Static analysis for detecting taint-style vulnerabilities in web applications

Journal of Computer Security

Volumn 18, Issue 5, 2010, Pages 861-907

  Jovanovic, Nenad ^a   Kruegel, Christopher ^b   Kirda, Engin ^c  

^a VIENNA UNIVERSITY OF TECHNOLOGY   (Austria)

^b UNIVERSITY OF CALIFORNIA   (United States)

^c EURECOM   (France)

Author keywords

alias analysis; cross site scripting; data flow analysis; PHP; Program analysis; scripting languages security; SQL injection; static analysis; web application security

Indexed keywords

ALIAS ANALYSIS; CROSS SITE SCRIPTING; DATA FLOW; PHP; PROGRAM ANALYSIS; SCRIPTING LANGUAGES; SQL INJECTION; WEB APPLICATION SECURITY;

LINGUISTICS; SECURITY OF DATA; STATIC ANALYSIS; WORLD WIDE WEB;

DATA FLOW ANALYSIS;

EID: 77957112438     PISSN: 0926227X     EISSN: None     Source Type: Journal    
DOI: 10.3233/JCS-2009-0385     Document Type: Article

References (46)

1. A.V. Aho, R. Sethi and J.D. Ullman, Compilers: Principles, Techniques, and Tools, Addison-Wesley, Boston, MA, USA, 1986.
2. L.O. Andersen, Program analysis and specialization for the C programming language, PhD thesis, University of Copenhagen, 1994.
3. K. Ashcraft and D. Engler, Using programmer-written compiler extensions to catch security holes, in: IEEE Symposium on Security and Privacy, Oakland, CA, USA, 2002.
4. BugTraqr, BugTraq Mailing List Archive, 2005, http://www.securityfocus. com/archive/1.
5. CERT, CERT Advisory CA-2000-02: Malicious HTML tags embedded in client web requests, 2005, http://www.cert.org/advisories/CA-2000-02.html.
6. D. Chase, M. Wegman and F.K. Zadeck, Analysis of pointers and structures, in: PLDI'90: Proceedings of the ACM SIGPLAN'90 Conference on Programming Language Design and Implementation, White Plains, NY, USA, 1991.
7. A. Christensen, A. Møller and M. Schwartzbach, Precise analysis of string expressions, in: International Static Analysis Symposium (SAS), San Diego, CA, USA, 2003.
8. CUP, CUP: LALR parser generator in Java, 2005, http://www2.cs.tum.edu/ projects/cup/.
9. M. Das, Unification-based pointer analysis with directional assignments, in: PLDI'00: Proceedings of the ACM SIGPLAN 2000 Conference on Programming Language Design and Implementation, Vancouver, BC, Canada, 2000.
10. D. Engler, B. Chelf, A. Chou and S. Hallem, Checking system rules using system-specific, programmer-written compiler extensions, in: OSDI 2000, Denver, CO, USA, 2000.
11. D. Engler, D.Y. Chen, S. Hallem, A. Chou and B. Chelf, Bugs as deviant behavior: A general approach to inferring errors in systems code, in: SOSP'01: Proceedings of the 18th ACM Symposium on Operating Systems Principles, Banff, Canada, 2001.
12. J.S. Foster, M. Faehndrich and A. Aiken, A theory of type qualifiers, in: PLDI'99: Proceedings of the ACM SIGPLAN 1999 Conference on Programming Language Design and Implementation, Atlanta, GA, USA, 1999.
13. W. Halfond and A. Orso, AMNESIA: Analysis and Monitoring for NEutralizing SQL-Injection Attacks, in: International Conference on Automated Software Engineering (ASE), Long Beach, CA, USA, 2005.
14. M. Hind, Pointer analysis: Haven't we solved this problem yet?, in: PASTE'01: Proceedings of the 2001 ACM SIGPLAN-SIGSOFT Workshop on Program Analysis for Software Tools and Engineering, Snowbird, UT, USA, 2001.
15. Y.-W. Huang, S.-K. Huang, T.-P. Lin and C.-H. Tsai, Web application security assessment by fault injection and behavior monitoring, in: WWW'03: Proceedings of the 12th International Conference on World Wide Web, Budapest, Hungary, 2003.
16. Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D.-T. Lee and S.-Y. Kuo, Securing web application code by static analysis and runtime protection, in: WWW'04: Proceedings of the 13th International Conference on World Wide Web, New York, NY, USA, 2004.
17. Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D.-T. Lee and S.-Y. Kuo, Verifying web applications using bounded model checking, in: DSN, Florence, Italy, 2004.
18. JFlex, JFlex: The fast scanner generator for Java, 2005, http://jflex.de.
19. R. Johnson and D. Wagner, Finding user/kernel pointer bugs with type inference, in: 13th USENIX Security Symposium, San Diego, CA, USA, 2004.
20. N. Jovanovic, C. Kruegel and E. Kirda, Pixy: A static analysis tool for detecting web application vulnerabilities (Short paper), in: IEEE Symposium on Security and Privacy, Oakland, CA, USA, 2006.
