Improving application security with data flow assertions

SOSP'09 - Proceedings of the 22nd ACM SIGOPS Symposium on Operating Systems Principles

Volumn , Issue , 2009, Pages 291-304

  Yip, Alexander ^a   Wang, Xi ^a   Zeldovich, Nickolai ^a   Kaashoek, M Frans ^a  

^a MASSACHUSETTS INSTITUTE OF TECHNOLOGY   (United States)

Author keywords

PHP; Privacy; Python; Security; SQL injection; Web; XSS

Indexed keywords

APPLICATION CODES; APPLICATION DATA; APPLICATION SECURITY; CONFERENCE MANAGEMENT; CROSS SITE SCRIPTING; DATA FLOW; DATA-TRACKING; LINES OF CODE; RUN-TIME CHECKS; RUNTIMES; SECURITY VULNERABILITIES; SQL INJECTION; WEB APPLICATION; WEB FORUMS;

ACCESS CONTROL; COMPUTER OPERATING SYSTEMS; DATA STRUCTURES; HIGH LEVEL LANGUAGES; METADATA; NETWORK SECURITY; SECURITY SYSTEMS;

RESINS;

EID: 72249104474     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1629575.1629604     Document Type: Conference Paper

References (52)

1. G. Ahn, X. Zhang, and W. Xu. Systematic policy analysis for high-assurance services in SELinux. In Proc. of the 2008 POLICY Workshop, pages 3-10, Palisades, NY, June 2008.
2. A. H. Anderson. An introduction to the web services policy language (WSPL). In Proc. of the 2004 POLICY Workshop, pages 189-192, Yorktown Heights, NY, June 2004.
3. J. Bae. Vulnerability of uploading files with multiple extensions in phpBB attachment mod. http://seclists. org/fulldisclosure/2004/Dec/0347.html. CVE-2004-1404.
4. S. Barker. The next 700 access control models or a unifying meta-model? In Proc. of the 14th ACM Symposium on Access Control Models and Technologies, pages 187-196, Stresa, Italy, June 2009.
5. M. Barnett, B.-Y. E. Chang, R. DeLine, B. Jacobs, and K. R. M. Leino. Boogie: A modular reusable verifier for object-oriented programs. In Proc. of the 4th International Symposium on Formal Methods for Components and Objects, pages 364-387, Amsterdam, The Netherlands, November 2005.
6. M. Barnett, K. Rustan, M. Leino, and W. Schulte. The Spec# programming system: An overview. In Proc. of the Workshop on Construction and Analysis of Safe, Secure and Interoperable Smart devices, pages 49-69, Marseille, France, March 2004.
7. L. Bauer, J. Ligatti, and D. Walker. Composing security policies with Polymer. In Proc. of the 2005 PLDI, pages 305-314, Chicago, IL, June 2005.
8. W. Chang, B. Streiff, and C. Lin. Efficient and extensible security enforcement using dynamic data flow analysis. In Proc. of the 15th CCS, pages 39-50, Alexandria, VA, October 2008.
9. S. Chong, J. Liu, A. C. Myers, X. Qi, K. Vikram, L. Zheng, and X. Zheng. Secure web applications via automatic partitioning. In Proc. of the 21st SOSP, pages 31-44, Stevenson, WA, October 2007.
10. S. Chong, K. Vikram, and A. C. Myers. SIF: Enforcing confidentiality and integrity in web applications. In Proc. of the 16th USENIX Security Symposium, pages 1-16, Boston, MA, August 2007.
11. CWH Underground. Kwalbum arbitrary file upload vulnerabilities. http://www.milw0rm.com/exploits/6664. CVE-2008-5677.
12. N. Damianou, N. Dulay, E. Lupu, and M. Sloman. The Ponder policy specification language. In Proc. of the 2001 POLICY Workshop, pages 18-38, Bristol, UK, January 2001.
13. D. E. Denning. A lattice model of secure information flow. Communications of the ACM, 19(5):236-243, May 1976.
14. P. Efstathopoulos and E. Kohler. Manageable fine-grained information flow. In Proc. of the 3rd ACM EuroSys conference, pages 301-313, Glasgow, UK, April 2008.
15. P. Efstathopoulos, M. Krohn, S. VanDeBogart, C. Frey, D. Ziegler, E. Kohler, D. Mazières, F. Kaashoek, and R. Morris. Labels and event processes in the Asbestos operating system. In Proc. of the 20th SOSP, pages 17-30, Brighton, UK, October 2005.
16. Emory University. Multiple vulnerabilities in AWStats Totals. http://userwww.service.emory.edu/~ekenda2/EMORY-2008-01.txt. CVE-2008-3922.
17. D. Engler, B. Chelf, A. Chou, and S. Hallem. Checking system rules using system-specific, programmer-written compiler extensions. In Proc. of the 4th OSDI, pages 1-16, San Diego, CA, October 2000.
18. D. Evans and D. Larochelle. Improving security using extensible lightweight static analysis. IEEE Software, 19(1):42-51, January/February 2002.
19. D. F. Ferraiolo and D. R. Kuhn. Role-based access control. In Proc. of the 15th National Computer Security Conference, pages 554-563, Baltimore, MD, October 1992.
20. S. Garriss, L. Bauer, and M. K. Reiter. Detecting and resolving policy misconfigurations in access-control systems. In Proc. of the 13th ACM Symposium on Access Control Models and Technologies, pages 185-194, Estes Park, CO, June 2008.
21. W. G. J. Halfond and A. Orso. AMNESIA: analysis and monitoring for neutralizing SQL-injection attacks. In Proc. of the 20th ACM International Conference on Automated Software Engineering, pages 174-183, Long Beach, CA, November 2005.
