ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Digital Library logoTake a look at the new version of this page: [ beta version ]. Tell us what you think.
Improving application security with data flow assertions
Full text PdfPdf (572 KB)
Source
ACM Symposium on Operating Systems Principles archive
Proceedings of the ACM SIGOPS 22nd symposium on Operating systems principles table of contents
Big Sky, Montana, USA
SESSION: Security table of contents
Pages: 291-304  
Year of Publication: 2009
ISBN:978-1-60558-752-3
Authors
Alexander Yip  MIT, Cambridge, MA, USA
Xi Wang  MIT, Cambridge, MA, USA
Nickolai Zeldovich  MIT, Cambridge, MA, USA
M. Frans Kaashoek  MIT, Cambridge, MA, USA
Sponsors
ACM: Association for Computing Machinery
SIGOPS: ACM Special Interest Group on Operating Systems
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 40,   Downloads (12 Months): 116,   Citation Count: 0
Additional Information:

abstract   references   index terms   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/1629575.1629604
What is a DOI?

ABSTRACT

Resin is a new language runtime that helps prevent security vulnerabilities, by allowing programmers to specify application-level data flow assertions. Resin provides policy objects, which programmers use to specify assertion code and metadata; data tracking, which allows programmers to associate assertions with application data, and to keep track of assertions as the data flow through the application; and filter objects, which programmers use to define data flow boundaries at which assertions are checked. Resin's runtime checks data flow assertions by propagating policy objects along with data, as that data moves through the application, and then invoking filter objects when data crosses a data flow boundary, such as when writing data to the network or a file.

Using Resin, Web application programmers can prevent a range of problems, from SQL injection and cross-site scripting, to inadvertent password disclosure and missing access control checks. Adding a Resin assertion to an application requires few changes to the existing application code, and an assertion can reuse existing code and data structures. For instance, 23 lines of code detect and prevent three previously-unknown missing access control vulnerabilities in phpBB, a popular Web forum application. Other assertions comprising tens of lines of code prevent a range of vulnerabilities in Python and PHP applications. A prototype of Resin incurs a 33% CPU overhead running the HotCRP conference management application.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
Gail-Joon Ahn , Wenjuan Xu , Xinwen Zhang, Systematic Policy Analysis for High-Assurance Services in SELinux, Proceedings of the 2008 IEEE Workshop on Policies for Distributed Systems and Networks, p.3-10, June 02-04, 2008  [doi>10.1109/POLICY.2008.18]
 
2
A.H. Anderson. An introduction to the web services policy language (WSPL). In Proc. of the 2004 POLICY Workshop, pages 189--192, Yorktown Heights, NY, June 2004.
 
3
J. Bae. Vulnerability of uploading files with multiple extensions in phpBB attachment mod. http://seclists.org/fulldisclosure/2004/Dec/0347.html.CVE-2004-1404.
4
Steve Barker, The next 700 access control models or a unifying meta-model?, Proceedings of the 14th ACM symposium on Access control models and technologies, June 03-05, 2009, Stresa, Italy  [doi>10.1145/1542207.1542238]
 
5
M. Barnett, B.-Y. E. Chang, R. DeLine, B. Jacobs, and K.R.M. Leino. Boogie: A modular reusable verifier for object-oriented programs. In Proc. of the 4th International Symposium on Formal Methods for Components and Objects, pages 364--387, Amsterdam, The Netherlands, November 2005.
 
6
M. Barnett, K. Rustan, M. Leino, and W. Schulte. The Spec# programming system: An overview. In Proc. of the Workshop on Construction and Analysis of Safe, Secure and Interoperable Smart devices, pages 49--69, Marseille, France, March 2004.
7
Lujo Bauer , Jay Ligatti , David Walker, Composing security policies with polymer, Proceedings of the 2005 ACM SIGPLAN conference on Programming language design and implementation, June 12-15, 2005, Chicago, IL, USA
8
Walter Chang , Brandon Streiff , Calvin Lin, Efficient and extensible security enforcement using dynamic data flow analysis, Proceedings of the 15th ACM conference on Computer and communications security, October 27-31, 2008, Alexandria, Virginia, USA  [doi>10.1145/1455770.1455778]
9
Stephen Chong , Jed Liu , Andrew C. Myers , Xin Qi , K. Vikram , Lantian Zheng , Xin Zheng, Secure web applications via automatic partitioning, Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles, October 14-17, 2007, Stevenson, Washington, USA
 
10
Stephen Chong , K. Vikram , Andrew C. Myers, SIF: enforcing confidentiality and integrity in web applications, Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium, p.1-16, August 06-10, 2007, Boston, MA
 
