Abstract
In this paper, we introduce the GuideForce project, whose aim is to develop automatic methods based on type systems and abstract interpretation that are capable of checking that programming guidelines related to secure web programming are correctly and reasonably applied. We outline the project plan and motivation and then describe a pilot study carried out with Soot, a Java-based program analysis framework. While still maintaining high accuracy and efficiency, the focus on guidelines adds a new human-oriented component to static analysis.
This research is funded by the German Research Foundation (DFG) under research grant 250888164 (GuideForce).
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsNotes
- 1.
- 2.
Above, fname is shorthand for first name, lname for last name and salary for annual salary.
References
Checkmarx CxSAST. https://www.checkmarx.com/
Coverity. http://www.coverity.com/
Fortify Static Code Analyzer. http://www8.hp.com/us/en/software-solutions/static-code-analysis-sast/index.html
IBM Secure AppScan Source. http://www-03.ibm.com/software/products/en/appscan-source
Manifesto for Agile Software Development. http://agilemanifesto.org/
Soot - A framework for analyzing and transforming Java and Android Applications. http://sable.github.io/soot/
Type-Based Java String Analysis (2012). http://jsa.tcs.ifi.lmu.de/
Aderhold, M., Cuellar, J., Mantel, H., Sudbrock, H.: Exemplary formalization of secure coding guidelines. Technical report TUD-CS-2010-0060, TU Darmstadt, Germany (2010)
Annamaa, A., Breslav, A., Kabanov, J., Vene, V.: An interactive tool for analyzing embedded SQL queries. In: Ueda, K. (ed.) APLAS 2010. LNCS, vol. 6461, pp. 131–138. Springer, Heidelberg (2010)
Arzt, S., Rasthofer, S., Fritz, C., Bodden, E., Bartel, A., Klein, J., Le Traon, Y., Octeau, D., McDaniel, P.: Flowdroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps. In: O’Boyle, M.F.P., Pingali, K. (eds.) ACM Conference on Programming Language Design and Implementation, PLDI 2014, Edinburgh, United Kingdom, 09–11 June 2014, p. 29. ACM (2014)
Ball, T., Rajamani, S.K.: The SLAM project: debugging system software via static analysis. In: Launchbury, J., Mitchell, J.C. (eds.) The 29th ACM Symposium on Principles of Programming Languages, Portland, OR, USA, 16–18 January 2002, pp. 1–3. ACM (2002)
Beringer, L., Grabowski, R., Hofmann, M.: Verifying pointer and string analyses with region type systems. In: Clarke, E.M., Voronkov, A. (eds.) LPAR-16 2010. LNCS, vol. 6355, pp. 82–102. Springer, Heidelberg (2010)
Chelf, B., Engler, D.R., Hallem, S.: How to write system-specific, static checkers in metal. In: Dwyer, M.B., Palsberg, J. (eds.) Proceedings of the Workshop on Program Analysis for Software Tools and Engineering, PASTE 2002, Charleston, South Carolina, USA, 18–19 November 2002, pp. 51–60. ACM (2002)
Chess, B., West, J.: Secure Programming with Static Analysis, 1st edn. Addison-Wesley Professional, Reading (2007)
Grabowski, R., Hofmann, M., Li, K.: Type-based enforcement of secure programming guidelines — code injection prevention at SAP. In: Barthe, G., Datta, A., Etalle, S. (eds.) FAST 2011. LNCS, vol. 7140, pp. 182–197. Springer, Heidelberg (2012)
Halfond, W.G.J., Orso, A.: Preventing SQL injection attacks using AMNESIA. In: 28th IEEE and ACM SIGSOFT International Conference on Software Engineering (ICSE 2006) - Formal Demos track (May 2006)
Heidegger P., Bieniusa, A., Thiemann, P.: Access permission contracts for scripting languages. In: Field, J., Hicks, M. (eds.) Proceedings of the 39th ACM Symposium on Principles of Programming Languages, POPL 2012, Philadelphia, Pennsylvania, USA, 22–28 January 2012, pp. 111–122. ACM (2012)
Heidegger, P., Thiemann, P.: Recency types for analyzing scripting languages. In: D’Hondt, T. (ed.) ECOOP 2010. LNCS, vol. 6183, pp. 200–224. Springer, Heidelberg (2010)
Huang, W., Dong, Y., Milanova, A.: Type-based taint analysis for Java web applications. In: Gnesi, S., Rensink, A. (eds.) FASE 2014 (ETAPS). LNCS, vol. 8411, pp. 140–154. Springer, Heidelberg (2014)
Huang, Y.-W., Huang, S.-K., Lin, T.-P., Tsai, C.-H.: Web application security assessment by fault injection and behavior monitoring. In: WWW 2003: Proceedings of the 12th International Conference on World Wide Web, pp. 148–159. ACM, New York, NY, USA (2003)
Jovanovic, N., Kruegel, C., Kirda, E.: Pixy: a static analysis tool for detecting web application vulnerabilities (short paper). In: SP 2006: Proceedings of the 2006 IEEE Symposium on Security and Privacy, pp. 258–263. IEEE Computer Society, Washington, DC, USA (2006)
