A hybrid analysis framework for detecting web application vulnerabilities / M. Monga, R. Paleari, E. Passerini. - In: Proceedings of the 5th International Workshop on Software Engineering for Secure Systems. - [s.l], 2009. - ISBN 978-1-4244-3725-2. - pp. 25-32 (SESS conference: International Workshop on Software Engineering for Secure Systems, held in Vancouver in 2009).

A hybrid analysis framework for detecting web application vulnerabilities

M. Monga;R. Paleari;E. Passerini
2009

Abstract

Increasingly, web applications handle sensitive data and interface with critical back-end components, but are often written by poorly experienced programmers with low security skills. The majority of vulnerabilities that affect web applications can be ascribed to the lack of proper validation of user's input, before it is used as argument of an output function. Several program analysis techniques were proposed to automatically spot these vulnerabilities. One particularly effective is dynamic taint analysis. Unfortunately, this approach introduces a significant run-time penalty. In this paper, we present a hybrid analysis framework that blends together the strengths of static and dynamic approaches for the detection of vulnerabilities in web applications: a static analysis, performed just once, is used to reduce the run-time overhead of the dynamic monitoring phase. We designed and implemented a tool, called Phan, that is able to statically analyze PHP bytecode searching for dangerous code statements; then, only these statements are monitored during the dynamic analysis phase.
Sector INF/01 - Computer Science
2009
http://ieeexplore.ieee.org/xpl/tocresult.jsp?isnumber=5068439&isYear=2009
Book Part (author)

Use this identifier to cite or link to this document: https://hdl.handle.net/2434/65578
Citations
  • PMC: ND
  • Scopus: 21
  • ISI: 14