Towards fully automatic placement of security sanitizers and declassifiers

ACM SIGPLAN Notices

Volumn 48, Issue 1, 2013, Pages 385-398

  Livshits, Benjamin ^a   Chong, Stephen ^b  

^a MICROSOFT RESEARCH   (United States)

^b HARVARD UNIVERSITY   (United States)

Author keywords

Security analysis; Vulnerability prevention

Indexed keywords

AUTOMATIC PLACEMENT; AUTOMATIC TECHNIQUE; LARGE-SCALE APPLICATIONS; RUNTIME MONITORING; SECURITY ANALYSIS; SECURITY VULNERABILITIES; TRACKING TECHNIQUES; VULNERABILITY PREVENTION;

COMPUTER PROGRAMMING; COMPUTER SCIENCE;

STATIC ANALYSIS;

EID: 84877914008     PISSN: 15232867     EISSN: None     Source Type: Journal    
DOI: 10.1145/2480359.2429115     Document Type: Conference Paper

References (48)

1. A. V. Aho, M. Lam, R. Sethi, and J. D. Ullman. Compilers: Principles, Techniques, and Tools. Addison-Wesley, 2007.
2. D. Avots, M. Dalton, B. Livshits, and M. S. Lam. Improving software security with a C pointer analysis. In Proceedings of the International Conference on Software Engineering, May 2005.
3. D. Balzarotti, M. Cova, V. Felmetsger, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna. Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications. In Proceedings of the IEEE Symposium on Security and Privacy, May 2008.
4. D. Bates, A. Barth, and C. Jackson. Regular expressions considered harmful in client-side XSS filters. In Proceedings of the International World Wide Web Conference, 2010.
5. P. Briggs and K. D. Cooper. Effective partial redundancy elimination. In Proceedings of the Conference on Programming Language Design and Implementation, 1994.
6. B. Chess and J. West. Dynamic taint propagation: Finding vulnerabilities without attacking. Information Security Technical Reports, 13, January 2008.
7. E. Chin and D. Wagner. Efficient character-level taint tracking for Java. In Proceedings of the Workshop on Secure Web Services, 2009.
8. S. Chong, K. Vikram, and A. C. Myers. Sif: enforcing confidentiality and integrity in Web applications. In Proceedings of Usenix Security Symposium, 2007.
9. M. Egele, C. Kruegel, E. Kirda, and G. Vigna. PiOS: Detecting privacy leaks in iOS applications. In Proceedings of the Annual Network and Distributed System Security Symposium, Feb. 2011.
10. W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. Mc-Daniel, and A. N. Sheth. TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. In Proceedings of the Usenix Conference on Operating Systems Design and Implementation, 2010.
11. V. Haldar, D. Chandra, and M. Franz. Dynamic taint propagation for Java. In Proceedings of the Annual Computer Security Applications Conference, Dec. 2005.
12. C. Hammer and G. Snelting. Flow-sensitive, context-sensitive, and object-sensitive information flow control based on program dependence graphs. International Journal of Information Security, 8(6):399-422, Dec. 2009.
13. C. Hammer, J. Krinke, and F. Nodes. Intransitive noninterference in dependence graphs. In 2nd International Symposium on Leveraging Application of Formal Methods, Verification and Validation, Nov. 2006.
14. C. Hammer, J. Krinke, and G. Snelting. Information flow control for java based on path conditions in dependence graphs. In IEEE International Symposium on Secure Software Engineering, Mar. 2006.
15. P. Hooimeijer, B. Livshits, D. Molnar, P. Saxena, and M. Veanes. Fast and precise sanitizer analysis with BEK. In Proceedings of the Usenix Security Symposium, Aug. 2011.
16. A. L. Hosking, N. Nystrom, D. Whitlock, Q. Cutts, and A. Diwan. Partial redundancy elimination for access path expressions. Software Practice and Experience, 31, May 2001.
17. Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D.-T. Lee, and S.-Y. Kuo. Securing Web application code by static analysis and runtime protection. In Proceedings of the International Conference on World Wide Web, 2004.
18. N. Jovanovic, C. Kruegel, and E. Kirda. Pixy: A static analysis tool for detecting Web application vulnerabilities (short paper). In Proceedings of the IEEE Symposium on Security and Privacy, 2006.
19. D. King, S. Jha, D. Muthukumaran, T. Jaeger, S. Jha, and S. A. Seshia. Automating security mediation placement. In Proceedings of the European Symposium on Programming, 2010.
20. J. Knoop, O. Rüthing, and B. Steffen. Lazy code motion. SIGPLAN Notes, 39:460-472, April 2004.
21. T. Kremenek, P. Twohey, G. Back, A. Y. Ng, and D. R. Engler. From uncertainty to belief: Inferring the specification within. In Symposium on Operating Systems Design and Implementation, Nov. 2006.
22. B. Livshits and M. S. Lam. Finding security errors in Java programs with static analysis. In Proceedings of the Usenix Security Symposium, 2005.
