Static detection of access control vulnerabilities in web applications

Proceedings of the 20th USENIX Security Symposium

Volumn , Issue , 2011, Pages 155-170

  Sun, Fangqi ^a   Xu, Liang ^a   Su, Zhendong ^a  

^a UNIVERSITY OF CALIFORNIA   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

SPECIFICATIONS; STATIC ANALYSIS;

APPLICATION SPECIFIC; BASED SPECIFICATION; EVALUATION RESULTS; REAL WORLD WEB; RUNTIME ENFORCEMENTS; STATIC DETECTIONS; WEB APPLICATION; WRITING SPECIFICATIONS;

ACCESS CONTROL;

EID: 85076454876     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (32)

1. D. Balzarotti, M. Cova, V. V. Felmetsger, and G. Vigna. Multi-Module Vulnerability Analysis of Webbased Applications. In Proceedings of ACM Conference on Computer and Communications Security, pages 25-35, 2007.
2. D. Balzarotti, M. Cova, V. Felmetsger, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna. Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications. In Proceedings of IEEE Symposium on Security and Privacy, pages 387-401, 2008.
3. W. Chang, B. Streiff, and C. Lin. Efficient and Extensible Security Enforcement Using Dynamic Data Flow Analysis. In Proceedings of ACM Conference on Computer and Communications Security, pages 39-50, 2008.
4. S. Chen, J. Dunagan, C. Verbowski, and Y.-M.Wang. A Black-Box Tracing Technique to Identify Causes of Least-Privilege Incompatibilities. In Proceedings of Network and Distributed System Security Symposium, 2005.
5. S. Chong, K. Vikram, and A. C. Myers. SIF: Enforcing Confidentiality and Integrity in Web Applications. In Proceedings of the Conference on USENIX Security Symposium, 2007.
6. M. Cova, D. Balzarotti, V. Felmetsger, and G. Vigna. Swaddler: An Approach for the Anomaly-based Detection of State Violations in Web Applications. In Proceedings of the International Symposium on Recent Advances in Intrusion Detection, pages 63-86, 2007.
7. M. Dalton, C. Kozyrakis, and N. Zeldovich. Nemesis: Preventing Authentication and Access Control Vulnerabilities in Web Applications. In Proceedings of the USENIX Security Symposium, pages 267-282, 2009.
8. L. De Moura and N. Bjørner. Z3: An Efficient SMT Solver. In Proceedings of the International Conference on Tools and Algorithms for the Construction and Analysis of Systems, pages 337-340, 2008.
9. D. Engler, D. Y. Chen, S. Hallem, A. Chou, and B. Chelf. Bugs as Deviant Behavior: A General Approach to Inferring Errors in Systems Code. In Proceedings of the ACM Symposium on Operating Systems Principles, pages 57-72, 2001.
10. V. Felmetsger, L. Cavedon, C. Kruegel, and G. Vigna. Toward Automated Detection of Logic Vulnerabilities in Web Applications. In Proceedings of the USENIX Security Symposium, pages 143-160, 2010.
11. A. Guha, S. Krishnamurthi, and T. Jim. Using Static Analysis for Ajax Intrusion Detection. In Proceedings of the International Conference on World Wide Web, pages 561-570, 2009.
12. W. G. J. Halfond and A. Orso. Automated identification of parameter mismatches in web applications. In Proceedings of the Symposium on Foundations of software engineering, 2008.
13. S. Hallé, T. Ettema, C. Bunch, and T. Bultan. Eliminating Navigation Errors in Web Applications via Model Checking and Runtime Enforcement of Navigation State Machines. In Proceedings of the International Conference on Automated Software Engineering, pages 235-244, 2010.
14. N. Jovanovic, C. Kruegel, and E. Kirda. Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (short paper). In Proceedings of IEEE Symposium on Security and Privacy, pages 258-263, 2006.
15. A. Kiezun, V. Ganesh, P. J. Guo, P. Hooimeijer, and M. D. Ernst. HAMPI: A Solver for String Constraints. In Proceedings of the International Symposium on Software Testing and Analysis, 2009.
16. T. Kremenek, P. Twohey, G. Back, A. Ng, and D. Engler. From Uncertainty to Belief: Inferring the Specification Within. In Proceedings of the USENIX Symposium on Operating Systems Design and Implementation, pages 12-12, 2006.
17. A. Krishnamurthy, A. Mettler, and D. Wagner. Fine-Grained Privilege Separation for Web Applications. In Proceedings of the International Conference on World Wide Web, pages 551-560, 2010.
18. B. Livshits, A. V. Nori, S. K. Rajamani, and A. Banerjee. Merlin: Specification Inference for Explicit Information Flow Problems. In Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation, pages 75-86, 2009.
19. V. B. Livshits and M. S. Lam. Finding Security Vulnerabilities in Java Applications with Static Analysis. In Proceedings of the Conference on USENIX Security Symposium, pages 18-18, 2005.
20. D. Melski and T. Reps. Interconvertbility of Set Constraints and Context-Free Language Reachability. In Proceedings of the Symposium on Partial Evaluation and Semantics-Based Program Manipulation, 1997.
21. Y. Minamide. Static Approximation of Dynamically Generated Web Pages. In Proceedings of the International Conference on World Wide Web, pages 432-441, 2005.
22. A. Nguyen-tuong, S. Guarnieri, D. Greene, J. Shirley, and D. Evans. Automatically Hardening Web Applications Using Precise Tainting. In Proceedings of the IFIP International Information Security Conference, pages 372-382, 2005.
23. B. Parno, J. M. McCune, D. Wendlandt, D. G. Andersen, and A. Perrig. CLAMP: Practical Prevention of Large-Scale Data Leaks. In Proceedings of the IEEE Symposium on Security and Privacy, pages 154-169, 2009.
24. R. Sekar. An Efficient Black-box Technique for Defeating Web Application Attacks. In Proceedings of the Network and Distributed System Security Symposium, 2009.
25. Z. Su and G. Wassermann. The Essence of Command Injection Attacks in Web Applications. In Proceedings of the Annual Symposium on Principles of Programming Languages, pages 372-382, 2006.
26. L. Tan, X. Zhang, X. Ma, W. Xiong, and Y. Zhou. AutoISES: Automatically Inferring Security Specifications and Detecting Violations. In Proceedings of the USENIX Security Symposium, pages 379-394, 2008.
27. O. Tripp, M. Pistoia, S. J. Fink, M. Sridharan, and O. Weisman. TAJ: Effective Taint Analysis of Web Applications. In Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation, pages 87-97, 2009.
28. D. Wagner and D. Dean. Intrusion Detection via Static Analysis. In Proceedings of the IEEE Symposium on Security and Privacy, pages 156-168, 2001.
29. G.Wassermann and Z. Su. Sound and Precise Analysis ofWeb Applications for Injection Vulnerabilities. In Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation, pages 32-41, 2007.
30. G.Wassermann and Z. Su. Static Detection of Cross-Site Scripting Vulnerabilities. In Proceedings of International Conference on Software Engineering, pages 171-180, 2008.
31. Y. wen Huang, F. Yu, C. Hang, C. hung Tsai, D. T. Lee, and S. yen Kuo. Securing Web Application Code by Static Analysis and Runtime Protection. In Proceedings of the International Conference on World Wide Web, pages 40-52, 2004.
32. Y. Xie and A. Aiken. Static Detection of Security vulnerabilities in Scripting Languages. In Proceedings of the Conference on USENIX Security Symposium, 2006.