Issue No. 01 - January 2008 (vol. 34), pp. 50-64
ABSTRACT
Web applications are widely adopted and their correct functioning is mission-critical for many businesses. At the same time, web applications tend to be error-prone, and implementation vulnerabilities are readily and commonly exploited by attackers. The design of countermeasures that detect or prevent such vulnerabilities, or that protect against their exploitation, is an important research challenge for the fields of software engineering and security engineering. In this paper, we focus on one specific type of implementation vulnerability, namely broken dependencies on session data. This vulnerability can lead to a variety of erroneous behaviour at run time and can easily be triggered by a malicious user through attack techniques such as forceful browsing. This paper shows how to guarantee the absence of run-time errors due to broken dependencies on session data in web applications. The proposed solution combines development-time program annotation, static verification and run-time checking to provably protect against broken data dependencies. We have developed a prototype implementation of our approach building on the JML annotation language and the existing static verification tool ESC/Java2, and we successfully applied our approach to a representative J2EE-based e-commerce application. We show that the annotation overhead is very small, that the performance of the fully automatic static verification is acceptable, and that the performance overhead of the run-time checking is limited.
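The following is an added illustration of the two halves of the approach the abstract describes (a static check that session-data requirements hold on every server-offered navigation path, plus a run-time guard that catches requests which skip steps); it is not the paper's JML/ESC/Java2 prototype, and the servlet names, contracts and navigation graph are constructed for this example.

```python
"""Constructed illustration: session-data dependency checking for a web flow.

Each servlet declares which session keys it requires on entry and which it
ensures (stores) before returning to the client. verify_static() walks the
assumed navigation graph from the entry servlet and reports any servlet that
is reachable with an unmet requirement. guard() re-checks the same requirement
per request, which is what stops a client that jumps straight to a later page."""
from collections import deque

# Constructed contracts for a small e-commerce flow (hypothetical servlet names).
CONTRACTS = {
    "Login":     {"requires": set(),             "ensures": {"user"}},
    "Catalog":   {"requires": {"user"},          "ensures": set()},
    "AddToCart": {"requires": {"user"},          "ensures": {"cart"}},
    "Checkout":  {"requires": {"user", "cart"},  "ensures": {"order"}},
    "Receipt":   {"requires": {"order"},         "ensures": set()},
}
# Constructed navigation graph: the links each page emits. Catalog links to
# Checkout directly, so a user who never added an item reaches Checkout
# without "cart" in the session: a broken dependency the static pass must find.
NAV = {"Login": ["Catalog"], "Catalog": ["AddToCart", "Checkout"],
       "AddToCart": ["Catalog", "Checkout"], "Checkout": ["Receipt"], "Receipt": []}
# Same flow with the offending link removed: Checkout is only reachable via AddToCart.
FIXED_NAV = dict(NAV, Catalog=["AddToCart"])


def verify_static(contracts, nav, entry):
    """Return {servlet: missing keys} for every reachable unmet requirement.
    Explored state is (servlet, keys guaranteed present on entry); the walk is
    a breadth-first search over that finite state space."""
    broken, seen = {}, set()
    todo = deque([(entry, frozenset())])
    while todo:
        name, have = todo.popleft()
        if (name, have) in seen:
            continue
        seen.add((name, have))
        missing = contracts[name]["requires"] - have
        if missing:
            broken.setdefault(name, set()).update(missing)
            continue  # the servlet would fail here, so do not explore beyond it
        after = have | contracts[name]["ensures"]
        for nxt in nav[name]:
            todo.append((nxt, after))
    return broken


def guard(contracts, name, session):
    """Run-time check before dispatch: True only if every required key is present."""
    return contracts[name]["requires"] <= set(session)
```

Running `verify_static(CONTRACTS, NAV, "Login")` flags Checkout for the missing `cart` key, the corrected graph verifies clean, and `guard` still rejects a request that lands on Checkout with only `user` in the session.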
INDEX TERMS
Software/Program Verification, Security, Security and Protection, Reliability, Data sharing, Web-based services, Web technologies
CITATION
Lieven Desmet, Pierre Verbaeten, Wouter Joosen, Frank Piessens, "Provable Protection against Web Application Vulnerabilities Related to Session Data Dependencies", IEEE Transactions on Software Engineering, vol.34, no. 1, pp. 50-64, January 2008, doi:10.1109/TSE.2007.70742