Proceedings ArticleDOI
MACE: Detecting Privilege Escalation Vulnerabilities in Web Applications
Maliheh Monshizadeh,Prasad Naldurg,V. N. Venkatakrishnan +2 more
- pp 690-701
TL;DR
MACE is the first tool reported in the literature to identify a new class of web application vulnerabilities called Horizontal Privilege Escalation (HPE) vulnerabilities. It works on large codebases and discovers serious, previously unknown vulnerabilities in 5 out of 7 web applications tested.
Abstract
We explore the problem of identifying unauthorized privilege escalation instances in a web application. These vulnerabilities are typically caused by missing or incorrect authorization checks in the server-side code of a web application. The problem of identifying these vulnerabilities is compounded by the lack of an access control policy specification in a typical web application, where the only supplied documentation is in fact its source code. This makes it challenging to infer the missing checks that protect a web application's sensitive resources. To address this challenge, we develop a notion of authorization context consistency, which is satisfied when a web application consistently enforces its authorization checks across the code. We then present an approach based on program analysis to check for authorization state consistency in a web application. Our approach is implemented in a tool called MACE that uncovers vulnerabilities that could be exploited in the form of privilege escalation attacks. In particular, MACE is the first tool reported in the literature to identify a new class of web application vulnerabilities called Horizontal Privilege Escalation (HPE) vulnerabilities. MACE works on large codebases and discovers serious, previously unknown vulnerabilities in 5 out of 7 web applications tested. Without MACE, a comparable human-driven security audit would require weeks of effort in code inspection and testing.
Citations
Journal ArticleDOI
Securing web applications from injection and logic vulnerabilities
G. Deepa,P. Santhi Thilagam +1 more
TL;DR: The current state of the art for securing web applications from major flaws such as injection and logic flaws, which are rated as the top most threats by different security consortiums are summarized.
Proceedings Article
Detecting missing-check bugs via semantic- and context-aware criticalness and constraints inferences
TL;DR: CRIX can scalably and precisely evaluate whether any security checks are missing for critical variables, using an inter-procedural, semantic- and context-aware analysis, and CRIX's modeling and cross-checking of the semantics of conditional statements in the peer slices of critical variables infer their criticalness, which allows it to effectively detect missing-check bugs.
Proceedings ArticleDOI
FlowWatcher: Defending against Data Disclosure Vulnerabilities in Web Applications
TL;DR: FlowWatcher is described, an HTTP proxy that mitigates data disclosure vulnerabilities in unmodified web applications, and it is shown that, with short UDA policies, it can mitigate CVE bugs in six popular web applications.
Proceedings ArticleDOI
Check It Again: Detecting Lacking-Recheck Bugs in OS Kernels
TL;DR: The first in-depth study of LRC bugs is presented, and LRSan, a static analysis system that systematically detects LRC bugs in OS kernels, is developed, using an inter-procedural analysis and multiple new techniques to identify security checks, critical variables, and uses of the checked variables.
Proceedings ArticleDOI
EKHunter: A Counter-Offensive Toolkit for Exploit Kit Infiltration.
Birhanu Eshete,Abeer Alhuzali,Maliheh Monshizadeh,Phillip Porras,V. N. Venkatakrishnan,Vinod Yegneswaran +5 more
TL;DR: The results validate the hypothesis that exploit kits largely lack sophistication necessary to resist counter-offensive activities and propose the design of EKHUNTER, a system that is capable of automatically detecting the presence of exploit vulnerabilities and deriving laboratory test cases that can compromise both the integrity of a fielded exploit kit, and even the identity of the kit operator.
References
Journal ArticleDOI
Proposed NIST standard for role-based access control
TL;DR: Although RBAC continues to evolve as users, researchers, and vendors gain experience with its application, the features and components proposed in this standard represent a fundamental and stable set of mechanisms that may be enhanced by developers in further meeting the needs of their customers.
Journal ArticleDOI
Interprocedural slicing using dependence graphs
TL;DR: A new kind of graph to represent programs is introduced, called a system dependence graph, which extends previous dependence representations to incorporate collections of procedures (with procedure calls) rather than just monolithic programs.
Proceedings ArticleDOI
Bugs as deviant behavior: a general approach to inferring errors in systems code
TL;DR: Six checkers are developed that extract beliefs by tailoring rule "templates" to a system --- for example, finding all functions that fit the rule template "a must be paired with b."
Proceedings ArticleDOI
Pixy: a static analysis tool for detecting Web application vulnerabilities
TL;DR: This paper uses flow-sensitive, interprocedural and context-sensitive dataflow analysis to discover vulnerable points in a program and applies it to the detection of vulnerability types such as SQL injection, cross-site scripting, or command injection.
Related Papers (5)
Static detection of access control vulnerabilities in web applications
Fangqi Sun,Liang Xu,Zhendong Su +2 more