Efficient patch-based auditing for web application vulnerabilities

Proceedings of the 10th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2012

Volumn , Issue , 2012, Pages 193-206

  Kim, Taesoo ^a   Chandra, Ramesh ^a   Zeldovich, Nickolai ^a  

^a MASSACHUSETTS INSTITUTE OF TECHNOLOGY   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

COMPUTER SOFTWARE;

CONTROL FLOWS; INTERMEDIATE RESULTS; MEMOIZATION; NORMAL OPERATIONS; PATCH BASED; SECURITY VULNERABILITIES; WEB APPLICATION; WEB APPLICATION VULNERABILITY;

SYSTEMS ANALYSIS;

EID: 85076887884     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (33)

1. Wikimedia labs database dump. http://dumps.wikimedia.org/en_labswikimedia/20111228/, December 2011.
2. U. Acar, A. Ahmed, and M. Blume. Imperative self-adjusting computation. In Proceedings of the 35th ACM Symposium on Principles of Programming Languages, San Francisco, CA, January 2008.
3. H. Agrawal and J. R. Horgan. Dynamic program slicing. In Proceedings of the ACM SIGPLAN 1990 Conference on Programming Language Design and Implementation, pages 246-256, 1990.
4. H. Agrawal, J. R. Horgan, E. W. Krauser, and S. A. London. Incremental regression testing. In Proceedings of the IEEE Conference on Software Maintenance, September 1993.
5. F. E. Allen. Control flow analysis. In Proceedings of the Symposium on Compiler Optimization, 1970.
6. S. Biswas, R. Mall, M. Satpathy, and S. Sukumaran. Regression test selection techniques: A survey. Informatica, 35(3):289-321, October 2011.
7. A. B. Brown and D. A. Patterson. Undo for operators: Building an undoable e-mail store. In Proceedings of the 2003 USENIX Annual Technical Conference, pages 1-14, San Antonio, TX, June 2003.
8. C. Cadar, V. Ganesh, P. M. Pawlowski, D. L. Dill, and D. R. Engler. EXE: Automatically generating inputs of death. In Proceedings of the 13th ACM Conference on Computer and Communications Security, 2006.
9. R. Chandra, T. Kim, M. Shah, N. Narula, and N. Zeldovich. Intrusion recovery for database-backed web applications. In Proceedings of the 23rd ACM Symposium on Operating Systems Principles (SOSP), pages 101-114, Cascais, Portugal, October 2011.
10. M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham. Vigilante: End-to-end containment of internet worms. In Proceedings of the 20th ACM Symposium on Operating Systems Principles (SOSP), Brighton, UK, October 2005.
11. G. W. Dunlap, S. T. King, S. Cinar, M. Basrai, and P. M. Chen. Re-Virt: Enabling intrusion analysis through virtual-machine logging and replay. In Proceedings of the 5th Symposium on Operating Systems Design and Implementation (OSDI), pages 211-224, Boston, MA, December 2002.
12. W. Enck, P. Gilbert, B. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth. TaintDroid: An information-flow tracking system for realtime privacy monitoring on smartphones. In Proceedings of the 9th Symposium on Operating Systems Design and Implementation (OSDI), Vancouver, Canada, October 2010.
13. Github. SSH key audit. https://github.com/settings/ssh/ audit, 2012.
14. A. Goel, K. Po, K. Farhadi, Z. Li, and E. D. Lara. The Taser intrusion recovery system. In Proceedings of the 20th ACM Symposium on Operating Systems Principles (SOSP), pages 163-176, Brighton, UK, October 2005.
15. P. J. Guo and D. Engler. Using automatic persistent memoization to facilitate data analysis scripting. In Proceedings of the 2011 International Symposium on Software Testing and Analysis, July 2011.
16. F. Hsu, H. Chen, T. Ristenpart, J. Li, and Z. Su. Back to the future: A framework for automatic malware removal and system repair. In 22nd Annual Computer Security Applications Conference (AC-SAC), pages 257-268, December 2006.
17. A. Joshi, S. King, G. Dunlap, and P. Chen. Detecting past and present intrusions through vulnerability-specific predicates. In Proceedings of the 20th ACM Symposium on Operating Systems Principles (SOSP), pages 91-104, Brighton, UK, October 2005.
18. S. A. Khalek and S. Khurshid. Efficiently running test suites using abstract undo operations. IEEE International Symposium on Software Reliability Engineering, pages 110-119, 2011.
19. T. Kim, X. Wang, N. Zeldovich, and M. F. Kaashoek. Intrusion recovery using selective re-execution. In Proceedings of the 9th Symposium on Operating Systems Design and Implementation (OSDI), pages 89-104, Vancouver, Canada, October 2010.
20. S. T. King and P. M. Chen. Backtracking intrusions. ACM Transactions on Computer Systems, 23(1):51-76, February 2005.
21. E. Kohler. Hot crap! In Proceedings of the Workshop on Organizing Workshops, Conferences, and Symposia for Computer Systems, San Francisco, CA, April 2008.
22. E. Kohler. Correct humiliating information flow exposure of comments. http://www.read.cs.ucla.edu/gitweb?p=hotcrp;a=commit;h= f30eb4e52e91ab230944eebe8f31bf61e9783d3a, March 2012.
23. M. Maurer and D. Brumley. TACHYON: Tandem execution for efficient live patch testing. In Proceedings of the 21st Usenix Security Symposium, Bellevue, WA, August 2012.
24. MediaWiki. MediaWiki. http://www.mediawiki.org, 2012.
25. J. Newsome and D. X. Song. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In Proceedings of the Network and Distributed System Security Symposium (NDSS), 2005.
26. S. Park, Y. Zhou, W. Xiong, Z. Yin, R. Kaushik, K. H. Lee, and S. Lu. PRES: probabilistic replay with execution sketching on multiprocessors. In Proceedings of the 22nd ACM Symposium on Operating Systems Principles (SOSP), Big Sky, MT, October 2009.
27. T. Preston-Werner. Public key security vulnerability and mitigation. https://github.com/blog/1068, March 2012.
28. D. Rethans. Vulcan logic dumper. http://derickrethans.nl/vld.php, 2009.
29. The Open Web Application Security Project. OWASP top 10. http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf, 2010.
30. J. Tucek, W. Xiong, and Y. Zhou. Efficient online validation with delta execution. In Proceedings of the 14th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS), Washington, DC, March 2009.
31. G. Urdaneta, G. Pierre, and M. van Steen. Wikipedia workload analysis for decentralized hosting. Computer Networks, 53(11): 1830-1845, 2009.
32. A. Vahdat and T. Anderson. Transparent result caching. In Proceedings of the 1998 USENIX Annual Technical Conference, New Orleans, LA, June 1998.
33. X. Wang, N. Zeldovich, and M. F. Kaashoek. Retroactive auditing. In Proceedings of the 2nd Asia-Pacific Workshop on Systems, Shanghai, China, July 2011. 5 pages.