228–241, Jan. 1999.
[39] NetContinuum, Inc. The 21 primary classes of Web application threats. https://www.netcontinuum.com/securityCentral/TopThreatTypes/index.cfm, 2004.
[40] Open Web Application Security Project. A guide to building secure Web applications. http://voxel.dl.sourceforge.net/sourceforge/owasp/OWASPGuideV1.1.pdf, 2004.
[41] Open Web Application Security Project. The ten most critical Web application security vulnerabilities. http://umn.dl.sourceforge.net/sourceforge/owasp/OWASPTopTen2004.pdf, 2004.
[42] Open Web Application Security Project. WebScarab. http://www.owasp.org/software/webscarab.html, 2004.
[43] S. Sagiv, T. Reps, and R. Wilhelm. Parametric shape analysis via 3-valued logic. In Proceedings of the 26th ACM Symposium on Principles of Programming Languages, pages 105–118, Jan. 1999.
[44] J. Scambray and M. Shema. Web Applications (Hacking Exposed). Addison-Wesley Professional, 2002.
[45] U. Shankar, K. Talwar, J. S. Foster, and D. Wagner. Detecting format string vulnerabilities with type qualifiers. In Proceedings of the 2001 Usenix Security Conference, pages 201–220, Aug. 2001.
[46] http://www.spidynamics.com/support/whitepapers/SPIcross-sitescripting.pdf, 2002.
[47] K. Spett. SQL injection: Are your Web applications vulnerable? http://downloads.securityfocus.com/library/SQLInjectionWhitePaper.pdf, 2002.
[48] B. Steensgaard. Points-to analysis in almost linear time. In Proceedings of the 23rd ACM Symposium on Principles of Programming Languages, pages 32–41, Jan. 1996.
[49] M. Surf and A. Shulman. How safe is it out there? http://www.imperva.com/download.asp?id=23, 2004.
[50] J. D. Ullman. Principles of Database and Knowledge-Base Systems, volume II. Computer Science Press, Rockville, Md., 1989.
[51] D. Wagner, J. Foster, E. Brewer, and A. Aiken. A first step towards automated detection of buffer overrun vulnerabilities. In Proceedings of the Network and Distributed Systems Security Symposium, pages 3–17, Feb. 2000.
[52] L. Wall, T. Christiansen, and R. Schwartz. Programming Perl. O'Reilly and Associates, Sebastopol, CA, 1996.
[53] G. Wassermann and Z. Su. An analysis framework for security in Web applications. In Proceedings of the Specification and Verification of Component-Based Systems Workshop, Oct. 2004.
[54] WebCohort, Inc. Only 10% of Web applications are secured against common hacking techniques. http://www.imperva.com/company/news/2004-feb-02.html, 2004.
[55] J. Whaley and M. S. Lam. Cloning-based context-sensitive pointer alias analysis using binary decision diagrams. In Proceedings of the ACM SIGPLAN 2004 Conference on Programming Language Design and Implementation, pages 131–144, June 2004.