Yao-Wen Huang

Securing web application code by static analysis and runtime protection

Security remains a major roadblock to universal acceptance of the Web for many kinds of transactions, especially since the recent sharp increase in remotely exploitable vulnerabilities have been attributed to Web application bugs. Many verification tools are discovering previously unknown vulnerabilities in legacy C programs, raising hopes that the same success can be achieved with Web applications. In this paper, we describe a sound and holistic approach to ensuring Web application security. Viewing Web application vulnerabilities as a secure information flow problem, we created a lattice-based static analysis algorithm derived from type systems and typestate, and addressed its soundness. During the analysis, sections of code considered vulnerable are instrumented with runtime guards, thus securing Web applications in the absence of user intervention. With sufficient annotations, runtime overhead can be reduced to zero. We also created a tool named.WebSSARI (Web application Security by Static Analysis and Runtime Inspection) to test our algorithm, and used it to verify 230 open-source Web application projects on SourceForge.net, which were selected to represent projects of different maturity, popularity, and scale. 69 contained vulnerabilities. After notifying the developers, 38 acknowledged our findings and stated their plans to provide patches. Our statistics also show that static analysis reduced potential runtime overhead by 98.4%.

Web application security assessment by fault injection and behavior monitoring

As a large and complex application platform, the World Wide Web is capable of delivering a broad range of sophisticated applications. However, many Web applications go through rapid development phases with extremely short turnaround time, making it difficult to eliminate vulnerabilities. Here we analyze the design of Web application security assessment mechanisms in order to identify poor coding practices that render Web applications vulnerable to attacks such as SQL injection and cross-site scripting. We describe the use of a number of software-testing techniques (including dynamic analysis, black-box testing, fault injection, and behavior monitoring), and suggest mechanisms for applying these techniques to Web applications. Real-world situations are used to test a tool we named the Web Application Vulnerability and Error Scanner (WAVES, an open-source project available at http://waves.sourceforge.net) and to compare it with other tools. Our results show that WAVES is a feasible platform for assessing Web application security.

A testing framework for Web application security assessment

The rapid development phases and extremely short turnaround time of Web applications make it difficult to eliminate their vulnerabilities. Here we study how software testing techniques such as fault injection and runtime monitoring can be applied to Web applications. We implemented our proposed mechanisms in the Web Application Vulnerability and Error Scanner (WAVES)--a black-box testing framework for automated Web application security assessment. Real-world situations are used to test WAVES and to compare it with other tools. Our results show that WAVES is a feasible platform for assessing Web application security.

Verifying Web applications using bounded model checking

The authors describe the use of bounded model checking (BMC) for verifying Web application code. Vulnerable sections of code are patched automatically with runtime guards, allowing both verification and assurance to occur without user intervention. Model checking techniques are relatively complex compared to the typestate-based polynomial-time algorithm (TS) we adopted in an earlier paper, but they offer three benefits - they provide counterexamples, more precise models, and sound and complete verification. Compared to conventional model checking techniques, BMC offers a more practical approach to verifying programs containing large numbers of variables, but requires fixed program diameters to be complete. Formalizing Web application vulnerabilities as a secure information flow problem with fixed diameter allows for BMC application without drawback. Using BMC-produced counterexamples, errors that result from propagations of the same initial error can be reported as a single group rather than individually. This offers two distinct benefits. First, together with the counterexamples themselves, they allow for more descriptive and precise error reports. Second, it allows for automated patching at locations where errors are initially introduced rather than at locations where the propagated errors cause problems. Results from a TS-BMC comparison test using 230 open-source Web applications showed a 41.0% decrease in runtime instrumentations when BMC was used. In the 38 vulnerable projects identified by TS, BMC classified the TS-reported 980 individual errors into 578 groups, with each group requiring a minimal set of patches for repair.

Non-detrimental Web application security scanning

The World Wide Web has become a sophisticated platform capable of delivering a broad range of applications. However, its rapid growth has resulted in numerous security problems that current technologies cannot address. Researchers from both academic and private sector are devoting a considerable amount of resources to the development of Web application security scanners (i.e., automated software testing platforms for Web application security auditing) with some success. However, little is known about their potential side effects. It is possible for an auditing process to induce permanent changes in an applications state. Due to this potential, we have so far avoided large-scale empirical evaluations of our Web Application Vulnerability and Error Scanner (WAVES). we introduce a testing methodology that allows for harmless auditing, define three testing modes - heavy, relaxed, and safe modes, and report our results from two experiments. In the first, we compared the coverage and side effects of the three scanning modes using 5 real-world Web applications chosen from the 38 found vulnerable in a previous static verification effort. In the second, we used the relaxed mode to conduct a 48-hour test involving 1120 random Web sites, of which 55 were found to be vulnerable.

Web Application Security—Past, Present, and Future

Web application security remains a major roadblock to universal acceptance of the Web for many kinds of online transactions, especially since the recent sharp increase in remotely exploitable vulnerabilities has been attributed to Web application bugs. In software engineering, software testing is an established and well-researched process for improving software quality. Recently, formal verification tools have also shown success in discovering vulnerabilities in C programs. In this chapter we shall discuss how to apply software testing and verification algorithms to Web applications and improve their security attributes. Two of the most common Web application vulnerabilities that are known to date are script injection, e.g., SQL injection, and cross-site scripting (XSS). We will formalize these vulnerabilities as problems related to information flow security—a conventional topic in security research. Using this formalization, we then present two tools, WAVES (Web Application Vulnerability and Error Scanner) and Web-SSARI (Web Application Security via Static Analysis and Runtime Inspection), which respectively utilize software testing and verification to deal in particular with script injection and XSS and address in general the Web application security problems. Finally we will present some results obtained by applying these tools to real-world Web applications that are in use today, and give some suggestions about the future research direction in this area.

Bounded Model Checking for Region Automata

For successful software verification, model checkers must be capable of handling a large number of program variables. Traditional, BDD-based model checking is deficient in this regard, but bounded model checking (BMC) shows some promise. However, unlike traditional model checking, for which time systems have been thoroughly researched, BMC is less capable of modeling timing behavior – an essential task for verifying many types of software. Here we describe a new bounded model checker we have named xBMC, which we believe solves the reachability problem of dense-time systems. In xBMC, regions and transition relations are represented as Boolean formulae using discrete interpretations. In an experiment using well- developed model checkers to verify Fischer’s protocol, xBMC outperformed both traditional (Kronos [8], Uppaal [16], and Red [26]) and bounded (SAL [21]) model checkers by being able to verify up to 22 processes, followed by Red with 15 processes. Therefore, although xBMC is less efficient in guaranteeing system correctness, it provides an effective and practical method for timing behavior verification of large systems.

Efficient exact spare allocation via Boolean satisfiability

Fabricating large memory and processor arrays is subject to physical failures resulting in yield degradation. The strategy of incorporating spare rows and columns to obtain reasonable production yields was first proposed in the 1970s, and continues to play an important role in recent VLSI developments. The spare allocation problem (SAP) in general is known to be intractable, an efficient exact spare allocation algorithm has great value. We propose a new Boolean encoding of SAP and a new SAT-based exact algorithm SATRepair. We used a realistic fault distribution model to compare SATRepairs performances against those of BDDRepair and several algorithms found in the literature. We found that a) our Boolean encoding of SAP facilitates the development of efficient exact SAP algorithms, and b) our SAT-based algorithm outperforms previous algorithms, especially for large problems.