Inferring Specifications for Web Application Security
Thesis, posted on 27.10.2017 by Maliheh Monshizadeh
Over the past two decades, we have been witnessing the evolution of web applications from simple static pages into complex, interactive platforms. With the increasing demand for more features in these applications, we have also observed an increase in the frequency and significance of data breaches caused by web application vulnerabilities. The need to secure these applications, however, has not been met promptly. Current web application development practice does not address security concerns even against known vulnerabilities, let alone new, unknown attacks. The goal of this thesis is to improve the security of web applications. To achieve this goal, we aim to detect and retrofit vulnerabilities. In studying the cyber threat landscape, we observed common web development practices and mistakes that cause security flaws in the design and implementation of web applications. By examining existing security analysis tools, we identified their capabilities and their limitations. Most of these tools require program specifications to be available in order to generate sound reports. However, specifications are often missing in web applications because of market demand for fast releases. The lack of program specifications makes web applications challenging to analyze and verify. In the absence of program specifications, the only source of information about the web developer's design intentions with respect to security policies is the application source code. While this source code obscures the high-level logic of the application among many low-level details, there are still development patterns available to us from which the intentions of the developers can be inferred. Based on this belief, it is very much possible to infer program specifications from low-level artifacts and leverage them to detect and retrofit vulnerabilities in legacy applications.
We are also able to use this knowledge to build new development frameworks for the automated synthesis of secure code. This thesis develops techniques to infer security specifications from web application source code. Using the inferred specifications, we can improve the security of applications in numerous ways. First, we are able to examine the inferred authentication and authorization policies to find authorization inconsistencies. Such inconsistencies are the main source of privilege escalation vulnerabilities in web applications. To demonstrate the effectiveness of our approach, we evaluated it on various web applications. The results suggest that we are able to detect previously unknown vulnerabilities by precise inference of access control policies. Secondly, we are able to generate security patches for reported vulnerabilities in web applications. Traditionally, applications have been patched manually because of the poor quality of automatically generated patches. Using specification inference techniques, we can generate correct security patches for vulnerable applications and suggest suitable placement of these patches in complex applications, reducing the effort required of developers and security analysts. Lastly, we examine how inferred security specifications can be used for the synthesis of secure code in web development frameworks. We believe that automated synthesis of security policies reduces the possibility of redundancy and human error. Our results in each of the areas mentioned above show that inferring security specifications from application source code is not only possible but also practical and scalable.
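The abstract describes two steps without showing them: inferring an authorization policy for each sensitive operation from the checks that precede it in the code, flagging code paths that reach the operation under a weaker guard (an authorization inconsistency, and thus a privilege escalation candidate), and then placing a patch that adds the missing check. The following is an added illustration of that idea, not the thesis's own analysis, tooling or data. It assumes a toy model in which each request handler is a straight-line list of role checks and operations, that the intended policy for an operation is the union of every role check observed guarding it anywhere in the application, and that the set of sensitive operations (`SENSITIVE`) is given; the sample application is constructed for the example.

```python
"""Toy authorization-inconsistency detector and patch placer.

Added illustration of the approach described in the abstract; it is not the
thesis's own implementation. Handlers are modelled as straight-line lists of
Check(role) and Op(name) statements (an assumption of this model).
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple, Union


@dataclass(frozen=True)
class Check:
    """An authorization check: the current user must hold `role`."""
    role: str


@dataclass(frozen=True)
class Op:
    """A named operation performed by the handler (e.g. a DB write)."""
    name: str


Statement = Union[Check, Op]
App = Dict[str, List[Statement]]

# Assumption: operations whose guards we care about. Non-sensitive ops such
# as logging are ignored so they do not produce spurious findings.
SENSITIVE = frozenset({"delete_user", "update_profile"})

# Constructed sample application: two routes reach delete_user, but only one
# of them checks for the admin role.
SAMPLE_APP: App = {
    "admin/delete_user": [Check("admin"), Op("delete_user"), Op("log")],
    "api/users/remove": [Op("delete_user"), Op("log")],  # missing check
    "profile/update": [Check("user"), Op("update_profile")],
    "profile/update_ajax": [Check("user"), Op("update_profile")],
}


def infer_guards(app: App) -> Dict[str, Dict[str, FrozenSet[str]]]:
    """Map each sensitive op to {handler: roles checked before the op}."""
    guards: Dict[str, Dict[str, FrozenSet[str]]] = {}
    for handler, stmts in app.items():
        active = set()  # role checks seen so far on this straight-line path
        for stmt in stmts:
            if isinstance(stmt, Check):
                active.add(stmt.role)
            elif stmt.name in SENSITIVE:
                guards.setdefault(stmt.name, {})[handler] = frozenset(active)
    return guards


def find_inconsistencies(app: App) -> List[Tuple[str, str, Tuple[str, ...]]]:
    """Return (handler, op, missing_roles) for every path that reaches a
    sensitive op with a strictly weaker guard than the inferred policy.

    Assumption: the inferred policy for an op is the union of all role
    checks observed guarding it anywhere in the application.
    """
    findings = []
    for op, by_handler in infer_guards(app).items():
        policy = frozenset().union(*by_handler.values())
        for handler, guard in by_handler.items():
            if guard < policy:  # strict subset: this path is under-protected
                findings.append((handler, op, tuple(sorted(policy - guard))))
    return sorted(findings)


def synthesize_patch(stmts: List[Statement], op: str,
                     missing_roles: Tuple[str, ...]) -> List[Statement]:
    """Place the missing checks immediately before the first use of `op`."""
    idx = next(i for i, s in enumerate(stmts)
               if isinstance(s, Op) and s.name == op)
    return stmts[:idx] + [Check(r) for r in missing_roles] + stmts[idx:]


def patch_all(app: App) -> App:
    """Apply a synthesized patch for every reported inconsistency."""
    patched = {h: list(s) for h, s in app.items()}
    for handler, op, missing in find_inconsistencies(app):
        patched[handler] = synthesize_patch(patched[handler], op, missing)
    return patched


if __name__ == "__main__":
    for handler, op, missing in find_inconsistencies(SAMPLE_APP):
        print(f"{handler}: reaches {op} without check(s) {missing}")
    fixed = patch_all(SAMPLE_APP)
    print("after patching:", find_inconsistencies(fixed) or "no inconsistencies")
```

Running the block reports `api/users/remove` as reaching `delete_user` without the `admin` check that the other route applies, and `patch_all` inserts that check directly before the operation so a second pass finds nothing. The union-of-guards policy is deliberately conservative: when two routes guard the same operation with different roles, both are reported, which is the kind of conflict an analyst would want to resolve rather than have the tool silently pick a side.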