String analysis for detection of injection flaw in Web applications

String Analysis for Detecting Injection Vulnerabilities in Web Applications

  • Published : 2007.12.31

Abstract

One common type of web-application vulnerability is the injection flaw, where an attacker supplies malicious code in place of normal input to exploit faulty application code. To be free from injection flaws, an application should be written so that every potentially bad input character is filtered out. This paper proposes a precise analysis that statically checks whether an input string variable may contain characters from a given set at a hotspot. The precision is achieved by taking the semantics of conditions into account in the analysis.

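An injection flaw is a representative vulnerability in which an attacker feeds malicious code to a web application in place of normal input values and can thereby damage the system. An application that is safe from injection attacks must be written to filter out malicious characters that may be present in input values arriving from outside. Whether a particular character is filtered can be determined statically by checking whether a string variable may contain that character at a hotspot. This paper proposes a method that statically determines injection vulnerabilities in applications, improved by applying the semantics of conditional expressions to the analysis.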
