DocumentCode :
1955051
Title :
A hybrid analysis framework for detecting web application vulnerabilities
Author :
Monga, Mattia ; Paleari, Roberto ; Passerini, Emanuele
Author_Institution :
Univ. degli Studi di Milano, Milan
fYear :
2009
fDate :
19-19 May 2009
Firstpage :
25
Lastpage :
32
Abstract :
Increasingly, web applications handle sensitive data and interface with critical back-end components, but are often written by poorly experienced programmers with low security skills. The majority of vulnerabilities that affect web applications can be ascribed to the lack of proper validation of user's input before it is used as an argument to an output function. Several program analysis techniques have been proposed to automatically spot these vulnerabilities. One particularly effective technique is dynamic taint analysis. Unfortunately, this approach introduces a significant run-time penalty. In this paper, we present a hybrid analysis framework that blends together the strengths of static and dynamic approaches for the detection of vulnerabilities in web applications: a static analysis, performed just once, is used to reduce the run-time overhead of the dynamic monitoring phase. We designed and implemented a tool, called Phan, that is able to statically analyze PHP bytecode searching for dangerous code statements; then, only these statements are monitored during the dynamic analysis phase.
Keywords :
Internet; object-oriented programming; program diagnostics; security of data; Web application vulnerability; back-end components; dynamic taint analysis; poorly experienced programmers; run-time penalty; security skills; Application software; Data security; Java; Monitoring; Network servers; Performance analysis; Phase detection; Programming profession; Runtime; Web server;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Software Engineering for Secure Systems, 2009. SESS '09. ICSE Workshop on
Conference_Location :
Vancouver, BC
Print_ISBN :
978-1-4244-3725-2
Type :
conf
DOI :
10.1109/IWSESS.2009.5068455
Filename :
5068455