11 research outputs found
CSSXC: Context-sensitive Sanitization Framework for Web Applications against XSS Vulnerabilities in Cloud Environments
AbstractThis paper presents a context-sensitive sanitization based XSS defensive framework for the cloud environment. It discovers all the hidden injection points in HTML5-based web applications deployed on the platforms of cloud and sanitizes the XSS attack payloads injected in such points in a context sensitive manner. The identification of such injection points permits our technique to retrieve each possible web page of application, allowing a wider exploration and accelerating the process of applying the sanitizers on the untrusted variables of web application. The XSS attack mitigation capability of our framework was evaluated on web applications deployed for the cloud users in the cloud environment. The experimental results reveal that this technique detects the XSS attack payloads with minimum rate of false negatives and less runtime overhead
Data-flow Analysis of Programs with Associative Arrays
Dynamic programming languages, such as PHP, JavaScript, and Python, provide
built-in data structures including associative arrays and objects with similar
semantics-object properties can be created at run-time and accessed via
arbitrary expressions. While a high level of security and safety of
applications written in these languages can be of a particular importance
(consider a web application storing sensitive data and providing its
functionality worldwide), dynamic data structures pose significant challenges
for data-flow analysis making traditional static verification methods both
unsound and imprecise. In this paper, we propose a sound and precise approach
for value and points-to analysis of programs with associative arrays-like data
structures, upon which data-flow analyses can be built. We implemented our
approach in a web-application domain-in an analyzer of PHP code.Comment: In Proceedings ESSS 2014, arXiv:1405.055
Type-based Dependency Analysis for JavaScript
Dependency analysis is a program analysis that determines potential data flow
between program points. While it is not a security analysis per se, it is a
viable basis for investigating data integrity, for ensuring confidentiality,
and for guaranteeing sanitization. A noninterference property can be stated and
proved for the dependency analysis. We have designed and implemented a
dependency analysis for JavaScript. We formalize this analysis as an
abstraction of a tainting semantics. We prove the correctness of the tainting
semantics, the soundness of the abstraction, a noninterference property, and
the termination of the analysis.Comment: Technical Repor
Next Generation Black-Box Web Application Vulnerability Analysis Framework
abstract: Web applications are an incredibly important aspect of our modern lives. Organizations
and developers use automated vulnerability analysis tools, also known as
scanners, to automatically find vulnerabilities in their web applications during development.
Scanners have traditionally fallen into two types of approaches: black-box
and white-box. In the black-box approaches, the scanner does not have access to the
source code of the web application whereas a white-box approach has access to the
source code. Today’s state-of-the-art black-box vulnerability scanners employ various
methods to fuzz and detect vulnerabilities in a web application. However, these
scanners attempt to fuzz the web application with a number of known payloads and
to try to trigger a vulnerability. This technique is simple but does not understand
the web application that it is testing. This thesis, presents a new approach to vulnerability
analysis. The vulnerability analysis module presented uses a novel approach
of Inductive Reverse Engineering (IRE) to understand and model the web application.
IRE first attempts to understand the behavior of the web application by giving
certain number of input/output pairs to the web application. Then, the IRE module
hypothesizes a set of programs (in a limited language specific to web applications,
called AWL) that satisfy the input/output pairs. These hypotheses takes the form of
a directed acyclic graph (DAG). AWL vulnerability analysis module can then attempt
to detect vulnerabilities in this DAG. Further, it generates the payload based on the
DAG, and therefore this payload will be a precise payload to trigger the potential vulnerability
(based on our understanding of the program). It then tests this potential
vulnerability using the generated payload on the actual web application, and creates
a verification procedure to see if the potential vulnerability is actually vulnerable,
based on the web application’s response.Dissertation/ThesisMasters Thesis Computer Science 201
Automated Dynamic Firmware Analysis at Scale: A Case Study on Embedded Web Interfaces
Embedded devices are becoming more widespread, interconnected, and
web-enabled than ever. However, recent studies showed that these devices are
far from being secure. Moreover, many embedded systems rely on web interfaces
for user interaction or administration. Unfortunately, web security is known to
be difficult, and therefore the web interfaces of embedded systems represent a
considerable attack surface.
In this paper, we present the first fully automated framework that applies
dynamic firmware analysis techniques to achieve, in a scalable manner,
automated vulnerability discovery within embedded firmware images. We apply our
framework to study the security of embedded web interfaces running in
Commercial Off-The-Shelf (COTS) embedded devices, such as routers, DSL/cable
modems, VoIP phones, IP/CCTV cameras. We introduce a methodology and implement
a scalable framework for discovery of vulnerabilities in embedded web
interfaces regardless of the vendor, device, or architecture. To achieve this
goal, our framework performs full system emulation to achieve the execution of
firmware images in a software-only environment, i.e., without involving any
physical embedded devices. Then, we analyze the web interfaces within the
firmware using both static and dynamic tools. We also present some interesting
case-studies, and discuss the main challenges associated with the dynamic
analysis of firmware images and their web interfaces and network services. The
observations we make in this paper shed light on an important aspect of
embedded devices which was not previously studied at a large scale.
We validate our framework by testing it on 1925 firmware images from 54
different vendors. We discover important vulnerabilities in 185 firmware
images, affecting nearly a quarter of vendors in our dataset. These
experimental results demonstrate the effectiveness of our approach
Towards fully automatic placement of security sanitizers and declassifiers
A great deal of research on sanitizer placement, sanitizer correctness, checking path validity, and policy inference, has been done in the last five to ten years, involving type systems, static analysis and run-time monitoring and enforcement. However, in pretty much all work thus far, the burden of sanitizer placement has fallen on the developer. However, sanitizer placement in large-scale applications is difficult, and developers are likely to make errors, and thus create security vulnerabilities. This paper advocates a radically different approach: we aim to fully automate the placement of sanitizers by analyzing the flow of tainted data in the program. We argue that developers are better off leaving out sanitizers entirely instead of trying to place them. This paper proposes a fully automatic technique for sanitizer placement. Placement is static whenever possible, switching to run time when necessary. Run-time taint tracking techniques can be used to track the source of a value, and thus apply appropriate sanitization. However, due to the run-time overhead of run-time taint tracking, our technique avoids it wherever possible
Recommended from our members
Towards Fully Automatic Placement of Security Sanitizers and Declassifiers
A great deal of research on sanitizer placement, sanitizer correctness, checking path validity, and policy inference, has been done in the last five to ten years, involving type systems, static analysis and runtime monitoring and enforcement. However, in pretty much all work thus far, the burden on sanitizer placement has fallen on the developer. However, sanitizer placement in large-scale applications is difficult, and developers are likely to make errors, and thus create security vulnerabilities. This paper advocates a radically different approach: we aim to fully automate the placement of sanitizers by analyzing the flow of tainted data in the program. We argue that developers are better off leaving out sanitizers entirely instead of trying to place them. This paper proposes a fully automatic technique for sanitizer placement. Placement is static whenever possible, switching to run time when necessary. Run-time taint tracking techniques can be used to track the source of a value, and thus apply appropriate sanitization. However, due to the runtime overhead of run-time taint tracking, our technique avoids it wherever possible.Engineering and Applied Science