CW 2006_04
Chris Vanden Berghe
Pragmatic countermeasures for implementation-related vulnerabilities in Web applications
Advisor(s): Frank Piessens, Bart Preneel
Abstract
Developing secure software remains a real challenge despite the extensive body of knowledge and tool support following three decades of computer security research. The resulting insecurity manifests itself in a continuous stream of security vulnerability announcements. Examining the announced vulnerabilities reveals that most are mere instances of well-known security issues, for which tools and best practices are readily available. So why are these tools and best practices not preventing the vulnerabilities in the first place?
Several factors, such as software release schedules and lack of security awareness, come to mind; but ultimately it is related to the limited economic incentive to invest in software security. A common problem with existing defense measures is that they are deemed too expensive due to their impact on the development processes or required security expertise. In this work we investigate the feasibility of pragmatic defense measures that are strictly decoupled from the software development process. We focus particularly on defense measures that address implementation-related vulnerabilities in web applications.
Our investigation consists of three parts, namely a study of the problem field, the development of a particular technique for preventing injection attacks and the extension of this technique to privacy enforcement.
The study of the problem field has to ensure the relevance of the security issue addressed. For this we developed a generally applicable methodology for classifying security vulnerabilities, based on correlating the presence of system properties with the adjudged influence of these properties on a set of historical vulnerabilities. Applying this methodology to Web Services revealed that Web Services are likely to be prone to input validation vulnerabilities in general and injection vulnerabilities in particular.
This study served as input for the second part, in which we developed Context-Sensitive String Evaluation (CSSE), a novel and efficient defense measure against injection vulnerabilities. CSSE addresses the root cause of injection vulnerabilities, namely the mixing of data and control channels through ad hoc serialization. By using fine-grained variable tainting, CSSE is able to automatically distinguish between the user-provided (data) and developer-provided (control) parts of an output expression and to perform the necessary checks that prevent the two from being mixed.
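The following Python snippet is an added illustration of the idea described above, written for this page; it is not the thesis's own CSSE implementation (which targeted a different platform) and its class and function names (TString, sql_safe_query, InjectionError) are assumptions. It tracks taint per character so that, when a string reaches the SQL output point, user-provided characters are interpreted according to the context the developer-provided characters put them in: inside a developer-written string literal they are escaped, outside a literal only a plain numeric literal is accepted and anything else is rejected.

```python
from dataclasses import dataclass, field
from typing import List


class InjectionError(ValueError):
    """Raised when user-provided characters would take on a control meaning."""


@dataclass
class TString:
    """A string carrying one taint flag per character (True = user-provided)."""
    text: str
    taint: List[bool] = field(default_factory=list)

    @classmethod
    def untrusted(cls, s: str) -> "TString":
        # Data that arrived from the request (form field, query parameter, ...)
        return cls(s, [True] * len(s))

    @classmethod
    def trusted(cls, s: str) -> "TString":
        # Literals written by the developer in the source code
        return cls(s, [False] * len(s))

    def __add__(self, other) -> "TString":
        # Concatenation keeps the per-character metadata; plain str is developer-provided
        if isinstance(other, str):
            other = TString.trusted(other)
        return TString(self.text + other.text, self.taint + other.taint)

    def __radd__(self, other: str) -> "TString":
        return TString.trusted(other) + self


def sql_safe_query(ts: TString) -> str:
    """Output point for the SQL context: evaluate tainted characters in context.

    Assumes the standard SQL convention that a single quote inside a string
    literal is escaped by doubling it; dialect-specific escapes (e.g. backslash)
    would need additional handling.
    """
    out = []
    in_literal = False
    for ch, tainted in zip(ts.text, ts.taint):
        if not tainted:
            # Only developer-provided quotes may open or close a string literal
            if ch == "'":
                in_literal = not in_literal
            out.append(ch)
            continue
        if in_literal:
            # User data inside a literal: neutralise the quote, keep everything else
            out.append("''" if ch == "'" else ch)
        elif ch.isdigit():
            # User data outside a literal is only acceptable as a numeric literal
            out.append(ch)
        else:
            raise InjectionError(
                f"user-provided character {ch!r} would be interpreted as SQL syntax"
            )
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample inputs: a legitimate name, a quote-breaking payload, an id
    name = TString.untrusted("O'Brien")
    print(sql_safe_query("SELECT * FROM users WHERE name = '" + name + "'"))
    print(sql_safe_query("SELECT * FROM users WHERE id = " + TString.untrusted("42")))
    try:
        sql_safe_query("SELECT * FROM users WHERE id = " + TString.untrusted("1 OR 1=1"))
    except InjectionError as exc:
        print("rejected:", exc)
```

The key property is that the check happens at the output point, not at the input point, so the developer does not have to remember to sanitize each variable; the decision of what "dangerous" means is made once, in the code that knows the output context is SQL.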
In the last part we extended CSSE to privacy enforcement. Richer metadata, metadata persistence and support for privacy policies resulted in a practical implementation of the sticky policy paradigm, enabling consistent policy enforcement throughout the life-cycle of private data. By leveraging the aspect-oriented software development paradigm we were able to fully modularize and encapsulate this privacy enforcement functionality, allowing it to be applied to existing applications.
