Mitigating SQL injection and cross site scripting vulnerabilities using program analysis and data mining techniques
Shar, Lwin Khin
Date of Issue: 2013
School of Electrical and Electronic Engineering
This thesis presents approaches for mitigating SQL injection (SQLI) and cross-site scripting (XSS) vulnerabilities, the two most common vulnerabilities found in web applications in recent years. Current approaches to mitigating SQLI and XSS can be broadly classified into three types: defensive coding, vulnerability detection, and attack prevention. Defensive coding approaches provide input validation and input sanitization methods that are effective against SQLI and XSS. Vulnerability detection approaches typically focus on identifying vulnerabilities in program source code. Attack prevention approaches focus on warding off attacks in real time, while the program is running. Although all of these approaches are useful and address some SQLI and XSS issues, each has major drawbacks that contribute to the continued occurrence of the two vulnerabilities today. Defensive coding approaches are very effective when practised correctly; however, because they generally require intensive manual work, they are error-prone. Vulnerability detection techniques are useful because they can automatically report vulnerable statements in programs, but they are known to report many false positives while also missing some vulnerabilities. Because these techniques also do not report the defense features implemented in the programs, it is difficult to identify those false positive and false negative cases. Attack prevention techniques are an effective and efficient solution for deployed applications, but they do not address the vulnerabilities in the programs themselves. As more sophisticated attack vectors are discovered, programs whose vulnerabilities have not been removed always risk being exploited. Hence, complementary or alternative solutions, which are easy to use and yet effective, are required to comprehensively address the threats of SQLI and XSS.
Based on these motivations, this thesis proposes three complementary novel approaches: vulnerability prediction, vulnerability auditing, and vulnerability removal. All three approaches are based on program analysis techniques augmented with pattern-based empirical models; the vulnerability prediction approach additionally uses data mining techniques. We empirically discover patterns in program source code and program execution traces and capture those patterns in models that can then be used for vulnerability prediction, auditing, and removal. First, we propose a vulnerability prediction approach based on static and dynamic program analysis and on data mining classification and clustering techniques. We show that a set of code attributes characterizing input validation and input sanitization code patterns in web applications can be used to build useful vulnerability predictors. The attributes are collected using both static and dynamic analysis: static attributes are easier to collect, using conventional static control flow and data flow analysis, whereas dynamic attributes can provide more accuracy because they reflect program behavior more precisely. Our vulnerability predictors provide an alternative to existing vulnerability detection approaches. Because existing approaches do not provide comprehensive information on how defense artifacts are implemented in programs, one has to manually inspect a large amount of code to identify the deficiencies in the current defense implementation when attempting to fix vulnerabilities. Hence, second, to complement existing approaches, we propose a vulnerability auditing approach that systematically recovers the SQLI and XSS defense features implemented in program source code, to assist in verifying and fixing SQLI and XSS vulnerabilities.
This approach relies only on conventional static program analysis to extract defense features. Finally, we present a vulnerability removal approach that automates the application of defensive coding methods in program source code. Pattern analysis and data flow analysis techniques are used to apply the required defensive coding schemes at the appropriate code locations automatically. This thesis also presents experimental evaluations of the proposed approaches and demonstrates that they are useful and effective.
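To make the idea of "code attributes that characterize input validation and sanitization patterns" concrete, here is a small static attribute extractor written by the editor as an added illustration; it is not code from the thesis and does not reproduce its attribute set, tooling or trained models. It assumes handler functions written in Python, a Flask-like `request` object as the only input source, `cursor.execute` as the SQL sink, a `render(...)` call as the HTML output sink and `escape` (as in `html.escape`) as the XSS sanitizer; all of these naming conventions are assumptions. The `predict` function is a hand-written rule standing in for the classifier the thesis would train from such attributes, and the three handler functions in `SAMPLE` are constructed input: a handler that builds SQL and HTML from raw input, the same handler with a parameterized query and output escaping, and a handler that never touches input.

```python
"""Toy static attribute extraction for SQLI/XSS vulnerability prediction.

Added example (not from the thesis). It walks the AST of each top-level
function and counts input-source references, SQL sinks (split into
parameterized vs. dynamically built queries), HTML sinks and sanitizer calls.
"""
import ast
from dataclasses import dataclass

# Assumed conventions for the constructed sample code (not from the thesis).
INPUT_SOURCE = "request"          # Flask-like request object is the input source
SQL_SINKS = {"execute", "executemany"}
HTML_SINK = "render"              # hypothetical HTML output function
HTML_SANITIZER = "escape"         # e.g. html.escape


@dataclass
class Attributes:
    name: str
    input_refs: int = 0           # reads of request.args / request.form / ...
    sql_param_sinks: int = 0      # execute(<literal query>, <params>)
    sql_dynamic_sinks: int = 0    # execute(<query built at runtime>)
    html_sinks: int = 0           # render(...) calls
    html_escapes: int = 0         # escape(...) calls


def _is_dynamic_string(node: ast.AST) -> bool:
    """True if the query text is assembled at runtime: f-string, `+`/`%`, or .format()."""
    if isinstance(node, (ast.JoinedStr, ast.BinOp)):
        return True
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")


def _call_name(call: ast.Call) -> str:
    func = call.func
    return func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")


def extract(source: str) -> list[Attributes]:
    """Collect one Attributes record per top-level function in `source`."""
    records = []
    for fn in ast.parse(source).body:
        if not isinstance(fn, ast.FunctionDef):
            continue
        attrs = Attributes(fn.name)
        for node in ast.walk(fn):
            if isinstance(node, ast.Name) and node.id == INPUT_SOURCE:
                attrs.input_refs += 1
            elif isinstance(node, ast.Call):
                called = _call_name(node)
                if called in SQL_SINKS and node.args:
                    if _is_dynamic_string(node.args[0]):
                        attrs.sql_dynamic_sinks += 1
                    elif len(node.args) >= 2:
                        attrs.sql_param_sinks += 1
                elif called == HTML_SINK:
                    attrs.html_sinks += 1
                elif called == HTML_SANITIZER:
                    attrs.html_escapes += 1
        records.append(attrs)
    return records


def predict(attrs: Attributes) -> list[str]:
    """Hand-written stand-in for a trained classifier over the attributes."""
    if attrs.input_refs == 0:
        return ["safe"]                      # no untrusted data reaches this function
    labels = []
    if attrs.sql_dynamic_sinks > 0:
        labels.append("sqli")                # query text built from runtime values
    if attrs.html_sinks > attrs.html_escapes:
        labels.append("xss")                 # some HTML output is not escaped
    return labels or ["safe"]


# Constructed sample handlers used as input for the extractor.
SAMPLE = '''
def lookup_user(cursor, request):
    name = request.args["name"]
    cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")
    return render("<p>" + name + "</p>")

def lookup_user_fixed(cursor, request):
    name = request.args["name"]
    cursor.execute("SELECT * FROM users WHERE name = ?", (name,))
    return render("<p>" + escape(name) + "</p>")

def static_page(request):
    return render("<p>hello</p>")
'''


def report(source: str = SAMPLE) -> dict[str, list[str]]:
    """Map each function name to its predicted labels."""
    return {a.name: predict(a) for a in extract(source)}


if __name__ == "__main__":
    for a in extract(SAMPLE):
        print(a, "->", predict(a))
```

The two sink counters are the interesting part: a query whose text is a string literal with a separate parameter tuple is counted as a parameterized sink, while one built with `+`, `%`, an f-string or `.format()` is counted as a dynamic sink, which is the attribute a predictor would weight most heavily for SQLI. Real attribute collection, as the thesis describes, also needs data flow analysis to confirm that the input actually reaches the sink, and dynamic traces to capture validation that static inspection cannot see.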
DRNTU::Engineering::Computer science and engineering::Software::Software engineering