ABSTRACT
Resin is a new language runtime that helps prevent security vulnerabilities by allowing programmers to specify application-level data flow assertions. Resin provides policy objects, which programmers use to specify assertion code and metadata; data tracking, which allows programmers to associate assertions with application data and to keep track of those assertions as the data flows through the application; and filter objects, which programmers use to define data flow boundaries at which assertions are checked. Resin's runtime checks data flow assertions by propagating policy objects along with data as that data moves through the application, and then invoking filter objects when data crosses a data flow boundary, such as when writing data to the network or a file. Using Resin, Web application programmers can prevent a range of problems, from SQL injection and cross-site scripting to inadvertent password disclosure and missing access control checks. Adding a Resin assertion to an application requires few changes to the existing application code, and an assertion can reuse existing code and data structures. For instance, 23 lines of code detect and prevent three previously unknown missing access control vulnerabilities in phpBB, a popular Web forum application. Other assertions comprising tens of lines of code prevent a range of vulnerabilities in Python and PHP applications. A prototype of Resin incurs a 33% CPU overhead running the HotCRP conference management application.
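The three mechanisms the abstract describes (policy objects carrying assertion code, data tracking that propagates them along with the data, and filter objects that invoke them at a boundary) can be modelled in a few dozen lines. The following is an added example for this page, not Resin's own code or API: Resin is a modified PHP and Python runtime, whereas the classes and function names here (Policy, TrackedStr, check_boundary, the sinks, and the "auth", "sql" and "network" boundary labels) are assumptions invented for illustration. It shows two of the assertion kinds the abstract mentions: a password that may only reach the network in a response to its owner, and request input that may only reach a SQL query through an escaping filter.

```python
"""Toy model of Resin-style data flow assertions (added example, not Resin's
code). All names below are invented for illustration."""


class PolicyViolation(Exception):
    """Raised by a policy when a flow across a boundary is not allowed."""


class Policy:
    """A data flow assertion. A filter calls export_check(context) whenever the
    data this policy is attached to crosses a boundary."""

    def export_check(self, context: dict) -> None:
        raise NotImplementedError


class PasswordPolicy(Policy):
    """Password of `owner`: may reach the password-check code ('auth'), or the
    network only in a response to the owner. Any other export is a disclosure."""

    def __init__(self, owner: str) -> None:
        self.owner = owner

    def export_check(self, context: dict) -> None:
        boundary = context["boundary"]
        if boundary == "auth":
            return
        if boundary == "network" and context.get("user") == self.owner:
            return
        raise PolicyViolation(f"password of {self.owner!r} may not flow to {boundary}")


class UntrustedPolicy(Policy):
    """Request input: may reach the SQL boundary only via the escaping filter,
    which checks with escaped=True in the context."""

    def export_check(self, context: dict) -> None:
        if context["boundary"] == "sql" and not context.get("escaped", False):
            raise PolicyViolation("unescaped request input reached a SQL query")


class TrackedStr:
    """A string carrying policy objects. Concatenation propagates the union of
    both operands' policies, so strings derived from tracked data stay covered."""

    def __init__(self, value: str, policies=()) -> None:
        self.value = value
        self.policies = list(policies)

    def __add__(self, other) -> "TrackedStr":
        if not isinstance(other, TrackedStr):
            other = TrackedStr(str(other))
        merged = self.policies + [p for p in other.policies if p not in self.policies]
        return TrackedStr(self.value + other.value, merged)

    def __radd__(self, other) -> "TrackedStr":
        return TrackedStr(str(other)) + self


def check_boundary(data: TrackedStr, **context) -> str:
    """Filter: run every attached policy against the boundary context, then
    release the raw string to the sink. Any violation aborts the flow."""
    for policy in data.policies:
        policy.export_check(context)
    return data.value


def sql_escape(data: TrackedStr) -> TrackedStr:
    """Escaping filter at the SQL boundary: checks policies with escaped=True and
    returns a copy without the untrusted-input assertion, which it has satisfied.
    Other policies (e.g. a password's) are kept, so they still apply downstream."""
    check_boundary(data, boundary="sql", escaped=True)
    kept = [p for p in data.policies if not isinstance(p, UntrustedPolicy)]
    return TrackedStr(data.value.replace("'", "''"), kept)


def run_sql(query: TrackedStr) -> str:
    """Database sink: the SQL boundary."""
    return check_boundary(query, boundary="sql")


def send_response(body: TrackedStr, user: str) -> str:
    """HTTP sink: the network boundary, annotated with the receiving user."""
    return check_boundary(body, boundary="network", user=user)


def password_matches(stored: TrackedStr, supplied: str) -> bool:
    """The one place the password may be read: the 'auth' boundary."""
    return check_boundary(stored, boundary="auth") == supplied


def attempt(fn, *args, **kw) -> str:
    """Run a sink call and report whether the filter let the flow through."""
    try:
        fn(*args, **kw)
        return "allowed"
    except PolicyViolation:
        return "blocked"


def demo() -> dict:
    """Constructed inputs: a hostile request parameter and alice's password."""
    name = TrackedStr("alice' OR '1'='1", [UntrustedPolicy()])
    password = TrackedStr("hunter2", [PasswordPolicy("alice")])
    page = "Your password is " + password  # the policy rides along through +
    return {
        "raw_sql": attempt(run_sql, "SELECT * FROM users WHERE name='" + name + "'"),
        "escaped_sql": run_sql("SELECT * FROM users WHERE name='" + sql_escape(name) + "'"),
        "password_to_alice": attempt(send_response, page, user="alice"),
        "password_to_bob": attempt(send_response, page, user="bob"),
        "password_to_sql": attempt(run_sql, "INSERT INTO log VALUES ('" + password + "')"),
        "auth_check": password_matches(password, "hunter2"),
    }
```

The point of the structure is that the application code never calls the policies itself: the assertion lives on the data, concatenation carries it to whatever derived string ends up at a sink, and the filter at the sink is the only place it is evaluated. This is what lets a missing check (a page that leaks a password to the wrong user, a query built from raw input) be caught regardless of which code path produced the flawed flow.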