Finding security vulnerabilities in Java applications with static analysis

14th USENIX Security Symposium

Volumn , Issue , 2005, Pages 271-286

  Benjamin Livshits, V ^a   Lam, Monica S ^a  

^a Stanford University   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

BENCHMARKING; HTTP; JAVA PROGRAMMING LANGUAGE; OPEN SOURCE SOFTWARE; SECURITY OF DATA; SPECIFICATIONS;

ANALYSIS APPROACH; ANALYSIS TECHNIQUES; CROSS SITE SCRIPTING; JAVA APPLICATIONS; OPEN SOURCE APPLICATION; POINTS-TO ANALYSIS; SECURITY VULNERABILITIES; STATIC ANALYZERS;

STATIC ANALYSIS;

EID: 84923564816     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (56)

1. C. Anley. Advanced SQL injection in SQL Server applications. http://www.nextgenss.com/papers/advanced_sql_injection.pdf, 2002.
2. C. Anley. (more) advanced SQL injection. http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf, 2002.
3. B. Arkin, S. Stender, and G. McGraw. Software penetration testing. IEEE Security and Privacy, 3(1):84–87, 2005.
4. K. Beaver. Achieving Sarbanes-Oxley compliance for Web applications through security testing. http://www.spidynamics.com/support/whitepapers/WI_SOXwhitepaper.pdf, 2003.
5. B. Buege, R. Layman, and A. Taylor. Hacking Exposed: J2EE and Java: Developing Secure Applications with Java Technology. McGraw-Hill/Osborne, 2002.
6. W. R. Bush, J. D. Pincus, and D. J. Sielaff. A static analyzer for finding dynamic programming errors. Software - Practice and Experience (SPE), 30:775–802, 2000.
7. CGI Security. The cross-site scripting FAQ. http://www.cgisecurity.net/articles/xss- faq.shtml.
8. B. Chess and G. McGraw. Static analysis for security. IEEE Security and Privacy, 2(6):76–79, 2004.
9. Chinotec Technologies. Paros—a tool for Web application security assessment. http://www.parosproxy.org, 2004.
10. Computer Security Institute. Computer crime and security survey. http://www.gocsi.com/press/20020407.jhtml?_requestid=195148, 2002.
11. S. Cook. A Web developers guide to cross-site scripting. http://www.giac.org/practical/GSEC/Steve_Cook_GSEC.pdf, 2003.
12. C. Cowan, C. Pu, D. Maier, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, Q. Zhang, and H. Hinton. StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacks. In Proceedings of the 7th USENIX Security Conference, pages 63–78, January 1998.
13. J. D’Anjou, S. Fairbrother, D. Kehn, J. Kellerman, and P. McCarthy. Java Developer’s Guide to Eclipse. Addison-Wesley Professional, 2004.
14. S. Friedl. SQL injection attacks by example. http://www.unixwiz.net/techtips/sql-injection.html, 2004.
15. D. Geer and J. Harthorne. Penetration testing: A duet. http://www.acsac.org/2002/papers/geer.pdf, 2002.
16. Gentoo Linux Security Advisory. SnipSnap: HTTP response splitting. http://www.gentoo.org/security/en/glsa/glsa-200409-23.xml, 2004.
17. C. Gould, Z. Su, and P. Devanbu. Static checking of dynamically generated queries in database applications. In Proceedings of the 26th International Conference on Software Engineering, pages 645–654, 2004.
18. J. Grossman. Cross-site tracing (XST): The new techniques and emerging threats to bypass current Web security measures using TRACE and XSS. http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf, 2003.
19. J. Grossman. WASC activities and U.S. Web application security trends. http://www.whitehatsec.com/presentations/ WASC_WASF_1.02.pdf, 2004.
20. S. Hallem, B. Chelf, Y. Xie, and D. Engler. A system and language for building system-specific, static analyses. In Proceedings of the ACM SIG-PLAN 2002 Conference on Programming language Design and Implementation, pages 69–82, 2002.
21. M. Howard and D. LeBlanc. Writing Secure Code. Microsoft Press, 2001.
22. D. Hu. Preventing cross-site scripting vulnerability. http://www.giac.org/practical/GSEC/Deyu_Hu_GSEC.pdf, 2004.
23. Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D.-T. Lee, and S.-Y. Kuo. Securing Web application code by static analysis and runtime protection. In Proceedings of the 13th conference on World Wide Web, pages 40–52, 2004.
24. G. Hulme. New software may improve application security. http://www.informationweek.com/story/IWK20010209S0003, 2001.
25. Imperva, Inc. SuperVeda penetration test. http://www.imperva.com/download.asp?id=3.
26. R. Johnson and D. Wagner. Finding user/kernel pointer bugs with type inference. In Proceedings of the 2004 Usenix Security Conference, pages 119–134, 2004.
27. A. Klein. Hacking Web applications using cookie poisoning. http://www.cgisecurity.com/lib/CookiePoisoningByline.pdf, 2002.
