Affiliations: [a] Secure Systems Lab, Technical University Vienna, Vienna, Austria. E-mail: enji@seclab.tuwien.ac.at | [b] UC Santa Barbara, CA, USA. E-mail: chris@cs.ucsb.edu | [c] Institut Eurecom, Sophia Antipolis, France. E-mail: kirda@eurecom.fr
Correspondence:
[*]
Corresponding author: C. Kruegel, Department of Computer Science, University of California, Santa Barbara, CA 93106, USA. Tel.: +1 805 893 6198; Fax: +1 805 893 8553; E-mail: chris@cs.ucsb.edu.
Abstract: The number and the importance of web applications have increased rapidly over the last years. At the same time, the quantity and impact of security vulnerabilities in such applications have grown as well. Since manual code reviews are time-consuming, error-prone and costly, the need for automated solutions has become evident. In this paper, we address the problem of vulnerable web applications by means of static source code analysis. More precisely, we use flow-sensitive, interprocedural and context-sensitive data flow analysis to discover vulnerable points in a program. In addition to the taint analysis at the core of our engine, we employ a precise alias analysis targeted at the unique reference semantics commonly found in scripting languages. Moreover, we enhance the quality and quantity of the generated vulnerability reports by employing an iterative two-phase algorithm for fast and precise resolution of file inclusions. The presented concepts are targeted at the general class of taint-style vulnerabilities and can be easily applied to the detection of vulnerability types such as SQL injection, cross-site scripting (XSS), and command injection. We implemented the presented concepts in Pixy, a high-precision static analysis tool aimed at detecting cross-site scripting and SQL injection vulnerabilities in PHP programs. To demonstrate the effectiveness of our techniques, we analyzed a number of popular, open-source web applications and discovered hundreds of previously unknown vulnerabilities. Both the high analysis speed as well as the low number of generated false positives show that our techniques can be used for conducting effective security audits.
Keywords: Program analysis, static analysis, data flow analysis, alias analysis, web application security, scripting languages security, cross-site scripting, SQL injection, PHP
