Timothy L. Hinrichs, Daniele Rossetti, G. Petronella, V. Venkatakrishnan, A. Sistla, L. Zuck
WEBLOG is a declarative language for web application development designed to automatically eliminate several security vulnerabilities common to today's web applications. In this paper, we introduce Weblog, detail the security vulnerabilities it eliminates, and discuss how those vulnerabilities are eliminated. We then evaluate Weblog's ability to build and secure real-world applications by comparing traditional implementations of 3 existing small- to medium-size web applications to Weblog implementations.
{"title":"WEBLOG: a declarative language for secure web development","authors":"Timothy L. Hinrichs, Daniele Rossetti, G. Petronella, V. Venkatakrishnan, A. Sistla, L. Zuck","doi":"10.1145/2465106.2465119","DOIUrl":"https://doi.org/10.1145/2465106.2465119","url":null,"abstract":"WEBLOG is a declarative language for web application development designed to automatically eliminate several security vulnerabilities common to today's web applications. In this paper, we introduce Weblog, detail the security vulnerabilities it eliminates, and discuss how those vulnerabilities are eliminated. We then evaluate Weblog's ability to build and secure real-world applications by comparing traditional implementations of 3 existing small- to medium-size web applications to Weblog implementations.","PeriodicalId":119000,"journal":{"name":"ACM Workshop on Programming Languages and Analysis for Security","volume":"19 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-06-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"130307620","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Thomas H. Austin, Jean Yang, C. Flanagan, Armando Solar-Lezama
It is important for applications to protect sensitive data. Even for simple confidentiality and integrity policies, it is often difficult for programmers to reason about how the policies should interact and how to enforce policies across the program. A promising approach is policy-agnostic programming, a model that allows the programmer to implement policies separately from core functionality. Yang et al. describe Jeeves, a programming language that supports information flow policies describing how to reveal sensitive values in different output channels. Jeeves uses symbolic evaluation and constraint-solving to produce outputs adhering to the policies. This strategy provides strong confidentiality guarantees but limits expressiveness and implementation feasibility.� We extend Jeeves with faceted values, which exploit the structure of sensitive values to yield both greater expressiveness and to facilitate reasoning about runtime behavior. We present a faceted semantics for Jeeves and describe a model for propagating multiple views of sensitive information through a program. We provide a proof of termination-insensitive non-interference and describe how the semantics facilitate reasoning about program behavior.
{"title":"Faceted execution of policy-agnostic programs","authors":"Thomas H. Austin, Jean Yang, C. Flanagan, Armando Solar-Lezama","doi":"10.1145/2465106.2465121","DOIUrl":"https://doi.org/10.1145/2465106.2465121","url":null,"abstract":"It is important for applications to protect sensitive data. Even for simple confidentiality and integrity policies, it is often difficult for programmers to reason about how the policies should interact and how to enforce policies across the program. A promising approach is policy-agnostic programming, a model that allows the programmer to implement policies separately from core functionality. Yang et al. describe Jeeves, a programming language that supports information flow policies describing how to reveal sensitive values in different output channels. Jeeves uses symbolic evaluation and constraint-solving to produce outputs adhering to the policies. This strategy provides strong confidentiality guarantees but limits expressiveness and implementation feasibility.\u0000 We extend Jeeves with faceted values, which exploit the structure of sensitive values to yield both greater expressiveness and to facilitate reasoning about runtime behavior. We present a faceted semantics for Jeeves and describe a model for propagating multiple views of sensitive information through a program. We provide a proof of termination-insensitive non-interference and describe how the semantics facilitate reasoning about program behavior.","PeriodicalId":119000,"journal":{"name":"ACM Workshop on Programming Languages and Analysis for Security","volume":"5 3","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-06-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"114115270","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Ensuring that software protects its users' privacy has become an increasingly pressing challenge. Requiring software to be certified with a secure type system is one enforcement mechanism. Protecting privacy with type systems, however, has only been studied for programs written entirely in a single language, whereas software is frequently implemented using multiple languages specialized for different tasks.� This paper presents an approach that facilitates reasoning over composed languages. It outlines sufficient requirements for the component languages to lift privacy guarantees of the component languages to well-typed composed programs, significantly lowering the burden necessary to certify that such composite programs safe. The approach relies on computability and security-level separability. This paper defines completeness with respect to secure computations and formally establishes conditions sufficient for a security-typed language to be complete. We demonstrate the applicability of the results with a case study of three seminal security-typed languages.
