This is a list of articles, blog entries and research related to application security that I found interesting and worthwhile reading this month.
The paper “One Technique is Not Enough: A comparison of Vulnerability Discovery Techniques” by Andrew Austin and Laurie Williams of the Department of Computer Science of the North Carolina State University examines the effectiveness of specific vulnerability discovery techniques:
- systematic and exploratory manual penetration testing
- static analysis
- automated penetration testing.
Based on a case study of two web-based electronic health care record systems (OpenEMR and eCHR) the authors found empirical evidence that:
- no single technique discovered every type of vulnerability;
- static analysis found the most implementation bugs;
- systematic manual penetration testing found the most design flaws;
- the most effective technique (measured in vulnerabilities discovered per hour) was automated penetration testing;
- if one has limited time, one should conduct automated penetration testing to discover implementation bugs and systematic manual penetration testing to discover design flaws.
At the 11th IEEE International Working Conference on Source Code Analysis and Manipulation (SCAM 2011) Andrea Avancini and Mariano Ceccato presented their paper “Security Testing of Web Applications: A Search-Based Approach for Cross-Site Scripting Vulnerabilities”.
Jonathan Burket, Patrick Mutchler, Michael Weaver, Muzzammil Zaveri and David Evans (University of Virginia) presented their paper “GuardRails: A Data-Centric Web Application Security Framework” at the 2nd USENIX Conference on Web Application Development (WebApps 2011). Slides available here.
The authors present GuardRails, a tool for Ruby on Rails (currently only version 2) that helps developers build secure web applications. GuardRails works by attaching security policies using annotations to the data model itself. GuardRails then produces a version of the application that enforces those policies. The paper assumes that the developer is a benevolent partner in this (see an earlier blog-post of mine if there is potential malicious intent by developers).
The design goals where:
- to allow developers to specify and automatically enforce data policies in a way that minimizes opportunity for developer error;
- no functionality is broken by the GuardRails transformations;
- no need to modify an application to use GuardRails.
The authors acknowledge that currently their method imposes a significant performance cost, but they believe that this is more related to the prototype system than the intrinsic costs of their approach. Anyway, visit the GuardRails website for more information or download the GuardRails source code.
In another interesting paper presented at WebApps 2011 “PHP Aspis: Using Partial Taint Tracking
To Protect Against Injection Attacks” by Ioannis Papagiannis, Matteo Migliavacca and Peter Pietzuch, the authors introduce PHP Aspis, a source code transformation tool that applies partial taint tracking at the language level. PHP Aspis carries out taint propagation only in an application’s most vulnerable parts: third-party plugins.
The authors evaluate PHP Aspis with Wordpress and show that it prevents all code injection exploits that were found in Wordpress plugins in 2010. The overhead penalty was about 2.2 times. Code available here.
In the paper “A Systematic Analysis of XSS Sanitization in Web Application Frameworks” (presentations available here and here) by Joel Weinberger, Prateek Saxena, Devdatta Akhawe,
Matthew Finifter, Richard Shin, and Dawn Song (University of California, Berkeley) the authors systematically study the security of the XSS sanitization abstractions 14 major commercially used frameworks provide. The (not so positive) conclusions are:
- Frameworks often do not address critical parts of the XSS conundrum.
- There is a wide gap between the abstractions provided by frameworks and the requirements of applications.
I already described this study on the Astyran blog in September but forgot to add the conclusion. Related research (by the same authors) is An Empirical Analysis of XSS Sanitization in Web Application Frameworks.
Since apparently attackers are having great fun making fools of us, it is maybe time too to have some fun. The International Obfuscated C Code Contest (IOCCC) for the first time in many year launched a new challenge (running from 12 November till 12 January). For those who are too young to remember the previous challenges, here are the goals of the contest:
- To write the most Obscure/Obfuscated C program under the rules below.
- To show the importance of programming style, in an ironic way.
- To stress C compilers with unusual code.
- To illustrate some of the subtleties of the C language.
- To provide a safe forum for poor C code.
Since the online submission tool will be available tomorrow, please hurry and visit the IOCCC website.
If you are more into games, you can register for DARPA’s Crowd Sourced Formal Verification (CSFV). This program seeks to make formal verification of software more cost effective by enabling non-specialists to participate productively in the formal verification process; this is done by creating a specific game that is intuitively understandable and fun to play. This game is based on the particular software implementation and software property to be verified. Playing, and completing, the CSFV game enables formal verification tools to complete a corresponding formal software verification proof.
The presentation “A Privacy-Preserving Defense Mechanism Against Request Forgery Attacks” by Ben S. Y. Fung and Patrick P. C. Lee of the Department of Computer Science and Engineering of The Chinese University of Hong Kong at the 10th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (IEEE TrustCom-11), Changsha, China, November 2011 won deservedly so the best paper award. The authors also made the presentation slides and source code available.