11
CWH Underground. Kwalbum arbitrary file upload vulnerabilities. http://www.milw0rm.com/exploits/6664.CVE-2008-5677.
 
12
Nicodemos Damianou , Naranker Dulay , Emil Lupu , Morris Sloman, The Ponder Policy Specification Language, Proceedings of the International Workshop on Policies for Distributed Systems and Networks, p.18-38, January 29-31, 2001
13
Dorothy E. Denning, A lattice model of secure information flow, Communications of the ACM, v.19 n.5, p.236-243, May 1976  [doi>10.1145/360051.360056]
14
Petros Efstathopoulos , Eddie Kohler, Manageable fine-grained information flow, Proceedings of the 3rd ACM SIGOPS/EuroSys European Conference on Computer Systems 2008, April 01-04, 2008, Glasgow, Scotland UK
15
Petros Efstathopoulos , Maxwell Krohn , Steve VanDeBogart , Cliff Frey , David Ziegler , Eddie Kohler , David Mazières , Frans Kaashoek , Robert Morris, Labels and event processes in the asbestos operating system, Proceedings of the twentieth ACM symposium on Operating systems principles, October 23-26, 2005, Brighton, United Kingdom
 
16
Emory University. Multiple vulnerabilities in AWStats Totals. http://userwww.service.emory.edu/~ekenda2/EMORY-2008-01.txt. CVE-2008-3922.
 
17
Dawson Engler , Benjamin Chelf , Andy Chou , Seth Hallem, Checking system rules using system-specific, programmer-written compiler extensions, Proceedings of the 4th conference on Symposium on Operating System Design & Implementation, p.1-1, October 22-25, 2000, San Diego, California
 
18
David Evans , David Larochelle, Improving Security Using Extensible Lightweight Static Analysis, IEEE Software, v.19 n.1, p.42-51, January 2002  [doi>10.1109/52.976940]
 
19
D.F. Ferraiolo and D.R. Kuhn. Role-based access control. In Proc. of the 15th National Computer Security Conference, pages 554--563, Baltimore, MD, October 1992.
20
Lujo Bauer , Scott Garriss , Michael K. Reiter, Detecting and resolving policy misconfigurations in access-control systems, Proceedings of the 13th ACM symposium on Access control models and technologies, June 11-13, 2008, Estes Park, CO, USA  [doi>10.1145/1377836.1377866]
21
William G. J. Halfond , Alessandro Orso, AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks, Proceedings of the 20th IEEE/ACM international Conference on Automated software engineering, November 07-11, 2005, Long Beach, CA, USA  [doi>10.1145/1101908.1101935]
22
William G. J. Halfond , Alessandro Orso , Panagiotis Manolios, Using positive tainting and syntax-aware evaluation to counter SQL injection attacks, Proceedings of the 14th ACM SIGSOFT international symposium on Foundations of software engineering, November 05-11, 2006, Portland, Oregon, USA  [doi>10.1145/1181775.1181797]
 
23
N. Hippert. phpMyAdmin code execution vulnerability. http://fd.the-wildcat.de/pma_e36a091q11.php.CVE-2008-4096.
 
24
S. Kasatani. Safe ERB plugin. http://agilewebdevelopment.com/plugins/safe_erb.
 
25
D. Kilpatrick. Privman: A library for partitioning applications. In Proc. of the 2003 USENIX Annual Technical Conference, FREENIX track, pages 273--284, San Antonio, TX, June 2003.
 
26
Eddie Kohler, Hot Crap!, Proceedings of the conference on Organizing Workshops, Conferences, and Symposia for Computer Systems, p.1-6, April 15-15, 2008, San Francisco, California
 
27
Maxwell Krohn, Building secure high-performance web services with OKWS, Proceedings of the annual conference on USENIX Annual Technical Conference, p.15-15, June 27-July 02, 2004, Boston, MA
28
Maxwell Krohn , Alexander Yip , Micah Brodsky , Natan Cliffer , M. Frans Kaashoek , Eddie Kohler , Robert Morris, Information flow control for standard OS abstractions, Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles, October 14-17, 2007, Stevenson, Washington, USA
 
29
V. Benjamin Livshits , Monica S. Lam, Finding security vulnerabilities in java applications with static analysis, Proceedings of the 14th conference on USENIX Security Symposium, p.18-18, July 31-August 05, 2005, Baltimore, MD
30
Michael Martin , Benjamin Livshits , Monica S. Lam, Finding application errors and security flaws using PQL: a program query language, Proceedings of the 20th annual ACM SIGPLAN conference on Object-oriented programming, systems, languages, and applications, October 16-20, 2005, San Diego, CA, USA
 
31
MoinMoin. The MoinMoin wiki engine. http://moinmoin.wikiwikiweb.de/.
32
Andrew C. Myers , Barbara Liskov, Protecting privacy using the decentralized label model, ACM Transactions on Software Engineering and Methodology (TOSEM), v.9 n.4, p.410-442, Oct. 2000  [doi>10.1145/363516.363526]
 
33
myPHPscripts.net. Login session script. http://www.myphpscripts.net/?sid=7. CVE-2008-5855.
 
