
Context-oriented web application protection model. (English) Zbl 1410.68042

Summary: Due to growing user demand, web application development is becoming increasingly complicated. The multiple programming languages and the complex multi-tier architecture commonly involved in web application development increase the likelihood of programming mistakes. Such mistakes may cause serious security vulnerabilities, which can then be exploited by malicious users. Current classifications include a wide variety of web application vulnerabilities, such as SQL injection, cross-site scripting and file inclusion. Various protections exist against the attacks associated with these vulnerabilities, which makes it difficult to apply a single universal solution. This paper takes an alternative view of the root cause of these vulnerabilities. Based on the common traits discovered, a unified extensible context-based model of web applications is proposed. A concept of context is introduced and different attacks are reformulated in terms of context boundary violation. The proposed model can be used to implement a more universal web application protection that is effective against different types of attacks.
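The following is an added illustration of the "context boundary violation" idea, not code from the paper. It models an output (an SQL query or an HTML page) as trusted template pieces with untrusted input spliced between them, and treats an input as in-context only if, after assembly, it lies entirely inside a single token of the output language. Under that one rule an SQL injection and a cross-site scripting payload are the same defect: the input crossed a token boundary. The toy SQL and HTML lexers, the `Piece` type and the three sample templates are assumptions made for this example; a real implementation would use the actual SQL and HTML parsers rather than regular expressions.

```python
"""Added example: SQL injection and XSS as one context-boundary check."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Piece:
    text: str
    trusted: bool


def assemble(pieces):
    """Concatenate pieces; return the output and the [start, end) span of
    every untrusted piece inside it."""
    out, spans, pos = [], [], 0
    for p in pieces:
        out.append(p.text)
        if not p.trusted:
            spans.append((pos, pos + len(p.text)))
        pos += len(p.text)
    return "".join(out), spans


# Toy SQL lexer (assumption): comments, string literals with '' escapes,
# numbers, identifiers/keywords, whitespace, single punctuation characters.
SQL_TOKEN = re.compile(r"--[^\n]*|'(?:[^']|'')*'|\d+|[A-Za-z_]\w*|\s+|.", re.S)


def sql_tokens(text):
    return [(m.start(), m.end()) for m in SQL_TOKEN.finditer(text)]


# Toy HTML lexer (assumption), two levels: comments / tags / text runs,
# then each tag into its name, its attributes and the closing '>'.
HTML_TOP = re.compile(r"<!--.*?-->|<[^>]*>|[^<]+|<", re.S)
HTML_IN_TAG = re.compile(
    r"</?[A-Za-z][\w-]*"             # <p, </p, <script
    r"|\s*[\w-]+\s*=\s*\"[^\"]*\""   # href="..."
    r"|\s*[\w-]+\s*=\s*'[^']*'"      # href='...'
    r"|\s*[\w-]+\s*=\s*[^\s>]+"      # href=unquoted
    r"|\s*[\w-]+"                    # bare attribute
    r"|\s*/?>"                       # > or />
    r"|.", re.S)


def html_tokens(text):
    spans = []
    for m in HTML_TOP.finditer(text):
        tok = m.group()
        if tok.startswith("<") and not tok.startswith("<!--") and len(tok) > 1:
            for a in HTML_IN_TAG.finditer(tok):
                spans.append((m.start() + a.start(), m.start() + a.end()))
        else:
            spans.append((m.start(), m.end()))
    return spans


def boundary_violations(pieces, tokenizer):
    """Return the untrusted inputs that do not sit inside one token of the
    assembled output, i.e. the inputs that crossed a context boundary."""
    text, spans = assemble(pieces)
    toks = tokenizer(text)
    bad = []
    for s, e in spans:
        if s == e:
            continue  # empty input cannot cross anything
        if not any(ts <= s and e <= te for ts, te in toks):
            bad.append(text[s:e])
    return bad


# Sample templates (constructed for this example).
def sql_query(name):
    """String-literal context in SQL."""
    return [Piece("SELECT * FROM users WHERE name = '", True),
            Piece(name, False), Piece("'", True)]


def sql_query_numeric(user_id):
    """Numeric-literal context: no quotes to break out of, still a boundary."""
    return [Piece("SELECT * FROM users WHERE id = ", True),
            Piece(user_id, False)]


def html_page(greeting_name, link):
    """Two contexts on one page: a text node and a quoted attribute value."""
    return [Piece('<p>Hello, ', True), Piece(greeting_name, False),
            Piece('</p><a href="', True), Piece(link, False),
            Piece('">profile</a>', True)]


if __name__ == "__main__":
    cases = [
        ("sql escaped",    sql_query("O''Brien"), sql_tokens),
        ("sql injection",  sql_query("' OR '1'='1"), sql_tokens),
        ("sql numeric",    sql_query_numeric("42 OR 1=1"), sql_tokens),
        ("html ok",        html_page("Bob", "/u/42"), html_tokens),
        ("html text xss",  html_page("<script>alert(1)</script>", "/u/42"), html_tokens),
        ("html attr xss",  html_page("Bob", '" onmouseover="alert(1)'), html_tokens),
    ]
    for label, pieces, tok in cases:
        print(f"{label:14s} -> {boundary_violations(pieces, tok)}")
```

Note what the check does not see: the granularity of the contexts is the granularity of the lexer. A `javascript:` URL placed inside `href="..."` stays within one attribute token and passes, because the URL scheme is a nested context this toy lexer does not model; a fuller instance of the model would tokenize the attribute value with a URL grammar in turn.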

MSC:

68M11 Internet topics
68U35 Computing methodologies for information systems (hypertext navigation, interfaces, decision support, etc.)
