ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Using static analysis for Ajax intrusion detection
Full text PdfPdf (1.02 MB)
Source
International World Wide Web Conference archive
Proceedings of the 18th international conference on World wide web table of contents
Madrid, Spain
SESSION: Security and privacy/session: web security table of contents
Pages 561-570  
Year of Publication: 2009
ISBN:978-1-60558-487-4
Authors
Arjun Guha  Brown University, Providence, RI, USA
Shriram Krishnamurthi  Brown University, Providence, RI, USA
Trevor Jim  AT&T Labs-Research, Florham Park, NJ, USA
Sponsor
ACM: Association for Computing Machinery
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 52,   Downloads (12 Months): 203,   Citation Count: 0
Additional Information:

abstract   references   index terms   collaborative colleagues  

Tools and Actions: Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/1526709.1526785
What is a DOI?

ABSTRACT

We present a static control-flow analysis for JavaScript programs running in a web browser. Our analysis tackles numerous challenges posed by modern web applications including asynchronous communication, frameworks, and dynamic code generation. We use our analysis to extract a model of expected client behavior as seen from the server, and build an intrusion-prevention proxy for the server: the proxy intercepts client requests and disables those that do not meet the expected behavior. We insert random asynchronous requests to foil mimicry attacks. Finally, we evaluate our technique against several real applications and show that it protects against an attack in a widely-used web application.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

1
Davide Balzarotti , Marco Cova , Viktoria V. Felmetsger , Giovanni Vigna, Multi-module vulnerability analysis of web-based applications, Proceedings of the 14th ACM conference on Computer and communications security, October 28-31, 2007, Alexandria, Virginia, USA  [doi>10.1145/1315245.1315250]
 
2
Craig Chambers , David Ungar, Iterative type analysis and extended message splitting: optimizing dynamically-typed object-oriented programs, Lisp and Symbolic Computation, v.4 n.3, p.283-310, July 1991  [doi>10.1007/BF01806109]
3
Suresh N. Chari , Pau-Chen Cheng, BlueBoX: A policy-driven, host-based intrusion detection system, ACM Transactions on Information and System Security (TISSEC), v.6 n.2, p.173-200, May 2003  [doi>10.1145/762476.762477]
4
Stephen Chong , Jed Liu , Andrew C. Myers , Xin Qi , K. Vikram , Lantian Zheng , Xin Zheng, Secure web application via automatic partitioning, Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles, October 14-17, 2007, Stevenson, Washington, USA
 
5
D. Crockford. JSON. http://www.json.org/.
 
6
M. Egele, M. Szydlowski, E. Kirda1, and C. Kruegel. Using static program analysis to aid intrusion detection. In Detection of Intrusions and Malware and Vulnerability Assessment, 2006.
 
7
Henry Hanping Feng , Oleg M. Kolesnikov , Prahlad Fogla , Wenke Lee , Weibo Gong, Anomaly Detection Using Call Stack Information, Proceedings of the 2003 IEEE Symposium on Security and Privacy, p.62, May 11-14, 2003
8
Cormac Flanagan , Matthias Felleisen, Componential set-based analysis, ACM Transactions on Programming Languages and Systems (TOPLAS), v.21 n.2, p.370-416, March 1999  [doi>10.1145/316686.316703]
 
9
Stephanie Forrest , Steven A. Hofmeyr , Anil Somayaji , Thomas A. Longstaff, A Sense of Self for Unix Processes, Proceedings of the 1996 IEEE Symposium on Security and Privacy, p.120, May 06-08, 1996
10
Carrie Gates , Carol Taylor, Challenging the anomaly detection paradigm: a provocative discussion, Proceedings of the 2006 workshop on New security paradigms, September 19-22, 2006, Germany  [doi>10.1145/1278940.1278945]
 
11
Jonathon T. Giffin , Somesh Jha , Barton P. Miller, Detecting Manipulated Remote Call Streams, Proceedings of the 11th USENIX Security Symposium, p.61-79, August 05-09, 2002
 
12
J. T. Giffin, S. Jha, and B. P. Miller. Efficient context--sensitive intrusion detection. In Network and Distributed System Security Symposium, 2004.
 
