Symbolic security analysis of Ruby-on-Rails web applications

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2010, Pages 585-594

  Chaudhuri, Avik ^a   Foster, Jeffrey S ^a  

^a UNIVERSITY OF MARYLAND   (United States)

Author keywords

Automated analysis; Symbolic execution; Web application security

Indexed keywords

APPLICATION-SPECIFIC; AUTOMATED ANALYSIS; CROSS SITE SCRIPTING; MALICIOUS ADVERSARIES; OBJECT INVARIANTS; SECRET INFORMATION; SECURITY ANALYSIS; SECURITY PROPERTIES; SECURITY VULNERABILITIES; SYMBOLIC EXECUTION; WEB APPLICATION; WEB-APPLICATION SECURITY;

ACCESS CONTROL; RUBY; SECURITY SYSTEMS; SPECIFICATIONS; WORLD WIDE WEB;

NETWORK SECURITY;

EID: 78650012964     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1866307.1866373     Document Type: Conference Paper

References (38)

1. Jong-hoon An, Avik Chaudhuri, and Jeffrey S. Foster. Static typing for Ruby on Rails. In ASE, 2009.
2. S. Artzi, A. Kiezun, J. Dolby, F. Tip, D. Dig, A. Paradkar, and M.D. Ernst. Finding bugs in web applications using dynamic test generation and explicit state model checking. IEEE Transactions on Software Engineering, 2010.
3. I.G. Baltopoulos and A.D. Gordon. Secure compilation of a multi-tier web language. In TLDI, 2009.
4. A. Barth, C. Jackson, and J.C. Mitchell. Robust defenses for cross-site request forgery. In CCS. ACM, 2008.
5. Jesper Bengtson, Karthikeyan Bhargavan, Cédric Fournet, Andrew D. Gordon, and Sergio Maffeis. Refinement types for secure implementations. In CSF, 2008.
6. Gavin M. Bierman, Andrew D. Gordon, Cǎtǎlin Hriţcu, and David Langworthy. Semantic subtyping with an SMT solver. In ICFP, 2010.
7. Prithvi Bisht, P. Madhusudan, and V. N. Venkatakrishnan. Candid: Dynamic candidate evaluations for automatic prevention of SQL injection attacks. ACM Trans. Inf. Syst. Secur., 13(2), 2010.
8. Adam Chlipala. Ur: Statically-typed metaprogramming with type-level record computation. In PLDI, 2010.
9. S. Chong, K. Vikram, A.C. Myers, et al. SIF: Enforcing confidentiality and integrity in web applications. In USENIX Security, 2007.
10. Brian J. Corcoran, Nikhil Swamy, and Michael Hicks. Cross-tier, label-based security enforcement for web applications. In SIGMOD, 2009.
11. M. Dalton, C. Kozyrakis, and N. Zeldovich. Nemesis: Preventing Authentication & Access Control Vulnerabilities in Web Applications. In USENIX Security, 2009.
12. Dorothy E. Denning. A Lattice Model of Secure Information Flow. Communications of the ACM, 19(5), 1976.
13. U. Erlingsson, B. Livshits, and Y. Xie. End-to-end web application security. In HOTOS, 2007.
14. Cédric Fournet, Andrew D. Gordon, and Sergio Maffeis. A type discipline for authorization in distributed systems. In CSF, 2007.
15. P. Godefroid, N. Klarlund, and K. Sen. DART: Directed automated random testing. In PLDI, 2005.
16. Arjun Guha, Shriram Krishnamurthi, and Trevor Jim. Using static analysis for Ajax intrusion detection. In WWW, 2009.
17. M. Johns. SessionSafe: Implementing XSS immune session handling. ESORICS, 2006.
18. N. Jovanovic, C. Kruegel, and E. Kirda. Pixy: A static analysis tool for detecting web application vulnerabilities. In S&P, 2006.
19. James C. King. Symbolic execution and program testing. Commun. ACM, 19(7), 1976.
20. S. Maffeis, J.C. Mitchell, and A. Taly. Object capabilities and isolation of untrusted web applications. In S&P, 2010.
21. J. Magazinius, A. Askarov, and A. Sabelfeld. A Lattice-based Approach to Mashup Security. In ASIACCS, 2010.
22. Z. Mao, N. Li, and I. Molloy. Defeating Cross-Site Request Forgery Attacks with Browser-Enforced Authenticity Protection. Financial Cryptography and Data Security, 2009.
23. M. Martin, B. Livshits, and M.S. Lam. Finding application errors and security flaws using PQL: a program query language. In OOPSLA, 2005.
24. J. McCarthy. Towards a mathematical science of computation. Information Processing, 62, 1962.
25. G. Naumovich and P. Centonze. Static analysis of role-based access control in J2EE applications. ACM SIGSOFT Software Engineering Notes, 29(5), 2004.
26. OWASP. The ten most critical web application risks, 2010. http://www.owasp.org/images/0/0f/OWASP-T10---2010-rc1.pdf.
27. Sam Ruby, Dave Thomas, and David Heinemeier Hansson. Agile Web Development with Rails. The Pragmatic Bookshelf, 2009.
28. P. Saxena, D. Akhawe, S. Hanna, F. Mao, S. McCamant, and D. Song. A Symbolic Execution Framework for JavaScript, 2010. Technical Report UCB/EECS-2010-26, EECS Department, University of California, Berkeley.
29. SRI. Yices: An SMT solver. http://yices.csl.sri.com/.
30. Zhendong Su and Gary Wassermann. The essence of command injection attacks in web applications. In POPL, 2006.
31. Omer Tripp, Marco Pistoia, Stephen J. Fink, Manu Sridharan, and Omri Weisman. TAJ: Effective taint analysis for Java. In PLDI, 2009.
32. K. Vikram, A. Prateek, and B. Livshits. Ripley: automatically securing web 2.0 applications through replicated execution. In CCS, 2009.
33. P. Vogt, F. Nentwich, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna. Cross-site scripting prevention with dynamic data tainting and static analysis. In NDSS, 2007.
34. Gary Wassermann and Zhendong Su. Sound and precise analysis of web applications for injection vulnerabilities. In PLDI, 2007.
35. Web Application Security Consortium. Web application security statistics, 2008. http://projects.webappsec.org/Web-Application-Security-Statistics.
36. Heiko Webers. Ruby on rails security, v2. OWASP report: http://www.owasp.org/images/2/26/Owasp-rails-security.pdf.
37. Y. Xie and A. Aiken. Static detection of security vulnerabilities in scripting languages. In USENIX Security, 2006.
38. Dachuan Yu, Ajay Chander, Nayeem Islam, and Igor Serikov. Javascript instrumentation for browser security. In POPL, 2007.