
Research On Vulnerability Detection Techniques For Web Applications

Posted on: 2015-05-16
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Z Y Wan
Full Text: PDF
GTID: 1108330470967806
Subject: Computer Science and Technology

Abstract/Summary:
With the prevalence of the Internet and the development of Web development technologies, Web applications have become one of the most important applications on the Internet and play a vital role in many fields. The security of Web applications has attracted wide attention from both academia and industry. Security vulnerabilities in Web applications are the most important battlefield between the offensive and defensive sides in Web security. How to identify or detect vulnerabilities in Web applications, i.e., vulnerability detection, is the focus of Web security research.

Vulnerability detection techniques can be divided into static and dynamic techniques, depending on whether the program is executed. Both kinds face challenges.

Static vulnerability detection techniques usually produce too many false positives. Improving detection accuracy while maintaining performance is one of the core challenges of static vulnerability detection. Static techniques usually leverage program analysis; however, the characteristics of Web applications make it impossible to apply program analysis techniques to Web applications directly.

Fuzz-testing-based dynamic vulnerability detection techniques have low false positive rates, but their code coverage is low because of the randomness of their inputs. Concolic-execution-based input generation algorithms can increase the code coverage of fuzz testing; however, concolic execution has to deal with the path-explosion problem when it explores the execution paths of large and complicated Web applications.

Given the importance of vulnerability detection and the challenges it faces, this dissertation proposes a series of novel techniques. Taking into account the characteristics of Web applications, the dissertation focuses on partial call graph generation for Web applications, static analysis to detect input validation vulnerabilities, and path selection in concolic execution. The contributions of this dissertation can be summarized as follows:

1. To support interprocedural analysis, the dissertation proposes an approach to generate partial call graphs of the application part. The approach analyzes the code of the application part together with the method signatures, the fields and the class hierarchy of the library classes referenced by the application part. First, a hybrid heap model is proposed to abstract the memory locations in the Web application; it distinguishes between the abstract memory locations in the application and those in the library. Second, the interaction between the application part and the library part is modeled by specific rules, which are used to infer the pointer information of the library part. In addition, the approach maintains a points-to set for the library, which is used to resolve call-back edges and to constrain the abstract objects flowing back into the points-to sets of the application part. The experimental results show that our approach generates sound and precise call graphs of the application part of Web applications.

2. To address the high false positive rate of static vulnerability detection techniques, we propose an effective static analysis approach based on static information flow tracking to detect input validation vulnerabilities. First, the approach integrates pointer analysis to identify the heap-based data dependencies and aliasing relationships between variables in the program. Second, data dependency summaries are computed for all methods in the program using intraprocedural dataflow analysis, in order to improve the efficiency of the interprocedural dataflow analysis. Third, we design a bidirectional dataflow analysis to track information flow, which shortens the data propagation paths. We implement the approach on top of FindBugs and evaluate it on the SecuriBench benchmark. The experimental results show that our approach reduces the false positive rate of detecting input validation vulnerabilities without significantly slowing the analysis.

3. To alleviate the path-explosion problem in concolic execution, the dissertation develops a path selection algorithm for concolic execution. The algorithm estimates the real-time code coverage of each branch in the program and guides the concolic execution to select the less explored paths. Experiments show that the path selection algorithm alleviates the path-explosion problem and helps fuzz-testing-based vulnerability detection techniques achieve high code coverage.
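The following example illustrates the summary-based information flow tracking of contribution 2 in miniature. It is an added example, not the dissertation's FindBugs implementation: it works on a constructed three-address IR rather than Java bytecode, propagates taint forward only (the bidirectional analysis and the pointer analysis described above are not modelled), and the program, statement forms and function names (`summary`, `flow`, `find_vulnerabilities`) are all assumptions made for the illustration. What it does show is the mechanism the abstract describes: each method is analysed once with symbolic parameter labels to produce a summary (which parameters reach the return value, which reach a sink), and call sites in the caller are then resolved from that summary instead of re-analysing the callee.

```python
# Constructed toy program in a tiny three-address IR (not the dissertation's
# Java/FindBugs implementation). Statements:
#   ('source', dst)            dst receives untrusted request input
#   ('const', dst)             dst is a program constant
#   ('assign', dst, src)       dst = src
#   ('concat', dst, a, b)      dst = a + b  (taint of either operand flows on)
#   ('sanitize', dst, src)     dst = escape(src), taint is removed
#   ('call', dst, fn, [args])  dst = fn(args), resolved through fn's summary
#   ('sink', src)              src reaches a security-sensitive operation
#   ('return', src)
PROGRAM = {
    'main': {'params': [], 'body': [
        ('source', 'q'),
        ('sanitize', 'safe', 'q'),
        ('call', 'html1', 'render', ['safe']),
        ('sink', 'html1'),                    # sanitized: no finding
        ('call', 'html2', 'render', ['q']),
        ('sink', 'html2'),                    # tainted via the callee's return value
        ('call', '_', 'log_query', ['q']),    # tainted data reaches a sink inside the callee
    ]},
    'render': {'params': ['s'], 'body': [
        ('const', 'prefix'),
        ('concat', 'out', 'prefix', 's'),
        ('return', 'out'),
    ]},
    'log_query': {'params': ['s'], 'body': [
        ('sink', 's'),
    ]},
}

_summaries = {}

def summary(fname):
    """Intraprocedural pass over fname with symbolic parameter labels.
    Records which parameters reach the return value and which reach a sink,
    so call sites can be resolved without re-analysing the callee body."""
    if fname not in _summaries:
        params = PROGRAM[fname]['params']
        env = {p: {('param', i)} for i, p in enumerate(params)}
        ret, reports = flow(fname, env)
        _summaries[fname] = {
            'ret_from': {i for kind, i in ret if kind == 'param'},
            'sink_from': {i for _, labels in reports
                          for kind, i in labels if kind == 'param'},
        }
    return _summaries[fname]

def flow(fname, env):
    """Forward taint propagation over one method body. env maps variable
    name -> set of taint labels; returns (labels reaching return, reports),
    where reports are (statement index, labels) pairs for sinks hit."""
    env = dict(env)
    ret, reports = set(), []
    for idx, stmt in enumerate(PROGRAM[fname]['body']):
        op = stmt[0]
        if op == 'source':
            env[stmt[1]] = {('src', idx)}
        elif op in ('const', 'sanitize'):
            env[stmt[1]] = set()              # constants and sanitized values carry no taint
        elif op == 'assign':
            env[stmt[1]] = set(env.get(stmt[2], set()))
        elif op == 'concat':
            env[stmt[1]] = env.get(stmt[2], set()) | env.get(stmt[3], set())
        elif op == 'sink':
            labels = env.get(stmt[1], set())
            if labels:
                reports.append((idx, labels))
        elif op == 'return':
            ret |= env.get(stmt[1], set())
        elif op == 'call':
            _, dst, callee, args = stmt
            sm = summary(callee)              # callee analysed once, then reused
            arg_labels = [env.get(a, set()) for a in args]
            env[dst] = set().union(*(arg_labels[i] for i in sm['ret_from']))
            to_sink = set().union(*(arg_labels[i] for i in sm['sink_from']))
            if to_sink:
                reports.append((idx, to_sink))
    return ret, reports

def find_vulnerabilities(entry='main'):
    """Statement indices in entry where untrusted input reaches a sink,
    directly or through a callee resolved by its summary."""
    _, reports = flow(entry, {})
    return sorted(idx for idx, labels in reports
                  if any(kind == 'src' for kind, _ in labels))

if __name__ == '__main__':
    print(find_vulnerabilities())   # statements 5 and 6 of main
```

On the constructed program the analysis flags the sink at statement 5 (taint returned from `render`) and the call at statement 6 (taint consumed by a sink inside `log_query`), and stays silent on statement 3 because the sanitized value carries no label. The toy assumes no recursion between methods; recursive or mutually recursive call chains would require iterating the summaries to a fixpoint, which the real analysis on Java code must handle.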
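To make the coverage-guided path selection of contribution 3 concrete, here is an added example (not the dissertation's algorithm or code) of a miniature concolic loop over a constructed handler with two integer parameters. The handler, the brute-force stand-in for a constraint solver, and the names `CoverageGuidedSelector`, `explore` and `handler` are all assumptions of this illustration; the selector's "real-time coverage" is simplified to a per-branch-side hit counter. The loop records every branch decision of a run, then negates the branch whose untaken side has been executed the fewest times so far, solves the resulting path prefix for a new input, and repeats, so execution is steered toward the less explored parts of the program rather than enumerating paths in depth-first order.

```python
import itertools
from collections import defaultdict

def eval_cond(value, op, const):
    return {'<': value < const, '==': value == const, '>': value > const}[op]

# Constructed toy "request handler": two integer parameters x and y. Every
# conditional goes through branch(), which records (branch_id, condition,
# taken) the way a concolic engine instruments a real program.
def handler(inp, trace):
    def branch(bid, var, op, const):
        taken = eval_cond(inp[var], op, const)
        trace.append((bid, (var, op, const), taken))
        return taken
    if branch(0, 'x', '>', 10):
        if branch(1, 'y', '==', 42):
            return 'deep'          # unlikely to be reached by random inputs
        return 'x_big'
    if branch(2, 'y', '<', 0):
        return 'y_neg'
    return 'default'

# Stand-in for an SMT solver: brute force over a small integer domain.
# constraints is a list of ((var, op, const), required_truth_value).
def solve(constraints, domain=range(-20, 61)):
    for x, y in itertools.product(domain, domain):
        cand = {'x': x, 'y': y}
        if all(eval_cond(cand[var], op, c) == taken
               for (var, op, c), taken in constraints):
            return cand
    return None

class CoverageGuidedSelector:
    """Chooses which branch of the last path to negate next, preferring the
    branch side executed the fewest times so far (a simplified stand-in for
    the real-time coverage estimate described in the abstract)."""
    def __init__(self):
        self.hits = defaultdict(int)   # (branch_id, taken) -> execution count
        self.attempted = set()         # path-constraint prefixes already solved

    def record(self, trace):
        for bid, _, taken in trace:
            self.hits[(bid, taken)] += 1

    def next_constraints(self, trace):
        best = None
        for idx, (bid, cond, taken) in enumerate(trace):
            # keep the prefix as executed, negate the branch at idx
            prefix = tuple((c, t) for _, c, t in trace[:idx]) + ((cond, not taken),)
            if prefix in self.attempted:
                continue
            score = self.hits[(bid, not taken)]   # how often the flipped side ran
            if best is None or score < best[0]:
                best = (score, prefix)
        if best is None:
            return None                           # every flip already tried
        self.attempted.add(best[1])
        return list(best[1])

def explore(seed, max_runs=10):
    """Run the concolic loop from seed; returns (outcomes in order, hit counts)."""
    selector = CoverageGuidedSelector()
    outcomes, inp = [], seed
    for _ in range(max_runs):
        trace = []
        outcomes.append(handler(inp, trace))
        selector.record(trace)
        inp = None
        while inp is None:                        # skip infeasible prefixes
            constraints = selector.next_constraints(trace)
            if constraints is None:
                return outcomes, dict(selector.hits)
            inp = solve(constraints)
    return outcomes, dict(selector.hits)

if __name__ == '__main__':
    print(explore({'x': 0, 'y': 0}))
```

Starting from the seed x=0, y=0 the four distinct outcomes (`default`, `x_big`, `deep`, `y_neg`) are reached in the first four runs, because after each run the selector flips the branch side with the lowest hit count instead of the most recent one. The `attempted` set is what keeps the loop from re-solving the same path prefix; in a real engine that bookkeeping, together with the solver cost per flip, is exactly where path explosion shows up as the program grows.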
Keywords/Search Tags: Web application, vulnerability detection, program analysis, dataflow analysis, pointer analysis, call graph, concolic execution, test input generation