DOI: 10.1145/2048066.2048146
Research article

RoleCast: finding missing security checks when you do not know what checks are

Published: 22 October 2011

Abstract

Web applications written in languages such as PHP and JSP are notoriously vulnerable to accidentally omitted authorization checks and other security bugs. Existing techniques that find missing security checks in library and system code assume that (1) security checks can be recognized syntactically and (2) the same pattern of checks applies universally to all programs. These assumptions do not hold for Web applications. Each Web application uses different variables and logic to check the user's permissions. Even within a single application, security logic varies with the user's role, e.g., regular users versus administrators. This paper describes ROLECAST, the first system capable of statically identifying the security logic that mediates security-sensitive events (such as database writes) in Web applications, rather than taking a specification of this logic as input. We observe a consistent software engineering pattern: the code that implements the functionality of a distinct user role, together with its security logic, resides in distinct methods and files. We develop a novel algorithm for discovering this pattern in Web applications. Our algorithm partitions the set of file contexts (a coarsening of calling contexts) on which security-sensitive events are control dependent into roles. Roles are based on common functionality and security logic. ROLECAST identifies security-critical variables and applies role-specific variable consistency analysis to find missing security checks. ROLECAST discovered 13 previously unreported, remotely exploitable vulnerabilities in 11 substantial PHP and JSP applications, with only 3 false positives.
This paper demonstrates that (1) accurate inference of application- and role-specific security logic improves the security of Web applications without specifications, and (2) static analysis can discover security logic automatically by exploiting distinctive software engineering features.
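The abstract describes the analysis in three steps: enumerate the file contexts on which a sensitive event is control dependent, partition those contexts into roles, and then check that the security-critical variables of each role are tested consistently in every context of that role. The following Python script is an added, deliberately simplified illustration of that idea written for this page; it is not the RoleCast implementation and does not analyse PHP or JSP. It assumes a toy application model (a dictionary of files, the files they include, the session variables they check, and whether they perform a database write, all constructed here), approximates control dependence by the checks accumulated along an include chain, uses the entry file's directory as the role-partitioning heuristic, and treats a variable as security-critical for a role when more than a configurable fraction of the role's contexts check it.

```python
from collections import defaultdict

# Constructed toy application (not from the paper). Each file lists the files
# it includes, the session variables it checks before continuing (a failed
# check aborts the request, so everything reached afterwards is control
# dependent on it), and whether it performs a security-sensitive event such
# as a database write. admin/export.php deliberately omits the admin check.
APP = {
    "admin/index.php":  {"includes": ["lib/db.php"], "checks": {"$_SESSION['is_admin']"}, "sensitive": False},
    "admin/delete.php": {"includes": ["lib/db.php"], "checks": {"$_SESSION['is_admin']"}, "sensitive": False},
    "admin/export.php": {"includes": ["lib/db.php"], "checks": set(), "sensitive": False},
    "user/profile.php": {"includes": ["lib/db.php"], "checks": {"$_SESSION['uid']"}, "sensitive": False},
    "user/post.php":    {"includes": ["lib/db.php"], "checks": {"$_SESSION['uid']"}, "sensitive": False},
    "lib/db.php":       {"includes": [], "checks": set(), "sensitive": True},
}


def entry_files(app):
    """Files that nobody includes are request entry points (top of every file context)."""
    included = {f for info in app.values() for f in info["includes"]}
    return sorted(f for f in app if f not in included)


def file_contexts(app):
    """Enumerate file contexts: include chains from an entry file to a file that
    performs a sensitive event, with the checks accumulated along the chain.
    Returns a list of (path_tuple, frozenset_of_checked_variables)."""
    contexts = []

    def walk(file, path, checks):
        path = path + (file,)
        checks = checks | app[file]["checks"]
        if app[file]["sensitive"]:
            contexts.append((path, frozenset(checks)))
        for callee in app[file]["includes"]:
            if callee not in path:  # guard against include cycles
                walk(callee, path, checks)

    for entry in entry_files(app):
        walk(entry, (), set())
    return contexts


def role_of(context):
    """Role heuristic (an assumption of this example, not the paper's algorithm):
    the entry file's directory stands in for the 'distinct files per role' pattern."""
    entry = context[0][0]
    return entry.rsplit("/", 1)[0] if "/" in entry else ""


def find_missing_checks(app, threshold=0.5):
    """Per role, a variable is security-critical if more than `threshold` of the
    role's contexts check it. Contexts that reach a sensitive event without
    checking a critical variable are reported as (role, path, missing_vars)."""
    by_role = defaultdict(list)
    for ctx in file_contexts(app):
        by_role[role_of(ctx)].append(ctx)

    findings = []
    for role, contexts in by_role.items():
        counts = defaultdict(int)
        for _, checks in contexts:
            for var in checks:
                counts[var] += 1
        critical = {v for v, n in counts.items() if n / len(contexts) > threshold}
        for path, checks in contexts:
            missing = frozenset(critical - checks)
            if missing:
                findings.append((role, path, missing))
    return sorted(findings)


if __name__ == "__main__":
    for role, path, missing in find_missing_checks(APP):
        print(f"[{role}] {' -> '.join(path)} lacks a check on {', '.join(sorted(missing))}")
```

Run on the constructed application, the script reports only the admin/export.php context, because the other two admin contexts check the administrator flag while the user-role contexts consistently check a different variable and therefore do not vote on it. The threshold is what trades recall against false positives: a role whose contexts disagree evenly about a variable produces no finding, which is the kind of tuning a real tool must do to keep the false-positive count low.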


Published In

OOPSLA '11: Proceedings of the 2011 ACM international conference on Object oriented programming systems languages and applications
October 2011
1104 pages
ISBN:9781450309400
DOI:10.1145/2048066
Also published in ACM SIGPLAN Notices, Volume 46, Issue 10 (OOPSLA '11), October 2011, 1063 pages. ISSN:0362-1340, EISSN:1558-1160, DOI:10.1145/2076021

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. JSP
  2. PHP
  3. access control
  4. interprocedural analysis
  5. security
  6. security checks
  7. static analysis
  8. user roles

Qualifiers

  • Research-article

Conference

SPLASH '11

Acceptance Rates

Overall Acceptance Rate 268 of 1,244 submissions, 22%

Article Metrics

  • Downloads (Last 12 months)46
  • Downloads (Last 6 weeks)3
Reflects downloads up to 17 Feb 2025

Cited By

  • (2024) Cut to the Chase: An Error-Oriented Approach to Detect Error-Handling Bugs. Proceedings of the ACM on Software Engineering, 1(FSE), 1796-1818. DOI: 10.1145/3660787. Online publication date: 12 Jul 2024.
  • (2024) Vulnerability detection in Java source code using a quantum convolutional neural network with self-attentive pooling, deep sequence, and graph-based hybrid feature extraction. Scientific Reports, 14(1). DOI: 10.1038/s41598-024-56871-z. Online publication date: 28 Mar 2024.
  • (2023) SysXCHG: Refining Privilege with Adaptive System Call Filters. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, 1964-1978. DOI: 10.1145/3576915.3623137. Online publication date: 15 Nov 2023.
  • (2023) DetAC: Approach to Detect Access Control Vulnerability in Web Application Based on Sitemap Model with Global Information Representation. International Journal of Software Engineering and Knowledge Engineering, 33(09), 1327-1354. DOI: 10.1142/S0218194023500298. Online publication date: 31 Aug 2023.
  • (2023) ErrHunter: Detecting Error-Handling Bugs in the Linux Kernel Through Systematic Static Analysis. IEEE Transactions on Software Engineering, 49(2), 684-698. DOI: 10.1109/TSE.2022.3160155. Online publication date: 1 Feb 2023.
  • (2023) A security vulnerability predictor based on source code metrics. Journal of Computer Virology and Hacking Techniques, 19(4), 615-633. DOI: 10.1007/s11416-023-00469-y. Online publication date: 17 Feb 2023.
  • (2022) Detecting Missing-Permission-Check Vulnerabilities in Distributed Cloud Systems. Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, 2145-2158. DOI: 10.1145/3548606.3560589. Online publication date: 7 Nov 2022.
  • (2021) ACHyb: a hybrid analysis approach to detect kernel access control vulnerabilities. Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, 316-327. DOI: 10.1145/3468264.3468627. Online publication date: 20 Aug 2021.
  • (2021) Bran: Reduce Vulnerability Search Space in Large Open Source Repositories by Learning Bug Symptoms. Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security, 731-743. DOI: 10.1145/3433210.3453115. Online publication date: 24 May 2021.
  • (2021) RBAC protection-impacting changes identification. Information and Software Technology, 139(C). DOI: 10.1016/j.infsof.2021.106630. Online publication date: 23 Aug 2021.
