XML, XPath, and SQL injection vulnerabilities are among the most common and serious security issues for Web applications and Web services. Thus, it is important for security auditors to ensure that the implemented code is, to the extent possible, free from these vulnerabilities before deployment. Although existing taint analysis approaches can automatically detect potential vulnerabilities in source code, they tend to generate many false warnings. Furthermore, the produced traces, i.e. data-flow paths from input sources to security-sensitive operations, tend to be incomplete or to contain a great deal of irrelevant information. Therefore, it is difficult to identify real vulnerabilities and determine their causes. One suitable approach to support security auditing is to compute a program slice for each security-sensitive operation, since such a slice contains all the information required for performing security audits (Soundness). A limitation, however, is that such slices may also contain information that is irrelevant to security (Precision), thus raising scalability issues for security audits. In this paper, we propose an approach to assist security auditors by defining and experimenting with pruning techniques that reduce original program slices to what we refer to as security slices, which contain sound and precise information. To evaluate the proposed pruning mechanism, we compared, on a number of open source benchmarks, our security slices with the slices generated by a state-of-the-art program slicing tool. On average, our security slices are 80% smaller than the original slices, suggesting a significant reduction in auditing costs.
Research center :
SnT - Interdisciplinary Centre for Security, Reliability and Trust
Disciplines :
Computer science
Author, co-author :
THOME, Julian ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
SHAR, Lwin Khin ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
BRIAND, Lionel ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) ; University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)
External co-authors :
no
Language :
English
Title :
Security Slicing for Auditing XML, XPath, and SQL Injection Vulnerabilities
Publication date :
2015
Event name :
26th IEEE International Symposium on Software Reliability Engineering
Event place :
Gaithersburg, United States
Event date :
from 02-11-2015 to 05-11-2015
Audience :
International
Main work title :
26th IEEE International Symposium on Software Reliability Engineering
Publisher :
IEEE
Peer reviewed :
Peer reviewed
Focus Area :
Security, Reliability and Trust
FnR Project :
FNR9132112 - A Scalable And Accurate Hybrid Vulnerability Analysis Framework, 2014 (01/09/2014-14/04/2018) - Julian Thomé
Funders :
National Research Fund, Luxembourg (FNR/P10/03 and FNR9132112)