Detecting Privilege Escalation Attacks through Instrumenting Web Application Source Code

Privilege escalation is a common and serious type of security attack. Although experience shows that many applications are vulnerable to such attacks, attackers rarely succeed on their first attempt: their initial probing requests often fail before access control is successfully breached. This paper presents an approach to automatically instrument application source code so that it reports failed access attempts, which may indicate privilege escalation attacks, to a runtime application protection mechanism. The focus of this paper is primarily on the problem of instrumenting web application source code to detect access control attack events. We evaluated the false positives and false negatives of our approach using two open source web applications.
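To make the idea concrete, here is an added example (not code from the paper or from the applications it evaluated) of what such instrumentation can look like in a small Python web handler layer. Every access check is wrapped so that a failed check is reported to a runtime monitor before the request is rejected; the monitor flags a session once it has been denied on a threshold of distinct protected resources, which keeps a single stray denial (a user clicking a link they were never meant to see) from counting as an attack. The names `requires_role`, `ProtectionMonitor`, `AccessDenied`, the endpoint paths and the sample requests are all constructed for this illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from functools import wraps


@dataclass(frozen=True)
class Request:
    """Minimal stand-in for an HTTP request (constructed for the example)."""
    session_id: str
    user: str
    roles: frozenset
    path: str


class AccessDenied(Exception):
    """Raised by an instrumented handler when the caller lacks the required role."""


@dataclass
class ProtectionMonitor:
    """Assumed runtime protection mechanism that receives access-denied events.

    A session is flagged once it has been denied on `threshold` distinct
    (path, role) pairs; repeated denials on the same resource count once.
    """
    threshold: int = 3
    denials: dict = field(default_factory=lambda: defaultdict(set))
    flagged: set = field(default_factory=set)

    def report_denied(self, req: Request, required_role: str) -> bool:
        self.denials[req.session_id].add((req.path, required_role))
        if len(self.denials[req.session_id]) >= self.threshold:
            self.flagged.add(req.session_id)
        return req.session_id in self.flagged


def requires_role(role: str, monitor: ProtectionMonitor):
    """Instrumentation point: the access check reports every failure to the
    monitor before rejecting the request, then behaves as before."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(req: Request):
            if role not in req.roles:
                monitor.report_denied(req, role)
                raise AccessDenied(f"{req.user} lacks role {role!r} for {req.path}")
            return handler(req)
        return wrapper
    return decorator


def build_app(monitor: ProtectionMonitor) -> dict:
    """Three admin-only endpoints and one public endpoint (constructed app)."""
    @requires_role("admin", monitor)
    def delete_user(req):
        return "user deleted"

    @requires_role("admin", monitor)
    def list_users(req):
        return "users listed"

    @requires_role("admin", monitor)
    def export_db(req):
        return "db exported"

    def profile(req):
        return f"profile of {req.user}"

    return {"/admin/delete": delete_user, "/admin/users": list_users,
            "/admin/export": export_db, "/profile": profile}


def replay(requests, monitor: ProtectionMonitor):
    """Dispatch requests through the instrumented app.
    Returns (per-request outcomes, set of flagged session ids)."""
    app = build_app(monitor)
    outcomes = []
    for req in requests:
        try:
            outcomes.append(app[req.path](req))
        except AccessDenied:
            outcomes.append("denied")
    return outcomes, set(monitor.flagged)


USER = frozenset({"user"})
ADMIN = frozenset({"admin", "user"})

# Constructed traffic: one ordinary user who stumbles on a single admin page,
# one session probing three admin endpoints, and one legitimate admin.
SAMPLE_REQUESTS = [
    Request("s-alice", "alice", USER, "/profile"),
    Request("s-alice", "alice", USER, "/admin/users"),
    Request("s-probe", "mallory", USER, "/admin/users"),
    Request("s-probe", "mallory", USER, "/admin/delete"),
    Request("s-probe", "mallory", USER, "/admin/export"),
    Request("s-root", "root", ADMIN, "/admin/users"),
]

if __name__ == "__main__":
    outcomes, flagged = replay(SAMPLE_REQUESTS, ProtectionMonitor())
    for req, out in zip(SAMPLE_REQUESTS, outcomes):
        print(f"{req.session_id:8} {req.path:14} -> {out}")
    print("flagged sessions:", sorted(flagged))
```

The threshold and the "distinct resources" rule are where the false-positive/false-negative trade-off the abstract mentions lives: lowering `threshold` to 1 flags alice's single accidental denial as well, while raising it lets a slower probe go unreported.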
