WhiteList Checker: An Eclipse Plugin to
Improve Application Security



Bill Chu, Jing Xie, Will Stranathan (University of North Carolina at Charlotte)
Presentation for EclipseCon 2010
1. WhiteList Checker: An Eclipse Plugin to Improve Application Security
   Bill Chu, Jing Xie, Will Stranathan, University of North Carolina at Charlotte

2. Motivation
   • Lack of proper input validation is a cause of many software vulnerabilities: XSS, SQL injection, file inclusion, log forging, path manipulation, etc.
   • White list vs. black list validation
   • White list input validation is not easy to do, even for common input types (e.g. names)
   • Support for input validation can be baked into the IDE

3. WhiteList Checker
   • Identify untrusted input:
       String username = request.getParameter("username");
   • Interactively notify the developer (similar to a syntax error)
   • Present a choice of input types
   • Insert validation code:
       String username = request.getParameter("username");
       try {
           Validation.validate(username, "safe_text");
       } catch (InputValidationException e) {
           username = "safe text";
       }

4. Trust boundary definition
   • API calls, e.g. HttpServletRequest.getParameter()
   • Parameters / variables, e.g. main(String[] args)

5. Input validation rules
   • WhiteList Checker is initialized with a set of regular expressions developed by OWASP for input validation
   • Syntactic rules: regular expressions, e.g. email, full path file name
   • Semantic rules: specific to the input type, e.g. files under /usr/billchu
   • User defined rules
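The validation call the plugin inserts on slide 3 and the syntactic/semantic rule types on slide 5 can be shown end to end in a small servlet-style example. The code below is an added illustration, not the plugin's own Validation class or its shipped OWASP rule set: the class and exception names follow the slide, but the rule table, the three regular expressions, the validateFileUnder helper and the sample inputs are assumptions constructed for the demo.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Map;
import java.util.regex.Pattern;

// Hypothetical stand-in for the Validation / InputValidationException names on
// slide 3. The rule names and regexes here are assumptions for the demo, not
// the plugin's OWASP rule set.
public class WhitelistValidationDemo {

    public static class InputValidationException extends Exception {
        public InputValidationException(String msg) { super(msg); }
    }

    // Syntactic rules (slide 5): anchored ^...$ regexes so a match must cover the
    // whole value, not just a substring of it.
    private static final Map<String, Pattern> SYNTACTIC = Map.of(
        "safe_text", Pattern.compile("^[A-Za-z0-9 .,'_-]{1,64}$"),
        "email",     Pattern.compile("^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}$"),
        "file_name", Pattern.compile("^[A-Za-z0-9_][A-Za-z0-9._-]{0,254}$")
    );

    // Whitelist check: returns the value unchanged if it matches the named rule,
    // otherwise throws (the slide's catch block then substitutes a safe default).
    public static String validate(String value, String type) throws InputValidationException {
        if (value == null) throw new InputValidationException("missing value for " + type);
        Pattern p = SYNTACTIC.get(type);
        if (p == null) throw new InputValidationException("unknown input type " + type);
        if (!p.matcher(value).matches()) {
            throw new InputValidationException("value does not match whitelist for " + type);
        }
        return value;
    }

    // Semantic rule (slide 5): "files under /usr/billchu". The path is normalized
    // before the prefix check so "../" segments and absolute paths cannot escape
    // the allowed directory; a plain regex on the string would not catch this.
    public static Path validateFileUnder(String userPath, Path allowedRoot) throws InputValidationException {
        Path root = allowedRoot.toAbsolutePath().normalize();
        Path candidate = root.resolve(userPath).normalize();
        if (!candidate.startsWith(root) || candidate.equals(root)) {
            throw new InputValidationException("path escapes " + root);
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed sample values standing in for request.getParameter("username").
        String[] samples = { "alice", "alice<script>alert(1)</script>", "' OR 1=1 --" };
        for (String s : samples) {
            String username;
            try {
                username = validate(s, "safe_text");
            } catch (InputValidationException e) {
                username = "safe text"; // same fallback the plugin inserts on slide 3
            }
            System.out.println(s + " -> " + username);
        }

        // Constructed sample paths checked against the semantic rule.
        Path root = Paths.get("/usr/billchu");
        for (String p : new String[] { "notes.txt", "../../etc/passwd", "/etc/passwd" }) {
            try {
                System.out.println(p + " -> " + validateFileUnder(p, root));
            } catch (InputValidationException e) {
                System.out.println(p + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Two practical caveats. The slide's catch block silently replaces a failed value with "safe text"; that keeps the request alive, but it also hides probing, so many teams prefer to reject the request and log the rule that failed. And a whitelist that admits an apostrophe (needed for names like O'Brien) still lets a single quote reach SQL or HTML, so input validation reduces the attack surface but does not replace parameterized queries and output encoding.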
6. Building a data dictionary
   • Identify all input types and where they enter the application
   • Answer queries such as:
       In how many places does this application accept credit card numbers from the user?
       Does this application accept sensitive information from the customer?

7. Generate customized rules for static analysis
   • Fortify example: generate rules that remove taint from validated values, to reduce false positives

8. Future work
   • Dataflow analysis for input of composite types
   • Implement semantic validation rules
   • Dynamic languages
   • Evaluation including user studies