Securing web applications with static and dynamic information flow tracking

SQL injection and cross-site scripting are two of the most common security vulnerabilities that plague web applications today. These and many others result from having unchecked data input reach security-sensitive operations. This paper describes a language called PQL (Program Query Language) that allows users to specify information flow patterns succinctly and declaratively. We have developed a static context-sensitive, but flow-insensitive information flow tracking analysis that can be used to find all the vulnerabilities in a program. In the event that the analysis generates too many warnings, the result can be used to drive a model-checking system to analyze more precisely. Model checking is also used to automatically generate the input vectors that expose the vulnerability. Any remaining behavior these static analyses have not isolated may be checked dynamically. The results of the static analyses may be used to optimize these dynamic checks. Our experimental results indicate the language is expressive enough for describing a large number of vulnerabilities succinctly. We have analyzed over nine applications, detecting 30 serious security vulnerabilities. We were also able to automatically recover from attacks as they occurred using the dynamic checker.
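As an added illustration (not code from the paper, and not PQL itself), a toy flow-insensitive taint analysis in Python over a constructed three-address program: the source, sanitizer and sink sets play the role of a declarative query, and the fixpoint ignores statement order, which is exactly what turns the reused-variable case into a false positive of the kind the abstract hands off to model checking. All call and variable names are placeholders.

```python
# Assumed query (placeholder names, not real APIs): which calls introduce,
# neutralise or consume tainted data. Any other call propagates taint.
SOURCES = {"getParameter", "getHeader"}   # untrusted HTTP input
SANITIZERS = {"escapeSql", "htmlEncode"}  # results treated as clean
SINKS = {"executeQuery", "println"}       # security-sensitive operations

def analyze(stmts):
    """Return [(index, sink)] for sink calls that receive tainted data.
    stmts: ("assign", dst, src) or ("call", dst, fn, args); dst may be None.
    """
    tainted = set()
    changed = True
    while changed:                       # fixpoint; statement order is ignored
        changed = False
        for st in stmts:
            if st[0] == "assign":
                _, dst, src = st
                taint = src in tainted
            else:
                _, dst, fn, args = st
                if fn in SOURCES:
                    taint = True
                elif fn in SANITIZERS:
                    taint = False
                else:                    # derivation: any tainted argument
                    taint = any(a in tainted for a in args)
            if taint and dst is not None and dst not in tainted:
                tainted.add(dst)
                changed = True
    return [(i, st[2]) for i, st in enumerate(stmts)
            if st[0] == "call" and st[2] in SINKS
            and any(a in tainted for a in st[3])]

# Constructed programs (variables and call names are placeholders).
VULNERABLE = [
    ("call", "name", "getParameter", ["req", "'name'"]),
    ("call", "q", "concat", ["'SELECT * FROM t WHERE n='", "name"]),
    ("call", None, "executeQuery", ["stmt", "q"]),
]
# Reusing one variable defeats a flow-insensitive analysis: 'name' is both
# tainted and clean, so the sink is reported although this run is safe.
# That over-approximation is what the paper's model-checking step refines.
REUSED = [
    ("call", "name", "getParameter", ["req", "'name'"]),
    ("call", "name", "escapeSql", ["name"]),
    ("call", None, "executeQuery", ["stmt", "name"]),
]
```

Reversing the statement list changes only the reported index, not the verdict, which is the flow-insensitivity the abstract refers to.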