21. N. Jovanovic, C. Kruegel and E. Kirda, Precise alias analysis for static detection of web application vulnerabilities. in: ACM SIGPLAN Workshop on Programming Languages and Analysis for Security, Ottawa, Canada, 2006.
22. G.A. Kildall, A unified approach to global program optimization, in: POPL'73: Proceedings of the 1st Annual ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages, Boston, MA, USA, 1973.
23. E. Kirda, C. Kruegel, G. Vigna and N. Jovanovic, Noxes: A client-side solution for mitigating cross-site scripting attacks, in: The 21st ACM Symposium on Applied Computing (SAC 2006), Dijon, France, 2006.
24. W. Landi and B.G. Ryder, A safe approximate algorithm for interprocedural aliasing, in: PLDI'92: Proceedings of the ACM SIGPLAN 1992 Conference on Programming Language Design and Implementation, San Francisco, CA, USA, 1992.
25. Y.A. Liu, S.D. Stoller, M. Gorbovitski, T. Rothamel and Y.E. Liu, Incrementalization across object abstraction, in: OOPSLA'05: Proceedings of the 20th Annual ACM SIGPLAN Conference on Object Oriented Programming, Systems, Languages, and Applications, San Diego, CA, USA, 2005.
26. V.B. Livshits and M.S. Lam, Finding security errors in Java programs with static analysis, in: Proceedings of the 14th Usenix Security Symposium, Baltimore, MD, USA, August 2005.
27. Y. Minamide, Static approximation of dynamically generated web pages, in: WWW'05: Proceedings of the 14th International Conference on World Wide Web, Chiba, Japan, 2005.
28. S.S. Muchnick, Advanced Compiler Design and Implementation, Morgan Kaufmann, San Fransisco, CA, USA, 1997.
29. A. Nguyen-Tuong, S. Guarnieri, D. Greene, J. Shirley and D. Evans, Automatically hardening web applications using precise tainting, in: IFIP Security 2005, Chiba, Japan, 2005.
30. F. Nielson, H.R. Nielson and C. Hankin, Principles of Program Analysis, Springer-Verlag, New York, USA, 1999.
31. PAG/WWW: Static program analysis, 2005, http://www.program-analysis.com.
32. PHP: Hypertext preprocessor, 2005, http://www.php.net.
33. T. Pietraszek and C.V. Berghe, Defending against injection attacks through context-sensitive string evaluation, in: Recent Advances in Intrusion Detection 2005 (RAID), Seattle, WA, USA, 2005.
34. Secure Systems Lab, Technical University of Vienna, 2006, http://www.seclab.tuwien.ac.at.
35. SecurityFocus: 99 potential SQL injection vulnerabilities, 2005, http://www.securityfocus.com/ archive/1/419280/30/0/threaded.
36. U. Shankar, K. Talwar, J.S. Foster and D. Wagner, Detecting format string vulnerabilities with type qualifiers, in: Proceedings of the 10th USENIX Security Symposium, Washington, DC, USA, 2001.
37. S. Shankland, Andreessen: PHP succeeding where Java isn't, 2005, available at: http://www.zdnet. com.au/news/software/soa/Andreessen-PHP- succeeding-where-Java-isn-t/0,2000061733,392181 71,00.htm.
38. M. Sharir and A. Pnueli, Two Approaches to Interprocedural Data Flow Analysis, Prentice-Hall, Upper Saddle River, NJ, USA, 1981, Chapter 7.
39. B. Steensgaard, Points-to analysis in almost linear time, in: POPL'96: Proceedings of the 23rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, St. Petersburg Beach, FL, USA, 1996.
40. Z. Su and G. Wassermann, The essence of command injection attacks in web applications, in: Symposium on Principles of Programming Languages (POPL), Charleston, SC, USA, 2006.
41. L. Wall, T. Christiansen, R.L. Schwartz and S. Potter, Programming Perl, 2nd edn, O'Reilly & Associates, Sebastopol, CA, USA, 1996.
42. G. Wassermann and Z. Su, Sound and precise analysis of web applications for injection vulnerabilities, in: Conference on Programming Language Design and Implementation (PLDI), San Diego, CA, USA, 2007.
43. J. Whaley and M.S. Lam, Cloning-based context-sensitive pointer alias analysis using binary decision diagrams, in: PLDI'04: Proceedings of the ACM SIGPLAN 2004 Conference on Programming Language Design and Implementation, Washington, DC, USA, 2004.
44. Wikipedia, Hasse diagram, 2005, http://en.wikipedia.org/wiki/Hasse- diagram.
45. R.P. Wilson and M.S. Lam, Efficient context-sensitive pointer analysis for c programs, in: PLDI'95: Proceedings of the ACM SIGPLAN 1995 Conference on Programming Language Design and Implementation, La Jolla, CA, USA, 1995.
46. Y. Xie and A. Aiken, Static detection of security vulnerabilities in scripting languages, in: Proceedings of the 15th USENIX Security Symposium, Vancouver, BC, Canada, 2006.