
    Finding Security Bugs in Web Applications using a Catalog of Access Control Patterns

    We propose a specification-free technique for finding missing security checks in web applications using a catalog of access control patterns, in which each pattern models a common access control use case. Our implementation, Space, checks that every data exposure allowed by an application's code matches an allowed exposure from a security pattern in our catalog. The only user-provided input is a mapping from application types to the types of the catalog; the rest of the process is entirely automatic. In an evaluation on the 50 most watched Ruby on Rails applications on GitHub, Space reported 33 possible bugs: 23 previously unknown security bugs and 10 false positives.
    National Science Foundation (U.S.) (Grant 0707612)

    Rubicon: Bounded Verification of Web Applications

    Rubicon is a verifier for web applications. Specifications are written in an embedded domain-specific language and are checked fully automatically. Rubicon is designed to fit with current practices: its language is based on RSpec, a popular testing framework, and its analysis leverages the standard Ruby interpreter to perform symbolic execution (generating verification conditions that are checked by the Alloy Analyzer). Rubicon has been evaluated on five open-source applications; in one, a widely used customer relationship management system, a previously unknown security flaw was revealed.
    National Science Foundation (U.S.) (CRI: CRD - Development of Alloy Technology and Materials, Grant 0707612)

    Symbolic Execution for (Almost) Free: Hijacking an Existing Implementation to Perform Symbolic Execution

    Symbolic execution of a language is traditionally achieved by replacing the language's interpreter with an entirely new interpreter. This may be an unnecessary burden, and it is tempting instead to use as much of the existing interpreter infrastructure as possible, both for handling aspects of the computation that are not symbolic and for propagating symbolic ones. This approach was used to implement Rubicon, a bounded verification system for Ruby on Rails web applications, in fewer than 1000 lines of Ruby code. Rubicon uses symbolic execution to derive verification conditions from Rails applications and an off-the-shelf solver to check them. Despite its small size, Rubicon has been used to find previously unknown bugs in open-source Rails applications. The key idea is to encode symbolic values and operations in a library written in the target language itself, overriding only a small part of the standard interpreter. We formalize this approach, showing that replacing a few key operators with symbolic versions in a standard interpreter gives the same effect as replacing the entire interpreter with a symbolic one.

    Derailer: interactive security analysis for web applications

    Derailer is an interactive tool for finding security bugs in web applications. Using symbolic execution, it enumerates the ways in which application data might be exposed. The user is asked to examine these exposures and classify the conditions under which they occur as security-related or not; in so doing, the user effectively constructs a specification of the application's security policy. The tool then highlights exposures missing security checks, which tend to be security bugs. We have tested Derailer's scalability on several large open-source Ruby on Rails applications. We have also applied it to a large number of student projects (designed with different security policies in mind), exposing a variety of security bugs that eluded human reviewers.
    National Science Foundation (U.S.) (Grant 0707612)
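    The mechanism behind Rubicon's in-language symbolic execution, and the check that Derailer and Space perform for exposures reachable without a security condition, as an added example; this is not code from any of those tools. A small Ruby library overrides comparison and boolean operators so that they build expressions instead of computing values, a path explorer reruns a program once per decision sequence, and a brute-force enumerator over a finite domain stands in for the Alloy Analyzer as the solver. The two controller actions, the policy and the variable domains are constructed for the example; SymExpr, Explorer, find_model and missing_checks are invented names.

```ruby
# Added illustration, not Rubicon's, Derailer's or Space's code: symbolic values
# as a plain Ruby library that overrides a few operators while the stock
# interpreter propagates everything else. Every name here is invented.
class SymExpr
  attr_reader :ast

  def initialize(ast)
    @ast = ast
  end

  # Wrap a concrete value so it can sit inside a symbolic expression.
  def self.lift(v)
    v.is_a?(SymExpr) ? v : new([:lit, v])
  end

  # The overridden operators: each builds an AST node instead of computing.
  %i[+ - < <= > >= == & |].each do |op|
    define_method(op) { |other| SymExpr.new([op, ast, SymExpr.lift(other).ast]) }
  end

  def !
    SymExpr.new([:not, ast])
  end

  # Evaluate an AST under a concrete assignment (used by the solver below).
  def self.concrete(ast, env)
    case ast[0]
    when :lit then ast[1]
    when :var then env.fetch(ast[1])
    when :not then !concrete(ast[1], env)
    else concrete(ast[1], env).public_send(ast[0], concrete(ast[2], env))
    end
  end

  def to_s
    case ast[0]
    when :lit, :var then ast[1].to_s
    when :not then "!#{SymExpr.new(ast[1])}"
    else "(#{SymExpr.new(ast[1])} #{ast[0]} #{SymExpr.new(ast[2])})"
    end
  end
end

# Runs the program once per decision sequence. The program routes its symbolic
# conditionals through the `branch` lambda; that is the only control-flow hook.
class Explorer
  def self.explore(prog)
    paths = []
    worklist = [[]] # decision prefixes still to run
    until worklist.empty?
      prefix = worklist.shift
      taken, conditions = [], []
      branch = lambda do |cond|
        depth = taken.length
        take = depth < prefix.length ? prefix[depth] : true
        worklist << (taken + [false]) if depth >= prefix.length # other side later
        conditions << (take ? cond : !cond)
        taken << take
        take
      end
      paths << { conditions: conditions, result: prog.call(branch) }
    end
    paths
  end
end

# Brute-force stand-in for the off-the-shelf solver: an assignment over the
# finite domains satisfying every formula, or nil (this also drops infeasible paths).
def find_model(formulas, domains)
  names = domains.keys
  doms = names.map { |n| domains[n] }
  doms.first.product(*doms.drop(1)).each do |values|
    env = names.zip(values).to_h
    return env if formulas.all? { |f| SymExpr.concrete(f.ast, env) }
  end
  nil
end

# Exposures reachable while the policy is false: the "missing security check".
def missing_checks(prog, policy, domains)
  Explorer.explore(prog).select { |p| p[:result] == :expose }.each_with_object([]) do |path, bugs|
    model = find_model(path[:conditions] + [!policy], domains)
    bugs << { path: path[:conditions].map(&:to_s), witness: model } if model
  end
end

# Toy controller actions (constructed for this example): show a post to admins
# or to its author. The buggy version forgot the ownership check.
UID, OWNER, ADMIN = %i[uid owner admin].map { |n| SymExpr.new([:var, n]) }
POLICY = (ADMIN == 1) | (UID == OWNER)
DOMAINS = { uid: [0, 1, 2], owner: [1, 2], admin: [0, 1] }

SHOW_POST_OK = lambda do |branch|
  branch.call(ADMIN == 1) || branch.call(UID == OWNER) ? :expose : :deny
end

SHOW_POST_BUGGY = lambda do |branch|
  branch.call(ADMIN == 1) || branch.call(UID > 0) ? :expose : :deny # any user, not just the author
end
```

    Calling missing_checks(SHOW_POST_OK, POLICY, DOMAINS) returns an empty list, because every path ending in an exposure carries admin == 1 or uid == owner in its path condition. On SHOW_POST_BUGGY it returns the path !(admin == 1), (uid > 0) with the witness uid: 1, owner: 2, admin: 0, that is, a non-admin reading a post they do not own. The program has to route conditionals through branch because `if` itself cannot be overridden from a library; how Rubicon handles control flow is described in the paper and is not reproduced here.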

    Inductive Verification of Data Model Invariants for Web Applications

    Modern software applications store their data in remote cloud servers. Users interact with these applications using web browsers or thin clients running on mobile devices. A key issue in the dependability of these applications is the correctness of the actions that update the data store, which are triggered by user requests. In this paper, we present techniques for automatically checking whether the actions of an application preserve the data model invariants. Our approach first automatically extracts an abstract data store from a given application using instrumented execution. The abstract data store identifies the sets of objects and relations (associations) used by the application, and the actions that update the data store by deleting or creating objects or by changing the relations among the objects. We show that checking invariants of an abstract data store corresponds to inductive invariant verification, and can be done using a mapping to First Order Logic (FOL) and a FOL theorem prover. We implemented this approach for the Rails framework and applied it to three open source applications. We found four previously unknown bugs and reported them to the developers, who confirmed and immediately fixed two of them.

    Model-based, event-driven programming paradigm for interactive web applications

    Applications are increasingly distributed and event-driven. Advances in web frameworks have made it easier to program standalone servers and their clients, but these applications remain hard to write. A model-based programming paradigm is proposed that allows a programmer to represent a distributed application as if it were a simple sequential program, with atomic actions updating a single, shared global state. A runtime environment executes the program on a collection of clients and servers, automatically handling (and hiding from the programmer) complications such as network communication (including server push), serialization, concurrency and races, persistent storage of data, and queuing and coordination of events.
    National Science Foundation (U.S.) (Grant CCF-1138967)
    National Science Foundation (U.S.) (Grant CCF-1012759)
    National Science Foundation (U.S.) (Grant CCF-0746856)

    Inference and Regeneration of Programs that Manipulate Relational Databases

    We present a new technique that infers models of programs that manipulate relational databases. This technique generates test databases and input commands, runs the program, then observes the resulting outputs and updated databases to infer the model. Because the technique works only with the externally observable inputs, outputs, and databases, it can infer the behavior of programs written in arbitrary languages using arbitrary coding styles and patterns. We also present a technique for automatically regenerating an implementation of the program based on the inferred model. The regenerator can produce a translated implementation in a different language and systematically include relevant security and error checks. We present results that illustrate the use of the technique to eliminate SQL injection vulnerabilities and to translate applications from Java and Ruby on Rails to Python.