國
立 政 治 大 學
‧
N a tio na
l C h engchi U ni ve rs it y
Chapter 1 Introduction
1.1 Background
The number of web applications are growing rapidly in the recent years. They have become ubiquitous due to the convenience, flexibility, and availability. More and more organizations and companies have built their own websites for customer services or their own business purpose. People have been getting used to the service provided by the Web applications via the Internet. As the user’s needs grows, the business logic and program code of the Web applications are becoming more complicated and fragile. People are easily having security issue when accessing these web applications. According to the OWASP[1-2] organization, they indicate that there are already a variety of ways to access a Web application maliciously, e.g., Injection flaws, Cross-Site Scripting attacks. These attacks are due to the security vulnerabilities in a web application while developing the program.
Some techniques, such as firewall and encrypted connection, have been taken to prevent from these attacks but they can’t solve all these vulnerabilities and only work under certain scenarios. So in the thesis, we focus on eliminating these vulnerabilities from source code level. We believe, before the Web application is deployed online, removing most of the insecure code can make the Web application more secure.
1.2 Motivation and Objectives
Vulnerabilities in Web applications may lead to serious security issues such as leaking personal sensitive information, database corruption even crush down the sever. Attackers can access to insecure Web applications through these vulnerabilities and take over the control.
Insufficient background knowledge or a careless Web application developer are possible
‧ 國
立 政 治 大 學
‧
N a tio na
l C h engchi U ni ve rs it y
reasons for producing these vulnerabilities. However, we can reduce these vulnerabilities in Web applications in the development stage. Although, these vulnerabilities cannot be identified by a compiler at compile time. An experienced developer may still write insecure code to form these vulnerabilities. One way to reduce the vulnerabilities in Web application is to review the program code manually but it is time consuming and error-prone when the web application grows larger and becomes more complex. For such reasons, it is practical to have a program analysis tool to help developers to find out the vulnerabilities in the program.
We use program analysis approaches to implement our analysis tool. There are two major approaches of program analysis: static program analysis and dynamic program analysis.
Static analysis analyzes the program without executing it and dynamic analysis analyzes the program while it is being executing. Both of them have some limitations. For example, static
analysis may lead to false positive alarms more than dynamic analysis because it doesn’t
actually executing the program. Dynamic program analysis may leave some vulnerabilities undiscovered if the program has been executed incompletely. However, onlineanalysis[6] has been proposed and tries to solve these problems mentioned above. Online analysis performs like dynamic analysis. It analyzes the program when the program is running.
Online analysis incrementally analyzes code when it is dynamically loaded into the running
program. Thus online analysis can handle with the dynamic code.In this thesis, we choose Java as our target language because it is one of widely used server-side language. According TIOBE’s[3] statistic in Jun 2010, Java language is ranked the first. Java language has its own characteristics, e.g., polymorphism, dynamic loading, and Reflection mechanism. Hence it is insufficient to analyze a Java program in a static way due to these features. A motivation example is shown in the figure below.
‧
from the calls to getParameter at line 5. Next, a dynamic loading method call loads the Refl1 class itself and acquire the id method in the class at lines 9 and 13. Then the id method is invoked (reflectively) at line 18. Since the id method simply return its first string argument, object o and string s2 are reference to the same string object with string s1. Method println is considered an XSS sink because it renders the string value of its input to the screen. Thus, the call to println with argument s2 at line 20 poses a security issue. This example illustrates many of the challenges faced by static taint analysis of real programs. To analyze this code precisely, the analysis must track flow through dynamic loading and reflective calls and also need to realize the polymorphism relationship among present objects. Static analysis algorithms that cannot disambiguate the dynamic code will fail to distinguish between the1 public class Refl1 extends BasicTestCase implements MicroTestCase { 2 private static final String FIELD_NAME = "name";
3 protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws
4 IOException {
5 String s1 = req.getParameter(FIELD_NAME);
6 PrintWriter writer = resp.getWriter();
7 Method idMethod = null;
8 try {
9 Class clazz = Class.forName("securibench.micro.reflection.Refl1");
10 Method methods[] = clazz.getMethods();
24 public String id(String string, PrintWriter writer) { 25 return string;
26 } 27 }
Figure 1. 1 A motivating example
‧ 國
立 政 治 大 學
‧
N a tio na
l C h engchi U ni ve rs it y
vulnerable and benign calls to println.
Thus we design a hybrid analysis tool which combines dynamic analysis with online analysis trying to solve the problems appeared with using static analyzer. There are three major parts in our analysis tool. First, we choose the AspectJ language to implement the dynamic analysis part of our tool. By instrumenting the dataflow analysis module into the program, we can dynamically track the unchecked user input when the program is under execution. Second, we use SOOT[4], a Java optimize framework, to implement the online analysis module. This module dynamically loads the program code which has been executed into the module by collecting the information from designed instrumentation to the program.
Then it compiles the executed program code into JIMPLE code which is a typed, 3-adress statement based intermediate representation and performs online taint dataflow analysis. We design an online taint dataflow analysis algorithm based on JIMPLE to detect vulnerabilities in JAVA web applications. We believe that combining this two module’s results can perform more accurate vulnerability detection. Finally, we design a executor module to execute the program as completely as it can for triggering the entire analysis. Our program analysis tool can help developers to reduce the numbers of vulnerabilities effectively.