22. W. G. J. Halfond, A. Orso, and P. Manolios. Using positive tainting and syntax-aware evaluation to counter SQL injection attacks. In Proc. of the 14th FSE, pages 175-185, Portland, OR, November 2006.
23. N. Hippert. phpMyAdmin code execution vulnerability. http://fd.the- wildcat.de/pma-e36a091q11.php. CVE-2008-4096.
24. S. Kasatani. Safe ERB plugin. http://agilewebdevelopment.com/plugins/ safe-erb.
25. D. Kilpatrick. Privman: A library for partitioning applications. In Proc. of the 2003 USENIX Annual Technical Conference, FREENIX track, pages 273-284, San Antonio, TX, June 2003.
26. E. Kohler. Hot crap! In Proc. of the Workshop on Organizing Workshops, Conferences, and Symposia for Computer Systems, San Francisco, CA, April 2008.
27. M. Krohn. Building secure high-performance web services with OKWS. In Proc. of the 2004 USENIX Annual Technical Conference, pages 185-198, Boston, MA, June-July 2004.
28. M. Krohn, A. Yip, M. Brodsky, N. Cliffer, M. F. Kaashoek, E. Kohler, and R. Morris. Information flow control for standard OS abstractions. In Proc. of the 21st SOSP, pages 321-334, Stevenson, WA, October 2007.
29. V. B. Livshits and M. S. Lam. Finding security vulnerabilities in Java applications with static analysis. In Proc. of the 14th USENIX Security Symposium, pages 271-286, Baltimore, MD, August 2005.
30. M. Martin, B. Livshits, and M. Lam. Finding application errors and security flaws using PQL: a program query language. In Proc. of the 2005 OOPSLA, pages 365-383, San Diego, CA, October 2005.
31. MoinMoin. The MoinMoin wiki engine. http://moinmoin.wikiwikiweb.de/.
32. A. C. Myers and B. Liskov. Protecting privacy using the decentralized label model. ACM TOCS, 9(4):410-442, October 2000.
33. myPHPscripts.net. Login session script. http://www.myphpscripts.net/?sid= 7. CVE-2008-5855.
34. A. Nguyen-tuong, S. Guarnieri, D. Greene, J. Shirley, and D. Evans. Automatically hardening Web applications using precise tainting. In Proc. of the 20th IFIP International Information Security Conference, pages 295-307, Chiba, Japan, May 2005.
35. Osirys. myPHPscripts login session password disclosure. http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5855. CVE-2008-5855.
36. Osirys. wPortfolio arbitrary file upload exploit. http: //www.milw0rm.com/exploits/7165. CVE-2008-5220.
37. Perl.org. Perl taint mode. http://perldoc.perl.org/perlsec.html.
38. phpMyAdmin. phpMyAdmin 3.1.0. http://www.phpmyadmin.net/.
39. T. Pietraszek and C. V. Berghe. Defending against injection attacks through context-sensitive string evaluation. In Proc. of the 8th International Symposium on Recent Advances in Intrusion Detection, pages 124-145, Seattle, WA, September 2005.
40. N. Swamy, B. J. Corcoran, and M. Hicks. Fable: A language for enforcing user-defined security policies. In Proc. of the 2008 IEEE Symposium on Security and Privacy, pages 369-383, Oakland, CA, May 2008.
41. The MITRE Corporation. Common vulnerabilities and exposures (CVE) database. http://cve.mitre.org/data/downloads/.
42. D. Thomas, C. Fowler, and A. Hunt. Programming Ruby: The Pragmatic Programmers' Guide. Pragmatic Bookshelf, 2004.
43. M. C. Tschantz and S. Krishnamurthi. Towards reasonability properties for access-control policy languages. In Proc. of the 11th ACM Symposium on Access Control Models and Technologies, pages 160-169, Lake Tahoe, CA, June 2006.
44. W. Venema. Taint support for PHP. http://wiki.php. net/rfc/taint.
45. J. Viega, J. T. Bloch, and P. Chandra. Applying aspect-oriented programming to security. Cutter IT Journal, 14(2):31-39, February 2001.
46. T. Waldmann. Check the ACL of the included page when using the rst parser's include directive. http://hg.moinmo.in/moin/1.6/rev/35ff7a9b1546. CVE-2008-6548.
47. G. Wassermann and Z. Su. Sound and precise analysis of Web applications for injection vulnerabilities. In Proc. of the 2007 PLDI, pages 32-41, San Diego, CA, June 2007.
48. Web Application Security Consortium. 2007 web application security statistics. http://www.webappsec.org/projects/statistics/wasc-wass-2007.pdf.
49. Y. Xie and A. Aiken. Static detection of security vulnerabilities in scripting languages. In Proc. of the 15th USENIX Security Symposium, pages 179-192, Vancouver, BC, Canada, July 2006.
50. A. Yumerefendi, B. Mickle, and L. P. Cox. TightLip: Keeping applications from spilling the beans. In Proc. of the 4th NSDI, pages 159-172, Cambridge, MA, April 2007.
51. N. Zeldovich, S. Boyd-Wickizer, E. Kohler, and D. Mazières. Making information flow explicit in HiStar. In Proc. of the 7th OSDI, pages 263-278, Seattle, WA, November 2006.
52. N. Zeldovich, S. Boyd-Wickizer, and D. Mazières. Securing distributed systems with information flow control. In Proc. of the 5th NSDI, pages 293-308, San Francisco, CA, April 2008.