3 research outputs found

    Security-by-construction in web applications development via database annotations

    Huge amounts of data and personal information are sent to and retrieved from web applications on a daily basis. Every application has its own confidentiality and integrity policies. Violating these policies can have a broad negative impact on the involved company's financial status, while enforcing them is very hard even for developers with a good security background. In this paper, we propose a framework that enforces security-by-construction in web applications. Minimal developer effort is required, in the sense that the developer only needs to annotate database attributes with a security class. The web application code is then converted into an intermediate representation, called the Extended Program Dependence Graph (EPDG). Using the EPDG, the provided annotations are propagated to the application code and run against generic security enforcement rules that were carefully designed to detect insecure information flows as early as they occur. As a result, any violation of the data's confidentiality or integrity policies is reported. As a proof of concept, two PHP web applications, Hotel Reservation and Auction, were used for testing and validation. The proposed system was able to catch all the existing insecure information flows at their source. Apart from the proof of concept, and to comprehensively test the performance of our system, we compared it to JLift, a state-of-the-art type-based system approach to detecting information leaks. Both approaches were run against custom-made PHP web applications and publicly available applications downloaded from SourceForge and GitHub. The results show that our approach outperforms JLift in terms of accuracy and the number of false alarms, and is able to catch the insecure flows at their source when they first occur. © 2016 Elsevier Ltd. All rights reserved.

    Mitigating information leakage in web applications at the deployment level

    Thesis (M.S.)--American University of Beirut, Department of Computer Science, 2012. Advisor: Dr. Wassim El Hajj, Assistant Professor, Computer Science. Committee Members: Dr. Haidar Safa, Associate Professor, Computer Science; Dr. Hazem Hajj, Assistant Professor, Electrical Engineering. Includes bibliographical references (leaves 64-67).

    Huge amounts of data and personal information are sent to and retrieved from web applications on a daily basis. Every application has its own confidentiality and integrity policies. Violating these policies can have a broad negative impact on the involved company's financial status, and enforcing them is very hard even for developers with a good security background. In this thesis, we propose a framework to enforce confidentiality and integrity policies in web applications. The proposed framework uses static techniques to enforce security-by-construction. It takes web application code as input and produces a report pinpointing the exact locations where the application's confidentiality policies were violated. It uses an innovative idea that places annotations at the database level and requires minimal effort from the developer. The framework includes the following steps: (1) annotating the attributes in the database tables with four security levels, (2) constructing the Program Dependence Graph (PDG) of the application, (3) extending the PDG to incorporate the database annotations, producing an extended PDG (E-PDG), (4) designing and creating rules for the E-PDG to indicate insecure information flows, (5) traversing the E-PDG searching for any violations of the created rules, and (6) finally reporting the line numbers that caused the insecure flows. For testing, we compared our approach with JLift, a state-of-the-art type-based system approach to detecting information leaks. Both approaches were run against custom-made PHP web applications and publicly available applications downloaded from sourceforge.net. The results show that our approach performs better than JLift in terms of accuracy and false alarms.