Deriving Static Security Testing from Runtime Security Protection for Web Applications

Context: Static Application Security Testing (SAST) and Runtime Application Security Protection (RASP) are important and complementary techniques used for detecting and enforcing application-level security policies in web applications. Inquiry: The current state of the art, however, does not allow a safe and efficient combination of SAST and RASP based on a shared set of security policies, forcing developers to reimplement and maintain the same policies and their enforcement code in both tools. Approach: In this work, we present a novel technique for deriving SAST from an existing RASP mechanism by using a two-phase abstract interpretation approach in the SAST component that avoids duplicating the effort of specifying security policies and implementing their semantics. The RASP mechanism enforces security policies by instrumenting a base program to trap security-relevant operations and execute the required policy enforcement code. The static analysis of security policies is then obtained from the RASP mechanism by first statically analyzing the base program without any traps. The results of this first phase are used in a second phase to detect trapped operations and abstractly execute the associated and unaltered RASP policy enforcement code. Knowledge: Splitting the analysis into two phases enables running each phase with a specific analysis configuration, rendering the static analysis approach tractable while maintaining sufficient precision. Grounding: We validate the applicability of our two-phase analysis approach by using it to both dynamically enforce and statically detect a range of security policies found in related work. Our experiments suggest that our two-phase analysis can enable faster and more precise policy violation detection compared to analyzing the full instrumented application under a single analysis configuration.
Importance: Deriving a SAST component from a RASP mechanism enables equivalent semantics for the security policies across the static and dynamic contexts in which policies are verified during the software development lifecycle. Moreover, our two-phase abstract interpretation approach does not require RASP developers to reimplement the enforcement code for static analysis.

ACM CCS 2012: Security and privacy → Information flow control; Web application security.
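The central idea of the abstract, a single body of RASP policy enforcement code that is invoked from traps around security-relevant operations and is reused unaltered in a static configuration, can be illustrated with the added example below. It is not the paper's code: the trapped operations (`readSecret`, `concat`, `send`), the no-secret-to-network policy and the label-only "abstract" semantics are all constructed for this illustration, and the abstract run here is a straight-line label propagation, not the paper's two-phase abstract interpreter.

```javascript
// Added example, not the paper's code: one piece of policy enforcement code
// shared by a RASP-style concrete run and a label-only abstract run.

// Every value carries a set of taint labels ("secret" marks data from a sensitive source).
const labelled = (value, labels = new Set()) => ({ value, labels });

// Policy enforcement code, written once. It consults only the labels, so the
// identical function serves the dynamic and the static configuration.
function enforceNoSecretToNetwork(v) {
  if (v.labels.has("secret")) throw new Error("policy violation: secret data reaches the network sink");
  return v;
}

// Traps around the security-relevant operations: each trap runs the unaltered
// enforcement code, then delegates to the underlying (concrete or abstract) semantics.
function makeTraps(sem) {
  return {
    readSecret: () => labelled(sem.readSecret(), new Set(["secret"])),
    concat: (a, b) => labelled(sem.concat(a.value, b.value), new Set([...a.labels, ...b.labels])),
    send: (v) => sem.send(enforceNoSecretToNetwork(v).value),
  };
}

// Base program written against the trapped operations; `leak` selects whether
// the secret flows into the message that is sent.
function baseProgram(ops, leak) {
  const secret = ops.readSecret();
  const tail = leak ? secret : labelled("world");
  return ops.send(ops.concat(labelled("hello "), tail));
}

// Dynamic (RASP) configuration: concrete strings and a sink that records the payload.
const concreteSemantics = {
  readSecret: () => "session-token-42", // constructed sample secret
  concat: (a, b) => a + b,
  send: (payload) => ({ sent: payload }),
};

// Static configuration: string contents are abstracted away, only labels flow.
const abstractSemantics = {
  readSecret: () => null,
  concat: () => null,
  send: () => ({ sent: null }),
};
// Runs the base program under one configuration and reports whether the policy held.
function checkPolicy(semantics, leak) {
  try { return { ok: true, result: baseProgram(makeTraps(semantics), leak) }; }
  catch (e) { return { ok: false, reason: e.message }; }
}
```

Both configurations reject the leaking variant and accept the benign one, which is the property the abstract calls equivalent policy semantics across the static and dynamic contexts.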