The authors propose the DeRef defence mechanism (proof-of-concept prototype on Firefox and WordPress) and justified the performance overheads. The DeRef mechanism provides fine-grained access control on the scope within which the client’s authentication credentials can be embedded in the requests with the following features:
- The browser cannot infer the scopes being configured by the website;
- The website does not know where the browser initiates requests. DeRef achieves this by using two-phase checking using hashing and blind signature (read the paper!).
And in yet another paper from WebApps 2011 “Secure Data Preservers for Web Services” by Jayanthkumar Kannan (Google Inc.), Petros Maniatis (Intel Labs) and Byung-Gon Chun (Yahoo! Research), the authors describe a novel approach wherein a user who hands off her data to a web service has complete choice over the code and policies that constrain access to her data.
And in our last paper from WebApps 2011, “The Effectiveness of Application Permissions” by Adrienne Porter Felt, Kate Greenwood and David Wagner of the University of California, Berkeley, the authors performed case studies on two platforms with application permissions, the Google Chrome extension system and the Android OS in order to evaluate whether application permissions are effective at protecting users.
Their results indicate that
“application permissions can have a positive impact on system security when applications’ permission requirements are declared upfront by the developer, but can be improved”.
At ESORICS 2011, Leuven, Belgium (where yours truly was born) Philippe De Ryck, Lieven Desmet, Wouter Joosen, and Frank Piessens (KUL Leuven) presented their paper “Automatic and Precise Client-Side Protection against CSRF Attacks”. The paper presents a request filtering algorithm that automatically and precisely identifies expected cross-origin requests, based on whether they are preceded by certain indicators of collaboration between sites.
In another paper from ESORICS 2011, “Protecting Against Web Application Injections with Complementary Character Coding” (presentation available here) by Raymond Mui and Phyllis Frankl of the Polytechnic Institute of NYU, the authors describe complementary character coding, a new character encoding scheme and its application for protecting against input injection attacks, including SQL injection and cross site scripting.
In this approach, each character has two encodings, which can be used to distinguish between trusted and untrusted data. Small modifications to web components, such as the browser, application code interpreter, and database management system, allow them to enforce security policies guarding against injection attacks.
Thanks to the (very interesting) security blog at www.clerkendweller.com I was made aware of the paper “Exploring the Relationship Between Web Application Development Tools and Security” by Matthew Finifter and David Wagner of the University of California, Berkeley.
The authors come to the following conclusions:
- There is no relationship between choice of programming language and application security;
- Automatic framework protection measures (such as for CSRF and session management) are effective at precluding vulnerabilities, while manual protection mechanisms provide little value;
- Manual source code review is more effective than automated black-box testing, but testing is complementary.
Note that the authors came to those conclusions based on a review of 9 implementations (by 9 different professional programming teams) of the same application. Three teams used Perl, 3 used Java and 3 used PHP. The manual review and the automated black box test were executed by Matthew Finifter. For the black-box test the brilliant Burp Suite Professional was used.
Personally I belief that Burp is an invaluable tool in the hands of a manual tester (we use it at Astyran), but not really the best in ‘automated’ (scan-based) black-box testing.
See for instance the results of the recently publicized scanner benchmark. But the well-written paper is certainly worth a read and will no doubt be abused in the heated “manual versus automated reviews” wars.
ISACA (the Information Systems Audit and Control Association) published the white paper “Mobile Payment: Risk, Security and Assurance Issues”.
This - very high level - white paper examines the current state and nature of the mobile payments market, some of the relevant enabling technologies, and looks at the relevant risk, security and assurance issues that security and audit professionals will want to consider when developing and evaluating mobile payment services.
Web 2.0 and Beyond
An interesting paper “Security Issues in NoSQL Databases” in the proceedings of the 2011 International Joint Conference of IEEE TrustCom-11/IEEE ICESS-11/FCST-11 reviews two of the most popular NoSQL databases (Cassandra and MongoDb)and outlines their main security features and problems.
The conclusions are
Clearly the future generations of such DBMSs need considerable development and hardening in order to provide secure environment for sensitive data which is being stored by applications (such as social networks) using them.”
More information in a previous blog-post of mine.
This post is not supposed to be a full list of all publications regarding application security in the this month but just a selection, based on the amount of time we had free to read them and the relevancy of the topics to our work.
Anything I missed or that you think should be added to this list? Let me know!
Please find earlier overviews here:
“Nothing travels faster than the speed of light with the possible exception of bad news, which obeys its own special laws.” (Douglas Adams, Mostly Harmless)