DOI: 10.1145/2351676.2351691
Article

Supporting automated vulnerability analysis using formalized vulnerability signatures

Published: 03 September 2012

ABSTRACT

Adopting publicly accessible platforms such as the cloud computing model to host IT systems has become a leading trend. Although this helps to minimize cost and increase availability and reachability of applications, it has serious implications for applications' security. Hackers can easily exploit vulnerabilities in such publicly accessible services. In addition, 75% of the total reported application vulnerabilities are web application specific. Identifying such known vulnerabilities as well as newly discovered vulnerabilities is a key and challenging security requirement. However, existing vulnerability analysis tools cover no more than 47% of the known vulnerabilities. We introduce a new solution that supports automated vulnerability analysis using formalized vulnerability signatures. Instead of depending on formal methods to locate vulnerability instances, where analyzers have to be developed to locate specific vulnerabilities, our approach incorporates a formal vulnerability signature described using OCL. Using this formal signature, we perform program analysis of the target system to locate signature matches (i.e. signs of possible vulnerabilities). A newly discovered vulnerability can be easily identified in a target program provided that a formal signature for it exists. We have developed a prototype static vulnerability analysis tool based on our formalized vulnerability signatures specification approach. We have validated our approach in capturing signatures of the OWASP Top10 vulnerabilities and applied these signatures in analyzing a set of seven benchmark applications.
