{"id":8508,"date":"2016-04-20T08:27:18","date_gmt":"2016-04-20T08:27:18","guid":{"rendered":"http:\/\/revoscience.com\/en\/?p=8508"},"modified":"2016-04-20T08:27:18","modified_gmt":"2016-04-20T08:27:18","slug":"patching-up-web-applications","status":"publish","type":"post","link":"https:\/\/www.revoscience.com\/en\/patching-up-web-applications\/","title":{"rendered":"Patching up Web applications"},"content":{"rendered":"<p style=\"text-align: justify;\"><span style=\"color: #000000;\"><em><strong style=\"color: #222222;\">New debugging method found 23 undetected security flaws in 50 popular Web applications.<\/strong><\/em><\/span><\/p>\n<figure id=\"attachment_8509\" aria-describedby=\"caption-attachment-8509\" style=\"width: 601px\" class=\"wp-caption alignnone\"><a href=\"http:\/\/revoscience.com\/en\/wp-content\/uploads\/2016\/04\/MIT-Bug-Finder-1_0.jpg\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-8509\" src=\"http:\/\/revoscience.com\/en\/wp-content\/uploads\/2016\/04\/MIT-Bug-Finder-1_0.jpg\" alt=\"In tests on 50 popular Web applications written using Ruby on Rails, a new debugging system found 23 previously undiagnosed security flaws, and it took no more than 64 seconds to analyze any given program. 
Image: MIT News\" width=\"601\" height=\"402\" title=\"\" srcset=\"https:\/\/www.revoscience.com\/en\/wp-content\/uploads\/2016\/04\/MIT-Bug-Finder-1_0.jpg 448w, https:\/\/www.revoscience.com\/en\/wp-content\/uploads\/2016\/04\/MIT-Bug-Finder-1_0-300x200.jpg 300w\" sizes=\"auto, (max-width: 601px) 100vw, 601px\" \/><\/a><figcaption id=\"caption-attachment-8509\" class=\"wp-caption-text\">In tests on 50 popular Web applications written using Ruby on Rails, a new debugging system found 23 previously undiagnosed security flaws, and it took no more than 64 seconds to analyze any given program.<br \/>Image: MIT News<\/figcaption><\/figure>\n<p style=\"color: #222222; text-align: justify;\"><span style=\"color: #000000;\"><strong>CAMBRIDGE, Mass.<\/strong> &#8212;\u00a0By exploiting some peculiarities of the popular Web programming framework Ruby on Rails, MIT researchers have developed a system that can quickly comb through tens of thousands of lines of application code to find security flaws.<\/span><\/p>\n<p style=\"color: #222222; text-align: justify;\"><span style=\"color: #000000;\">In tests on 50 popular Web applications written using Ruby on Rails, the system found 23 previously undiagnosed security flaws, and it took no more than 64 seconds to analyze any given program.<\/span><\/p>\n<p style=\"color: #222222; text-align: justify;\"><span style=\"color: #000000;\">The researchers will present their results at the International Conference on Software Engineering, in May.<\/span><\/p>\n<p style=\"color: #222222; text-align: justify;\"><span style=\"color: #000000;\">According to Daniel Jackson, professor in the Department of Electrical Engineering and Computer Science, the new system uses a technique called static analysis, which seeks to describe, in a very general way, how data flows through a program.<\/span><\/p>\n<p style=\"color: #222222; text-align: justify;\"><span style=\"color: #000000;\">\u201cThe classic example of this is if you wanted to do an 
abstract analysis of a program that manipulates integers, you might divide the integers into the positive integers, the negative integers, and zero,\u201d Jackson explains. The static analysis would then evaluate every operation in the program according to its effect on integers\u2019 signs. Adding two positives yields a positive; adding two negatives yields a negative; multiplying two negatives yields a positive; and so on.<\/span><\/p>\n<p style=\"color: #222222; text-align: justify;\"><span style=\"color: #000000;\">\u201cThe problem with this is that it can\u2019t be completely accurate, because you lose information,\u201d Jackson says. \u201cIf you add a positive and a negative integer, you don\u2019t know whether the answer will be positive, negative, or zero. Most work on static analysis is focused on trying to make the analysis more scalable and accurate to overcome those sorts of problems.\u201d<\/span><\/p>\n<p style=\"color: #222222; text-align: justify;\"><span style=\"color: #000000;\">With Web applications, however, the cost of accuracy is prohibitively high, Jackson says. \u201cThe program under analysis is just huge,\u201d he says. \u201cEven if you wrote a small program, it sits atop a vast edifice of libraries and plug-ins and frameworks. So when you look at something like a Web application written in a language like Ruby on Rails, if you try to do a conventional static analysis, you typically find yourself mired in this huge bog. 
And this makes it really infeasible in practice.\u201d<\/span><\/p>\n<p style=\"color: #222222; text-align: justify;\"><span style=\"color: #000000;\">That vast edifice of libraries, however, also gave Jackson and his former student Joseph Near, who graduated from MIT last spring and is now doing a postdoc at the University of California at Berkeley, a way to make static analysis of programs written in Ruby on Rails practical.<\/span><\/p>\n<p style=\"color: #222222; text-align: justify;\"><span style=\"color: #000000;\">A library is a compendium of code that programmers tend to use over and over again. Rather than rewriting the same functions for each new program, a programmer can just import them from a library.<\/span><\/p>\n<p style=\"color: #222222; text-align: justify;\"><span style=\"color: #000000;\">Ruby on Rails \u2014 or Rails, as it\u2019s called for short \u2014 has the peculiarity of defining even its most basic operations in libraries. Every addition, every assignment of a particular value to a variable, imports code from a library.<\/span><\/p>\n<p style=\"color: #222222; text-align: justify;\"><span style=\"color: #000000;\">Near rewrote those libraries so that the operations defined in them describe their own behavior in a logical language. That turns the Ruby interpreter, which runs Rails programs, into a static-analysis tool. With Near\u2019s libraries, running a Rails program through the interpreter produces a formal, line-by-line description of how the program handles data.<\/span><\/p>\n<p style=\"color: #222222; text-align: justify;\"><span style=\"color: #000000;\">In his PhD work, Near used this general machinery to build three different debuggers for Ruby on Rails applications, each requiring different degrees of programmer involvement. 
The one described in the new paper, which the researchers call Space, evaluates a program\u2019s data access procedures.<\/span><\/p>\n<p style=\"color: #222222; text-align: justify;\"><span style=\"color: #000000;\">Near identified seven different ways in which Web applications typically control access to data. Some data are publicly available, some are available only to users who are currently logged in, some are private to individual users, some users \u2014 administrators \u2014 have access to select aspects of everyone\u2019s data, and so on.<\/span><\/p>\n<p style=\"color: #222222; text-align: justify;\"><span style=\"color: #000000;\">For each of these data-access patterns, Near developed a simple logical model that describes what operations a user can perform on what data, under what circumstances. From the descriptions generated by the hacked libraries, Space can automatically determine whether the program adheres to those models. If it doesn\u2019t, there\u2019s likely to be a security flaw.<\/span><\/p>\n<p style=\"color: #222222; text-align: justify;\"><span style=\"color: #000000;\">Using Space does require someone with access to the application code to determine which program variables and functions correspond to which aspects of Near\u2019s models. But that isn\u2019t an onerous requirement: Near was able to map correspondences for all 50 of the applications he evaluated. 
And that mapping should be even easier for a programmer involved in an application\u2019s development from the outset, rather than coming to it from the outside as Near did.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>MIT researchers have developed a system that can quickly comb through tens of thousands of lines of application code to find security flaws.<\/p>\n","protected":false},"author":6,"featured_media":8509,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[47,17],"tags":[],"class_list":["post-8508","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-it","category-research"],"featured_image_urls":{"full":["https:\/\/www.revoscience.com\/en\/wp-content\/uploads\/2016\/04\/MIT-Bug-Finder-1_0.jpg",448,299,false],"thumbnail":["https:\/\/www.revoscience.com\/en\/wp-content\/uploads\/2016\/04\/MIT-Bug-Finder-1_0-150x150.jpg",150,150,true],"medium":["https:\/\/www.revoscience.com\/en\/wp-content\/uploads\/2016\/04\/MIT-Bug-Finder-1_0-300x200.jpg",300,200,true],"medium_large":["https:\/\/www.revoscience.com\/en\/wp-content\/uploads\/2016\/04\/MIT-Bug-Finder-1_0.jpg",448,299,false],"large":["https:\/\/www.revoscience.com\/en\/wp-content\/uploads\/2016\/04\/MIT-Bug-Finder-1_0.jpg",448,299,false],"1536x1536":["https:\/\/www.revoscience.com\/en\/wp-content\/uploads\/2016\/04\/MIT-Bug-Finder-1_0.jpg",448,299,false],"2048x2048":["https:\/\/www.revoscience.com\/en\/wp-content\/uploads\/2016\/04\/MIT-Bug-Finder-1_0.jpg",448,299,false],"ultp_layout_landscape_large":["https:\/\/www.revoscience.com\/en\/wp-content\/uploads\/2016\/04\/MIT-Bug-Finder-1_0.jpg",448,299,false],"ultp_layout_landscape":["https:\/\/www.revoscience.com\/en\/wp-content\/uploads\/2016\/04\/MIT-Bug-Finder-1_0.jpg",448,299,false],"ultp_layout_portrait":["https:\/\/www.revoscience.com\/en\/wp-content\/uploads\/2016\/04\/MIT-Bug-Finder-1_0.jpg",448,299,false],"ultp_layou
t_square":["https:\/\/www.revoscience.com\/en\/wp-content\/uploads\/2016\/04\/MIT-Bug-Finder-1_0.jpg",448,299,false],"newspaper-x-single-post":["https:\/\/www.revoscience.com\/en\/wp-content\/uploads\/2016\/04\/MIT-Bug-Finder-1_0.jpg",448,299,false],"newspaper-x-recent-post-big":["https:\/\/www.revoscience.com\/en\/wp-content\/uploads\/2016\/04\/MIT-Bug-Finder-1_0.jpg",448,299,false],"newspaper-x-recent-post-list-image":["https:\/\/www.revoscience.com\/en\/wp-content\/uploads\/2016\/04\/MIT-Bug-Finder-1_0.jpg",95,63,false],"web-stories-poster-portrait":["https:\/\/www.revoscience.com\/en\/wp-content\/uploads\/2016\/04\/MIT-Bug-Finder-1_0.jpg",448,299,false],"web-stories-publisher-logo":["https:\/\/www.revoscience.com\/en\/wp-content\/uploads\/2016\/04\/MIT-Bug-Finder-1_0.jpg",96,64,false],"web-stories-thumbnail":["https:\/\/www.revoscience.com\/en\/wp-content\/uploads\/2016\/04\/MIT-Bug-Finder-1_0.jpg",150,100,false]},"author_info":{"info":["Amrita Tuladhar"]},"category_info":"<a href=\"https:\/\/www.revoscience.com\/en\/category\/news\/it\/\" rel=\"category tag\">IT<\/a> <a href=\"https:\/\/www.revoscience.com\/en\/category\/news\/research\/\" rel=\"category 
tag\">Research<\/a>","tag_info":"Research","comment_count":"0","_links":{"self":[{"href":"https:\/\/www.revoscience.com\/en\/wp-json\/wp\/v2\/posts\/8508","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.revoscience.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.revoscience.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.revoscience.com\/en\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/www.revoscience.com\/en\/wp-json\/wp\/v2\/comments?post=8508"}],"version-history":[{"count":0,"href":"https:\/\/www.revoscience.com\/en\/wp-json\/wp\/v2\/posts\/8508\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.revoscience.com\/en\/wp-json\/wp\/v2\/media\/8509"}],"wp:attachment":[{"href":"https:\/\/www.revoscience.com\/en\/wp-json\/wp\/v2\/media?parent=8508"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.revoscience.com\/en\/wp-json\/wp\/v2\/categories?post=8508"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.revoscience.com\/en\/wp-json\/wp\/v2\/tags?post=8508"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
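The article describes Space checking a program's data-access code against a catalog of access patterns (data private to its owner, data readable by administrators, and so on) once a programmer has mapped the application's variables and functions onto a pattern. The following is an added example, not code from the Space paper, from its authors, or from Rails, that makes that idea concrete in plain Ruby. It models two of those patterns as predicates over (user, record), places a vulnerable accessor of the `Post.find(params[:id])` shape beside a scoped one, and checks each accessor against the pattern it is mapped to. Space derives the property statically from self-describing library calls; this example checks the same property by enumerating every user and every record id in a small constructed state. `User`, `Post`, the `find_post_*` accessors and the sample records are all hypothetical.

```ruby
# Added example, not code from the Space paper or from Rails. It models the
# article's "private to the owning user" and "administrators can read everyone's
# data" access patterns over a small constructed state and checks hypothetical
# accessors against them. Space derives the same property statically from
# self-describing library calls; here it is checked by enumerating every
# (user, record) pair.

User = Struct.new(:id, :admin)
Post = Struct.new(:id, :owner_id, :body)

# Constructed sample state (not real data): two ordinary users and one admin.
USERS = [User.new(1, false), User.new(2, false), User.new(3, true)].freeze
POSTS = [
  Post.new(10, 1, "user 1's draft"),
  Post.new(11, 2, "user 2's draft"),
  Post.new(12, 2, "user 2's second draft"),
].freeze

# Vulnerable accessor: looks the post up by the client-supplied id alone, the
# shape of a Rails controller doing Post.find(params[:id]). Any logged-in user
# can read any post by supplying its id (an insecure direct object reference).
def find_post_vulnerable(params, current_user)
  POSTS.find { |p| p.id == params[:id] }
end

# Hardened accessor for the private pattern: scopes the lookup to the caller's
# own posts, the shape of current_user.posts.find(params[:id]). Another user's
# record is simply not found.
def find_post_scoped(params, current_user)
  POSTS.find { |p| p.id == params[:id] && p.owner_id == current_user.id }
end

# Accessor written for the owner-or-admin pattern: admins may read any post.
def find_post_owner_or_admin(params, current_user)
  POSTS.find do |p|
    p.id == params[:id] && (current_user.admin || p.owner_id == current_user.id)
  end
end

# Two entries from a catalog of access patterns, written as predicates over
# (user, record): may this user read this record under the pattern?
def private_pattern_allows?(user, post)
  post.owner_id == user.id
end

def owner_or_admin_allows?(user, post)
  user.admin || post.owner_id == user.id
end

# Checker: every record the accessor hands back, for every user and every id
# that user could supply, must be permitted by the pattern the accessor has
# been mapped to. Returns the violations as [user_id, post_id] pairs.
def violations(accessor, pattern)
  USERS.flat_map do |user|
    POSTS.map { |post| accessor.call({ id: post.id }, user) }
         .compact
         .reject { |post| pattern.call(user, post) }
         .map { |post| [user.id, post.id] }
  end
end

if __FILE__ == $PROGRAM_NAME
  checks = {
    "vulnerable accessor vs private pattern"        => [:find_post_vulnerable, :private_pattern_allows?],
    "vulnerable accessor vs owner-or-admin pattern" => [:find_post_vulnerable, :owner_or_admin_allows?],
    "scoped accessor vs private pattern"            => [:find_post_scoped, :private_pattern_allows?],
    "owner-or-admin accessor vs private pattern"    => [:find_post_owner_or_admin, :private_pattern_allows?],
    "owner-or-admin accessor vs its own pattern"    => [:find_post_owner_or_admin, :owner_or_admin_allows?],
  }
  checks.each do |name, (accessor, pattern)|
    puts "#{name}: #{violations(method(accessor), method(pattern)).inspect}"
  end
end
```

Two things the run shows that the article's prose only states. First, the check finds over-exposure only: an accessor that returns less than the pattern permits (the scoped accessor under the owner-or-admin pattern) produces no violation, so a clean result means no data leaks, not that every authorised user can reach what they should. Second, the mapping of accessor to pattern is the manual step the article mentions, and a mismatch (the owner-or-admin accessor mapped to the private pattern) flags every admin read; whether that is a bug or a wrong mapping is exactly the question the person doing the mapping has to answer.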