Static Detection of Logic Vulnerabilities in Java Web Applications

Logic vulnerabilities arise from mistakes in the control flow around critical functionality. We propose a lightweight static analysis approach to detect logic vulnerabilities in Java Web applications. The core idea is to discover deviant behavior among duplicated samples: program slicing is used to extract duplicated invocations that target similar functionality; path exploration then splits each slice into several path-sensitive slices; finally, any two similar slices are compared on their path conditions, and slices with abnormal path conditions are reported as logic vulnerabilities. We implemented the approach in a prototype tool named LVD (Logic Vulnerability Detector) and evaluated it on seven real-world applications ranging from thousands to a million lines of code. The evaluation results show that our approach achieves higher coverage at acceptable cost and scales better than previous approaches.
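One way to mechanize the comparison step described above, as an added example (not the LVD implementation or any code from the paper): each path-sensitive slice is modeled as the sensitive call it reaches plus the set of branch conditions that guard that call on one path, slices with the same target are compared pairwise, and a slice is reported when it lacks a condition that most of its peers check. The servlet, DAO and predicate names are hypothetical, and the slices are hand-constructed rather than produced by slicing real code.

```python
"""Simplified version of the deviant-behavior comparison sketched in the abstract.

A path-sensitive slice is modelled as the security-relevant call it ends in
together with the set of path conditions (branch predicates) that must hold for
that call to be reached along one path.  Slices that invoke the same target are
compared pairwise on those conditions; a slice is reported when it lacks a
condition that most of its peers check.  The slices below are constructed
sample data for a hypothetical application, not the output of the LVD tool.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PathSlice:
    location: str          # call site and path index (hypothetical names)
    target: str            # sensitive functionality the slice ends in
    conditions: frozenset  # path conditions guarding the target on this path


def group_by_target(slices):
    """Slices targeting the same functionality are the 'duplicated samples'."""
    groups = defaultdict(list)
    for s in slices:
        groups[s.target].append(s)
    return dict(groups)


def compare_pair(candidate, peer):
    """Conditions that `peer` checks before the shared target but `candidate` does not."""
    return peer.conditions - candidate.conditions


def find_deviants(slices):
    """Return sorted (location, target, missing_conditions) for abnormal slices.

    A condition counts as missing only if a strict majority of the peers check
    it; this keeps a single over-guarded path from flagging every sibling.
    """
    reports = []
    for target, group in group_by_target(slices).items():
        if len(group) < 2:
            continue  # nothing to compare a lone slice against
        for cand in group:
            peers = [p for p in group if p is not cand]
            votes = Counter()
            for peer in peers:
                votes.update(compare_pair(cand, peer))
            missing = frozenset(c for c, k in votes.items() if k > len(peers) / 2)
            if missing:
                reports.append((cand.location, target, missing))
    return sorted(reports)


# Constructed sample: four call sites reach UserDao.delete; two are consistently
# guarded, one drops the CSRF check, one performs no check at all.
SAMPLE_SLICES = [
    PathSlice("AdminServlet.doPost#1", "UserDao.delete",
              frozenset({"session.isAdmin()", "csrf.valid(token)"})),
    PathSlice("UserManageServlet.doPost#1", "UserDao.delete",
              frozenset({"session.isAdmin()", "csrf.valid(token)"})),
    PathSlice("BatchCleanupServlet.doGet#1", "UserDao.delete",
              frozenset({"session.isAdmin()"})),
    PathSlice("LegacyServlet.doGet#1", "UserDao.delete", frozenset()),
    # Consistent peers: no report expected.
    PathSlice("SignupServlet.doPost#1", "MailSender.send",
              frozenset({"user != null"})),
    PathSlice("ResetServlet.doPost#1", "MailSender.send",
              frozenset({"user != null"})),
    # Lone slice: nothing to compare against, so it is skipped.
    PathSlice("ReportServlet.doGet#1", "ReportDao.export", frozenset()),
]

if __name__ == "__main__":
    for location, target, missing in find_deviants(SAMPLE_SLICES):
        print(f"{location} -> {target}: missing {sorted(missing)}")
```

The majority vote is an assumption layered on top of the plain pairwise comparison the abstract describes; without it, a single path that happens to check an extra predicate would flag every sibling. A practitioner should also expect false positives where a peer is legitimately guarded by a different predicate (an ownership check instead of an admin check), so reports still need manual triage.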