Klein, A.: Blind XPath Injection (2004). http://www.packetstormsecurity.org/papers/bypass/Blind_XPath_Injection_20040518.pdf
Lam, P., Bodden, E., Lhoták, O., Hendren, L.: The soot framework for java program analysis: a retrospective. In: Cetus Users and Compiler Infastructure Workshop (CETUS 2011) (2011)
Laud, P.: Secrecy types for a simulatable cryptographic library. In: Atluri, V., Meadows, C., Juels, A. (eds.) ACM Conference on Computer and Communications Security, pp. 26–35. ACM (2005)
Laud, P., Uustalu, T., Vene, V.: Type systems equivalent to data-flow analyses for imperative languages. Theor. Comput. Sci. 364(3), 292–310 (2006)
Livshits, V.B., Lam, M.S.: Finding security vulnerabilities in java applications with static analysis. In: SSYM 2005: Proceedings of the 14th Conference on USENIX Security Symposium, pp. 18–18. USENIX Association, Berkeley, CA, USA (2005)
Mantel, H., Sudbrock, H.: Types vs. PDGs in information flow analysis. In: Albert, E. (ed.) LOPSTR 2012. LNCS, vol. 7844, pp. 106–121. Springer, Heidelberg (2013)
Moy, Y.: Static analysis is not just for finding bugs. CrossTalk J. Defense Softw. Eng. 23(5), 5–8 (2010)
Nielson, F., Nielson, H.R., Hankin, C.: Principles of Program Analysis. Springer, Berlin (1999)
The owasp application security verification standard project. http://www.owasp.org/index.php/ASVS. Accessed 23 June 2013
OWASP. XPATH Injection Java (2012). https://www.owasp.org/index.php/XPATH_Injection_Java
Pierce, B.C.: Types and Programming Languages. MIT Press, Cambridge (2002)
Reps, T.W., Horwitz, S., Sagiv, S.: Precise interprocedural dataflow analysis via graph reachability. In: Cytron, R.K., Lee, P. (eds.) POPL 1995: 22nd ACM Symposium on Principles of Programming Languages, San Francisco, California, USA, 23–25 January 1995, pp. 49–61. ACM Press (1995)
Schneider, F.B.: Enforceable security policies. ACM Trans. Inf. Syst. Secur. 3(1), 30–50 (2000)
Sharir, M., Pnueli, A.: Two approaches to interprocedural data flow analysis. In: Muchnick, S.S., Jones, N.D. (eds.) Program Flow Analysis - Theory and Applications, pp. 189–233. Prentice-Hall, Englewood Cliffs (1981)
Smith, G.: A new type system for secure information flow. In: CSFW, pp. 115–125. IEEE Computer Society (2001)
Su, Z., Wassermann, G.: The essence of command injection attacks in web applications. In: Proceedings of the 33rd Annual Symposium on Principles of Programming Languages, pp. 372–382, Charleston, SC, January 2006. ACM Press, New York, NY, USA
Tripp, O., Pistoia, M., Cousot, P., Cousot, R., Guarnieri, S.: Andromeda: accurate and scalable security analysis of web applications. In: Cortellessa, V., Varró, D. (eds.) FASE 2013 (ETAPS 2013). LNCS, vol. 7793, pp. 210–225. Springer, Heidelberg (2013)
Vallée-Rai, R., Co, P., Gagnon, E., Hendren, L.J., Lam, P., Sundaresan, V.: Soot - a java bytecode optimization framework. In: MacKay, S.A., Johnson, J.H. (eds.) Proceedings of the Conference of the Centre for Advanced Studies on Collaborative Research, 8–11 November 1999, Mississauga, Ontario, Canada, pp. 13. IBM (1999)
Walker, D.: A type system for expressive security policies. In: Wegman, M.N., Reps, T.W. (eds.) POPL 2000, Proceedings of the 27th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, Boston, Massachusetts, USA, 19–21 January 2000, pp. 254–267. ACM (2000)
Wassermann, G., Su, Z.: Sound and precise analysis of web applications for injection vulnerabilities. In: Proceedings of the ACM SIGPLAN 2007 Conference on Programming Language Design and Implementation, San Diego, CA, June 2007. ACM Press, New York, NY, USA
Wassermann, G., Su, Z.: Static detection of cross-site scripting vulnerabilities. In: Proceedings of the 30th International Conference on Software Engineering, Leipzig, Germany, May 2008. ACM Press, New York, NY, USA
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2015 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Erbatur, S., Hofmann, M. (2015). GuideForce: Type-Based Enforcement of Programming Guidelines. In: Bianculli, D., Calinescu, R., Rumpe, B. (eds) Software Engineering and Formal Methods. SEFM 2015. Lecture Notes in Computer Science(), vol 9509. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-49224-6_8
Download citation
DOI: https://doi.org/10.1007/978-3-662-49224-6_8
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-49223-9
Online ISBN: 978-3-662-49224-6
eBook Packages: Computer ScienceComputer Science (R0)