Course finding security vulnerabilities in Java applications

Introduction

The security of Web applications has become increasingly important in the last decade. More and more Web-based enterprise applications deal with sensitive financial and medical data, which, if compromised, in addition to downtime can mean millions of dollars in damages. It is crucial to protect these applications from hacker attacks. However, the current state of application security leaves much to be desired. The 2002 Computer Crime and Security Survey conducted by the Computer Security Institute and the FBI revealed that, on a yearly basis, over half of all databases experience at least one security breach and an average episode results in close to $4 million in losses [10]. A recent penetration testing study performed by the Imperva Application Defense Center included more than 250 Web applications from e-commerce, online banking, enterprise collaboration, and supply chain management sites [54]. Their vulnerability assessment concluded that at least 92% of Web applications are vulnerable to some form of hacker attacks. Security compliance of application vendors is especially important in light of recent U.S. industry regulations such as the Sarbanes-Oxley act pertaining to information security [4, 19].

Causes of Vulnerabilities
Of all vulnerabilities identified in Web applications, problems caused by unchecked input are recognized as being the most common [41]. To exploit unchecked input, an attacker needs to achieve two goals:
Inject malicious data into Web applications. Common methods used include:
• Parameter tampering: pass specially crafted malicious values in fields of HTML forms.
• URL manipulation: use specially crafted parameters to be submitted to the Web application as part of the URL.
• Hidden field manipulation: set hidden fields of HTML forms in Web pages to malicious values.
• HTTP header tampering: manipulate parts of HTTP requests sent to the application.
• Cookie poisoning: place malicious data in cookies, small files sent to Web-based applications.

Code Auditing for Security
Many attacks described in the previous section can be detected with code auditing. Code reviews pinpoint potential vulnerabilities before an application is run. In fact, most Web application development methodologies recommend a security assessment or review step as a separate development phase after testing and before application deployment [40, 41].
Code reviews, while recognized as one of the most effective defense strategies [21], are time-consuming, costly, and are therefore performed infrequently. Security auditing requires security expertise that most developers do not possess, so security reviews are often carried out by external security consultants, thus adding to the cost. In addition to this, because new security errors are often introduced as old ones are corrected, double-audits (auditing the code twice) are highly recommended. The current situation calls for better tools that help developers avoid introducing vulnerabilities during the development cycle.

Static Analysis
This paper proposes a tool based on a static analysis for finding vulnerabilities caused by unchecked input. Users of the tool can describe vulnerability patterns of interest succinctly in PQL [35], which is an easy-to-use program query language with a Java-like syntax.
Our tool, as shown in Figure 1, applies user-specified queries to Java bytecode and finds all potential matches statically. The results of the analysis are integrated into Eclipse, a popular open-source Java development environment [13], making the potential vulnerabilities easy to examine and fix as part of the development process.
The advantage of static analysis is that it can find all potential security violations without executing the application. The use of bytecode-level analysis obviates the need for the source code to be accessible. This is especially important since libraries whose source is unavailable are used extensively in Java applications. Our approach can be applied to other forms of bytecode such as MSIL, thereby enabling the analysis of C# code.

Contributions
A unified analysis framework. We unify multiple, seemingly diverse, recently discovered categories of security vulnerabilities in Web applications and propose an extensible tool for detecting these vulnerabilities using a sound yet practical static analysis for Java.
A powerful static analysis. Our tool is the first practical static security analysis that utilizes fully context-sensitive pointer analysis results. We improve the state of the art in pointer analysis by improving the object-naming scheme. The precision of the analysis is effective in reducing the number of false positives issued by our tool.
A simple user interface. Users of our tool can find a variety of vulnerabilities involving tainted objects by specifying them using PQL [35]. Our system provides a GUI auditing interface implemented on top of Eclipse, thus allowing users to perform security audits quickly during program development.

Paper Organization
The rest of the paper is organized as follows. Section 2 presents a detailed overview of application-level security vulnerabilities we address. Section 3 describes our static analysis approach. Section 4 describes improvements that increase analysis precision and coverage. Section 5 describes the auditing environment our system provides. Section 6 summarizes our experimental findings. Section 7 describes related work, and Section 8 concludes.

Overview of Vulnerabilities

In this section we focus on a variety of security vulnerabilities in Web applications that are caused by unchecked input. According to an influential survey performed by the Open Web Application Security Project [41], unvalidated input is the number one security problem in Web applications. Many such security vulnerabilities have recently been appearing on specialized vulnerability tracking sites such as SecurityFocus and were widely publicized in the technical press [39, 41]. Recent reports include SQL injections in Oracle products [31] and cross-site scripting vulnerabilities in Mozilla Firefox [30].

SQL Injection Example
Let us start with a discussion of SQL injections, one of the most well-known kinds of security vulnerabilities found in Web applications. SQL injections are caused by unchecked user input being passed to a back-end database for execution [1, 2, 14, 29, 32, 47]. The hacker may embed SQL commands into the data he sends to the application, leading to unintended actions performed on the back-end database. When exploited, a SQL injection may cause unauthorized access to sensitive data, updates or deletions from the database, and even shell command execution.
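The unchecked-input flow described above (request parameter, string concatenation, query execution) is the pattern the paper's analysis flags. The following added example, which is not from the paper, shows that flow and the parameterized form that closes it; it uses Python's standard sqlite3 module on an in-memory database so it runs stand-alone, and the table and rows are constructed for the illustration.

```python
import sqlite3


def make_db():
    # Constructed sample table standing in for an application's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pin TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "1234"), ("bob", "9876")])
    return conn


def lookup_vulnerable(conn, name):
    # Unchecked input is concatenated straight into the query text, so a quote
    # in the value changes the structure of the SQL the database parses.
    # This is the source -> string concatenation -> query sink flow the static
    # analysis reports as a SQL injection.
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, name):
    # The value is bound as a parameter: the query structure is fixed before
    # the input is seen, and the input is only ever compared as a literal.
    query = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


if __name__ == "__main__":
    conn = make_db()
    # A well-formed request behaves identically in both versions.
    print(lookup_vulnerable(conn, "alice"), lookup_parameterized(conn, "alice"))
    # A value carrying a quote turns the WHERE clause into a tautology in the
    # vulnerable version, returning every user; the parameterized version
    # looks for a user literally named that and finds none.
    crafted = "x' OR 'a'='a"
    print(lookup_vulnerable(conn, crafted))
    print(lookup_parameterized(conn, crafted))
```

The same defect exists in Java when a `java.sql.Statement` is built from `getParameter` values by concatenation, and the same fix applies through `PreparedStatement` binding.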

….