34
A. Nguyen-tuong, S. Guarnieri, D. Greene, J. Shirley, and D. Evans. Automatically hardening Web applications using precise tainting. In Proc. of the 20th IFIP International Information Security Conference, pages 295--307, Chiba, Japan, May 2005.
 
35
Osirys. myPHPscripts login session password disclosure. http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5855. CVE-2008-5855.
 
36
Osirys. wPortfolio arbitrary file upload exploit. http://www.milw0rm.com/exploits/7165. CVE-2008-5220.
 
37
Perl.org. Perl taint mode. http://perldoc.perl.org/perlsec.html.
 
38
phpMyAdmin. phpMyAdmin 3.1.0. http://www.phpmyadmin.net/.
 
39
T. Pietraszek and C.V. Berghe. Defending against injection attacks through context-sensitive string evaluation. In Proc. of the 8th International Symposium on Recent Advances in Intrusion Detection, pages 124--145, Seattle, WA, September 2005.
 
40
Nikhil Swamy , Brian J. Corcoran , Michael Hicks, Fable: A Language for Enforcing User-defined Security Policies, Proceedings of the 2008 IEEE Symposium on Security and Privacy, p.369-383, May 18-21, 2008  [doi>10.1109/SP.2008.29]
 
41
The MITRE Corporation. Common vulnerabilities and exposures (CVE) database. http://cve.mitre.org/data/downloads/.
 
42
David Thomas , Andrew Hunt, Programming Ruby: the pragmatic programmer's guide, Addison-Wesley Longman Publishing Co., Inc., Boston, MA, 2000
43
Michael Carl Tschantz , Shriram Krishnamurthi, Towards reasonability properties for access-control policy languages, Proceedings of the eleventh ACM symposium on Access control models and technologies, June 07-09, 2006, Lake Tahoe, California, USA  [doi>10.1145/1133058.1133081]
 
44
W. Venema. Taint support for PHP. http://wiki.php.net/rfc/taint.
 
45
J. Viega, J.T. Bloch, and P. Chandra. Applying aspect-oriented programming to security. Cutter IT Journal, 14(2):31--39, February 2001.
 
46
T. Waldmann. Check the ACL of the included page when using the rst parser's include directive. http://hg.moinmo.in/moin/1.6/rev/35ff7a9b1546. CVE-2008-6548.
47
Gary Wassermann , Zhendong Su, Sound and precise analysis of web applications for injection vulnerabilities, Proceedings of the 2007 ACM SIGPLAN conference on Programming language design and implementation, June 10-13, 2007, San Diego, California, USA
 
48
Web Application Security Consortium. 2007 web application security statistics. http://www.webappsec.org/projects/statistics/wasc_wass_2007.pdf.
 
49
Yichen Xie , Alex Aiken, Static detection of security vulnerabilities in scripting languages, Proceedings of the 15th conference on USENIX Security Symposium, July 31-August 04, 2006, Vancouver, B.C., Canada
 
50
A. Yumerefendi, B. Mickle, and L.P. Cox. TightLip: Keeping applications from spilling the beans. In Proc. of the 4th NSDI, pages 159--172, Cambridge, MA, April 2007.
 
51
Nickolai Zeldovich , Silas Boyd-Wickizer , Eddie Kohler , David Mazières, Making information flow explicit in HiStar, Proceedings of the 7th symposium on Operating systems design and implementation, November 06-08, 2006, Seattle, Washington
 
52
Nickolai Zeldovich , Silas Boyd-Wickizer , David Mazières, Securing distributed systems with information flow control, Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation, p.293-308, April 16-18, 2008, San Francisco, California

INDEX TERMS

Primary Classification:
  D. Software
  D.2 SOFTWARE ENGINEERING
      D.2.4 Software/Program Verification
          Subjects: Assertion checkers

Additional Classification:
  D. Software
  D.4 OPERATING SYSTEMS
      D.4.6 Security and Protection
          Subjects: Information flow controls


General Terms:
Design, Languages, Security


Keywords:
php, privacy, python, security, sql injection, web, xss

Collaborative Colleagues:
Alexander Yip: colleagues
Xi Wang: colleagues
Nickolai Zeldovich: colleagues
M. Frans Kaashoek: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2010 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player