JoanAudit: A Tool for Auditing Common Injection Vulnerabilities

Thome, Julian; Shar, Lwin Khin; Bianculli, Domenico; Briand, Lionel

doi:10.1145/3106237.3122822

Download

Paper published in a book (Scientific congresses, symposiums and conference proceedings)

JoanAudit: A Tool for Auditing Common Injection Vulnerabilities

Thome, Julian; Shar, Lwin Khin; Bianculli, Domenico et al.

2017 • In 11th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering

Peer reviewed

Permalink
https://hdl.handle.net/10993/31717

DOI
10.1145/3106237.3122822

Files (1)Send to Details Statistics Bibliography Similar publications

Files

Full Text

esec-fse2017-demo.pdf

Author preprint (644.86 kB)

Download

All documents in ORBilu are protected by a user license.

Send to

RIS BibTex APA Chicago Permalink X Linkedin

Details

Keywords :

Security Auditing; Static Analysis; Vulnerability; Automated Code Fixing

Abstract :

[en] JoanAudit is a static analysis tool to assist security auditors in auditing Web applications and Web services for common injection vulnerabilities during software development. It automatically identifies parts of the program code that are relevant for security and generates an HTML report to guide security auditors audit the source code in a scalable way. JoanAudit is configured with various security-sensitive input sources and sinks relevant to injection vulnerabilities and standard sanitization procedures that prevent these vulnerabilities. It can also automatically fix some cases of vulnerabilities in source code — cases where inputs are directly used in sinks without any form of sanitization — by using standard sanitization procedures. Our evaluation shows that by using JoanAudit, security auditors are required to inspect only 1% of the total code for auditing common injection vulnerabilities. The screen-cast demo is available at https://github.com/julianthome/joanaudit.

Research center :

Interdisciplinary Centre for Security, Reliability and Trust (SnT) > Software Verification and Validation Lab (SVV Lab)

Disciplines :

Computer science

Author, co-author :

Thome, Julian ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)

Shar, Lwin Khin ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)

Bianculli, Domenico ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)

Briand, Lionel ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)

External co-authors :

Language :

English

Title :

JoanAudit: A Tool for Auditing Common Injection Vulnerabilities

Publication date :

September 2017

Event name :

ESEC/FSE 2017: 11th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering

Event place :

Paderborn, Germany

Event date :

from 04-09-2017 to 08-09-2017

Audience :

International

Main work title :

11th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering

Publisher :

ACM

Peer reviewed :

Peer reviewed

Focus Area :

Security, Reliability and Trust

FnR Project :

FNR9132112 - A Scalable And Accurate Hybrid Vulnerability Analysis Framework, 2014 (01/09/2014-14/04/2018) - Julian Thomé

Funders :

FNR - Fonds National de la Recherche [LU]

Available on ORBilu :

since 11 July 2017

Statistics

Number of views

408 (45 by Unilu)

Number of downloads

797 (26 by Unilu)

