DOI: 10.1145/3341105.3373855
Research article

Raccoon: automated verification of guarded race conditions in web applications

Published: 30 March 2020

Abstract

Web applications are distributed, asynchronous applications that can span multiple concurrent processes. They are intended to be used by a large number of users at the same time. As concurrent applications, web applications have to account for race conditions that may occur when database access happens concurrently. Unlike vulnerability classes such as XSS or SQL injection, DBMS-based race condition flaws have received little attention even though their impact is potentially severe. In this paper, we present Raccoon, an automated approach to detect and verify race condition vulnerabilities in web applications. Raccoon identifies potential race conditions by interleaving the execution of user traces while tightly monitoring the resulting database activity. Based on our methodology we create a proof-of-concept implementation. We test four different web applications and ten use cases and discover six race conditions with security implications. Raccoon requires neither security expertise nor knowledge of the implementation or database layout, and it reports only vulnerabilities for which the tool was able to successfully replicate a practical attack. Thus, Raccoon complements previous approaches that did not verify the possible vulnerabilities they detected.
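The class of flaw the abstract describes is a guarded race: a handler reads a database value to decide whether an action is allowed (the guard) and then performs the action in a separate statement, so two interleaved requests can both pass the guard on the same stale read. The following is an added example, not code from the paper or the Raccoon tool; the `accounts` table, the balances and the handler names are constructed for illustration. It replays two withdrawal requests in the guards-before-actions schedule that an interleaving-based verifier would exercise, once against a check-then-act handler and once against a handler whose guard and action are a single conditional `UPDATE`, and it includes the kind of balance invariant that can be checked from the resulting database state alone.

```python
"""Guarded (check-then-act) race on a database-backed withdrawal.

Added example, not code from the Raccoon paper. The in-memory SQLite
'accounts' table and all values are constructed for illustration.
"""
import sqlite3

START_BALANCE = 100   # constructed starting balance for account 1
WITHDRAW = 75         # constructed amount each request tries to withdraw


def fresh_db():
    """Build the constructed accounts table with one funded account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, balance INTEGER NOT NULL)")
    conn.execute("INSERT INTO accounts VALUES (1, ?)", (START_BALANCE,))
    conn.commit()
    return conn


def balance(conn, account_id):
    (b,) = conn.execute("SELECT balance FROM accounts WHERE id = ?", (account_id,)).fetchone()
    return b


# --- vulnerable handler: guard (SELECT) and action (UPDATE) are separate statements ---
def vulnerable_check(conn, account_id, amount):
    """Guard phase: read the balance and decide. Returns the balance seen, or None."""
    seen = balance(conn, account_id)
    return seen if seen >= amount else None


def vulnerable_act(conn, account_id, balance_seen, amount):
    """Action phase: write back a value computed from the (possibly stale) read."""
    conn.execute("UPDATE accounts SET balance = ? WHERE id = ?",
                 (balance_seen - amount, account_id))
    conn.commit()


def replay_vulnerable(conn, account_id, amount, n_requests=2):
    """Interleave n requests so every guard runs before any action.
    Returns how many withdrawals the application believed succeeded."""
    seen = [vulnerable_check(conn, account_id, amount) for _ in range(n_requests)]
    successes = 0
    for b in seen:
        if b is not None:
            vulnerable_act(conn, account_id, b, amount)
            successes += 1
    return successes


# --- hardened handler: guard and action are one atomic conditional UPDATE ---
def atomic_withdraw(conn, account_id, amount):
    """The DBMS evaluates the guard and applies the decrement in one statement;
    a request that loses the race simply updates zero rows."""
    cur = conn.execute(
        "UPDATE accounts SET balance = balance - ? WHERE id = ? AND balance >= ?",
        (amount, account_id, amount))
    conn.commit()
    return cur.rowcount == 1


def replay_atomic(conn, account_id, amount, n_requests=2):
    return sum(atomic_withdraw(conn, account_id, amount) for _ in range(n_requests))


def run_vulnerable():
    """Returns (reported successes, final balance) for the check-then-act handler."""
    conn = fresh_db()
    return replay_vulnerable(conn, 1, WITHDRAW), balance(conn, 1)


def run_atomic():
    """Returns (reported successes, final balance) for the atomic handler."""
    conn = fresh_db()
    return replay_atomic(conn, 1, WITHDRAW), balance(conn, 1)


def invariant_holds(successes, final_balance):
    """Oracle checkable from database activity alone: the balance never goes
    negative and money paid out equals the drop in the stored balance."""
    return final_balance >= 0 and START_BALANCE - final_balance == successes * WITHDRAW


if __name__ == "__main__":
    for name, run in (("check-then-act", run_vulnerable), ("atomic update", run_atomic)):
        ok, final = run()
        print(f"{name}: {ok} withdrawals of {WITHDRAW} reported, final balance {final}, "
              f"invariant {'holds' if invariant_holds(ok, final) else 'VIOLATED'}")
```

With the constructed values, the check-then-act handler reports two successful withdrawals of 75 from a balance of 100 while the stored balance drops by only 75, so the invariant fails; the atomic handler reports one success and the invariant holds. Comparing reported outcomes against the observed database state, rather than inspecting source code, is what lets a black-box approach confirm a race without knowledge of the implementation.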


Cited By

  • (2022) Watch Out for Race Condition Attacks When Using Android External Storage. Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, pp. 891-904. DOI: 10.1145/3548606.3560666. Online publication date: 7 Nov 2022.
  • (2022) A deep study of the effects and fixes of server-side request races in web applications. Proceedings of the 19th International Conference on Mining Software Repositories, pp. 744-756. DOI: 10.1145/3524842.3528463. Online publication date: 23 May 2022.
  • (2022) Semantic web Racer. Expert Systems with Applications: An International Journal, vol. 195:C. DOI: 10.1016/j.eswa.2022.116569. Online publication date: 1 Jun 2022.


Published In

SAC '20: Proceedings of the 35th Annual ACM Symposium on Applied Computing
March 2020
2348 pages
ISBN:9781450368667
DOI:10.1145/3341105
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. race conditions
  2. web application security testing

Qualifiers

  • Research-article

Conference

SAC '20
Sponsor:
SAC '20: The 35th ACM/SIGAPP Symposium on Applied Computing
March 30 - April 3, 2020
Brno, Czech Republic

Acceptance Rates

Overall Acceptance Rate 1,650 of 6,669 submissions, 25%

Article Metrics

  • Downloads (last 12 months): 30
  • Downloads (last 6 weeks): 2
Reflects downloads up to 24 Nov 2024
