Dynamic multi-process information flow tracking for web application security

Research article. DOI: 10.1145/1377943.1377956

Published: 01 November 2007

Abstract

Although there is a large body of research on the detection and prevention of memory corruption attacks such as buffer overflow, integer overflow, and format string attacks, the web application security problem has received comparatively little attention from the research community. The majority of web application security problems originate from the fact that web applications fail to perform sanity checks on inputs from the network that are eventually used as operands of security-sensitive operations. Therefore, a promising approach to this problem is to apply proper checks on the tainted portions of the operands used in security-sensitive operations, where a byte is tainted if it is data- or control-dependent on some network packet(s). This paper presents the design, implementation and evaluation of a dynamic checking compiler called WASC, which automatically adds checks into web applications used in three-tier internet services to protect them from the two most common types of web application attack: SQL injection and script injection. In addition to including a taint analysis infrastructure for multi-process and multi-language applications, WASC uses SQL and HTML parsers to defeat evasion techniques that exploit interpretation differences between attack detection engines and target applications. Experiments with a fully operational WASC prototype show that it can indeed stop all SQL/script injection attacks that we have tested. Moreover, the end-to-end latency penalty associated with the checks inserted by WASC is less than 30% for the test web applications used in our performance study.
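The mechanism the abstract describes, byte-level taint that follows network data through string operations and is then checked against the parsed structure of the operand at a security-sensitive sink, is illustrated below in an added example. This is not code from the paper or from the WASC prototype: the `Tainted` type, the small SQL tokenizer, and the HTML tag scanner are assumptions made here to show the idea, and the tokenizer covers only a subset of SQL (string literals with `''` escaping, numbers, identifiers, operators, comments), where the paper uses full SQL and HTML parsers. The check encodes the same rule a parser-based sink check enforces: tainted bytes may form the value of a literal, but may never become quotes, keywords, operators, comments or markup.

```python
"""Byte-level taint tracking with parser-based checks at two sinks
(SQL query execution and HTML output). Added illustration, not WASC code.
Assumed: a Tainted string type, a subset-of-SQL tokenizer, a tag scanner."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Tainted:
    """A string plus one taint bit per character (True = network-derived)."""
    text: str
    taint: tuple  # tuple of bools, same length as text

    @staticmethod
    def trusted(s):  # program constants carry no taint
        return Tainted(s, (False,) * len(s))

    @staticmethod
    def from_network(s):  # every byte that came from a request is tainted
        return Tainted(s, (True,) * len(s))

    def __add__(self, other):  # concatenation propagates taint positionally
        return Tainted(self.text + other.text, self.taint + other.taint)


# Token classes; the body of a literal is the only place taint may live.
# Comments are listed before operators so '--' and '/*' are not split.
_TOKEN_RE = re.compile(r"""
    (?P<ws>\s+)
  | (?P<comment>--[^\n]*|/\*.*?\*/)
  | (?P<string>'(?:[^']|'')*')
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<ident>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<op>[(),;=<>!*+\-/.%])
""", re.VERBOSE | re.DOTALL)


def tokenize_sql(text):
    """Yield (kind, start, end) spans covering the whole text; bytes the
    subset grammar does not recognise are reported as kind 'unknown'."""
    pos = 0
    while pos < len(text):
        m = _TOKEN_RE.match(text, pos)
        if m is None:
            yield ("unknown", pos, pos + 1)
            pos += 1
            continue
        yield (m.lastgroup, m.start(), m.end())
        pos = m.end()


def tainted_span_ok(kind, start, end, taint):
    """A tainted byte may only appear inside the body of a string literal
    (never on its quotes) or inside a numeric literal. Taint on anything
    else means the input has altered the structure of the query."""
    tainted_positions = [i for i in range(start, end) if taint[i]]
    if not tainted_positions or kind == "number":
        return True
    if kind == "string":
        return all(start < i < end - 1 for i in tainted_positions)
    return False


def check_sql_sink(q):
    """Return (ok, reason); ok is False when taint touches query structure."""
    for kind, start, end in tokenize_sql(q.text):
        if not tainted_span_ok(kind, start, end, q.taint):
            return (False, f"tainted {kind} token {q.text[start:end]!r} at {start}")
    return (True, "all tainted bytes confined to literal values")


_HTML_TAG_RE = re.compile(r"<[^>]*>")


def check_html_sink(page):
    """Script-injection counterpart: tainted bytes may only be text content.
    Taint inside a tag, or on a stray angle bracket, means the input became
    markup rather than data."""
    for m in _HTML_TAG_RE.finditer(page.text):
        if any(page.taint[m.start():m.end()]):
            return (False, f"tainted markup {m.group()!r} at {m.start()}")
    if any(t and c in "<>" for c, t in zip(page.text, page.taint)):
        return (False, "tainted angle bracket outside a well-formed tag")
    return (True, "all tainted bytes are text content")


def build_login_query(user_input):
    """String-built query of the kind such checks guard: the SQL template is
    trusted, the request parameter is tainted (constructed sample)."""
    return (Tainted.trusted("SELECT id FROM users WHERE name = '")
            + Tainted.from_network(user_input)
            + Tainted.trusted("'"))


def build_greeting(user_input):
    """Constructed sample page that echoes a request parameter."""
    return (Tainted.trusted("<p>Hello, ")
            + Tainted.from_network(user_input)
            + Tainted.trusted("</p>"))


if __name__ == "__main__":
    for sample in ["alice", "o''brien", "x' OR '1'='1", "x'; DROP TABLE users; --"]:
        print("SQL ", repr(sample), "->", check_sql_sink(build_login_query(sample)))
    for sample in ["bob", "&lt;b&gt;bob", "<script>x</script>"]:
        print("HTML", repr(sample), "->", check_html_sink(build_greeting(sample)))
```

The check works on the parsed operand rather than on the raw request, which is what lets it survive encoding and quoting tricks: whatever the input looks like on the wire, the only question asked at the sink is whether a tainted byte ended up somewhere other than the body of a literal or a text node.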


Cited By

  • (2023) Does Rust SPARK Joy? Safe Bindings from Rust to SPARK, Applied to the BBQueue Library. Proceedings of the 9th ACM SIGPLAN International Workshop on Formal Techniques for Safety-Critical Systems, 37-47. DOI: 10.1145/3623503.3623534. 18 Oct 2023.
  • (2022) Detection and prevention of SQLI attacks and developing compressive framework using machine learning and hybrid techniques. Journal of Big Data 9:1. DOI: 10.1186/s40537-022-00678-0. 30 Dec 2022.
  • (2022) Adapting Static Taint Analyzers to Software Marketplaces. Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses, 73-82. DOI: 10.1145/3560835.3564553. 11 Nov 2022.
  • (2019) Pythia. Proceedings of the 12th European Workshop on Systems Security, 1-6. DOI: 10.1145/3301417.3312497. 25 Mar 2019.
  • (2019) Defending Against Web Application Attacks. IEEE Transactions on Dependable and Secure Computing 16:2, 188-203. DOI: 10.1109/TDSC.2017.2665620. 1 Mar 2019.
  • (2017) Fatal injection: a survey of modern code injection attack countermeasures. PeerJ Computer Science 3, e136. DOI: 10.7717/peerj-cs.136. 27 Nov 2017.
  • (2016) How to Train Your Browser. ACM Transactions on Privacy and Security 19:1, 1-31. DOI: 10.1145/2939374. 19 Jul 2016.
  • (2015) Current state of research on cross-site scripting (XSS) – A systematic literature review. Information and Software Technology 58, 170-186. DOI: 10.1016/j.infsof.2014.07.010. Feb 2015.
  • (2013) Information flow tracking meets just-in-time compilation. ACM Transactions on Architecture and Code Optimization 10:4, 1-25. DOI: 10.1145/2541228.2555295. 1 Dec 2013.
  • (2013) Practical information flow for legacy web applications. Proceedings of the 8th Workshop on Implementation, Compilation, Optimization of Object-Oriented Languages, Programs and Systems, 17-28. DOI: 10.1145/2491404.2491410. 2 Jul 2013.

      Published In

      MC '07: Proceedings of the 2007 ACM/IFIP/USENIX International Conference on Middleware Companion
      November 2007
      118 pages
      ISBN: 9781595939357
      DOI: 10.1145/1377943

      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Publication History

      Published: 01 November 2007


      Author Tags

      1. SQL injection
      2. cross-site scripting
      3. dynamic checking compiler
      4. information flow tracking
      5. taint analysis
      6. web application security

      Qualifiers

      • Research-article

      Conference

      Middleware07: 8th International Middleware Conference
      November 26 - 30, 2007
      Newport Beach, California


