Interactive Static Analysis for Application Security
Software vulnerabilities have become increasingly pervasive and cause severe data and financial losses to organizations and individuals. One leading source of software vulnerabilities is insecure code written by developers. Although vulnerabilities could be addressed through secure programming practices, and a collection of well-documented secure programming practices already exists, developers continue to make the same mistakes. With the rapidly growing complexity of software, security bugs are difficult to avoid.

This dissertation presents interactive static analysis as a developer-oriented hybrid framework for vulnerability detection and mitigation. The approach integrates static analysis into the Integrated Development Environment (IDE) as a plug-in, facilitating two-way interaction between the static analysis and the developer. The goal is to assist the developer in detecting and mitigating vulnerabilities during the code construction phase, and to solicit application-specific knowledge from the developer both to customize the static analysis and to enable automatic placement of application sensors. Developers are not required to have any knowledge of static analysis, nor to be security experts.

To demonstrate the effectiveness of interactive static analysis, this dissertation focuses on access control vulnerability detection. Through a study of six open source PHP web applications, it finds that the implicit assumptions made by previous research techniques for automatically detecting access control vulnerabilities may be unrealistic for most web applications, and it demonstrates that a hybrid approach such as interactive static analysis is much more reasonable for detecting access control vulnerabilities. The dissertation presents an interactive static analysis prototype for access control vulnerability detection as a plug-in for the Eclipse PHP IDE, called ASIDE-PHP (Application Security plug-in for the Integrated Development Environment for PHP). It also presents an extensive evaluation of the prototype on six open source PHP web applications, including a large project named Moodle. The prototype detected 20 zero-day access control vulnerabilities in addition to finding all access control vulnerabilities detected in previous work.

Based on the interactive static analysis framework, this dissertation proposes an approach for automatic placement of application sensors to enable application-based intrusion detection systems. This work focuses on using application sensors to detect failed access control events, as a means of detecting privilege escalation attacks. It presents a proof-of-concept analysis of two open source projects to evaluate the effectiveness of the approach. In addition, it describes a model for automatically inserting application sensors into applications to detect access control events, based on an extensive case study involving six open source PHP projects.
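As an added illustration of the two ideas in this abstract (an access control check the developer must supply, and an application sensor placed on its failure branch), not code from the dissertation or from ASIDE-PHP: the function names, the session layout and the use of error_log as the sensor's destination are assumptions.

```php
<?php
// Added example, not code from the dissertation or ASIDE-PHP.
// A privileged action in a hypothetical PHP web application. The role
// check and the sensor hook are the pieces an interactive static analysis
// would ask the developer about and then help place.

// Constructed session fixture standing in for the real login state.
$_SESSION = ['user_id' => 42, 'role' => 'student'];

// Sensor: records a failed access control event for an application-based
// intrusion detection system. The destination (error_log) is an assumption.
function access_control_sensor(string $action, array $session): void {
    $event = [
        'type'    => 'failed_access_control',
        'action'  => $action,
        'user_id' => $session['user_id'] ?? null,
        'role'    => $session['role'] ?? null,
        'time'    => gmdate('c'),
    ];
    error_log(json_encode($event));
}

// Vulnerable form: no authorization check, so any authenticated user can
// delete a course. This is the pattern the analysis would flag.
function delete_course_unchecked(int $course_id): string {
    return "course $course_id deleted";
}

// Mitigated form: explicit role check, with the sensor on the failure path
// so a privilege escalation attempt becomes a detectable event.
function delete_course(int $course_id, array $session): string {
    if (($session['role'] ?? '') !== 'admin') {
        access_control_sensor("delete_course:$course_id", $session);
        return "access denied";
    }
    return "course $course_id deleted";
}

// Exercise the mitigated form with the constructed non-admin session;
// the denied branch runs and the sensor emits one event.
echo delete_course(7, $_SESSION), PHP_EOL;
```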