“Detection of Vulnerabilities and Automatic Protection for Web Applications”

From Navigators

(Difference between revisions)
(Created page with "{{Publication |type=phdthesis |document=Document for Publication-PhD Thesis IberiaMedeiros.pdf |title= Detection of Vulnerabilities and Automatic Protection for Web Applications ...")
 
(2 intermediate revisions not shown)
Line 2: Line 2:
|type=phdthesis
|type=phdthesis
|document=Document for Publication-PhD Thesis IberiaMedeiros.pdf
|document=Document for Publication-PhD Thesis IberiaMedeiros.pdf
-
|title= Detection of Vulnerabilities and Automatic Protection for Web Applications
+
|title=Detection of Vulnerabilities and Automatic Protection for Web Applications
-
|author=Ibéria Medeiros,  
+
|author=Ibéria Medeiros,
 +
|Project=Project:SEGRID, Project:MASSIF, Project:RC-Clouds,
|ResearchLine=Fault and Intrusion Tolerance in Open Distributed Systems (FIT)
|ResearchLine=Fault and Intrusion Tolerance in Open Distributed Systems (FIT)
|month=sep
|month=sep
Line 19: Line 20:
is the input validation, which is directly related with the user inputs inserted in
is the input validation, which is directly related with the user inputs inserted in
web application forms.
web application forms.
 +
The thesis proposes methodologies and tools for the detection of input validation
The thesis proposes methodologies and tools for the detection of input validation
vulnerabilities in source code and for the protection of web applications
vulnerabilities in source code and for the protection of web applications
written in PHP, using source code static analysis, machine learning and runtime
written in PHP, using source code static analysis, machine learning and runtime
protection techniques.
protection techniques.
 +
An approach based on source code static analysis is used to identify vulnerabilities
An approach based on source code static analysis is used to identify vulnerabilities
in applications programmed with PHP. The user inputs are tracked with taint
in applications programmed with PHP. The user inputs are tracked with taint
Line 30: Line 33:
to remove the flaws, correcting the source code automatically thus protecting the
to remove the flaws, correcting the source code automatically thus protecting the
web application.
web application.
 +
A new technique for source code static analysis is suggested to automatically
A new technique for source code static analysis is suggested to automatically
learn about vulnerabilities and then to detect them. Machine learning applied to
learn about vulnerabilities and then to detect them. Machine learning applied to
Line 35: Line 39:
about flaws in the source code, classifying it as being vulnerable or not, and then
about flaws in the source code, classifying it as being vulnerable or not, and then
discovering and identifying the vulnerabilities.
discovering and identifying the vulnerabilities.
 +
A runtime protection technique is also proposed to flag and block injection attacks
A runtime protection technique is also proposed to flag and block injection attacks
against databases. The technique is implemented inside the database management
against databases. The technique is implemented inside the database management
Line 40: Line 45:
a semantic mismatch. Source code identifiers are employed so that, when an
a semantic mismatch. Source code identifiers are employed so that, when an
attack is flagged, the vulnerability is localized in the source code.
attack is flagged, the vulnerability is localized in the source code.
 +
Overall this work allowed the identification of about 1200 vulnerabilities in open
Overall this work allowed the identification of about 1200 vulnerabilities in open
source web applications available in the Internet, 560 of which previously unknown.
source web applications available in the Internet, 560 of which previously unknown.
The unknown vulnerabilities were reported to the corresponding software
The unknown vulnerabilities were reported to the corresponding software
developers and most of them have already been removed.
developers and most of them have already been removed.
-
 
+
|school=Departamento de Informática, Faculdade de Ciências, Universidade de Lisboa
-
|school=Doutoramento em Informática, Faculdade de Ciências da Universidade de Lisboa
+
|advisor=Miguel Correia, Nuno Ferreira Neves,
-
|advisor=Miguel Correia, Nuno Ferreira Neves,  
+
}}
}}

Latest revision as of 16:34, 2 October 2018

Ibéria Medeiros (advised by Miguel Correia, Nuno Ferreira Neves)

Ph.D. dissertation, Departamento de Informática, Faculdade de Ciências, Universidade de Lisboa, Sept. 2016

Abstract: In less than three decades of existence, the Web evolved from a platform for accessing hypermedia to a framework for running complex web applications. These applications appear in many forms, from small home-made to large-scale commercial services such as Gmail, Office 365, and Facebook. Although a significant research effort on web application security has been ongoing for a while, these applications have been a major source of problems and their security continues to be challenged. An important part of the problem derives from vulnerable source code, often written in unsafe languages like PHP, and programmed by people without the appropriate knowledge about secure coding, who leave flaws in the applications. Nowadays the most exploited vulnerability category is the input validation, which is directly related with the user inputs inserted in web application forms.

The thesis proposes methodologies and tools for the detection of input validation vulnerabilities in source code and for the protection of web applications written in PHP, using source code static analysis, machine learning and runtime protection techniques.

An approach based on source code static analysis is used to identify vulnerabilities in applications programmed with PHP. The user inputs are tracked with taint analysis to determine if they reach a PHP function susceptible to be exploited. Then, machine learning is applied to determine if the identified flaws are actually vulnerabilities. In the affirmative case, the results of static analysis are used to remove the flaws, correcting the source code automatically thus protecting the web application.

A new technique for source code static analysis is suggested to automatically learn about vulnerabilities and then to detect them. Machine learning applied to natural language processing is used to, in a first instance, learn characteristics about flaws in the source code, classifying it as being vulnerable or not, and then discovering and identifying the vulnerabilities.

A runtime protection technique is also proposed to flag and block injection attacks against databases. The technique is implemented inside the database management system to improve the effectiveness of the detection of attacks, avoiding a semantic mismatch. Source code identifiers are employed so that, when an attack is flagged, the vulnerability is localized in the source code.

Overall this work allowed the identification of about 1200 vulnerabilities in open source web applications available in the Internet, 560 of which previously unknown. The unknown vulnerabilities were reported to the corresponding software developers and most of them have already been removed.

Project(s): Project:SEGRID, Project:MASSIF, Project:RC-Clouds

Research line(s): Fault and Intrusion Tolerance in Open Distributed Systems (FIT)