{"title":"Security completeness: towards noninterference in composed languages","authors":"Andreas Gampe, J. Ronne","doi":"10.1145/2465106.2465122","DOIUrl":"https://doi.org/10.1145/2465106.2465122","url":null,"abstract":"Ensuring that software protects its users' privacy has become an increasingly pressing challenge. Requiring software to be certified with a secure type system is one enforcement mechanism. Protecting privacy with type systems, however, has only been studied for programs written entirely in a single language, whereas software is frequently implemented using multiple languages specialized for different tasks.\u0000 This paper presents an approach that facilitates reasoning over composed languages. It outlines sufficient requirements for the component languages to lift privacy guarantees of the component languages to well-typed composed programs, significantly lowering the burden necessary to certify that such composite programs safe. The approach relies on computability and security-level separability. This paper defines completeness with respect to secure computations and formally establishes conditions sufficient for a security-typed language to be complete. We demonstrate the applicability of the results with a case study of three seminal security-typed languages.","PeriodicalId":119000,"journal":{"name":"ACM Workshop on Programming Languages and Analysis for Security","volume":"31 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-06-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"131896920","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Xun Li, Vineeth Kashyap, J. Oberg, Mohit Tiwari, Vasanth Ram Rajarathinam, R. Kastner, T. Sherwood, B. Hardekopf, F. Chong
We describe Sapper, a language for creating critical hardware components that have provably secure information flow. Most systems that enforce information flow policies place the hardware microarchitecture within the trusted computing base, and also assume that the observable behavior of that microarchitecture is fully and correctly documented. However, the reality is that this behavior is incompletely (and sometimes incorrectly) specified, and that the microarchitecture itself often contains implementation bugs. This fact means that all such systems are vulnerable to attack by exploiting undocumented or buggy hardware features. Sapper addresses this problem by enabling flexible and efficient hardware design that is provably secure with respect to a given information flow policy. Sapper uses a hybrid approach that leverages unique language features and static analysis to determine a set of dynamic checks that are automatically inserted into the hardware design. These checks are provably sufficient to guarantee that the resulting hardware prevents all explicit, implicit, and timing channels even if the hardware is otherwise buggy or poorly documented.
{"title":"Position paper: Sapper -- a language for provable hardware policy enforcement","authors":"Xun Li, Vineeth Kashyap, J. Oberg, Mohit Tiwari, Vasanth Ram Rajarathinam, R. Kastner, T. Sherwood, B. Hardekopf, F. Chong","doi":"10.1145/2465106.2465214","DOIUrl":"https://doi.org/10.1145/2465106.2465214","url":null,"abstract":"We describe Sapper, a language for creating critical hardware components that have provably secure information flow. Most systems that enforce information flow policies place the hardware microarchitecture within the trusted computing base, and also assume that the observable behavior of that microarchitecture is fully and correctly documented. However, the reality is that this behavior is incompletely (and sometimes incorrectly) specified, and that the microarchitecture itself often contains implementation bugs. This fact means that all such systems are vulnerable to attack by exploiting undocumented or buggy hardware features. Sapper addresses this problem by enabling flexible and efficient hardware design that is provably secure with respect to a given information flow policy. Sapper uses a hybrid approach that leverages unique language features and static analysis to determine a set of dynamic checks that are automatically inserted into the hardware design. These checks are provably sufficient to guarantee that the resulting hardware prevents all explicit, implicit, and timing channels even if the hardware is otherwise buggy or poorly documented.","PeriodicalId":119000,"journal":{"name":"ACM Workshop on Programming Languages and Analysis for Security","volume":"30 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-06-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"131229668","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Aseem Rastogi, Piotr (Peter) Mardziel, M. Hicks, Matthew A. Hammer
In secure multi-party computation, mutually distrusting parties cooperatively compute functions of their private data; in the process, they only learn certain results as per the protocol (e.g., the final output). The realization of these protocols uses cryptographic techniques to avoid leaking information between the parties. A protocol for a secure computation can sometimes be optimized without changing its security guarantee: when the parties can use their private data and the revealed output to infer the values of other data, then this other data need not be concealed from them via cryptography.� In the context of automatically optimizing secure multi-party computation, we define two related problems, knowledge inference and constructive knowledge inference. In both problems, we attempt to automatically discover when and if intermediate variables in a protocol will (eventually) be known to the parties involved in the computation. We formally state the two problems and describe our solutions. We show that our approach is sound, and further, we characterize its completeness properties. We present a preliminary experimental evaluation of our approach.
