New system finds security flaws in popular web apps

MIT researchers have developed a system that can quickly comb through tens of thousands of lines of application codes to find security flaws in popular web applications.
In tests on 50 popular applications written using Web programming framework Ruby on Rails, the system found 23 previously undiagnosed security flaws, and took no more than 64 seconds to analyse any given programme.
According to researchers from Massachusetts Institute of Technology (MIT) in the US, the new system uses a technique called static analysis which seeks to describe in a very general way how data flows through a programme.
"The classic example of this is if you wanted to do an abstract analysis of a programme that manipulates integers, you might divide the integers into the positive integers, the negative integers, and zero," said Daniel Jackson from MIT.

The static analysis would then evaluate every operation in the program according to its effect on integers' signs. Adding two positives yields a positive; adding two negatives yields a negative; multiplying two negatives yields a positive; and so on, researchers said.
"The problem with this is that it cannot be completely accurate, because you lose information. If you add a positive and a negative integer, you do not know whether the answer will be positive, negative, or zero," said Jackson.

"Most work on static analysis is focused on trying to make the analysis more scalable and accurate to overcome those sorts of problems," he said.

With Web applications, however, the cost of accuracy is prohibitively high, Jackson said.
"The programme under analysis is just huge. Even if you wrote a small program, it sits atop a vast edifice of libraries and plug-ins and frameworks," he said.
"So when you look at something like a Web application written in language like Ruby on Rails, if you try to do a conventional static analysis, you typically find yourself mired in this huge bog. And this makes it really infeasible in practice," he added.
A library is a compendium of code that programmers tend to use over and over again. Rather than rewriting the same functions for each new program, a programmer can just import them from a library, researchers said.

Ruby on Rails - or Rails - has the peculiarity of defining even its most basic operations in libraries. Every addition, every assignment of a particular value to a variable, imports code from a library, they said.
Researchers rewrote those libraries so that the operations defined in them describe their own behavior in a logical language. That turns the Rails interpreter, which converts high-level Rails programs into machine-readable code, into a static-analysis tool.
They identified seven different ways in which Web applications typically control access to data. Some data are publicly available, some are available only to users who are currently logged in, some are private to individual users, some users - administrators - have access to select aspects of everyone's data, and so on.