13
Google. GWT: Google web toolkit. http://code.google.com/webtoolkit/.
 
14
J. Gross. Ajax IM. http://www.ajaxim.com/.
15
Jeffrey Heer , Stuart K. Card , James A. Landay, prefuse: a toolkit for interactive information visualization, Proceedings of the SIGCHI conference on Human factors in computing systems, April 02-07, 2005, Portland, Oregon, USA  [doi>10.1145/1054972.1055031]
16
Susan Horwitz, Identifying the semantic and textual differences between two versions of a program, Proceedings of the ACM SIGPLAN 1990 conference on Programming language design and implementation, p.234-245, June 1990, White Plains, New York, United States
17
Ranjit Jhala , Rupak Majumdar, Interprocedural analysis of asynchronous programs, Proceedings of the 34th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages, January 17-19, 2007, Nice, France
18
Trevor Jim , Nikhil Swamy , Michael Hicks, Defeating script injection attacks with browser-enforced embedded policies, Proceedings of the 16th international conference on World Wide Web, May 08-12, 2007, Banff, Alberta, Canada  [doi>10.1145/1242572.1242654]
 
19
Nenad Jovanovic , Christopher Kruegel , Engin Kirda, Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper), Proceedings of the 2006 IEEE Symposium on Security and Privacy, p.258-263, May 21-24, 2006  [doi>10.1109/SP.2006.29]
20
Emre Kiciman , Benjamin Livshits, AjaxScope: a platform for remotely monitoring the client-side behavior of web 2.0 applications, Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles, October 14-17, 2007, Stevenson, Washington, USA
 
21
Daniel R. Licata , Shriram Krishnamurthi, Verifying Interactive Web Programs, Proceedings of the 19th IEEE international conference on Automated software engineering, p.164-173, September 20-24, 2004  [doi>10.1109/ASE.2004.76]
 
22
G. A. Di Lucca , A. R. Fasolino , M. Mastoianni , P. Tramontana, Identifying Cross Site Scripting Vulnerabilities in Web Applications, Proceedings of the Web Site Evolution, Sixth IEEE International Workshop, p.71-80, September 11-11, 2004
23
Flemming Nielson , Hanne Riis Nielson, Infinitary control flow analysis: a collecting semantics for closure analysis, Proceedings of the 24th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, p.332-345, January 15-17, 1997, Paris, France  [doi>10.1145/263699.263745]
 
24
S. D. Paula and G. Fedon. Subverting AJAX. In CCC Chaos Communications Conference, 2006.
 
25
Prototype Core Team. Prototype JavaScript Framework. http://www.prototypejs.org/.
 
26
Mohan Rajagopalan , Matti A. Hiltunen , Trevor Jim , Richard D. Schlichting, System Call Monitoring Using Authenticated System Calls, IEEE Transactions on Dependable and Secure Computing, v.3 n.3, p.216-229, July 2006  [doi>10.1109/TDSC.2006.41]
 
27
Charles Reis , John Dunagan , Helen J. Wang , Opher Dubrovsky , Saher Esmeir, BrowserShield: vulnerability-driven filtering of dynamic HTML, Proceedings of the 7th USENIX Symposium on Operating Systems Design and Implementation, p.5-5, November 06-08, 2006, Seattle, WA
 
28
J. C. Reynolds. Automatic computation of data set definitions. In Information Processing, 1968.
 
29
M. Sharif, K. Singh, J. Giffin, and W. Lee. Understanding precision in host based intrusion detection. In RAID Recent Advances in Intrusion Detection, 2007.
30
Zhendong Su , Gary Wassermann, The essence of command injection attacks in web applications, Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages, p.372-382, January 11-13, 2006, Charleston, South Carolina, USA
 
31
The Flapjax Team. Flapjax. http://www.flapjax-lang.org/.
32
David Ungar , Randall B. Smith, Self: The power of simplicity, Conference proceedings on Object-oriented programming systems, languages and applications, p.227-242, October 04-08, 1987, Orlando, Florida, United States
 
33
David Wagner , Drew Dean, Intrusion Detection via Static Analysis, Proceedings of the 2001 IEEE Symposium on Security and Privacy, p.156, May 14-16, 2001
 
34
Yichen Xie , Alex Aiken, Static detection of security vulnerabilities in scripting languages, Proceedings of the 15th conference on USENIX Security Symposium, July 31-August 04, 2006, Vancouver, B.C., Canada
35
Dachuan Yu , Ajay Chander , Nayeem Islam , Igor Serikov, JavaScript instrumentation for browser security, Proceedings of the 34th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages, January 17-19, 2007, Nice, France

INDEX TERMS

Primary Classification:
  D. Software
  D.2 SOFTWARE ENGINEERING
      D.2.4 Software/Program Verification
          Subjects: Reliability


General Terms:
Languages, Security


Keywords:
Ajax, control-flow analysis, intrusion detection, javascript

Collaborative Colleagues:
Arjun Guha: colleagues
Shriram Krishnamurthi: colleagues
Trevor Jim: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player