ABSTRACT
We present a code- and input-sensitive sanitization synthesis approach for repairing string vulnerabilities that are common in web applications. The synthesized sanitization patch modifies the user input in an optimal way while guaranteeing that the repaired web application is not vulnerable. Given a web application, an input pattern and an attack pattern, we use automata-based static string analysis techniques to compute a sanitization signature that characterizes safe input values that obey the given input pattern and are safe with respect to the given attack pattern. Using the sanitization signature, we synthesize an optimal sanitization patch that converts malicious user inputs to benign ones with minimal editing. When the generated patch is added to the web application, it is guaranteed that the repaired web application is no longer vulnerable. We present refinements to previous sanitization synthesis algorithms that reduce the runtime sanitization cost significantly. We evaluate our approach on open source web applications using common input and attack patterns, demonstrating the effectiveness of our approach.
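To make the pipeline in the abstract concrete, the following Python sketch is an added illustration, not the paper's code and not its real patterns. It builds a sanitization signature as the product of an input-pattern DFA with the complement of an attack-pattern DFA, then repairs a user input along the cheapest path into the signature's language (the string-to-regular-language edit distance, computed here by Dijkstra over (characters consumed, DFA state) pairs). The input pattern (printable ASCII, at most `MAX_LEN` characters) and the attack pattern (any string containing `<`) are constructed stand-ins, and the names `DFA`, `sanitization_signature`, `repair`, `ALPHABET` and `MAX_LEN` belong to this example only.

```python
"""Added example (hypothetical, not the paper's implementation):
sanitization signature = input pattern AND NOT attack pattern,
followed by a minimal-edit repair of the input into that language."""
import heapq
import itertools
import string

# Constructed alphabet: printable ASCII without control characters.
ALPHABET = tuple(string.ascii_letters + string.digits + string.punctuation + " ")
MAX_LEN = 8  # constructed bound used by the toy input pattern


class DFA:
    """Total DFA given by a start state, a step function and an acceptance
    predicate. Reachable states are enumerated once so the size is visible."""

    def __init__(self, start, step, is_accept):
        self.start, self.step, self.is_accept = start, step, is_accept
        self.states, seen, todo = [], {start}, [start]
        while todo:
            q = todo.pop()
            self.states.append(q)
            for c in ALPHABET:
                r = step(q, c)
                if r not in seen:
                    seen.add(r)
                    todo.append(r)

    def accepts(self, s):
        q = self.start
        for c in s:
            q = self.step(q, c)
        return self.is_accept(q)

    def complement(self):
        return DFA(self.start, self.step, lambda q: not self.is_accept(q))

    def intersect(self, other):
        return DFA((self.start, other.start),
                   lambda q, c: (self.step(q[0], c), other.step(q[1], c)),
                   lambda q: self.is_accept(q[0]) and other.is_accept(q[1]))


# Input pattern: state counts characters read, capped at MAX_LEN + 1 (sink).
INPUT_PATTERN = DFA(0, lambda q, c: min(q + 1, MAX_LEN + 1), lambda q: q <= MAX_LEN)

# Attack pattern Sigma* '<' Sigma*: state 1 once a '<' has been read.
ATTACK_PATTERN = DFA(0, lambda q, c: 1 if (q == 1 or c == "<") else 0, lambda q: q == 1)


def sanitization_signature(input_pattern, attack_pattern):
    """Safe inputs: those that obey the input pattern and avoid the attack pattern."""
    return input_pattern.intersect(attack_pattern.complement())


SIGNATURE = sanitization_signature(INPUT_PATTERN, ATTACK_PATTERN)


def repair(s, signature):
    """Return (cost, w) where w is in L(signature) at minimal Levenshtein
    distance from s. Insert, delete and substitute each cost 1; a match costs 0."""
    tick = itertools.count()  # heap tie-breaker so states need not be comparable
    start = (0, signature.start)
    dist, prev = {start: 0}, {start: None}
    heap = [(0, next(tick), 0, signature.start)]
    while heap:
        d, _, i, q = heapq.heappop(heap)
        if d > dist[(i, q)]:
            continue  # stale heap entry
        if i == len(s) and signature.is_accept(q):
            out, node = [], (i, q)
            while prev[node] is not None:  # walk back, collecting emitted chars
                node, emitted = prev[node]
                if emitted is not None:
                    out.append(emitted)
            return d, "".join(reversed(out))
        moves = []
        if i < len(s):
            moves.append((i + 1, q, 1, None))  # delete s[i]
        for c in ALPHABET:
            r = signature.step(q, c)
            moves.append((i, r, 1, c))  # insert c before s[i]
            if i < len(s):
                moves.append((i + 1, r, 0 if c == s[i] else 1, c))  # keep or substitute
        for ni, nq, cost, emitted in moves:
            nd = d + cost
            if nd < dist.get((ni, nq), float("inf")):
                dist[(ni, nq)] = nd
                prev[(ni, nq)] = ((i, q), emitted)
                heapq.heappush(heap, (nd, next(tick), ni, nq))
    raise ValueError("signature language is empty")


if __name__ == "__main__":
    print("signature states:", len(SIGNATURE.states))
    for user_input in ["alice", "<b>", "hello<world"]:
        print(repr(user_input), "->", repair(user_input, SIGNATURE))
```

The repair is a shortest-path search, so when several edits tie (deleting `<` versus substituting it) the result depends on exploration order; any of them is an accepted, minimally distant string. The refinements the abstract mentions for cutting runtime sanitization cost are not reproduced here.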
Optimal sanitization synthesis for web application vulnerability repair