Assisting Programmers Resolving Vulnerabilities in Java Web Applications

In this paper we present a new approach to detecting and correcting security vulnerabilities in Java Web applications using program slicing and program transformation. Our vulnerability detector is based on an extended program slicing algorithm and tracks taint propagation through string operations. Our prototype is implemented as an Eclipse plug-in and leverages the WALA library to fix XSS vulnerabilities interactively. We also show that the approach performs well, both in analysis cost and in the number of vulnerabilities found.
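As an added illustration of the idea described in the abstract (this is not the paper's WALA-based plug-in, which is not reproduced here), the following Python script runs a forward string-taint pass over a constructed three-address IR of a servlet fragment, reports each tainted sink together with the instructions that form its slice, and then applies a transformation that inserts an HTML encoder at the point where the tainted string first meets static markup, so that the fix does not mangle the surrounding HTML. The IR shape, the instruction and method names, the set of sanitizing methods and the `htmlEncode` helper are all assumptions made for this example.

```python
"""String-taint detection and fix over a toy IR (added example; assumptions noted inline)."""

# Methods that clear taint for an HTML text context (assumption for the example).
SANITIZERS = {"htmlEncode"}

def html_encode(s):
    """Minimal HTML-text encoder used by the runtime and by the inserted fix."""
    return (s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
             .replace('"', "&quot;").replace("'", "&#x27;"))

# Constructed IR (assumption: simple tuples, not WALA's SSA) for this servlet fragment:
#   String name = request.getParameter("name");   String t = name.trim();
#   String greet = "<h1>Hello, ".concat(t);       out.print(greet.concat("</h1>"));
#   out.print("<p>static</p>");
PROGRAM = [
    ("source", "name"),                        # request parameter: tainted
    ("const", "h", "<h1>Hello, "),             # string literal: untainted
    ("call", "t", "trim", "name"),             # dst, method, args...
    ("call", "greet", "concat", "h", "t"),
    ("const", "close", "</h1>"),
    ("call", "body", "concat", "greet", "close"),
    ("sink", "body"),                          # written to the HTTP response
    ("const", "p", "<p>static</p>"),
    ("sink", "p"),
]

def taint_states(prog):
    """Forward taint pass. Yields (pc, instr, tainted_before); tainted_before maps each
    tainted variable to the pcs that contributed to it, i.e. its slice. Every string
    method except a sanitizer propagates taint from its arguments to its result."""
    tainted = {}
    for pc, ins in enumerate(prog):
        yield pc, ins, dict(tainted)
        op = ins[0]
        if op == "source":
            tainted[ins[1]] = {pc}
        elif op == "const":
            tainted.pop(ins[1], None)
        elif op == "call":
            _, dst, method, *args = ins
            deps = set().union(*(tainted.get(a, set()) for a in args))
            if method in SANITIZERS or not deps:
                tainted.pop(dst, None)
            else:
                tainted[dst] = deps | {pc}

def analyze(prog):
    """Return (sink_pc, var, slice_pcs) for every sink that receives tainted data."""
    return [(pc, ins[1], sorted(t[ins[1]] | {pc}))
            for pc, ins, t in taint_states(prog)
            if ins[0] == "sink" and ins[1] in t]

def fix(prog, findings):
    """Transformation: encode the tainted operand at the first concat in the slice that
    mixes it with untainted text (static markup stays intact); otherwise encode at the sink."""
    states = {pc: t for pc, _, t in taint_states(prog)}
    patches = {}                                   # pc -> variable to encode just before it
    for sink_pc, var, slice_pcs in findings:
        target, operand = sink_pc, var
        for pc in slice_pcs:
            ins = prog[pc]
            if ins[0] == "call" and ins[2] == "concat":
                tainted_ops = [a for a in ins[3:] if a in states[pc]]
                if len(tainted_ops) == 1:
                    target, operand = pc, tainted_ops[0]
                    break
        patches[target] = operand
    fixed = []
    for pc, ins in enumerate(prog):
        if pc in patches:
            v, enc = patches[pc], patches[pc] + "_enc"
            fixed.append(("call", enc, "htmlEncode", v))
            if ins[0] == "sink":
                ins = ("sink", enc)
            else:
                ins = ins[:3] + tuple(enc if a == v else a for a in ins[3:])
        fixed.append(ins)
    return fixed

# Concrete semantics, so the effect of the fix can be observed at runtime.
RUNTIME = {"concat": lambda a, b: a + b, "trim": str.strip,
           "toUpperCase": str.upper, "htmlEncode": html_encode}

def run(prog, param):
    """Interpret the IR with request parameter `param`; return everything sent to sinks."""
    env, out = {}, []
    for ins in prog:
        if ins[0] == "source":
            env[ins[1]] = param
        elif ins[0] == "const":
            env[ins[1]] = ins[2]
        elif ins[0] == "call":
            _, dst, method, *args = ins
            env[dst] = RUNTIME[method](*(env[a] for a in args))
        elif ins[0] == "sink":
            out.append(env[ins[1]])
    return "".join(out)

if __name__ == "__main__":
    findings = analyze(PROGRAM)                    # body tainted via name -> t -> greet
    fixed = fix(PROGRAM, findings)
    print(findings, analyze(fixed), run(fixed, "<script>alert(1)</script>"))
```

The slice returned for each finding is what an interactive tool would show the programmer, and it is also what makes the fix placement possible: encoding at the sink alone would escape the `<h1>` markup along with the parameter, whereas encoding the operand at the mixing `concat` keeps the page intact. Only an HTML text context is handled here; a value flowing into an attribute or a script block would need a different encoder.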