28. A. Klein. Divide and conquer: HTTP response splitting, Web cache poisoning attacks, and related topics. http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf, 2004.
29. S. Kost. An introduction to SQL injection attacks for Oracle developers. http://www.net-security.org/dl/articles/IntegrigyIntrotoSQLInjectionAttacks.pdf, 2004.
30. M. Krax. Mozilla foundation security advisory 2005-38. http://www.mozilla.org/security/announce/mfsa2005-38.html, 2005.
31. D. Litchfield. Oracle multiple PL/SQL injection vulnerabilities. http://www.securityfocus.com/archive/1/385333/2004-12-20/2004-12-26/0, 2003.
32. D. Litchfield. SQL Server Security. McGraw-Hill Osborne Media, 2003.
33. V. B. Livshits and M. S. Lam. Tracking pointers with path and context sensitivity for bug detection in C programs. In Proceedings of the ACM SIGSOFT Symposium on the Foundations of Software Engineering, pages 317–326, Sept. 2003.
34. V. B. Livshits and M. S. Lam. Detecting security vulnerabilities in Java applications with static analysis. Technical report. Stanford University. http://suif.stanford.edu/∼livshits/papers/tr/webappsec_tr.pdf, 2005.
35. M. Martin, V. B. Livshits, and M. S. Lam. Finding application errors using PQL: a program query language (to be published). In Proceedings of the ACM Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA), Oct. 2005.
36. J. Melbourne and D. Jorm. Penetration testing for Web applications. http://www.securityfocus.com/infocus/1704, 2003.
37. J. S. Miller, S. Ragsdale, and J. Miller. The Common Language Infrastructure Annotated Standard. Addison-Wesley Professional, 2003.
38. A. C. Myers. JFlow: practical mostly-static information flow control. In Proceedings of the 26th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 228–241, Jan. 1999.
39. NetContinuum, Inc. The 21 primary classes of Web application threats. https://www.netcontinuum.com/securityCentral/TopThreatTypes/index.cfm, 2004.
40. Open Web Application Security Project. A guide to building secure Web applications. http://voxel.dl.sourceforge.net/sourceforge/owasp/OWASPGuideV1.1.pdf, 2004.
41. Open Web Application Security Project. The ten most critical Web application security vulnerabilities. http://umn.dl.sourceforge.net/sourceforge/owasp/OWASPTopTen2004.pdf, 2004.
42. Open Web Application Security Project. WebScarab. http://www.owasp.org/software/webscarab.html, 2004.
43. S. Sagiv, T. Reps, and R. Wilhelm. Parametric shape analysis via 3-valued logic. In Proceedings of the 26th ACM Symposium on Principles of Programming Languages, pages 105–118, Jan. 1999.
44. J. Scambray and M. Shema. Web Applications (Hacking Exposed). Addison-Wesley Professional, 2002.
45. U. Shankar, K. Talwar, J. S. Foster, and D. Wagner. Detecting format string vulnerabilities with type qualifiers. In Proceedings of the 2001 Usenix Security Conference, pages 201–220, Aug. 2001.
46. K. Spett. Cross-site scripting: are your Web applications vulnerable. http://www.spidynamics.com/support/whitepapers/SPIcross-sitescripting.pdf, 2002.
47. K. Spett. SQL injection: Are your Web applications vulnerable? http://downloads.securityfocus.com/library/SQLInjectionWhitePaper.pdf, 2002.
48. B. Steensgaard. Points-to analysis in almost linear time. In Proceedings of the 23th ACM Symposium on Principles of Programming Languages, pages 32–41, Jan. 1996.
49. M. Surf and A. Shulman. How safe is it out there? http://www.imperva.com/download.asp?id=23, 2004.
50. J. D. Ullman. Principles of Database and Knowledge-Base Systems. Computer Science Press, Rockville, Md., volume II edition, 1989.
51. D. Wagner, J. Foster, E. Brewer, and A. Aiken. A first step towards automated detection of buffer overrun vulnerabilities. In Proceedings of Network and Distributed Systems Security Symposium, pages 3–17, Feb. 2000.
52. L. Wall, T. Christiansen, and R. Schwartz. Programming Perl. O’Reilly and Associates, Sebastopol, CA, 1996.
53. G. Wassermann and Z. Su. An analysis framework for security in Web applications. In Proceedings of the Specification and Verification of Component-Based Systems Workshop, Oct. 2004.
54. WebCohort, Inc. Only 10% of Web applications are secured against common hacking techniques. http://www.imperva.com/company/news/2004-feb-02.html, 2004.
55. J. Whaley and M. S. Lam. Cloning-based context-sensitive pointer alias analysis using binary decision diagrams. In Proceedings of the ACM SIG-PLAN 2004 conference on Programming Language Design and Implementation, pages 131–144, June 2004.
56. J. Wilander and M. Kamkar. A comparison of publicly available tools for static intrusion prevention. In Proceedings of 7th Nordic Workshop on Secure IT Systems, Nov. 2002.