More statistics

Scopus citations^®

Scopus citations^®
without self-citations

OpenCitations

Bibliography

Nuno Antunes and Marco Vieira. 2013. SOA-Scanner: An Integrated Tool to Detect Vulnerabilities in Service-Based Infrastructures. In Proceedings of SCC 2013. IEEE Computer Society, Washington, DC, USA, 280-287.
Dennis Appelt, Cu Duy Nguyen, Lionel C. Briand, and Nadia Alshahwan. 2014. Automated testing for SQL injection vulnerabilities: an input mutation approach. In Proceedings of ISSTA 2014. ACM, New York, NY, USA, 259-269.
Nathaniel Ayewah, David Hovemeyer, J. David Morgenthaler, John Penix, and William Pugh. 2008. Experiences Using Static Analysis to Find Bugs. IEEE Softw. 25, 5 (2008), 22-29.
Cristian Cadar and Koushik Sen. 2013. Symbolic Execution for Software Testing: Three Decades Later. Commun. ACM 56, 2 (2013), 82-90.
Stephen Cass. 2016. The 2016 Top Programming Languages. http://spectrum. ieee.org/computing/software/the-2016-top-programming-languages. (2016).
Johannes Dahse. 2016. Static detection of complex vulnerabilities in modern PHP applications. Ph.D. Dissertation. Ruhr University Bochum.
Adam Hans Dockter, Szczepan Murdoch, Peter Faber, Daz Niederwieser, Luke Daley Deboer, and Rene Gröschke. 2017. The Gradle Build Tool. https://gradle. org. (2017).
Apache Software Foundation. 2017. The Apache Maven Project. https://maven. apache.org/. (2017).
Jürgen Graf, Martin Mohr, Martin Hecker, Simon Bischof, and Tobias Blaschke. 2017. Joana - Information Flow Control for Java. https://github.com/ joana-team/joana. (2017).
William G. J. Halfond, Alessandro Orso, and Pete Manolios. 2008. WASP: Protecting Web Applications Using Positive Tainting and Syntax-Aware Evaluation. IEEE Trans. Softw. Eng. 34, 1 (2008), 65-81.
Christian Hammer. 2009. Information flow control for Java: a comprehensive approach based on path conditions in dependence graphs. Ph.D. Dissertation. Karlsruhe Institute of Technology.
Susan Horwitz, Thomas W. Reps, and David Binkley. 1990. Interprocedural Slicing Using Dependence Graphs. ACM Trans. Program. Lang. Syst. 12, 1 (1990), 26-60.
David Hovemeyer and William Pugh. 2004. Finding Bugs is Easy. SIGPLAN Not. 39, 12 (2004), 92-106.
Wei Huang, Yao Dong, and Ana Milanova. 2014. Type-Based Taint Analysis for Java Web Applications. In Proceedings of FASE 2014. Springer, New York, NY, USA, 140-154.
IBM. 2017. T. J. Watson Libraries for Analysis (WALA). http://wala. sourceforge.net. (2017).
Sadeeq Jan, Cu D. Nguyen, and Lionel C. Briand. 2016. Automated and Effective Testing of Web Services for XML Injection Attacks. In Proceedings of ISSTA 2016. ACM, New York, NY, USA, 12-23.
Ganeshan Jayaraman, Venkatesh Prasad Ranganath, and John Hatcliff. 2005. Kaveri: Delivering the Indus Java Program Slicer to Eclipse. In Proceedings of FASE 2005. Springer, Berlin, Heidelberg, 269-272.
Nenad Jovanovic, Christopher Krügel, and Engin Kirda. 2006. Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities. In Proceedings of SP 2006. IEEE Computer Society, Washington, DC, USA, 258-263.
Adam Kiezun, Philip J. Guo, Karthick Jayaraman, and Michael D. Ernst. 2009. Automatic creation of SQL Injection and cross-site scripting attacks. In Proceedings of ICSE 2009. IEEE Computer Society, Washington, DC, USA, 199-209.
Nuno Laranjeiro, Marco Vieira, and Henrique Madeira. 2014. A Technique for Deploying Robust Web Services. IEEE Trans. Serv. Comput. 7, 1 (2014), 68-81.
Johannes Lerch, Ben Hermann, Eric Bodden, and Mira Mezini. 2014. FlowTwist: efficient context-sensitive inside-out taint analysis for large codebases. In Proceedings of SIGSOFT FSE 2014. ACM, New York, NY, USA, 98-108.
Lightbend and Zengularity. 2017. The Play Framework. https://www. playframework.com/. (2017).
V. Benjamin Livshits and Monica S. Lam. 2005. Finding Security Vulnerabilities in Java Applications with Static Analysis. In Proceedings of USENIX Security 2005. USENIX Association, Berkeley, CA, USA, 18-18.
Christian Mainka, Meiko Jensen, Luigi Lo Iacono, and Jörg Schwenk. 2013. Making XML Signatures Immune to XML SignatureWrapping Attacks. In Proceedings of CLOSER 2013. Springer, New York, NY, USA, 151-167.
