Abstract
Code injection and cross-site scripting belong to the most common security vulnerabilities in modern software, usually caused by incorrect string processing. These exploits are often addressed by formulating programming guidelines or “best practices”.
In this paper, we study the concrete example of a guideline used at SAP for the handling of untrusted, potentially executable strings that are embedded in the output of a Java servlet. To verify adherence to the guideline, we present a type system for a Java-like language that is extended with refined string types, output effects, and polymorphic method types.
The practical suitability of the system is demonstrated by an implementation of a corresponding string type verifier and context-sensitive inference for real Java programs.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
Open Web Application Security Project: The OWASP Application Security Verification Standard Project, http://www.owasp.org/index.php/ASVS
Wiegenstein, A.: A short story about Cross Site Scripting SAP Blog, http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/2422
Hildenbrand, P.: Guard your web applications against XSS attacks: Output encoding functionality from SAP. SAP Insider 8(2) (2007)
Open Web Application Security Project: The OWASP ten most critical web application security risks, http://owasptop10.googlecode.com/
Jovanovic, N., Kruegel, C., Kirda, E.: Pixy: A static analysis tool for detecting web application vulnerabilities (short paper). In: 2006 IEEE Symp. on Security and Privacy (SP 2006), pp. 258–263. IEEE Computer Society, Washington, DC, USA (2006)
Wikipedia: Cross-site scripting (2011), http://en.wikipedia.org/w/index.php?title=Cross-site_scripting&oldid=417581017 (online accessed March 14, 2011)
Su, Z., Wassermann, G.: The essence of command injection attacks in web applications. In: 33rd Symposium on Principles of Programming Languages (POPL 2006), Charleston, SC, pp. 372–382. ACM Press, New York (2006)
Crégut, P., Alvarado, C.: Improving the Security of Downloadable Java Applications With Static Analysis. Electr. Notes Theor. Comp. Sci. 141(1), 129–144 (2005)
Wassermann, G., Su, Z.: Sound and Precise Analysis of Web Applications for Injection Vulnerabilities. In: Conf. on Prog. Lang. Design and Implementation (PLDI 2007), San Diego, CA. ACM Press, New York (2007)
Livshits, V.B., Lam, M.S.: Finding security vulnerabilities in Java applications with static analysis. In: 14th USENIX Security Symposium (SSYM 2005), p. 18. USENIX Association, Berkeley (2005)
Pierce, B.C.: Types and Programming Languages. MIT Press (2002)
Nielson, F., Nielson, H.R., Hankin, C.: Principles of Program Analysis. Springer, Heidelberg (1999)
SAP AG: SAP NetWeaver 7.0 Knowledge Center, http://help.sap.com/content/documentation/netweaver/
Hofmann, M.O., Jost, S.: Type-Based Amortised Heap-Space Analysis. In: Sestoft, P. (ed.) ESOP 2006. LNCS, vol. 3924, pp. 22–37. Springer, Heidelberg (2006)
Igarashi, A., Pierce, B., Wadler, P.: Featherweight Java: A minimal core calculus for Java and GJ. In: 1999 Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA 1999). ACM (1999)
Beringer, L., Grabowski, R., Hofmann, M.: Verifying Pointer and String Analyses with Region Type Systems. In: Clarke, E.M., Voronkov, A. (eds.) LPAR-16 2010. LNCS, vol. 6355, pp. 82–102. Springer, Heidelberg (2010)
Shivers, O.: Control-Flow Analysis of Higher-Order Languages, or Taming Lambda. PhD thesis. Carnegie Mellon University, Pittsburgh, PA, USA (1991)
Emami, M., Ghiya, R., Hendren, L.J.: Context-sensitive interprocedural points-to analysis in the presence of function pointers. In: Conf. on Programming language design and implementation (PLDI 1994), pp. 242–256. ACM, New York (1994)
Whaley, J., Lam, M.S.: Cloning-based context-sensitive pointer alias analysis using binary decision diagrams. SIGPLAN Not. 39(6), 131–144 (2004)
Grabowski, R.: Type-Based Java String Analysis (2011), http://jsa.tcs.ifi.lmu.de/
Tse, S., Zdancewic, S.: Fjavac: a functional Java compile (2006), http://www.cis.upenn.edu/~stevez/stse-work/javac/index.html
Nielson, F., Nielson, H.R., Seidl, H.: A succinct solver for alfp. Nordic J. of Computing 9, 335–372 (2002)
Weinberger, J., Saxena, P., Akhawe, D., Finifter, M., Shin, R., Song, D.: A Systematic Analysis of XSS Sanitization in Web Application Frameworks. In: Atluri, V., Diaz, C. (eds.) ESORICS 2011. LNCS, vol. 6879, pp. 150–171. Springer, Heidelberg (2011)
Christensen, A.S., Møller, A., Schwartzbach, M.I.: Precise Analysis of String Expressions. In: Cousot, R. (ed.) SAS 2003. LNCS, vol. 2694, pp. 1–18. Springer, Heidelberg (2003)
Annamaa, A., Breslav, A., Kabanov, J., Vene, V.: An Interactive Tool for Analyzing Embedded SQL Queries. In: Ueda, K. (ed.) APLAS 2010. LNCS, vol. 6461, pp. 131–138. Springer, Heidelberg (2010)
Tabuchi, N., Sumii, E., Yonezawa, A.: Regular expression types for strings in a text processing language. Electr. Notes Theor. Comput. Sci. 75 (2002)
Bartoletti, M., Degano, P., Ferrari, G.L., Zunino, R.: Local policies for resource usage analysis. ACM Trans. Program. Lang. Syst. 31, 23:1–23:43 (2009)
Skalka, C., Smith, S.: History effects and verification. In: Asian Programming Languages Symposium (November 2004)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Grabowski, R., Hofmann, M., Li, K. (2012). Type-Based Enforcement of Secure Programming Guidelines — Code Injection Prevention at SAP. In: Barthe, G., Datta, A., Etalle, S. (eds) Formal Aspects of Security and Trust. FAST 2011. Lecture Notes in Computer Science, vol 7140. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-29420-4_12
Download citation
DOI: https://doi.org/10.1007/978-3-642-29420-4_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-29419-8
Online ISBN: 978-3-642-29420-4
eBook Packages: Computer ScienceComputer Science (R0)