23. B. Livshits, A. V. Nori, S. K. Rajamani, and A. Banerjee. Merlin: Specification inference for explicit information flow problems. In Proceedings of the Conference on Programming Language Design and Implementation, June 2009.
24. M. Martin, B. Livshits, and M. S. Lam. Finding application errors and security flaws using PQL: a program query language. In Proceedings of the Conference on Object Oriented Programming Systems Languages and Applications, pages 365-383, 2005.
25. M. Martin, B. Livshits, and M. S. Lam. SecuriFly: runtime vulnerability protection for Web applications. Technical report, Stanford University, 2006.
26. Microsoft Corporation. Microsoft Code Analysis Tool .NET (CAT.NET). http://www.microsoft.com/en-us/download/details.aspx?id=19968, 3 2009.
27. Microsoft Corporation. Microsoft web protection library. http://wpl.codeplex.com/, 2012.
28. N. Mitchell, G. Sevitsky, and H. Srinivasan. The diary of a datum: an approach to modeling runtime complexity in framework-based applications. In Proceedings of the European Conference on Object-Oriented Programming, Systems, Languages, and Applications, 2005.
29. A. Nguyen-Tuong, S. Guarnieri, D. Greene, J. Shirley, and D. Evans. Automatically hardening Web applications using precise tainting. In Proceedings of the IFIP International Information Security Conference, 2005.
30. OWASP. OWASP-Java-HTML-sanitizer. http://code.google.com/p/owasp-java- html-sanitizer/, 2011.
31. T. Pietraszek and C. V. Berghe. Defending against injection attacks through context-sensitive string evaluation. In Proceedings of the Recent Advances in Intrusion Detection, Sept. 2005.
32. W. Robertson and G. Vigna. Static enforcement of web application integrity through strong typing. In Proceedings of the Usenix Security Symposium, 2009.
33. W. Robertson and G. Vigna. Static enforcement of web application integrity through strong typing. In Proceedings of the Usenix Security Symposium, Aug. 2009.
34. RSnake. XSS cheat sheet for filter evasion. http://ha.ckers.org/xss.html.
35. O. Rüthing, J. Knoop, and B. Steffen. Sparse code motion. In Proceedings of the Symposium on Principles of Programming Languages, 2000.
36. A. Sabelfeld and A. C. Myers. Language-based information-flow security. IEEE Journal on Selected Areas in Communications, 21(1):5-19, Jan. 2003.
37. A. Sabelfeld and D. Sands. Dimensions and principles of declas-sification. In Proceedings of the 18th IEEE Computer Security Foundations Workshop, pages 255-269. IEEE Computer Society, June 2005.
38. M. Samuel, P. Saxena, and D. Song. Context-sensitive auto-sanitization in web templating languages using type qualifiers. In Proceedings of the Conference on Computer and Communications Security, Oct. 2011.
39. P. Saxena, D. Molnar, and B. Livshits. ScriptGard: Automatic context-sensitive sanitization for large-scale legacy web applications. In Proceedings of the Conference on Computer and Communications Security, Oct. 2011.
40. B. Scholz, C. Zhang, and C. Cifuentes. User-input dependence analysis via graph reachability. Technical Report 2008-171, Sun Microsystems Labs, 2008.
41. V. Srivastava, M. D. Bond, K. S. McKinley, and V. Shmatikov. A security policy oracle: detecting security holes using multiple API implementations. In Proceedings of the Conference on Programming Language Design and Implementation, 2011.
42. Z. Su and G. Wassermann. The essence of command injection attacks in Web applications. In Proceedings of the Symposium on Principles of Programming Languages, 2006.
43. O. Tripp, M. Pistoia, S. J. Fink, M. Sridharan, and O. Weisman. TAJ: effective taint analysis of web applications. In Proceedings of the Conference on Programming Language Design and Implementation, 2009.
44. J. Vaughan and S. Chong. Inference of expressive declassification policies. In Proceedings of IEEE Symposium on Security and Privacy, May 2011.
45. M. Veanes, P. Hooimeijer, B. Livshits, D. Molnar, and N. Bjorner. Symbolic finite state transducers: Algorithms and applications. In Proceedings of the Sympolisium on Principles of Programming Languages, Jan. 2012.
46. J. Weinberger, P. Saxena, D. Akhawe, M. Finifter, R. Shin, and D. Song. A systematic analysis of XSS sanitization in web application frameworks. In Proceedings of the European Symposium on Research in Computer Security, Sept. 2011.
47. Y. Xie and A. Aiken. Static detection of security vulnerabilities in scripting languages. In Proceedings of the Usenix Security Symposium, 2006.
48. E. Z. Yang. HTML purifier. http://code.google.com/p/owasp-java-html- sanitizer/, 2011.