Improving software security with precise static and runtime analysis

  • Authors: Monica Lam; Benjamin Livshits
  • Affiliations: Stanford University; Stanford University
  • Venue: Improving software security with precise static and runtime analysis
  • Year: 2006


Abstract

The landscape of security vulnerabilities has changed dramatically in the last several years. While buffer overruns and format string violations accounted for a large fraction of all security exploits in the 1990s, the picture has recently started to change. As Web-based applications became more prominent, the familiar buffer overruns are now far outnumbered by Web application vulnerabilities such as SQL injections and cross-site scripting attacks. These vulnerabilities have led to a multitude of attacks against e-commerce sites, financial institutions, etc., causing millions of dollars in damages. In this thesis, we describe the Griffin project, which provides a comprehensive static and runtime compiler-based solution to a wide range of Web application vulnerabilities. Our approach targets large real-life Web-based Java applications. To make our approach both extensible and user-friendly, vulnerability specifications are expressed in PQL, a Program Query Language. The static checker generated from the PQL specification finds vulnerabilities by analyzing the Web-based applications. We evaluate analysis features such as context-, object- and map-sensitivity that help keep the number of false positives low. As an alternative to static analysis, secured application executables can be generated from the same PQL vulnerability specification. Moreover, runtime vulnerability recovery rules may be provided. Our experimental results show that Griffin provides effective and practical tools for finding and preventing security vulnerabilities. We were able to find a total of 98 security errors, and all but one of our 11 large real-life benchmark applications were vulnerable. Two vulnerabilities were located in commonly used libraries, thus exposing every application that uses those libraries to the same potential vulnerabilities. Most of the security errors we reported were confirmed as exploitable vulnerabilities by their maintainers, resulting in more than a dozen code fixes. The static analysis reported false positives for only one of the 11 applications we analyzed. While the runtime overhead of our runtime protection can be quite high, the information we compute statically reduces the number of necessary instrumentation points dramatically, causing the overhead to drop below 10% in most cases. Finally, our runtime system was able to recover from all exploits we performed against it in practice.
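To make the abstract's central idea concrete, here is an added example (not Griffin's code, not PQL, and not from the thesis) of a toy forward taint analysis driven by a PQL-style specification of sources, sinks and sanitizers. It runs over a constructed straight-line program encoded as tuples (hypothetical method names such as `request.getParameter` and `stmt.executeQuery` are stand-ins for the Java servlet and JDBC calls such a specification would name). The `map_sensitive` switch illustrates why the abstract lists map-sensitivity among the features that keep false positives down: a tainted value stored in a map under one key must not taint a constant read back under a different key.

```python
"""Toy taint analysis in the spirit of a PQL-driven checker.
Added example; the statement encoding and the specification are constructed."""
from typing import Dict, List, Set, Tuple

# Hypothetical PQL-like specification (constructed names, not the thesis's spec):
# sources produce attacker-controlled data, sinks must never receive it,
# sanitizers return a cleaned copy of their argument.
SPEC = {
    "sources": {"request.getParameter"},
    "sinks": {"stmt.executeQuery", "out.println"},
    "sanitizers": {"escapeSql", "escapeHtml"},
}

# Statement forms of the toy language (constructed):
#   ("const", dst)                 dst = a string literal
#   ("call", dst, fn, [args])      dst = fn(args)
#   ("concat", dst, a, b)          dst = a + b
#   ("put", map, key, val)         map.put(key, val)
#   ("get", dst, map, key)         dst = map.get(key)
Stmt = Tuple


def analyze(program: List[Stmt], spec: Dict[str, Set[str]],
            map_sensitive: bool = True) -> List[Tuple[str, str]]:
    """Return (sink, variable) pairs where tainted data reaches a sink."""
    tainted: Set[str] = set()
    # map name -> set of keys holding tainted values; "*" marks the whole map
    # as tainted when running map-insensitively.
    map_taint: Dict[str, Set[str]] = {}
    findings: List[Tuple[str, str]] = []

    def set_taint(var: str, is_tainted: bool) -> None:
        if is_tainted:
            tainted.add(var)
        else:
            tainted.discard(var)

    for st in program:
        kind = st[0]
        if kind == "const":
            set_taint(st[1], False)
        elif kind == "call":
            _, dst, fn, args = st
            if fn in spec["sources"]:
                set_taint(dst, True)
            elif fn in spec["sanitizers"]:
                set_taint(dst, False)          # cleaned copy is safe
            elif fn in spec["sinks"]:
                for a in args:
                    if a in tainted:
                        findings.append((fn, a))
            else:
                # unknown call: conservatively propagate from any argument
                set_taint(dst, any(a in tainted for a in args))
        elif kind == "concat":
            _, dst, a, b = st
            set_taint(dst, a in tainted or b in tainted)
        elif kind == "put":
            _, m, key, val = st
            if val in tainted:
                map_taint.setdefault(m, set()).add(key if map_sensitive else "*")
        elif kind == "get":
            _, dst, m, key = st
            keys = map_taint.get(m, set())
            set_taint(dst, "*" in keys or key in keys)
        else:
            raise ValueError(f"unknown statement kind {kind!r}")
    return findings


# Constructed sample program: one real SQL injection, one sanitized query,
# and a map read that only a map-insensitive analysis flags.
SAMPLE_PROGRAM: List[Stmt] = [
    ("call", "name", "request.getParameter", ["req"]),   # source
    ("const", "hello"),
    ("const", "prefix"),                                  # "SELECT ... WHERE name='"
    ("put", "attrs", "user", "name"),                     # tainted value under "user"
    ("put", "attrs", "greeting", "hello"),                # constant under "greeting"
    ("get", "g", "attrs", "greeting"),
    ("call", "_", "out.println", ["g"]),                  # safe; false positive if insensitive
    ("get", "u", "attrs", "user"),
    ("concat", "q", "prefix", "u"),
    ("call", "rs", "stmt.executeQuery", ["q"]),           # true positive
    ("call", "safe", "escapeSql", ["u"]),
    ("concat", "q2", "prefix", "safe"),
    ("call", "rs2", "stmt.executeQuery", ["q2"]),         # sanitized, no finding
]


def run_both() -> Dict[str, List[Tuple[str, str]]]:
    """Compare map-sensitive and map-insensitive results on the sample."""
    return {
        "map_sensitive": analyze(SAMPLE_PROGRAM, SPEC, map_sensitive=True),
        "map_insensitive": analyze(SAMPLE_PROGRAM, SPEC, map_sensitive=False),
    }


if __name__ == "__main__":
    for mode, hits in run_both().items():
        print(mode, hits)
```

The map-sensitive run reports only the concatenated query reaching `stmt.executeQuery`; the map-insensitive run additionally flags the `out.println` of the constant greeting, which is exactly the kind of spurious report the abstract's sensitivity features are meant to eliminate. A real checker would also need flow through fields, calls and loops, which is where context- and object-sensitivity come in.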