Securing web application code by static analysis and runtime protection

Yao Wen Huang*, Fang Yu, Christian Hang, Chung Hung Tsai, D. T. Lee, Sy Yen Kuo

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, peer-review

382 Scopus citations

Abstract

Security remains a major roadblock to universal acceptance of the Web for many kinds of transactions, especially since the recent sharp increase in remotely exploitable vulnerabilities has been attributed to Web application bugs. Many verification tools are discovering previously unknown vulnerabilities in legacy C programs, raising hopes that the same success can be achieved with Web applications. In this paper, we describe a sound and holistic approach to ensuring Web application security. Viewing Web application vulnerabilities as a secure information flow problem, we created a lattice-based static analysis algorithm derived from type systems and typestate, and addressed its soundness. During the analysis, sections of code considered vulnerable are instrumented with runtime guards, thus securing Web applications in the absence of user intervention. With sufficient annotations, runtime overhead can be reduced to zero. We also created a tool named WebSSARI (Web application Security by Static Analysis and Runtime Inspection) to test our algorithm, and used it to verify 230 open-source Web application projects on SourceForge.net, which were selected to represent projects of different maturity, popularity, and scale. 69 contained vulnerabilities and their developers were notified. 38 projects acknowledged our findings and stated their plans to provide patches. Our statistics also show that static analysis reduced potential runtime overhead by 98.4%.
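To make the approach in the abstract concrete, the following is an added illustration (not WebSSARI's code, lattice or intermediate representation): a static pass over a two-point information-flow lattice (SAFE below TAINTED) walks a small constructed PHP-like script, clears every sink whose operands it can prove untainted, and attaches a runtime guard only to the sinks it cannot clear. Developer annotations are honoured by the static pass, which is how the guard count can drop to zero. The IR statement forms, the `escape` stand-in sanitizer, and the sample script are all assumptions made for this example.

```python
"""Constructed illustration of lattice-based taint analysis plus runtime guards.
Not WebSSARI's code; it only mirrors the idea in the abstract: a static pass
over a two-point lattice clears most sinks, and only the sinks it cannot clear
are instrumented with a runtime guard."""
from functools import reduce
from typing import Dict, List, Tuple

# Two-point information-flow lattice: SAFE below TAINTED.
SAFE, TAINTED = 0, 1

def join(a: int, b: int) -> int:
    """Least upper bound: a value is tainted if any contributing value is."""
    return max(a, b)

# Mini-IR (constructed) for a PHP-like script; every variable holds a string:
#   ("const", v, literal)          v := program literal                 -> SAFE
#   ("source", v)                  v := untrusted request parameter     -> TAINTED
#   ("assign", v, [s, ...])        v := concatenation of s...           -> join of inputs
#   ("sanitize", v, s)             v := escape(s)                       -> SAFE
#   ("annotate", v, level)         developer annotation asserting v's level
#   ("sink", [s, ...])             sensitive operation (e.g. a query) over s...
#   ("sink", [s, ...], [g, ...])   same sink, with a runtime guard on operands g...
Stmt = Tuple
Program = List[Stmt]

def analyze(program: Program) -> List[Tuple[int, List[str]]]:
    """Static pass. Returns (statement index, tainted operands) for each sink the
    analysis cannot prove safe. Unknown variables default to TAINTED (conservative)."""
    env: Dict[str, int] = {}
    findings = []
    for idx, stmt in enumerate(program):
        op = stmt[0]
        if op == "source":
            env[stmt[1]] = TAINTED
        elif op in ("const", "sanitize"):
            env[stmt[1]] = SAFE
        elif op == "assign":
            env[stmt[1]] = reduce(join, (env.get(s, TAINTED) for s in stmt[2]), SAFE)
        elif op == "annotate":
            env[stmt[1]] = stmt[2]          # trusts the developer's claim
        elif op == "sink":
            tainted = [v for v in stmt[1] if env.get(v, TAINTED) == TAINTED]
            if tainted:
                findings.append((idx, tainted))
    return findings

def instrument(program: Program) -> Program:
    """Attach a runtime guard only to the sinks the static pass flagged."""
    guards = dict(analyze(program))
    return [("sink", stmt[1], guards[idx]) if idx in guards else stmt
            for idx, stmt in enumerate(program)]

def guard_ratio(program: Program) -> float:
    """Fraction of sinks that still need a runtime check after static analysis."""
    sinks = sum(1 for s in program if s[0] == "sink")
    return len(analyze(program)) / sinks if sinks else 0.0

def escape(s: str) -> str:
    """Stand-in sanitizer: doubles single quotes (a real one would be DB-specific)."""
    return s.replace("'", "''")

def execute(program: Program, request: Dict[str, str]) -> List[str]:
    """Concrete interpreter. Returns the string each sink actually received;
    guarded sinks escape their flagged operands just before use."""
    vals: Dict[str, str] = {}
    received = []
    for stmt in program:
        op = stmt[0]
        if op == "const":
            vals[stmt[1]] = stmt[2]
        elif op == "source":
            vals[stmt[1]] = request[stmt[1]]
        elif op == "assign":
            vals[stmt[1]] = "".join(vals[s] for s in stmt[2])
        elif op == "sanitize":
            vals[stmt[1]] = escape(vals[stmt[2]])
        elif op == "sink":
            guarded = stmt[2] if len(stmt) > 2 else []
            received.append("".join(escape(vals[s]) if s in guarded else vals[s]
                                    for s in stmt[1]))
    return received

# Constructed sample script with four sinks; only the first needs a guard.
SAMPLE: Program = [
    ("const", "prefix", "SELECT * FROM users WHERE name='"),
    ("const", "suffix", "'"),
    ("source", "first"),                       # $first = $_GET['first']
    ("source", "last"),                        # $last  = $_GET['last']
    ("assign", "full", ["first", "last"]),     # join(TAINTED, TAINTED) = TAINTED
    ("sink", ["prefix", "full", "suffix"]),    # unsanitized -> runtime guard on 'full'
    ("sanitize", "clean", "full"),             # $clean = escape($full)
    ("sink", ["prefix", "clean", "suffix"]),   # proven safe statically -> no guard
    ("const", "fixed", "admin"),
    ("sink", ["prefix", "fixed", "suffix"]),   # literal only -> no guard
    ("source", "role"),
    ("annotate", "role", SAFE),                # annotation: treated as trusted
    ("sink", ["prefix", "role", "suffix"]),    # cleared by annotation -> no guard
]

if __name__ == "__main__":
    req = {"first": "O'Brien", "last": "", "role": "user"}
    print(analyze(SAMPLE))                         # [(5, ['full'])]
    print(f"guards needed: {guard_ratio(SAMPLE):.0%} of sinks")
    print(execute(SAMPLE, req)[0])                 # quote passes through unescaped
    print(execute(instrument(SAMPLE), req)[0])     # guard escapes it
```

Two design points carry over to the real setting. Defaulting unknown variables to TAINTED keeps the static pass conservative: it may insert an unnecessary guard, but never omits a needed one. An annotation, by contrast, is trusted outright, so a wrong annotation on `role` would silence both the static finding and the runtime guard; that is the trade-off behind "with sufficient annotations, runtime overhead can be reduced to zero".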

Original language: English
Title of host publication: Thirteenth International World Wide Web Conference Proceedings, WWW2004
Publisher: Association for Computing Machinery (ACM)
Pages: 40-52
Number of pages: 13
ISBN (Print): 158113844X, 9781581138443
DOIs
State: Published - 2004
Externally published: Yes
Event: Thirteenth International World Wide Web Conference Proceedings, WWW2004 - New York, NY, United States
Duration: 17 May 2004 to 22 May 2004

Publication series

Name: Thirteenth International World Wide Web Conference Proceedings, WWW2004

Conference

Conference: Thirteenth International World Wide Web Conference Proceedings, WWW2004
Country/Territory: United States
City: New York, NY
Period: 17/05/04 to 22/05/04

Keywords

  • Information flow
  • Noninterference
  • Program security
  • Security vulnerabilities
  • Type systems
  • Verification
  • Web application security
