AUB ScholarWorks

Mitigating information leakage in web applications at the deployment level


dc.contributor.author Adaimy, Ralph Elie.
dc.date.accessioned 2013-10-02T09:22:36Z
dc.date.available 2013-10-02T09:22:36Z
dc.date.issued 2012
dc.identifier.uri http://hdl.handle.net/10938/9558
dc.description Thesis (M.S.)--American University of Beirut, Department of Computer Science, 2012.
dc.description Advisor: Dr. Wassim El Hajj, Assistant Professor, Computer Science; Committee Members: Dr. Haidar Safa, Associate Professor, Computer Science; Dr. Hazem Hajj, Assistant Professor, Electrical Engineering.
dc.description Includes bibliographical references (leaves 64-67)
dc.description.abstract Huge amounts of data and personal information are sent to and retrieved from web applications on a daily basis. Every application has its own confidentiality and integrity policies. Violating these policies can have a broad negative impact on the involved company’s financial status, and enforcing them is very hard even for developers with a good security background. In this thesis, we propose a framework to enforce confidentiality and integrity policies in web applications. The proposed framework uses static techniques to enforce security-by-construction. It takes web application code as input and produces a report pinpointing the exact locations where the application’s confidentiality policies are violated. It uses an innovative idea that places annotations at the database level and requires minimal effort from the developer. The framework includes the following steps: (1) annotating the attributes in the database tables with four security levels, (2) constructing the Program Dependence Graph (PDG) of the application, (3) extending the PDG to incorporate the database annotations, producing an extended PDG (E-PDG), (4) designing and creating rules over the E-PDG that indicate insecure information flows, (5) traversing the E-PDG in search of any violations of the created rules, and (6) finally reporting the line numbers that caused the insecure flows. For testing, we compared our approach with JLift, a state-of-the-art type-based approach to detecting information leaks. Both approaches were run against custom-made PHP web applications and publicly available applications downloaded from sourceforge.net. The results show that our approach performs better than JLift in terms of accuracy and false alarms.
dc.format.extent ix, 67 leaves : ill. (some col.) ; 30cm.
dc.language.iso eng
dc.relation.ispartof Theses, Dissertations, and Projects
dc.subject.classification T:005799 AUBNO
dc.subject.lcsh Computer software -- Security measures.
dc.subject.lcsh Computer networks -- Security measures.
dc.subject.lcsh Web applications.
dc.subject.lcsh Computer security.
dc.subject.lcsh Systems software.
dc.subject.lcsh Computer systems.
dc.title Mitigating information leakage in web applications at the deployment level
dc.type Thesis
dc.contributor.department American University of Beirut. Faculty of Arts and Sciences. Department of Computer Science.

