
Type-Based Enforcement of Secure Programming Guidelines — Code Injection Prevention at SAP

Conference paper, in: Formal Aspects of Security and Trust (FAST 2011)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 7140)

Abstract

Code injection and cross-site scripting are among the most common security vulnerabilities in modern software, and they are usually caused by incorrect string processing. These vulnerabilities are often addressed by formulating programming guidelines or “best practices”.

In this paper, we study the concrete example of a guideline used at SAP for the handling of untrusted, potentially executable strings that are embedded in the output of a Java servlet. To verify adherence to the guideline, we present a type system for a Java-like language that is extended with refined string types, output effects, and polymorphic method types.

The practical suitability of the system is demonstrated by an implementation of a corresponding string type verifier and context-sensitive inference for real Java programs.



Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

Cite this paper

Grabowski, R., Hofmann, M., Li, K. (2012). Type-Based Enforcement of Secure Programming Guidelines — Code Injection Prevention at SAP. In: Barthe, G., Datta, A., Etalle, S. (eds) Formal Aspects of Security and Trust. FAST 2011. Lecture Notes in Computer Science, vol 7140. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-29420-4_12

  • DOI: https://doi.org/10.1007/978-3-642-29420-4_12

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-29419-8

  • Online ISBN: 978-3-642-29420-4