University of Minnesota
Program Analysis for Security

Web applications

Adam Chlipala. “Static checking of dynamically-varying security policies in database-backed applications”. In Operating Systems Design and Implementation (OSDI), pages 105–118, Vancouver, BC, Canada, October 2010.
[USENIX]

Joe Gibbs Politz, Spiridon Aristides Eliopoulos, Arjun Guha, and Shriram Krishnamurthi. “ADsafety: Type-based verification of JavaScript sandboxing”. In USENIX Security Symposium, San Francisco, CA, USA, August 2011.
[USENIX]

Question: The discussion section of the UrFlow (Chlipala) paper compares the protection that UrFlow (and the underlying Ur/Web) provide against the top 10 web security vulnerabilities as enumerated by OWASP. In regard to the categories of insecure direct object references (#4) and failure to restrict URL access (#8), the paper says that “UrFlow can enforce that appropriate checks are always performed whenever database objects are used in particular ways.” Fill in some of the details of this claim by describing an example of a possible vulnerability of one of these kinds (you may wish to refer to the OWASP descriptions), and explaining how an UrFlow policy would function to prevent it.

Optional

Mike Samuel, Prateek Saxena, and Dawn Song. “Context-sensitive auto-sanitization in web templating languages using type qualifiers”. In ACM Conference on Computer and Communications Security (CCS), pages 587–600, Chicago, IL, USA, October 2011.
[ACM]

One of the challenges in the correct use of sanitizers to prevent cross-site scripting is that different transformations are appropriate in different contexts within a web page (e.g., HTML text versus a JavaScript string literal). This paper addresses this problem by taking advantage of a tightly structured template language, so that the context of each output hole is known statically and the matching sanitizer can be applied automatically.

Adam Barth, Juan Caballero, and Dawn Song. “Secure content sniffing for web browsers, or how to stop papers from reviewing themselves”. In IEEE Symposium on Security and Privacy “Oakland”, pages 360–371, Oakland, CA, USA, May 2009.
[IEEE]

An obscure corner of web browser behavior opens a hole for eye-catching attacks, like the one alluded to in the alternate title. The solution is mostly more conservative design, but binary analysis and string constraint solving can help in generating attacks or verifying their absence.

Gary Wassermann and Zhendong Su. “Sound and precise analysis of web applications for injection vulnerabilities”. In Programming Language Design and Implementation (PLDI), pages 32–41, San Diego, CA, USA, June 2007.
[ACM]

Shay Artzi, Adam Kiezun, Julian Dolby, Frank Tip, Danny Dig, Amit M. Paradkar, and Michael D. Ernst. “Finding bugs in dynamic web applications”. In International Symposium on Software Testing and Analysis (ISSTA), pages 261–272, Seattle, WA, USA, July 2008.
[ACM]