DCAFixer: An Automatic Tool for Bug Detection and Repair for Database Java Client Applications

Published: 01 January 2025

Abstract

Application programs are a common source of attacks against databases. SQL injection is a well-known attack that exploits an application's failure to sanitize user input. Following secure coding practices is the best way to prevent such attacks, but developers make mistakes, whether from a lack of knowledge (e.g., a beginner developer) or from bad habits such as copy-and-paste, which duplicates bugs and vulnerabilities across the code base. Detecting such vulnerabilities manually is expensive and time-consuming, especially for very large code bases, and fixing them is expensive as well because it requires manual intervention. Systematically finding and fixing vulnerabilities therefore calls for automatic tools. In this article, we address that need. We propose the Database Client Applications Fixer (DCAFixer), a tool that automatically detects and repairs three types of common vulnerabilities in SQL application programs: unsanitized user inputs, insecure credential handling, and unencrypted connections. DCAFixer operates in three phases: fault localization, patch generation and selection, and patch validation.
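To make the three vulnerability classes concrete, here is an added example that is not DCAFixer's code or the authors' method: a small Python checker that flags the direct form of each class in JDBC client source, run over two constructed snippets, a vulnerable `UserDao` and its hardened counterpart. The class, host and environment-variable names are hypothetical. It is a text-level sketch of the fault-localization step only; it does no patch generation or validation, and a regular expression cannot follow a query string through variables and method calls the way a real analysis must.

```python
"""Illustrative detector for the three vulnerability classes named in the
abstract (unsanitized input reaching a query, hard-coded credentials,
unencrypted database connections) in JDBC client source.

Added example, not DCAFixer's implementation: it matches text patterns, so
it recognises only the direct shapes shown below.
"""
import re
from typing import Dict, List, Tuple

Finding = Tuple[int, str, str]  # (line number, category, detail)

# Statement execution whose argument is a string literal concatenated onto
# something else: the textbook SQL-injection shape.
CONCAT_SQL = re.compile(
    r'\.(executeQuery|executeUpdate|execute|addBatch)\(\s*"[^"\n]*"\s*\+')

# DriverManager.getConnection(url, user, password) with literal credentials.
LITERAL_CREDS = re.compile(
    r'getConnection\(\s*"[^"]*"\s*,\s*"(?P<user>[^"]*)"\s*,\s*"[^"]*"')

JDBC_URL = re.compile(r'"(jdbc:[^"]*)"')


def _params(url: str) -> Dict[str, str]:
    """Driver properties from a JDBC URL (after '?' or ';'), lower-cased keys."""
    m = re.search(r"[?;](.*)$", url)
    if not m:
        return {}
    out: Dict[str, str] = {}
    for kv in re.split(r"[&;]", m.group(1)):
        key, _, value = kv.partition("=")
        if key:
            out[key.strip().lower()] = value.strip()
    return out


def tls_enforced(url: str) -> bool:
    """True if the URL's driver properties require an encrypted connection."""
    p = _params(url)
    if url.startswith(("jdbc:mysql:", "jdbc:mariadb:")):
        # Connector/J 8 uses sslMode; its default PREFERRED falls back to
        # plaintext.  Connector/J 5.1's useSSL=true is opportunistic as well,
        # so only requireSSL=true counts there.
        return (p.get("sslmode", "").upper() in {"REQUIRED", "VERIFY_CA", "VERIFY_IDENTITY"}
                or p.get("requiressl", "").lower() == "true")
    if url.startswith("jdbc:postgresql:"):
        return (p.get("ssl", "").lower() == "true"
                or p.get("sslmode", "").lower() in {"require", "verify-ca", "verify-full"})
    if url.startswith("jdbc:sqlserver:"):
        return p.get("encrypt", "").lower() in {"true", "strict"}
    return False  # unknown driver: flag it and let a human decide


def find_issues(java_source: str) -> List[Finding]:
    """Report (line, category, detail) for each suspicious pattern found."""
    def line_of(pos: int) -> int:
        return java_source.count("\n", 0, pos) + 1

    findings: List[Finding] = []
    for m in CONCAT_SQL.finditer(java_source):
        findings.append((line_of(m.start()), "unsanitized-input",
                         f"SQL built by concatenation in {m.group(1)}(); "
                         "use PreparedStatement with bind parameters"))
    for m in LITERAL_CREDS.finditer(java_source):
        findings.append((line_of(m.start()), "hardcoded-credentials",
                         f"literal user '{m.group('user')}' and password in getConnection()"))
    for m in JDBC_URL.finditer(java_source):
        url = m.group(1)
        if "password" in _params(url):
            findings.append((line_of(m.start()), "hardcoded-credentials",
                             "password embedded in JDBC URL"))
        if not tls_enforced(url):
            findings.append((line_of(m.start()), "unencrypted-connection",
                             f"TLS not enforced for {url.split('?')[0]}"))
    return sorted(findings)


# Constructed vulnerable client (hypothetical names; not from the paper).
VULNERABLE_JAVA = """\
import java.sql.*;

public class UserDao {
    public ResultSet findUser(String name) throws SQLException {
        Connection c = DriverManager.getConnection(
            "jdbc:mysql://db.example.internal:3306/app",
            "appuser", "s3cret");
        Statement st = c.createStatement();
        return st.executeQuery("SELECT * FROM users WHERE name = '" + name + "'");
    }
}
"""

# Constructed hardened version: bind parameters, credentials read from the
# environment, TLS with certificate verification required on the URL.
HARDENED_JAVA = """\
import java.sql.*;

public class UserDao {
    public ResultSet findUser(String name) throws SQLException {
        Connection c = DriverManager.getConnection(
            "jdbc:mysql://db.example.internal:3306/app?sslMode=VERIFY_IDENTITY",
            System.getenv("DB_USER"), System.getenv("DB_PASSWORD"));
        PreparedStatement ps = c.prepareStatement(
            "SELECT * FROM users WHERE name = ?");
        ps.setString(1, name);
        return ps.executeQuery();
    }
}
"""

if __name__ == "__main__":
    for f in find_issues(VULNERABLE_JAVA):
        print("line %d  %-24s %s" % f)
    print("hardened:", find_issues(HARDENED_JAVA) or "no findings")
```

Two caveats worth keeping in mind when reading the output. A `useSSL=true` URL is deliberately not accepted as encrypted, because on its own the older MySQL driver property permits a plaintext fallback; only a property that fails the connection without TLS counts. And the injection check fires only when the concatenation sits directly inside the execute call; a query assembled into a variable first is exactly the case that needs the data-flow-based fault localization the paper describes rather than a pattern match.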


Published In

IEEE Transactions on Dependable and Secure Computing  Volume 22, Issue 1
Jan.-Feb. 2025
844 pages

Publisher

IEEE Computer Society Press

Washington, DC, United States

Qualifiers

  • Research-article
