Provable Protection against Web Application Vulnerabilities Related to Session Data Dependencies

Web applications are widely adopted and their correct functioning is mission critical for many businesses. At the same time, Web applications tend to be error prone, and implementation vulnerabilities are readily and commonly exploited by attackers. The design of countermeasures that detect or prevent such vulnerabilities, or protect against their exploitation, is an important research challenge for the fields of software engineering and security engineering. In this paper, we focus on one specific type of implementation vulnerability, namely broken dependencies on session data: a component reads session data that another component was expected to store earlier, but nothing guarantees that the store actually happened. This vulnerability can lead to a variety of erroneous behavior at runtime and can easily be triggered by a malicious user through attack techniques such as forceful browsing, in which the attacker requests a page directly instead of following the intended navigation path. This paper shows how to guarantee the absence of runtime errors due to broken dependencies on session data in Web applications. The proposed solution combines development-time program annotation, static verification, and runtime checking to provably protect against broken data dependencies. We have developed a prototype implementation of our approach, building on the JML annotation language and the existing static verification tool ESC/Java2, and we successfully applied our approach to a representative J2EE-based e-commerce application. We show that the annotation overhead is very small, that the performance of the fully automatic static verification is acceptable, and that the performance overhead of the runtime checking is limited.
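The vulnerability class described above, and the shape of the annotate-and-check countermeasure, as an added Java example that is not taken from the paper or its prototype. The servlet names, the "user" attribute, and the authenticate() helper are invented for this illustration. The JML clauses show where a dependency on session data would be written down, but they are informal (they call HttpSession.getAttribute, which JML would require to be declared pure) and do not reproduce the paper's own annotation scheme.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/*
 * Added illustration, not code from the paper. Two servlets share an
 * implicit dependency: the checkout servlet reads a session attribute that
 * LoginServlet is expected to have stored earlier. Requesting /checkout
 * directly (forceful browsing) skips LoginServlet, so the attribute is
 * absent and the unchecked version fails at runtime.
 */
class LoginServlet extends HttpServlet {
    // Hypothetical attribute name chosen for this example.
    static final String USER_ATTR = "user";

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // authenticate() is a hypothetical helper; it returns null on failure.
        String user = authenticate(request.getParameter("login"),
                                   request.getParameter("password"));
        if (user == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Write side of the dependency: later pages rely on this attribute.
        request.getSession(true).setAttribute(USER_ATTR, user);
        response.sendRedirect(request.getContextPath() + "/checkout");
    }

    private static String authenticate(String login, String password) {
        // Placeholder credential check for the example only.
        return "alice".equals(login) && "s3cret".equals(password) ? login : null;
    }
}

/* Unchecked: the dependency is stated nowhere, so nothing prevents a request
 * from arriving before it has been satisfied. */
class UncheckedCheckoutServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        HttpSession session = request.getSession(false); // null if no session exists
        // Forcefully browsed request: session is null or "user" was never set,
        // and one of the two dereferences below throws NullPointerException.
        String user = (String) session.getAttribute(LoginServlet.USER_ATTR);
        response.getWriter().println("Checking out as " + user.toUpperCase());
    }
}

/* Checked: the dependency is written down as a JML precondition, so a static
 * checker can verify that every path reaching checkout() has established it,
 * and the same condition is re-tested at runtime for paths the checker cannot
 * see (a URL typed in by hand). */
class CheckedCheckoutServlet extends HttpServlet {
    //@ requires session != null;
    //@ requires session.getAttribute(LoginServlet.USER_ATTR) != null;
    private void checkout(HttpSession session, HttpServletResponse response)
            throws IOException {
        String user = (String) session.getAttribute(LoginServlet.USER_ATTR);
        response.getWriter().println("Checking out as " + user.toUpperCase());
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(LoginServlet.USER_ATTR) == null) {
            // Runtime check: the precondition does not hold, so send the client
            // to the page that establishes it instead of crashing.
            response.sendRedirect(request.getContextPath() + "/login");
            return;
        }
        checkout(session, response);
    }
}
```

The point of splitting the checked servlet into a guarded entry point and an annotated checkout() is that the precondition becomes something a static checker such as ESC/Java2 can discharge at the single call site, while the guard in doGet() is the runtime check that remains for requests the verifier cannot account for. Without the guard, the unchecked servlet's NullPointerException is exactly the runtime error the abstract refers to.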