
GuideForce: Type-Based Enforcement of Programming Guidelines

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 9509)

Abstract

In this paper, we introduce the GuideForce project, whose aim is to develop automatic methods based on type systems and abstract interpretation that can check whether programming guidelines for secure web programming are applied correctly and sensibly. We outline the project plan and motivation and then describe a pilot study carried out with Soot, a Java-based program analysis framework. By targeting guidelines, the approach adds a human-oriented component to static analysis while still maintaining high accuracy and efficiency.

This research is funded by the German Research Foundation (DFG) under research grant 250888164 (GuideForce).
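The abstract describes the core idea at a high level: a guideline ("never pass unsanitized request data to a query API") is encoded as a typing discipline, and an abstract interpretation over the program computes, for every variable, the trust type that reaches each use. The following added example, which is not GuideForce's own code or part of Soot, shows what such a checker looks like in miniature: a forward dataflow analysis over a tiny three-address IR with a two-point lattice (TRUSTED below UNTRUSTED), a worklist fixpoint over a control-flow graph, and the guideline itself reduced to one typing rule at the sink. The IR opcodes, the sanitizer, the sink, and the four sample programs are all constructed for this illustration.

```python
"""Toy type-based guideline checker (added illustration, not project code).

A forward dataflow analysis over a small three-address IR with the
two-point trust lattice TRUSTED < UNTRUSTED. The guideline enforced is:
"an argument to a query sink must have the TRUSTED type".
"""
from typing import Dict, List, Set, Tuple

TRUSTED, UNTRUSTED = 0, 1            # TRUSTED is below UNTRUSTED; join = max

Instr = Tuple[str, ...]
Block = Tuple[List[Instr], List[str]]   # (instructions, successor labels)
Env = Dict[str, int]                    # variable -> trust type


def join_env(a: Env, b: Env) -> Env:
    """Pointwise join of two environments at a control-flow merge."""
    out = dict(a)
    for var, lvl in b.items():
        out[var] = max(out.get(var, TRUSTED), lvl)
    return out


def transfer(ins: Instr, env: Env, violations: Set[Tuple[str, int, str]],
             block: str, idx: int) -> Env:
    """Typing rule for one instruction; 'sink' carries the guideline check."""
    env = dict(env)
    op = ins[0]
    if op == "source":                  # x = request.getParameter(...)
        env[ins[1]] = UNTRUSTED
    elif op == "const":                 # x = "string literal"
        env[ins[1]] = TRUSTED
    elif op == "concat":                # x = a + b : type is the join of both
        env[ins[1]] = max(env[ins[2]], env[ins[3]])
    elif op == "sanitize":              # x = escape(a), a declared sanitizer
        env[ins[1]] = TRUSTED
    elif op == "sink":                  # db.execute(a): guideline applies here
        if env[ins[1]] == UNTRUSTED:
            violations.add((block, idx, ins[1]))
    else:
        raise ValueError(f"unknown opcode {op!r}")
    return env


def check(cfg: Dict[str, Block], entry: str = "entry") -> List[Tuple[str, int, str]]:
    """Worklist fixpoint over the CFG. The lattice is finite and the transfer
    functions are monotone, so each block's input environment only grows and
    any violation seen in an intermediate pass still holds at the fixpoint."""
    in_env: Dict[str, Env] = {entry: {}}
    violations: Set[Tuple[str, int, str]] = set()
    worklist = [entry]
    while worklist:
        label = worklist.pop()
        env = in_env[label]
        instrs, succs = cfg[label]
        for i, ins in enumerate(instrs):
            env = transfer(ins, env, violations, label, i)
        for s in succs:
            merged = join_env(in_env.get(s, {}), env)
            if merged != in_env.get(s):
                in_env[s] = merged
                worklist.append(s)
    return sorted(violations)


# Constructed sample programs (not taken from the paper).
VIOLATING = {   # request parameter concatenated straight into the query
    "entry": ([("source", "name"), ("const", "q"),
               ("concat", "q2", "q", "name"), ("sink", "q2")], []),
}
COMPLIANT = {   # same program with the sanitizer applied first
    "entry": ([("source", "name"), ("sanitize", "safe", "name"), ("const", "q"),
               ("concat", "q2", "q", "safe"), ("sink", "q2")], []),
}
PARTIAL = {     # sanitizer on one branch only: the join at 'exit' keeps UNTRUSTED
    "entry": ([("source", "name"), ("const", "q")], ["then", "else"]),
    "then":  ([("sanitize", "safe", "name")], ["exit"]),
    "else":  ([("const", "tmp"), ("concat", "safe", "name", "tmp")], ["exit"]),
    "exit":  ([("concat", "q2", "q", "safe"), ("sink", "q2")], []),
}
LOOP = {        # query grown inside a loop; the fixpoint terminates after two passes
    "entry": ([("const", "q")], ["loop"]),
    "loop":  ([("source", "name"), ("concat", "q", "q", "name")], ["loop", "exit"]),
    "exit":  ([("sink", "q")], []),
}

if __name__ == "__main__":
    for title, prog in (("violating", VIOLATING), ("compliant", COMPLIANT),
                        ("partial", PARTIAL), ("loop", LOOP)):
        print(f"{title:10s} violations: {check(prog)}")
```

The PARTIAL program is the case a guideline checker must get right: the sanitizer is present in the code, but only on one path, and the path-insensitive join at the merge point correctly reports the sink. A real implementation on top of Soot would work on Jimple rather than this toy IR and would take the source, sink, and sanitizer sets from the guideline specification instead of hard-coding opcodes.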




Correspondence to Serdar Erbatur.


Copyright information

© 2015 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Erbatur, S., Hofmann, M. (2015). GuideForce: Type-Based Enforcement of Programming Guidelines. In: Bianculli, D., Calinescu, R., Rumpe, B. (eds) Software Engineering and Formal Methods. SEFM 2015. Lecture Notes in Computer Science, vol 9509. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-49224-6_8

  • DOI: https://doi.org/10.1007/978-3-662-49224-6_8


  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-662-49223-9

  • Online ISBN: 978-3-662-49224-6

  • eBook Packages: Computer Science (R0)
