Static Detection of Logic Vulnerabilities in Java Web Applications

Logic vulnerabilities occur when mistakes arise in the control flow associated with critical functionalities. We propose a lightweight static analysis approach to detect logic vulnerabilities in Java Web applications. The core idea of our approach is to discover deviant behaviors among duplicated samples. Program slicing is leveraged to extract duplicated invocations targeting similar functionalities. Subsequently, path exploration is conducted to split slices into several path-sensitive slices. We then compare any two similar slices on their path conditions, and report the slices with an abnormal path condition as logic vulnerabilities. We implemented our approach in a prototype tool named LVD (Logic Vulnerability Detector), and evaluated it on seven real-world applications ranging from thousands to millions of lines of code. The evaluation results show that our approach achieves greater coverage at acceptable cost and better scalability than previous approaches.
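As an added illustration of the comparison step (this is not the paper's LVD implementation), the Python sketch below reduces each path-sensitive slice to the set of guard predicates on its path to a critical sink, groups slices that reach the same sink, and reports a slice that lacks a guard checked by the majority of its peers. The Slice model, the majority threshold and the sample call sites are assumptions constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Slice:
    """One path-sensitive slice: a call site of a critical sink plus the
    guard predicates that dominate it on that path (assumed model)."""
    location: str
    sink: str
    path_condition: frozenset


def detect_deviants(slices, min_peers=2):
    """Group slices by sink and flag those whose path condition lacks a
    guard that more than half of their peers check.
    Returns a sorted list of (location, sink, missing_guards)."""
    by_sink = {}
    for s in slices:
        by_sink.setdefault(s.sink, []).append(s)
    findings = []
    for sink, group in by_sink.items():
        if len(group) < min_peers:
            continue  # too few duplicates to infer a norm from
        guard_counts = Counter(g for s in group for g in s.path_condition)
        # a guard is "expected" when a strict majority of peers check it
        expected = {g for g, n in guard_counts.items() if n * 2 > len(group)}
        for s in group:
            missing = expected - s.path_condition
            if missing:
                findings.append((s.location, sink, tuple(sorted(missing))))
    return sorted(findings)


# Constructed sample: servlet call sites reaching three DAO sinks.
# UserServlet.doPost reaches the delete sink without the admin check.
SAMPLE_SLICES = [
    Slice("AdminServlet.doGet:42", "UserDao.delete",
          frozenset({"session.isLoggedIn()", "session.isAdmin()"})),
    Slice("AdminServlet.doPost:77", "UserDao.delete",
          frozenset({"session.isLoggedIn()", "session.isAdmin()"})),
    Slice("UserServlet.doPost:120", "UserDao.delete",
          frozenset({"session.isLoggedIn()"})),
    Slice("ProfileServlet.doGet:30", "UserDao.update",
          frozenset({"session.isLoggedIn()"})),
    Slice("ProfileServlet.doPost:55", "UserDao.update",
          frozenset({"session.isLoggedIn()"})),
    Slice("ReportServlet.doGet:12", "ReportDao.export",
          frozenset({"session.isAdmin()"})),  # lone site, no peers
]

if __name__ == "__main__":
    for location, sink, missing in detect_deviants(SAMPLE_SLICES):
        print(f"{location} -> {sink}: missing guard(s) {missing}")
```

Real slices carry full path conditions rather than predicate names, so the prototype's comparison also has to decide when two syntactically different conditions are equivalent; the sketch sidesteps that by treating guards as opaque strings.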