{"title":"Knowledge inference for optimizing secure multi-party computation","authors":"Aseem Rastogi, Piotr (Peter) Mardziel, M. Hicks, Matthew A. Hammer","doi":"10.1145/2465106.2465117","DOIUrl":"https://doi.org/10.1145/2465106.2465117","url":null,"abstract":"In secure multi-party computation, mutually distrusting parties cooperatively compute functions of their private data; in the process, they only learn certain results as per the protocol (e.g., the final output). The realization of these protocols uses cryptographic techniques to avoid leaking information between the parties. A protocol for a secure computation can sometimes be optimized without changing its security guarantee: when the parties can use their private data and the revealed output to infer the values of other data, then this other data need not be concealed from them via cryptography.\u0000 In the context of automatically optimizing secure multi-party computation, we define two related problems, knowledge inference and constructive knowledge inference. In both problems, we attempt to automatically discover when and if intermediate variables in a protocol will (eventually) be known to the parties involved in the computation. We formally state the two problems and describe our solutions. We show that our approach is sound, and further, we characterize its completeness properties. We present a preliminary experimental evaluation of our approach.","PeriodicalId":119000,"journal":{"name":"ACM Workshop on Programming Languages and Analysis for Security","volume":"21 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-06-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"121713122","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Per A. Hallgren, Daniel T. Mauritzson, A. Sabelfeld
The HTTP and HTTPS protocols are the corner stones of the modern web. From a security point of view, they offer an all-or- nothing choice to web applications: either no security guarantees with HTTP or both confidentiality and integrity with HTTPS. How- ever, in many scenarios confidentiality is not necessary and even undesired, while integrity is essential to prevent attackers from compromising the data stream.� We propose GlassTube, a lightweight approach to web application integrity. GlassTube guarantees integrity at application level, without resorting to the heavyweight HTTPS protocol. GlassTube prevents man-in-the-middle attacks and provides a general method for integrity in web applications and smartphone apps. GlassTube is easily deployed in the form of a library on the server side, and offers flexible deployment options on the client side: from dynamic code distribution, which requires no modification of the browser, to browser plugin and smartphone app, which allow smooth key predistribution. The results of a case study with a web-based chat indicate a boost in the performance compared to HTTPS, achieved with no optimization efforts.
{"title":"GlassTube: a lightweight approach to web application integrity","authors":"Per A. Hallgren, Daniel T. Mauritzson, A. Sabelfeld","doi":"10.1145/2465106.2465432","DOIUrl":"https://doi.org/10.1145/2465106.2465432","url":null,"abstract":"The HTTP and HTTPS protocols are the corner stones of the modern web. From a security point of view, they offer an all-or- nothing choice to web applications: either no security guarantees with HTTP or both confidentiality and integrity with HTTPS. How- ever, in many scenarios confidentiality is not necessary and even undesired, while integrity is essential to prevent attackers from compromising the data stream.\u0000 We propose GlassTube, a lightweight approach to web application integrity. GlassTube guarantees integrity at application level, without resorting to the heavyweight HTTPS protocol. GlassTube prevents man-in-the-middle attacks and provides a general method for integrity in web applications and smartphone apps. GlassTube is easily deployed in the form of a library on the server side, and offers flexible deployment options on the client side: from dynamic code distribution, which requires no modification of the browser, to browser plugin and smartphone app, which allow smooth key predistribution. The results of a case study with a web-based chat indicate a boost in the performance compared to HTTPS, achieved with no optimization efforts.","PeriodicalId":119000,"journal":{"name":"ACM Workshop on Programming Languages and Analysis for Security","volume":"94 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-06-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"130719800","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
This work is about specifying and ensuring security in unreliable systems. We study systems which are subject to transient faults -- soft errors that cause stored values to be corrupted. Transient faults occur in hardware when a high-energy particle strikes a transistor, resulting in a spontaneous bit-flip. Such events have been acknowledged as the source of major crashes in server systems. The trend towards lower threshold voltages and tighter noise margins means that susceptibility to transient faults is increasing.� From a security perspective, transient faults are a known attack vector. For instance, it has been shown that a single bit flip, regardless of how is triggered, can compromise the value of a secret key in some public key and authentication systems.� Fault tolerance techniques aim to preserve properties of systems despite such transient faults. Preservation of functional correctness, however, comes at a high cost, and seems to inevitably require some special form of hardware-level replication. For the predominantly-software-based techniques, with one or two notable exceptions, most works do not give precise, formal guarantees.� In this work, rather than attempting to preserve full functional behaviour in the presence of faults, we consider the novel problem of guaranteeing security: faults may cause a program to go wrong, but even if it goes wrong it should not leak sensitive data, no matter if the code is crafted with malicious intent. The particular security characterization we study is non-interference, an information-flow security property which says that public outputs of a program (the low security channel) do not reveal anything about its secrets (the high security inputs).� Our approach has two distinguishing features. Firstly, it does not rely on special purpose fault tolerant hardware, and secondly, it makes its assumptions precise and provides formal guarantees.� We study this problem for a RISC-style machine for which the only fault-tolerant component is the ROM containing the code, but otherwise contains no special fault-tolerant components. We devise a transformation technique for programs which generates fault-tolerant noninterfering code, up to a fixed number of faults. The method is based on a strong separation of resources between different security levels, inspired by the recent technique of Secure Multi-Execution, together with a carefully chosen code and data layout, and a robust protocol for data access and control flow modifications. We prove that the transformation method yields noninterfering programs in the presence of faults, and that it preserves the meaning of a class of reasonable programs -- those which use a bounded amount of storage and which are not sensitive to exactly where in memory code and data are located.
