Static detection of security vulnerabilities in scripting languages

USENIX Security Symposium 2006, pp. 179-192


Abstract

We present a static analysis algorithm for detecting security vulnerabilities in PHP, a popular server-side scripting language for building web applications. Our analysis employs a novel three-tier architecture to capture information at decreasing levels of granularity at the intrablock, intraprocedural, and interprocedural level. This ar...

Introduction
  • Web-based applications have experienced exponential growth during the past few years and have become the de facto standard for delivering online services ranging from discussion forums to security sensitive areas such as banking and retailing.
  • PHP was created a decade ago by Rasmus Lerdorf as a simple set of Perl scripts for tracking accesses to his online resume.
  • It has since evolved into one of the most popular server-side scripting languages for building web applications.
  • Using inline variables in strings, most SQL queries can be concisely expressed with a simple function call.
Highlights
  • Although we focus on SQL injections in this work, we believe that, with small modifications, the same techniques can be applied to detecting other vulnerabilities such as cross site scripting (XSS) and code injection in web applications.
  • The analysis described in Section 3 has been implemented as two separate parts: a frontend based on the open source PHP 5.0.5 distribution that parses the source files into abstract syntax trees and a backend written in O'Caml that reads the abstract syntax trees into memory and carries out the analysis.
  • To make it easy for the user to specify the sanitization effects of regular expressions, the checker has an interactive mode where the user is prompted when the analysis encounters a previously unseen regular expression, and the user's answers are recorded for future reference. We found this approach to be very effective, and it helped us find at least two vulnerabilities caused by overly lenient regular expressions being used for sanitization.
  • We demonstrated the effectiveness of our approach by running our tool on six popular open source PHP code bases and finding 105 previously unknown security vulnerabilities, most of which we believe are remotely exploitable.
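The highlights above describe the checker's structure but not how a result is produced. The following is an added example, written for this page in Python rather than the paper's O'Caml, of the same three ideas: intrablock taint propagation through string concatenation, a per-function summary computed once and instantiated at each call site, and an interactive mode that asks about each previously unseen regular expression once and records the answer. The PHP-like IR, the sample program (modelled on the page's password-reminder query), the builtin sanitizer list and the canned oracle answers are all constructed here and are not the paper's.

```python
# Toy taint checker: added example over a constructed PHP-like IR, not the paper's O'Caml tool.
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Callable

UNTRUSTED = "user input"                               # origin: value came from $_GET
BUILTIN_SANITIZERS = {"mysql_real_escape_string"}      # assumed to return clean data
Summary = namedtuple("Summary", "sink_origins return_origins")   # per-function summary
# Origins are UNTRUSTED or "param:i" (parameter i of the function being summarised).
# IR: expr = ("const", s) | ("var", name) | ("input", key) [$_GET[key]] | ("concat", e1, e2)
#          | ("call", fname, [args]);  stmt = ("assign", name, expr) | ("sink", expr) [mysql_query]
#          | ("check", regex, name) [if (!preg_match(regex, $name)) die();] | ("return", expr)

@dataclass
class Checker:
    functions: dict                       # fname -> (parameter names, body)
    regex_oracle: Callable[[str], bool]   # interactive mode: "does this regex sanitize?"
    regex_answers: dict = field(default_factory=dict)
    summaries: dict = field(default_factory=dict)
    reports: list = field(default_factory=list)
    def regex_sanitizes(self, regex):                # prompt once, remember the answer
        if regex not in self.regex_answers:
            self.regex_answers[regex] = self.regex_oracle(regex)
        return self.regex_answers[regex]
    def summary(self, fname):                        # each function is analysed once
        if fname not in self.summaries:
            params, body = self.functions[fname]
            env = {p: frozenset({f"param:{i}"}) for i, p in enumerate(params)}
            self.summaries[fname] = self.run(fname, body, env)
        return self.summaries[fname]
    def note_sink(self, loc, origins, sinks, msg):
        if UNTRUSTED in origins:
            self.reports.append(f"{loc}: {msg}")
        sinks |= {o for o in origins if o.startswith("param:")}   # remembered for the summary
    def eval(self, expr, env, loc, sinks):
        kind = expr[0]
        if kind == "const": return frozenset()
        if kind == "var": return env.get(expr[1], frozenset())
        if kind == "input": return frozenset({UNTRUSTED})
        if kind == "concat":
            return self.eval(expr[1], env, loc, sinks) | self.eval(expr[2], env, loc, sinks)
        fname, args = expr[1], expr[2]               # kind == "call"
        arg_taint = [self.eval(a, env, loc, sinks) for a in args]
        if fname in BUILTIN_SANITIZERS:
            return frozenset()
        s = self.summary(fname)
        def at_call_site(origins, keep_direct):      # callee parameters -> actual arguments
            out = {o for o in origins if keep_direct and not o.startswith("param:")}
            for o in origins:
                if o.startswith("param:"):
                    out |= arg_taint[int(o[6:])]
            return out
        # the callee's own direct $_GET use was already reported when it was summarised
        self.note_sink(loc, at_call_site(s.sink_origins, False), sinks,
                       f"tainted argument to {fname}() reaches a SQL sink")
        return frozenset(at_call_site(s.return_origins, True))
    def run(self, where, body, env):
        sinks, rets = set(), set()
        for i, st in enumerate(body):
            loc = f"{where}:{i}"
            if st[0] == "assign":
                env[st[1]] = self.eval(st[2], env, loc, sinks)
            elif st[0] == "check" and self.regex_sanitizes(st[1]):
                env[st[2]] = frozenset()             # survived a strict regex: clean from here on
            elif st[0] == "sink":
                self.note_sink(loc, self.eval(st[1], env, loc, sinks), sinks,
                               "user input reaches a SQL sink")
            elif st[0] == "return":
                rets |= self.eval(st[1], env, loc, sinks)
        return Summary(frozenset(sinks), frozenset(rets))

# Constructed sample program modelled on the page's password-reminder example.
FUNCTIONS = {
    "build_query": (["id"], [
        ("return", ("concat", ("const", "SELECT * FROM users WHERE user_id='"),
                              ("concat", ("var", "id"), ("const", "'"))))]),
    "update_password": (["uid", "pw"], [
        ("sink", ("concat", ("const", "UPDATE users SET user_password=md5('"),
                  ("concat", ("var", "pw"), ("concat", ("const", "') WHERE user_id='"),
                  ("concat", ("var", "uid"), ("const", "'"))))))]),
}
STRICT, LENIENT = r"^[0-9]+$", r"^[[:print:]]+$"
MAIN = [
    ("assign", "userid", ("input", "userid")),       # what extract($_GET) does
    ("assign", "new_pass", ("input", "new_pass")),
    ("check", STRICT, "userid"),
    ("check", LENIENT, "new_pass"),                  # still lets ' ) , through
    ("assign", "q", ("call", "build_query", [("var", "userid")])),
    ("sink", ("var", "q")),
    ("assign", "name", ("call", "mysql_real_escape_string", [("input", "name")])),
    ("sink", ("concat", ("const", "SELECT * FROM users WHERE name='"), ("var", "name"))),
    ("assign", "_", ("call", "update_password", [("var", "userid"), ("var", "new_pass")])),
]

def analyze(answers):
    """Check MAIN with canned interactive-mode answers (regex -> sanitizes?); returns the Checker."""
    chk = Checker(FUNCTIONS, lambda rx: answers.get(rx, False))
    chk.run("main", MAIN, {})
    return chk
```

`analyze({STRICT: True, LENIENT: False})` yields a single report at `main:8`: the numeric check clears the taint on `userid`, while `new_pass` survives the lenient pattern and reaches the sink inside `update_password()` through that function's summary. Answering True for the lenient pattern silences the report, which is exactly the kind of overly permissive sanitizer the paper says the interactive mode helped expose; answering False for both leaves two reports, since `build_query()`'s return value then carries the taint of its argument into the sink at `main:5`.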
Results
  • The checker is largely automatic and requires little human intervention for use.
Conclusion
  • The authors have presented a static analysis algorithm for detecting security vulnerabilities in PHP.
  • The authors' analysis employs a novel three-tier architecture that enables them to handle dynamic features unique to scripting languages such as dynamic typing and code inclusion.
  • The authors demonstrated the effectiveness of the approach by running the tool on six popular open source PHP code bases and finding 105 previously unknown security vulnerabilities, most of which the authors believe are remotely exploitable.
Tables
  • Table 1: Summary of experiments. Err Msgs: number of reported errors. Bugs: number of confirmed bugs from error reports. FP: number of false positives. Warn: number of unique warning messages for variables of unresolved origin (uninspected).
Related work
  • Injection example referenced by the paper (the extract operation it mentions is not reproduced on this page). The intended query is:

    UPDATE users SET user_password=md5('???????') WHERE user_id='userid'

    However, a malicious user can simply add a new_pass field to his HTTP request by appending, for example, the following string to the URL for the password reminder site:

    &new_pass=abc%27%29%2cuser_level=%27103%27%2cuser_aim=%28%27

    The extract operation described above will magically introduce new_pass in the current variable scope with the following initial value:

    abc'), user_level='103', user_aim=('

    The SQL request is now constructed as:

    UPDATE users SET user_password=md5('abc'), user_level='103', user_aim=('???????') WHERE user_id='userid'

    5.1 Static techniques

    WebSSARI is a type qualifier based analyzer for PHP [7]. It uses a standard intraprocedural tainting analysis to find cases where user controlled values flow into functions that require trusted input (sensitive functions). The analysis relies on three user written "prelude" files to provide information regarding: 1) the set of all sensitive functions, those that require sanitized input; 2) the set of all untainting operations; and 3) the set of untrusted input variables. Incomplete specification will result in both false positives and false negatives. The key limitation of WebSSARI is its analysis power: 1) the analysis is intraprocedural and does not infer function
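To see the attack rather than the analysis, here is the injection above replayed against an in-memory SQLite database. This is an added example, not code from the paper: the PHP source is not reproduced on this page, so `vulnerable_reset()` is a constructed stand-in for extract($_GET) followed by a string-built UPDATE (it interpolates only `$new_pass` and `$userid`, so the tail of the resulting statement differs slightly from the page's), `safe_reset()` is the parameterised rewrite, and the users table, the SQL-level md5() function and the request string are all constructed for the example.

```python
# The password-reminder injection replayed against SQLite (added example; the handlers are
# constructed stand-ins for the PHP script, which is not on this page).
import hashlib
import sqlite3
from urllib.parse import parse_qs

# Constructed query string: the page's payload appended to a normal reminder request.
PAYLOAD = "userid=userid&new_pass=abc%27%29%2cuser_level=%27103%27%2cuser_aim=%28%27"

def md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def setup():
    """In-memory users table with a SQL-level md5() so the page's query runs as written."""
    db = sqlite3.connect(":memory:")
    db.create_function("md5", 1, md5)
    db.execute("CREATE TABLE users (user_id TEXT, user_password TEXT, user_level TEXT, user_aim TEXT)")
    db.execute("INSERT INTO users VALUES ('userid', 'old-hash', '1', '')")
    return db

def row(db):
    return db.execute("SELECT user_password, user_level, user_aim FROM users "
                      "WHERE user_id='userid'").fetchone()

def vulnerable_reset(db, query_string, generated="???????"):
    """extract($_GET) stand-in: every request field lands in the script's scope, so the
    attacker's new_pass silently replaces the generated password before interpolation."""
    scope = {"userid": "userid", "new_pass": generated}
    scope.update({k: v[0] for k, v in parse_qs(query_string).items()})
    sql = ("UPDATE users SET user_password=md5('%s') WHERE user_id='%s'"
           % (scope["new_pass"], scope["userid"]))
    db.execute(sql)
    return sql                                 # returned so the effect can be inspected

def safe_reset(db, query_string, generated="???????"):
    """Only the expected field is read, and it travels as a bound parameter, so quotes and
    commas in the request cannot change the statement's structure."""
    userid = parse_qs(query_string).get("userid", ["userid"])[0]
    db.execute("UPDATE users SET user_password=md5(?) WHERE user_id=?", (generated, userid))
    return row(db)
```

The vulnerable path turns one attacker-controlled field into three column assignments, so user_level becomes '103'; the parameterised path leaves user_level untouched whatever the request contains. The root cause is two-fold: extract() lets a request field shadow the generated password, and the interpolated query lets that value change the statement's structure. Binding the value as a parameter fixes the second; reading only the fields the script expects fixes the first.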
References
  • A. Aiken, E. Wimmers, and T. Lakshman. Soft typing with conditional types. In Proceedings of the 21st Annual Symposium on Principles of Programming Languages, 1994.
  • K. Ashcraft and D. Engler. Using programmer-written compiler extensions to catch security holes. In 2002 IEEE Symposium on Security and Privacy, 2002.
  • A. Christensen, A. Moller, and M. Schwartzbach. Precise analysis of string expressions. In Proceedings of the 10th Static Analysis Symposium, 2003.
  • J. S. Foster, T. Terauchi, and A. Aiken. Flow-sensitive type qualifiers. In Proceedings of the 2002 ACM SIGPLAN Conference on Programming Language Design and Implementation, pages 1–12, June 2002.
  • C. Gould, Z. Su, and P. Devanbu. Static checking of dynamically generated queries in database applications. In Proceedings of the 26th International Conference on Software Engineering, 2004.
  • S. Hallem, B. Chelf, Y. Xie, and D. Engler. A system and language for building system-specific, static analyses. In Proceedings of the ACM SIGPLAN 2002 Conference on Programming Language Design and Implementation, Berlin, Germany, June 2002.
  • Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D. Lee, and S.-Y. Kuo. Securing web application code by static analysis and runtime protection. In Proceedings of the 13th International World Wide Web Conference, 2004.
  • V. Livshits and M. Lam. Finding security vulnerabilities in Java applications with static analysis. In Proceedings of the 14th Usenix Security Symposium, 2005.
  • Y. Minamide. Approximation of dynamically generated web pages. In Proceedings of the 14th International World Wide Web Conference, 2005.
  • A. Nguyen-Tuong, S. Guarnieri, D. Greene, J. Shirley, and D. Evans. Automatically hardening web applications using precise tainting. In Proceedings of the 20th International Information Security Conference, 2005.
  • Perl documentation: Perlsec. http://search.cpan.org/dist/perl/pod/perlsec.pod.
  • PHP: Hypertext Preprocessor. http://www.php.net/.
  • PHP usage statistics. http://www.php.net/usage.php.
  • D. Scott and R. Sharp. Abstracting application-level web security. In Proceedings of the 11th International World Wide Web Conference, 2002.
  • Security space apache module survey (Oct 2005). http://www.securityspace.com/s survey/data/man.200510/apachemods.html.
  • Symantec Internet security threat report: Vol. VII. Technical report, Symantec Inc., Mar. 2005.
  • TIOBE programming community index for November 2005. http://www.tiobe.com/tpci.htm.
  • J. Whaley and M. Lam. Cloning-based context-sensitive pointer alias analysis using binary decision diagrams. In Proceedings of the ACM SIGPLAN 2004 Conference on Programming Language Design and Implementation, 2004.
  • A. Wright and R. Cartwright. A practical soft type system for Scheme. ACM Trans. Prog. Lang. Syst., 19(1):87–152, Jan. 1997.
  • J. Yang, T. Kremenek, Y. Xie, and D. Engler. MECA: an extensible, expressive system and language for statically checking security properties. In Proceedings of the 10th Conference on Computer and Communications Security, 2003.