DOI: 10.1145/2931037.2931050
ACM Conferences, ISSTA Conference Proceedings, research article

Optimal sanitization synthesis for web application vulnerability repair

Published: 18 July 2016

ABSTRACT

We present a code- and input-sensitive sanitization synthesis approach for repairing string vulnerabilities that are common in web applications. The synthesized sanitization patch modifies the user input in an optimal way while guaranteeing that the repaired web application is not vulnerable. Given a web application, an input pattern and an attack pattern, we use automata-based static string analysis techniques to compute a sanitization signature that characterizes safe input values that obey the given input pattern and are safe with respect to the given attack pattern. Using the sanitization signature, we synthesize an optimal sanitization patch that converts malicious user inputs to benign ones with minimal editing. When the generated patch is added to the web application, it is guaranteed that the repaired web application is no longer vulnerable. We present refinements to previous sanitization synthesis algorithms that reduce the runtime sanitization cost significantly. We evaluate our approach on open source web applications using common input and attack patterns, demonstrating the effectiveness of our approach.
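The abstract describes a two-stage pipeline: first compute a sanitization signature, the set of input values that match the input pattern and do not match the attack pattern, then rewrite an offending input to the closest member of that set by edit distance. The following Python is an added worked example, not the paper's implementation and not code from the Patcher service. It abstracts away the code-sensitive part (the paper derives the signature from the application's string operations by automata-based static analysis) and instead builds the signature directly as a DFA from a hand-written input pattern ("non-empty, starts with a letter") and attack patterns given as forbidden substrings ("<script", "onerror="). The repair step is the textbook shortest-path formulation of string-to-automaton edit distance, not the paper's refined algorithm. The alphabet, patterns and sample inputs are all constructed for this example.

```python
"""Toy sanitization synthesis: safe-input DFA plus minimal-edit repair.

Added worked example, not the paper's code or the Patcher service.
Alphabet, input pattern, attack patterns and sample inputs are constructed.
"""
import heapq
from dataclasses import dataclass


@dataclass
class DFA:
    states: set
    alphabet: str
    delta: dict      # (state, symbol) -> state; total over states x alphabet
    start: object
    accepting: set


def substring_dfa(word, alphabet):
    """DFA accepting exactly the strings that contain `word` (KMP automaton)."""
    n, delta = len(word), {}
    for j in range(n + 1):
        for a in alphabet:
            if j == n:                      # attack already matched: absorbing
                delta[(j, a)] = n
                continue
            s = word[:j] + a                # longest prefix of word ending here
            k = len(s)
            while k > 0 and s[-k:] != word[:k]:
                k -= 1
            delta[(j, a)] = k
    return DFA(set(range(n + 1)), alphabet, delta, 0, {n})


def starts_with_letter_dfa(alphabet):
    """Input pattern: a non-empty value whose first symbol is a letter."""
    delta = {}
    for a in alphabet:
        delta[(0, a)] = 1 if a.isalpha() else 2   # state 2 is a dead state
        delta[(1, a)] = 1
        delta[(2, a)] = 2
    return DFA({0, 1, 2}, alphabet, delta, 0, {1})


def complement(d):
    return DFA(d.states, d.alphabet, d.delta, d.start, d.states - d.accepting)


def product(d1, d2):
    """Intersection of two DFAs over one alphabet, keeping only reachable pairs."""
    start = (d1.start, d2.start)
    states, delta, todo = {start}, {}, [start]
    while todo:
        q = todo.pop()
        for a in d1.alphabet:
            r = (d1.delta[(q[0], a)], d2.delta[(q[1], a)])
            delta[(q, a)] = r
            if r not in states:
                states.add(r)
                todo.append(r)
    acc = {q for q in states if q[0] in d1.accepting and q[1] in d2.accepting}
    return DFA(states, d1.alphabet, delta, start, acc)


def safe_dfa(input_dfa, attack_words):
    """Sanitization signature: matches the input pattern and no attack substring."""
    d = input_dfa
    for w in attack_words:
        d = product(d, complement(substring_dfa(w, d.alphabet)))
    return d


def accepts(d, s):
    q = d.start
    for c in s:
        if c not in d.alphabet:
            return False
        q = d.delta[(q, c)]
    return q in d.accepting


def sanitize(d, s):
    """Return (cost, w) with w in L(d) at minimal Levenshtein distance from s.

    Dijkstra over nodes (chars of s consumed, DFA state). Edges: keep a char
    (cost 0), substitute it (1), delete it (1), insert a symbol (1). The first
    accepting node popped with all of s consumed is optimal. None if L(d) is empty.
    """
    n, inf = len(s), float("inf")
    dist, back = {(0, d.start): 0}, {}
    heap = [(0, 0, d.start)]
    while heap:
        c, i, q = heapq.heappop(heap)
        if c > dist.get((i, q), inf):
            continue                                            # stale entry
        if i == n and q in d.accepting:
            out, node = [], (i, q)
            while node in back:                                 # walk back pointers
                node, emitted = back[node]
                out.append(emitted)
            return c, "".join(reversed(out))
        moves = [((i, d.delta[(q, a)]), 1, a) for a in d.alphabet]          # insert
        if i < n:
            moves.append(((i + 1, q), 1, ""))                                  # delete s[i]
            moves += [((i + 1, d.delta[(q, a)]), 0 if a == s[i] else 1, a)
                      for a in d.alphabet]                                     # keep/substitute
        for node, w, emitted in moves:
            if c + w < dist.get(node, inf):
                dist[node] = c + w
                back[node] = ((i, q), emitted)
                heapq.heappush(heap, (c + w, node[0], node[1]))
    return None


ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789 <>/='\"-;:"   # constructed alphabet
ATTACK_WORDS = ["<script", "onerror="]                        # constructed attack patterns
SAFE = safe_dfa(starts_with_letter_dfa(ALPHABET), ATTACK_WORDS)

if __name__ == "__main__":
    for sample in ["alice", "bob<script>alert</script>", "<b>hi", "x onerror=1"]:
        print(repr(sample), "->", sanitize(SAFE, sample))
```

A benign value such as "alice" comes back unchanged at cost 0; each of the three constructed attack inputs is repaired with a single edit, and the repaired value is accepted by the signature DFA by construction. The search space is (input position) x (DFA state), so the runtime cost of the patch grows with the size of the signature automaton, which is exactly the quantity the abstract's refinements aim to cut. Which cost-1 repair is returned depends on tie-breaking in the priority queue; a real sanitizer would fix a deterministic preference (for example, prefer deletion over substitution).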


Published in

ISSTA 2016: Proceedings of the 25th International Symposium on Software Testing and Analysis
July 2016, 452 pages
ISBN: 9781450343909
DOI: 10.1145/2931037

Copyright © 2016 ACM

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher: Association for Computing Machinery, New York, NY, United States

Qualifiers: research-article

Acceptance rate: 58 of 213 submissions (27%)
