Securing web application code by static analysis and runtime protection Export

@inproceedings{citeulike:462418, abstract = {Security remains a major roadblock to universal acceptance of the Web for many kinds of transactions, especially since the recent sharp increase in remotely exploitable vulnerabilities have been attributed to Web application bugs. Many verification tools are discovering previously unknown vulnerabilities in legacy C programs, raising hopes that the same success can be achieved with Web applications. In this paper, we describe a sound and holistic approach to ensuring Web application security. Viewing Web application vulnerabilities as a secure information flow problem, we created a lattice-based static analysis algorithm derived from type systems and typestate, and addressed its soundness. During the analysis, sections of code considered vulnerable are instrumented with runtime guards, thus securing Web applications in the absence of user intervention. With sufficient annotations, runtime overhead can be reduced to zero. We also created a tool named. WebSSARI (Web application Security by Static Analysis and Runtime Inspection) to test our algorithm, and used it to verify 230 open-source Web application projects on SourceForge.net, which were selected to represent projects of different maturity, popularity, and scale. 69 contained vulnerabilities. After notifying the developers, 38 acknowledged our findings and stated their plans to provide patches. Our statistics also show that static analysis reduced potential runtime overhead by 98.4\%.}, address = {New York, NY, USA}, author = {Huang, Yao W. and Yu, Fang and Hang, Christian and Tsai, Chung H. and Lee, Der T. and Kuo, Sy Y.}, booktitle = {WWW '04: Proceedings of the 13th international conference on World Wide Web}, citeulike-article-id = {462418}, citeulike-linkout-0 = {http://portal.acm.org/citation.cfm?id=988679}, citeulike-linkout-1 = {http://dx.doi.org/10.1145/988672.988679}, doi = {10.1145/988672.988679}, isbn = {1-58113-844-X}, keywords = {information\_flow\_control, joe\_e, security, static\_analysis, web\_application\_security, web\_applications}, location = {New York, NY, USA}, pages = {40--52}, posted-at = {2009-10-16 22:53:34}, priority = {2}, publisher = {ACM}, title = {Securing web application code by static analysis and runtime protection}, url = {http://dx.doi.org/10.1145/988672.988679}, year = {2004} }

TY - CONF ID - citeulike:462418 L3 - citeulike-article-id:462418 N2 - Security remains a major roadblock to universal acceptance of the Web for many kinds of transactions, especially since the recent sharp increase in remotely exploitable vulnerabilities have been attributed to Web application bugs. Many verification tools are discovering previously unknown vulnerabilities in legacy C programs, raising hopes that the same success can be achieved with Web applications. In this paper, we describe a sound and holistic approach to ensuring Web application security. Viewing Web application vulnerabilities as a secure information flow problem, we created a lattice-based static analysis algorithm derived from type systems and typestate, and addressed its soundness. During the analysis, sections of code considered vulnerable are instrumented with runtime guards, thus securing Web applications in the absence of user intervention. With sufficient annotations, runtime overhead can be reduced to zero. We also created a tool named. WebSSARI (Web application Security by Static Analysis and Runtime Inspection) to test our algorithm, and used it to verify 230 open-source Web application projects on SourceForge.net, which were selected to represent projects of different maturity, popularity, and scale. 69 contained vulnerabilities. After notifying the developers, 38 acknowledged our findings and stated their plans to provide patches. Our statistics also show that static analysis reduced potential runtime overhead by 98.4%. CY - New York, NY, USA SN - 1-58113-844-X AD - New York, NY, USA EP - 52 TI - Securing web application code by static analysis and runtime protection PB - ACM T2 - WWW '04: Proceedings of the 13th international conference on World Wide Web SP - 40 KW - information_flow_control KW - joe_e KW - security KW - static_analysis KW - web_application_security KW - web_applications AU - Huang, Yao AU - Yu, Fang AU - Hang, Christian AU - Tsai, Chung AU - Lee, Der AU - Kuo, Sy PY - 2004/// UR - http://dx.doi.org/10.1145/988672.988679 ER -