A Framework for Secure Information Flow Analysis in Web Applications

Huge amounts of data and personal information are sent to and retrieved from web applications on a daily basis. Every application has its own confidentiality and integrity policies. Violating these policies can have a broad negative impact on the involved company's financial status, while enforcing them is very hard even for developers with a good security background. In this paper, we propose a framework that enforces security-by-construction in web applications. Minimal developer effort is required, in the sense that the developer only needs to annotate database attributes with a security class. The web application code is then converted into an intermediate representation, called the Extended Program Dependence Graph (EPDG). Using the EPDG, the provided annotations are propagated to the application code and checked against generic security enforcement rules that were carefully designed to detect insecure information flows as early as they occur. As a result, any violation of the data's confidentiality or integrity policies is reported. As a proof of concept, two PHP web applications, Hotel Reservation and Auction, were used for testing and validation. The proposed system was able to catch all the existing insecure information flows at their source. Moreover, to highlight the simplicity of the suggested approach compared with existing approaches, two professional web developers assessed the annotation tasks needed in the presented case studies and provided very positive feedback on the simplicity of the annotation task.
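The annotate-then-propagate idea in the abstract can be sketched as label propagation over a small dependence graph. This is an added example, not the paper's EPDG or its enforcement rules: the two-level lattice, the node names and the graph (data and control dependence edges, as in a classic program dependence graph) are constructed assumptions.

```python
from collections import deque

LEVELS = {"public": 0, "secret": 1}  # assumed two-point confidentiality lattice

# Constructed dependence graph for a PHP-like snippet: (source, target, kind).
EDGES = [
    ("guest.card_no", "$card = $row['card_no']", "data"),
    ("$card = $row['card_no']", "if ($card[0] == '4')", "data"),
    ("if ($card[0] == '4')", "$brand = 'visa'", "control"),
    ("$brand = 'visa'", "echo $brand", "data"),
    ("room.price", "$price = $row['price']", "data"),
    ("$price = $row['price']", "echo $price", "data"),
]
ANNOTATIONS = {"guest.card_no": "secret", "room.price": "public"}  # developer input
SINKS = {"echo $brand": "public", "echo $price": "public"}  # output statements

def propagate(edges, annotations, kinds=("data", "control")):
    """Raise each node's label to the join (max) of the labels it depends on."""
    label, cause, succ = {}, {}, {}
    for src, dst, kind in edges:
        for n in (src, dst):
            label.setdefault(n, LEVELS[annotations.get(n, "public")])
        if kind in kinds:
            succ.setdefault(src, []).append(dst)
    work = deque(n for n in label if label[n] > 0)
    while work:
        n = work.popleft()
        for m in succ.get(n, []):
            if label[n] > label[m]:
                label[m], cause[m] = label[n], n  # remember who raised it
                work.append(m)
    return label, cause

def violations(edges, annotations, sinks, kinds=("data", "control")):
    """Return (sink, path from annotated attribute to sink) for each insecure flow."""
    label, cause = propagate(edges, annotations, kinds)
    found = []
    for sink, clearance in sinks.items():
        if label.get(sink, 0) > LEVELS[clearance]:
            path = [sink]
            while path[-1] in cause:
                path.append(cause[path[-1]])
            found.append((sink, path[::-1]))
    return found

if __name__ == "__main__":
    for sink, path in violations(EDGES, ANNOTATIONS, SINKS):
        print(f"insecure flow into {sink!r}: " + " -> ".join(path))
```

Passing `kinds=("data",)` ignores control dependences, and the flow from `guest.card_no` through the `if` condition into `echo $brand` is no longer reported.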
