Static enforcement of web application integrity through strong typing

Authors: Giovanni Vigna, William Robertson

DOI:

Keywords:

Abstract: Security vulnerabilities continue to plague web applications, allowing attackers to access sensitive data and to co-opt legitimate web sites as a hosting ground for malware. Accordingly, researchers have focused on various approaches to detecting and preventing common classes of security vulnerabilities in web applications, including anomaly-based detection mechanisms, static and dynamic analyses of server-side web application code, and client-side security policy enforcement. This paper presents a different approach to web application security. In this work, we present a framework that leverages existing work on strong type systems to statically enforce a separation between the structure and the content of both the web documents and the database queries generated by a web application, and we show how this approach can automatically prevent the introduction of both server-side cross-site scripting and SQL injection vulnerabilities. We present an evaluation of our framework, and demonstrate the coverage and correctness of our sanitization functions. Finally, experimental results suggest that web applications developed using this framework perform competitively with applications developed using traditional frameworks.
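The abstract's central idea, that the type system should keep developer-authored structure (tags, query text) separate from untrusted content (text nodes, attribute values, query parameters), can be shown in miniature. The following Rust sketch is an added example for this page, not the paper's own framework or code; the module name `typed_web`, the functions `text`, `element` and `query`, and the sample attacker inputs are all assumptions made for illustration. The point is that an untrusted `&str` has no path into an `Html` or `Query` value except through the constructors that escape or parameterise it, so the two injection classes the abstract names are ruled out at compile time rather than by reviewer discipline.

```rust
/// Added example: a tiny typed HTML/SQL builder illustrating "structure vs. content"
/// separation enforced by the type system. Not the paper's framework.
mod typed_web {
    /// A fragment of well-formed HTML. The field is private to this module, so the
    /// only way to obtain an `Html` from untrusted data is through `text()`.
    #[derive(Debug, Clone, PartialEq)]
    pub struct Html(String);

    impl Html {
        pub fn as_str(&self) -> &str { &self.0 }
    }

    /// Escape untrusted content for an HTML text node or a double-quoted attribute value.
    /// (Other contexts, e.g. URLs or inline script, would need their own sanitizers.)
    pub fn text(untrusted: &str) -> Html {
        let mut out = String::with_capacity(untrusted.len());
        for c in untrusted.chars() {
            match c {
                '&' => out.push_str("&amp;"),
                '<' => out.push_str("&lt;"),
                '>' => out.push_str("&gt;"),
                '"' => out.push_str("&quot;"),
                '\'' => out.push_str("&#39;"),
                _ => out.push(c),
            }
        }
        Html(out)
    }

    /// Build an element. Tag and attribute names must be `&'static str`, i.e. literals
    /// written by the developer; attribute values and children must already be `Html`.
    pub fn element(tag: &'static str, attrs: &[(&'static str, Html)], children: &[Html]) -> Html {
        let mut s = String::new();
        s.push('<');
        s.push_str(tag);
        for (name, value) in attrs {
            s.push(' ');
            s.push_str(name);
            s.push_str("=\"");
            s.push_str(&value.0);
            s.push('"');
        }
        s.push('>');
        for child in children {
            s.push_str(&child.0);
        }
        s.push_str("</");
        s.push_str(tag);
        s.push('>');
        Html(s)
    }

    /// A parameterised SQL statement: the query text is a developer literal and
    /// untrusted values travel separately as parameters, never spliced into the text.
    #[derive(Debug, Clone, PartialEq)]
    pub struct Query {
        sql: &'static str,
        params: Vec<String>,
    }

    impl Query {
        pub fn sql(&self) -> &'static str { self.sql }
        pub fn params(&self) -> &[String] { &self.params }
    }

    pub fn query(sql: &'static str, params: &[&str]) -> Query {
        Query { sql, params: params.iter().map(|p| p.to_string()).collect() }
    }
}

pub use typed_web::*;

/// Application code: the untrusted `name` can only become markup via `text()`.
/// Writing `element("p", &[], &[Html(name.to_string())])` here does not compile,
/// because the field of `Html` is private to `typed_web`.
fn render_profile(name: &str) -> Html {
    element("p", &[("class", text("name"))], &[text("Hello, "), text(name)])
}

/// Application code: the untrusted `name` can only reach the query as a parameter.
/// A `format!`-built String cannot be passed as the `&'static str` query text.
fn find_user(name: &str) -> Query {
    query("SELECT id FROM users WHERE name = ?", &[name])
}

fn main() {
    // Constructed sample inputs, as an attacker would supply them.
    let xss_payload = "<script>alert(1)</script>";
    let sqli_payload = "' OR 1=1 --";
    println!("{}", render_profile(xss_payload).as_str());
    let q = find_user(sqli_payload);
    println!("{} {:?}", q.sql(), q.params());
}
```

Run it and the XSS payload comes out as `&lt;script&gt;alert(1)&lt;/script&gt;` inside the paragraph, while the SQL injection payload stays a parameter beside an unchanged query string. The guarantee comes from the types, not from remembering to call a sanitizer: code that forgets `text()` or builds query text with `format!` fails to compile.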

References (35)
Úlfar Erlingsson, Yinglian Xie, Benjamin Livshits. End-to-end web application security. In: HOTOS'07, Proceedings of the 11th USENIX Workshop on Hot Topics in Operating Systems, 2007.
Richard A. Kemmerer, Christopher Krügel, Giovanni Vigna, William K. Robertson. Using Generalization and Characterization Techniques in the Anomaly-based Detection of Web Attacks. In: Network and Distributed System Security Symposium (NDSS), 2006.
Engin Kirda, Christopher Krügel, Nenad Jovanovic, Giovanni Vigna, Philipp Vogt, Florian Nentwich. Cross Site Scripting Prevention with Dynamic Data Tainting and Static Analysis. In: Network and Distributed System Security Symposium (NDSS), 2007.
Stephen Chong, Andrew C. Myers, K. Vikram. SIF: enforcing confidentiality and integrity in web applications. In: USENIX Security Symposium, 2007.
V. Benjamin Livshits, Monica S. Lam. Finding security vulnerabilities in Java applications with static analysis. In: USENIX Security Symposium, 2005.
Anh Nguyen-Tuong, Salvatore Guarnieri, Doug Greene, Jeff Shirley, David Evans. Automatically Hardening Web Applications Using Precise Tainting. In: Information Security Conference, pp. 295-307, 2004. DOI: 10.1007/0-387-25660-1_20
Yacin Nadji, Prateek Saxena, Dawn Song. Document Structure Integrity: A Robust Basis for Cross-site Scripting Defense. In: Network and Distributed System Security Symposium (NDSS), 2009.
Martin Elsman, Ken Friis Larsen. Typing XHTML Web Applications in ML. In: Practical Aspects of Declarative Languages (PADL), pp. 224-238, 2004. DOI: 10.1007/978-3-540-24836-1_16
Dana N. Xu. Extended static checking for Haskell. In: Haskell Symposium/Workshop, pp. 48-59, 2006. DOI: 10.1145/1159842.1159849
Davide Balzarotti, Marco Cova, Viktoria V. Felmetsger, Giovanni Vigna. Multi-module vulnerability analysis of web-based applications. In: ACM Conference on Computer and Communications Security (CCS), pp. 25-35, 2007. DOI: 10.1145/1315245.1315250