Ibéria Medeiros, Nuno Neves, and Miguel Correia. 2016. DEKANT: A Static Analysis Tool That Learns to Detect Web Application Vulnerabilities. In Proceedings of ISSTA 2016. ACM, New York, NY, USA, 1-11.
Karl J. Ottenstein and Linda M. Ottenstein. 1984. The Program Dependence Graph in a Software Development Environment. In Proceedings of SIGSOFT/SIGPLAN PSDE 1984. ACM, New York, NY, USA, 177-184.
OWASP. 2017. OWASP Top 10. https://www.owasp.org/index.php/ Category:OWASP-Top-Ten-Project. (2017).
OWASP. 2017. Static Code Analysis. https://www.owasp.org/index.php/Static-Code-Analysis. (2017).
Ioannis Papagiannis, Matteo Migliavacca, and Peter Pietzuch. 2011. PHP Aspis: Using Partial Taint Tracking to Protect Against Injection Attacks. In Proceedings of WebApps 2011. USENIX Association, Berkeley, CA, USA, 2-2.
Pablo Martín Pérez, Joanna Filipiak, and José María Sierra. 2011. LAPSE+ Static Analysis Security Software: Vulnerabilities Detection in Java EE Applications. In Proceedings of FutureTech 2011. Springer, Berlin, Heidelberg, 148-156.
Abdul Razzaq, Khalid Latif, Hafiz Farooq Ahmad, Ali Hur, Zahid Anwar, and Peter Charles Bloodsworth. 2014. Semantic security against Web application attacks. Inf. Sci. 254 (2014), 19-38.
Thiago Mattos Rosa, Altair Olivo Santin, and Andreia Malucelli. 2013. Mitigating XML Injection 0-Day Attacks through Strategy-Based Detection Systems. IEEE Secur. & Priv. 11, 4 (2013), 46-53.
Hossain Shahriar and Mohammad Zulkernine. 2012. Information-Theoretic Detection of SQL Injection Attacks. In Proceedings of HASE 2012. IEEE Computer Society, Washington, DC, USA, 40-47.
SpringSource. 2017. The Spring Framework. https://spring.io/. (2017).
Zhendong Su and Gary Wassermann. 2006. The essence of command injection attacks in Web applications. In Proceedings of POPL 2006. ACM, New York, NY, USA, 372-382.
Zhao Tao. 2013. Detection and Service Security Mechanism of XML Injection Attacks. In Proceedings of ICICA 2013. Springer, Berlin, Heidelberg, 67-75.
Julian Thomé, Alessandra Gorla, and Andreas Zeller. 2014. Search-based security testing of Web applications. In Proceedings of SBST Workshop 2014. ACM, New York, NY, USA, 5-14.
Julian Thomé, Lwin Khin Shar, Domenico Bianculli, and Lionel C. Briand. 2017. Search-driven String Constraint Solving for Vulnerability Detection. In Proceedings of ICSE 2017. ACM, New York, NY, USA, 198-208.
Julian Thomé, Lwin Khin Shar, Domenico Bianculli, and Lionel C. Briand. 2017. Security slicing for auditing common injection vulnerabilities. (2017). https://doi.org/10.1016/j.jss.2017.02.040
Julian Thomé, Lwin Khin Shar, and Lionel C. Briand. 2015. Security slicing for auditing XML, XPath, and SQL injection vulnerabilities. In Proceedings of ISSRE 2015. IEEE Computer Society, Washington, DC, USA, 553-564.
Omer Tripp, Marco Pistoia, Patrick Cousot, Radhia Cousot, and Salvatore Guarnieri. 2013. Andromeda: Accurate and Scalable Security Analysis of Web Applications. In Proceedings of FASE 2013. Springer, Berlin, Heidelberg, 210-225.
Omer Tripp, Marco Pistoia, Stephen J. Fink, Manu Sridharan, and OmriWeisman. 2009. TAJ: effective taint analysis of Web applications. In Proceedings of PLDI 2009. ACM, New York, NY, USA, 87-97.
Raja Vallée-Rai, Phong Co, Etienne Gagnon, Laurie J. Hendren, Patrick Lam, and Vijay Sundaresan. 1999. Soot - a Java bytecode optimization framework. In Proceedings of CASCON 1999. IBM, Indianapolis, Indiana, USA, 13.
Fabian Yamaguchi, Nico Golde, Daniel Arp, and Konrad Rieck. 2014. Modeling and Discovering Vulnerabilities with Code Property Graphs. In Proceedings of SP 2014. IEEE Computer Society, Washington, DC, USA, 590-604.
Guowei Yang, Suzette Person, Neha Rungta, and Sarfraz Khurshid. 2014. Directed Incremental Symbolic Execution. ACM Trans. Softw. Eng. Methodol. 24, 1 (2014), 3:1-3:42.
Fang Yu, Muath Alkhalaf, and Tevfik Bultan. 2010. STRANGER: An Automatabased String Analysis Tool for PHP. In Proceedings of TACAS 2010. Springer, Berlin, Heidelberg, 154-157.
Yunhui Zheng and Xiangyu Zhang. 2013. Path sensitive static analysis of Web applications for remote code execution vulnerability detection. In Proceedings of ICSE 2013. IEEE Computer Society, Washington, DC, USA, 652-661.