{"title":"Fault-tolerant non-interference: invited talk abstract","authors":"David Sands","doi":"10.1145/2465106.2489089","DOIUrl":"https://doi.org/10.1145/2465106.2489089","url":null,"abstract":"This work is about specifying and ensuring security in unreliable systems. We study systems which are subject to transient faults -- soft errors that cause stored values to be corrupted. Transient faults occur in hardware when a high-energy particle strikes a transistor, resulting in a spontaneous bit-flip. Such events have been acknowledged as the source of major crashes in server systems. The trend towards lower threshold voltages and tighter noise margins means that susceptibility to transient faults is increasing.\u0000 From a security perspective, transient faults are a known attack vector. For instance, it has been shown that a single bit flip, regardless of how is triggered, can compromise the value of a secret key in some public key and authentication systems.\u0000 Fault tolerance techniques aim to preserve properties of systems despite such transient faults. Preservation of functional correctness, however, comes at a high cost, and seems to inevitably require some special form of hardware-level replication. For the predominantly-software-based techniques, with one or two notable exceptions, most works do not give precise, formal guarantees.\u0000 In this work, rather than attempting to preserve full functional behaviour in the presence of faults, we consider the novel problem of guaranteeing security: faults may cause a program to go wrong, but even if it goes wrong it should not leak sensitive data, no matter if the code is crafted with malicious intent. The particular security characterization we study is non-interference, an information-flow security property which says that public outputs of a program (the low security channel) do not reveal anything about its secrets (the high security inputs).\u0000 Our approach has two distinguishing features. Firstly, it does not rely on special purpose fault tolerant hardware, and secondly, it makes its assumptions precise and provides formal guarantees.\u0000 We study this problem for a RISC-style machine for which the only fault-tolerant component is the ROM containing the code, but otherwise contains no special fault-tolerant components. We devise a transformation technique for programs which generates fault-tolerant noninterfering code, up to a fixed number of faults. The method is based on a strong separation of resources between different security levels, inspired by the recent technique of Secure Multi-Execution, together with a carefully chosen code and data layout, and a robust protocol for data access and control flow modifications. We prove that the transformation method yields noninterfering programs in the presence of faults, and that it preserves the meaning of a class of reasonable programs -- those which use a bounded amount of storage and which are not sensitive to exactly where in memory code and data are located.","PeriodicalId":119000,"journal":{"name":"ACM Workshop on Programming Languages and Analysis for Security","volume":"66 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-06-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"124540505","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
The ubiquity of Web 2.0 applications handling sensitive information means that static analysis of applications written in JavaScript has become an important security problem. The highly dynamic nature of the language makes this difficult. The eval construct, which allows execution of a string as program code, is particularly notorious in this regard. Eval is a form of metaprogramming construct: it allows generation and manipulation of program code at run time. Other metaprogramming formalisms are more principled in their behaviour and easier to reason about; consider, for example, Lisp-style code quotations, which we call staged metaprogramming. We argue that, instead of trying to reason directly about uses of eval, we should first transform them to staged metaprogramming, then analyse the transformed program. To demonstrate the feasibility of this approach, we describe an algorithm for transforming uses of eval on strings encoding program text into uses of staged metaprogramming with quoted program terms. We present our algorithm in the context of a JavaScript-like language augmented with staged metaprogramming.
