DOI: 10.1145/3106237.3122822
Short paper

JoanAudit: a tool for auditing common injection vulnerabilities

Published: 21 August 2017

Abstract

JoanAudit is a static analysis tool that assists security auditors in auditing Web applications and Web services for common injection vulnerabilities during software development. It automatically identifies the parts of the program code that are relevant to security and generates an HTML report that guides auditors through the source code in a scalable way. JoanAudit is configured with security-sensitive input sources and sinks relevant to injection vulnerabilities, together with the standard sanitization procedures that prevent them. It can also automatically fix some vulnerabilities in source code, namely those where an input is used directly in a sink without any form of sanitization, by applying the standard sanitization procedures. Our evaluation shows that, with JoanAudit, security auditors need to inspect only 1% of the total code to audit for common injection vulnerabilities. The screencast demo is available at https://github.com/julianthome/joanaudit.
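The abstract names three ingredients: a configuration of sources, sinks and sanitizers; a security slice that keeps only the statements a sink depends on; and an automatic fix for the narrow case where a source is consumed by a sink with nothing in between. The Python model below is an added example written for this page, not JoanAudit's own code (JoanAudit slices Java bytecode using the Joana dependence-graph framework). It runs those three steps over a constructed ten-statement program in an assumed three-address form. The method names (getParameter, executeQuery, evaluate, and ESAPI-style encodeForSQL/encodeForXPath) are assumptions chosen to resemble a Java servlet, and the restriction that each variable is assigned once is a simplification of the real dependence graph.

```python
"""Toy security slicer with sources, sinks, sanitizers and an auto-fix.
Constructed for this page; not JoanAudit code. All method names are assumed."""
from dataclasses import dataclass, replace
from typing import Optional

# Assumed configuration, mimicking servlet/JDBC/XPath APIs and ESAPI encoders.
SOURCES = {"getParameter"}
SINKS = {"executeQuery": "sql", "evaluate": "xpath", "exec": "cmd"}
SANITIZERS = {"encodeForSQL": "sql", "encodeForXPath": "xpath", "encodeForOS": "cmd"}

@dataclass(frozen=True)
class Stmt:
    """target = call(uses) when `call` is set, else target = uses[0] + uses[1] + ...;
    quoted string literals may appear in `uses` and never define a variable."""
    sid: int
    target: Optional[str]
    call: Optional[str]
    uses: tuple = ()

def definitions(program):
    """Variable -> defining statement (assumption: each variable is assigned once)."""
    return {s.target: s for s in program if s.target}

def trace(var, defs, sink_type, path=frozenset()):
    """Backward data-dependence walk from `var`: returns the statement ids visited
    (the slice) and, per source reached, whether a `sink_type` sanitizer was crossed."""
    d = defs.get(var)
    if d is None or d.sid in path:            # literal, external input, or cycle
        return set(), set()
    if d.call in SOURCES:
        return {d.sid}, {(d.sid, False)}
    slice_ids, flows = {d.sid}, set()
    for u in d.uses:
        ids, fl = trace(u, defs, sink_type, path | {d.sid})
        slice_ids |= ids
        flows |= fl
    if SANITIZERS.get(d.call) == sink_type:   # matching sanitizer covers every upstream source
        flows = {(src, True) for src, _ in flows}
    return slice_ids, flows

def audit(program):
    """One finding per sink: its slice, sources reaching it unsanitized, and the
    arguments that are raw sources (the only case auto_fix rewrites)."""
    defs, findings = definitions(program), []
    for s in program:
        if s.call not in SINKS:
            continue
        slice_ids, flows = {s.sid}, set()
        for u in s.uses:
            ids, fl = trace(u, defs, SINKS[s.call])
            slice_ids |= ids
            flows |= fl
        findings.append({"sink": s.sid, "type": SINKS[s.call], "slice": sorted(slice_ids),
                         "unsanitized_sources": sorted({src for src, ok in flows if not ok}),
                         "direct_fixable": [u for u in s.uses
                                            if u in defs and defs[u].call in SOURCES]})
    return findings

def sliced_fraction(program):
    """Share of statements an auditor must read; the paper reports about 1% on real code."""
    covered = set().union(*(f["slice"] for f in audit(program)))
    return len(covered) / len(program)

def auto_fix(program):
    """Wrap a source that feeds a sink directly in the sink's standard sanitizer.
    Flows through concatenation or other logic are left to the human auditor."""
    defs, fixed = definitions(program), []
    encoder_for = {t: name for name, t in SANITIZERS.items()}
    next_sid = max(s.sid for s in program) + 1
    for s in program:
        if s.call in SINKS:
            new_uses = []
            for u in s.uses:
                if u in defs and defs[u].call in SOURCES:
                    fixed.append(Stmt(next_sid, f"{u}_safe", encoder_for[SINKS[s.call]], (u,)))
                    next_sid, u = next_sid + 1, f"{u}_safe"
                new_uses.append(u)
            s = replace(s, uses=tuple(new_uses))
        fixed.append(s)
    return fixed

# Constructed program: a servlet handler in three-address form.
PROGRAM = [
    Stmt(1, "user", "getParameter", ('"user"',)),
    Stmt(2, "pw", "getParameter", ('"pw"',)),
    Stmt(3, "pw_safe", "encodeForSQL", ("pw",)),
    Stmt(4, "q", None, ('"SELECT * FROM users WHERE name=\'"', "user",
                        '"\' AND pw=\'"', "pw_safe", '"\'"')),
    Stmt(5, None, "executeQuery", ("q",)),     # SQL sink: user arrives raw, pw sanitized
    Stmt(6, "node", "getParameter", ('"node"',)),
    Stmt(7, None, "evaluate", ("node",)),      # XPath sink fed directly by a source
    Stmt(8, "name", "getParameter", ('"name"',)),
    Stmt(9, "msg", None, ("name", '" logged in"')),
    Stmt(10, None, "info", ("msg",)),          # logging call: not a sink, never sliced
]

if __name__ == "__main__":
    print(*audit(PROGRAM), f"{sliced_fraction(PROGRAM):.0%} of statements to read", sep="\n")
    print(*auto_fix(PROGRAM), sep="\n")
```

Running the block shows the two effects the abstract describes. The SQL sink depends on five of the ten statements and still receives the raw `user` parameter next to the sanitized password, so it stays in the report for a human, and because the source reaches the sink through string concatenation the fixer leaves it alone. The XPath sink consumes a source directly, which is the one pattern the fix rewrites; re-auditing the fixed program shows that flow as sanitized. The logging call is never in any slice because it is not a configured sink, which is what shrinks the code an auditor has to read.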

Presented at ESEC/FSE'17, September 4–8, 2017, Paderborn, Germany.

Published In

ESEC/FSE 2017: Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering
August 2017
1073 pages
ISBN:9781450351058
DOI:10.1145/3106237
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Security auditing
  2. automated code fixing
  3. static analysis
  4. vulnerability

Qualifiers

  • Short-paper

Conference

ESEC/FSE'17

Acceptance Rates

Overall Acceptance Rate 112 of 543 submissions, 21%

Bibliometrics & Citations

Article Metrics

  • Downloads (last 12 months): 25
  • Downloads (last 6 weeks): 9
Reflects downloads up to 13 December 2024

Cited By

  • (2024) SourcererJBF: A Java Build Framework For Large-Scale Compilation. ACM Transactions on Software Engineering and Methodology 33(3), 1–35. DOI 10.1145/3635710. Online publication date: 15 March 2024.
  • (2023) Tabby: Automated Gadget Chain Detection for Java Deserialization Vulnerabilities. 2023 53rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), 179–192. DOI 10.1109/DSN58367.2023.00028. Online publication date: June 2023.
  • (2023) Input Validation Vulnerabilities in Web Applications: Systematic Review, Classification, and Analysis of the Current State-of-the-Art. IEEE Access 11, 40128–40161. DOI 10.1109/ACCESS.2023.3266385. Online publication date: 2023.
  • (2022) VulSlicer. Journal of Systems and Software 193(C). DOI 10.1016/j.jss.2022.111450. Online publication date: 1 November 2022.
  • (2022) Fluently specifying taint-flow queries with TQL. Empirical Software Engineering 27(5). DOI 10.1007/s10664-022-10165-y. Online publication date: 1 September 2022.
  • (2019) Codebase-adaptive detection of security-relevant methods. Proceedings of the 28th ACM SIGSOFT International Symposium on Software Testing and Analysis, 181–191. DOI 10.1145/3293882.3330556. Online publication date: 10 July 2019.
  • (2019) SWANAssist. Proceedings of the 34th IEEE/ACM International Conference on Automated Software Engineering, 1094–1097. DOI 10.1109/ASE.2019.00110. Online publication date: 10 November 2019.
  • (2018) Towards a framework for generating program dependence graphs from source code. Proceedings of the 4th ACM SIGSOFT International Workshop on Software Analytics, 30–36. DOI 10.1145/3278142.3278144. Online publication date: 5 November 2018.
