Sound and precise analysis of web applications for injection vulnerabilities

Web applications are popular targets of security attacks. One common type of such attack is SQL injection, where an attacker exploits faulty application code to execute maliciously crafted database queries. Both static and dynamic approaches have been proposed to detect or prevent SQL injections; while dynamic approaches provide protection for deployed software, static approaches can detect potential vulnerabilities before software deployment. Previous static approaches are mostly based on tainted information flow tracking and have at least some of the following limitations: (1) they do not model the precise semantics of input sanitization routines; (2) they require manually written specifications, either for each query or for bug patterns; or (3) they are not fully automated and may require user intervention at various points in the analysis. In this paper, we address these limitations by proposing a precise, sound, and fully automated analysis technique for SQL injection. Our technique avoids the need for specifications by considering as attacks those queries for which user input changes the intended syntactic structure of the generated query. It checks conformance to this policy by conservatively characterizing the values a string variable may assume with a context-free grammar, tracking the nonterminals that represent user-modifiable data, and modeling string operations precisely as language transducers. We have implemented the proposed technique for PHP, the most widely-used web scripting language. Our tool successfully discovered previously unknown and sometimes subtle vulnerabilities in real-world programs, has a low false positive rate, and scales to large programs (approx. 100K LOC).
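The policy the abstract states, that a query is an attack when user input alters its intended syntactic structure, can be illustrated concretely. The following is an added example and is not the paper's tool: instead of the paper's static analysis (context-free grammars, tainted nonterminals and transducers over all possible program paths), it applies the same syntactic policy dynamically to one concrete query. Each character of the generated query is tagged with whether it came from user input; the query is then tokenized with a small SQL tokenizer (an assumption, covering only the subset needed here), and the check flags any tainted run that does not sit entirely inside the body of a single string literal or inside a single numeric literal. The `addslashes` function is a simplified model of PHP's routine of the same name (it ignores NUL bytes), included to show why modeling a sanitizer precisely matters: it makes the string-literal case safe but does nothing for the numeric case.

```python
import re

# Minimal SQL tokenizer (assumption: enough of SQL to illustrate the policy).
# Alternation order matters: the first alternative that matches wins.
TOKEN_RE = re.compile(r"""
    (?P<ws>\s+)
  | (?P<string>'(?:[^'\\]|\\.)*')      # single-quoted literal, backslash escapes
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<ident>[A-Za-z_][A-Za-z0-9_]*)   # keywords and identifiers alike
  | (?P<op>[=<>!]+|[(),;*])
  | (?P<comment>--[^\n]*)
  | (?P<other>.)                        # anything else is its own (suspicious) token
""", re.VERBOSE)


def addslashes(s):
    """Simplified model of PHP addslashes(): escape backslash and both quote kinds."""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def build_query(fragments):
    """Concatenate (text, is_user_input) fragments, keeping a per-character taint map."""
    query, taint = "", []
    for text, tainted in fragments:
        query += text
        taint.extend([tainted] * len(text))
    return query, taint


def tokenize(query):
    """Return (kind, start, end) for every non-whitespace token in query."""
    tokens, pos = [], 0
    while pos < len(query):
        m = TOKEN_RE.match(query, pos)
        if m.lastgroup != "ws":
            tokens.append((m.lastgroup, m.start(), m.end()))
        pos = m.end()
    return tokens


def tainted_regions(taint):
    """Maximal runs of tainted character positions as half-open (start, end) pairs."""
    regions, start = [], None
    for i, t in enumerate(taint + [False]):
        if t and start is None:
            start = i
        elif not t and start is not None:
            regions.append((start, i))
            start = None
    return regions


def check_query(query, taint):
    """Apply the syntactic policy: every tainted run must be confined to one literal.

    Returns a list of violation descriptions; an empty list means the policy holds.
    """
    tokens = tokenize(query)
    violations = []
    for rs, re_ in tainted_regions(taint):
        # Tokens overlapping the tainted run; more than one means the input
        # has spilled across token boundaries and changed the query's structure.
        covering = [tok for tok in tokens if tok[1] < re_ and rs < tok[2]]
        if len(covering) != 1:
            violations.append(f"input {query[rs:re_]!r} spans {len(covering)} tokens")
            continue
        kind, ts, te = covering[0]
        if kind == "string":
            # The run must stay strictly between the quotes; touching a quote
            # means the input closed (or opened) the literal.
            if rs <= ts or re_ >= te:
                violations.append(f"input {query[rs:re_]!r} breaks out of a string literal")
        elif kind != "number":
            violations.append(f"input {query[rs:re_]!r} forms a {kind} token, not a literal")
    return violations


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real application.
    cases = [
        [("SELECT * FROM users WHERE name='", False), ("alice", True), ("'", False)],
        [("SELECT * FROM users WHERE name='", False), ("' OR 1=1 --", True), ("'", False)],
        [("SELECT * FROM users WHERE name='", False), (addslashes("' OR 1=1 --"), True), ("'", False)],
        [("SELECT * FROM users WHERE id=", False), ("42", True)],
        [("SELECT * FROM users WHERE id=", False), (addslashes("1 OR 1=1"), True)],
    ]
    for frags in cases:
        q, t = build_query(frags)
        print(q, "->", check_query(q, t) or "ok")
```

The last two cases are the point of the sanitizer model: `addslashes` leaves `1 OR 1=1` untouched, so the numeric context stays vulnerable even though the same routine neutralizes the quoted case. A static analysis that treats any sanitized value as safe misses this; one that models the routine as a transducer over the grammar, as the paper does, sees that the numeric nonterminal can still expand to more than one token.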