{"title":"Position paper: the science of boxing","authors":"M. Lester","doi":"10.1145/2465106.2465120","DOIUrl":"https://doi.org/10.1145/2465106.2465120","url":null,"abstract":"The ubiquity of Web 2.0 applications handling sensitive information means that static analysis of applications written in JavaScript has become an important security problem. The highly dynamic nature of the language makes this difficult. The eval construct, which allows execution of a string as program code, is particularly notorious in this regard. Eval is a form of metaprogramming construct: it allows generation and manipulation of program code at run time. Other metaprogramming formalisms are more principled in their behaviour and easier to reason about; consider, for example, Lisp-style code quotations, which we call staged metaprogramming. We argue that, instead of trying to reason directly about uses of eval, we should first transform them to staged metaprogramming, then analyse the transformed program. To demonstrate the feasibility of this approach, we describe an algorithm for transforming uses of eval on strings encoding program text into uses of staged metaprogramming with quoted program terms. We present our algorithm in the context of a JavaScript-like language augmented with staged metaprogramming.","PeriodicalId":119000,"journal":{"name":"ACM Workshop on Programming Languages and Analysis for Security","volume":"27 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-06-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"121293590","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Theories of quantitative information flow have seen growing interest recently, in view of the fundamental importance of controlling the leakage of confidential information, together with the pragmatic necessity of tolerating intuitively "small" leaks. Given such a theory, it is crucial to develop automated techniques for calculating the leakage in a system. In this paper, we address this question in the context of deterministic imperative programs and under the recently-proposed min-entropy measure of information leakage, which measures leakage in terms of the confidential information's vulnerability to being guessed in one try by an adversary. In this context, calculating the maximum leakage of a program reduces to counting the number of feasible outputs that it can produce. We approach this task by determining patterns among pairs of bits in the output, for instance by determining that two bits must be unequal. By counting the number of solutions to the two-bit patterns, we obtain an upper bound on the number of feasible outputs and hence on the leakage. We explore the effectiveness of our approach on a number of case studies, in terms of both efficiency and accuracy.
{"title":"Calculating bounds on information leakage using two-bit patterns","authors":"Ziyuan Meng, Geoffrey Smith","doi":"10.1145/2166956.2166957","DOIUrl":"https://doi.org/10.1145/2166956.2166957","url":null,"abstract":"Theories of quantitative information flow have seen growing interest recently, in view of the fundamental importance of controlling the leakage of confidential information, together with the pragmatic necessity of tolerating intuitively \"small\" leaks. Given such a theory, it is crucial to develop automated techniques for calculating the leakage in a system. In this paper, we address this question in the context of deterministic imperative programs and under the recently-proposed min-entropy measure of information leakage, which measures leakage in terms of the confidential information's vulnerability to being guessed in one try by an adversary. In this context, calculating the maximum leakage of a program reduces to counting the number of feasible outputs that it can produce. We approach this task by determining patterns among pairs of bits in the output, for instance by determining that two bits must be unequal. By counting the number of solutions to the two-bit patterns, we obtain an upper bound on the number of feasible outputs and hence on the leakage. We explore the effectiveness of our approach on a number of case studies, in terms of both efficiency and accuracy.","PeriodicalId":119000,"journal":{"name":"ACM Workshop on Programming Languages and Analysis for Security","volume":"23 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2011-06-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"128861076","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Web applications are vulnerable to semantic attacks such as denial of service due to infinite loops caused by malicious inputs and unauthorized database operations due to missing security checks. Unlike "conventional" threats such as SQL injection and cross-site scripting, these attacks exploit bugs in the logic of the vulnerable application and cannot be discovered using data-flow analysis alone.� We give the first characterization of these types of vulnerabilities in PHP applications, develop novel inter-procedural algorithms for discovering them in PHP source code, and implement these algorithms as part of SaferPHP, a framework for static security analysis of PHP applications. SaferPHP uncovered multiple, previously unreported vulnerabilities in several popular Web applications.
{"title":"SAFERPHP: finding semantic vulnerabilities in PHP applications","authors":"Sooel Son, Vitaly Shmatikov","doi":"10.1145/2166956.2166964","DOIUrl":"https://doi.org/10.1145/2166956.2166964","url":null,"abstract":"Web applications are vulnerable to semantic attacks such as denial of service due to infinite loops caused by malicious inputs and unauthorized database operations due to missing security checks. Unlike \"conventional\" threats such as SQL injection and cross-site scripting, these attacks exploit bugs in the logic of the vulnerable application and cannot be discovered using data-flow analysis alone.\u0000 We give the first characterization of these types of vulnerabilities in PHP applications, develop novel inter-procedural algorithms for discovering them in PHP source code, and implement these algorithms as part of SaferPHP, a framework for static security analysis of PHP applications. SaferPHP uncovered multiple, previously unreported vulnerabilities in several popular Web applications.","PeriodicalId":119000,"journal":{"name":"ACM Workshop on Programming Languages and Analysis for Security","volume":"38 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2011-06-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"115037196","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
京公网安备 11010802042870号
京ICP备2023020795号-1
扫码关注我们
求助内容:
应助结果提醒方式: