Derailer: interactive security analysis for web applications
Main Authors: | Near, Joseph Paul; Jackson, Daniel |
---|---|
Other Authors: | Massachusetts Institute of Technology. Computer Science and Artificial Intelligence Laboratory; Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science |
Format: | Article (conference paper) |
Language: | en_US |
Published: | Association for Computing Machinery (ACM), September 2014; deposited in DSpace@MIT 2015-12-18 |
Published in: | Proceedings of the 29th ACM/IEEE International Conference on Automated Software Engineering (ASE '14), ACM, New York, NY, USA, pp. 587-598 |
ISBN: | 9781450330138 |
DOI: | http://dx.doi.org/10.1145/2642937.2643012 |
Online Access: | http://hdl.handle.net/1721.1/100435 |
ORCID: | https://orcid.org/0000-0003-4864-078X |
Funding: | National Science Foundation (U.S.) (Grant 0707612) |
License: | Creative Commons Attribution-Noncommercial-Share Alike, http://creativecommons.org/licenses/by-nc-sa/4.0/ |
Full text: | application/pdf (MIT web domain) |
Citation: | Joseph P. Near and Daniel Jackson. 2014. Derailer: interactive security analysis for web applications. In Proceedings of the 29th ACM/IEEE International Conference on Automated Software Engineering (ASE '14). ACM, New York, NY, USA, 587-598. |

Abstract:

Derailer is an interactive tool for finding security bugs in web applications. Using symbolic execution, it enumerates the ways in which application data might be exposed. The user is asked to examine these exposures and classify the conditions under which they occur as security-related or not; in so doing, the user effectively constructs a specification of the application's security policy. The tool then highlights exposures missing security checks, which tend to be security bugs.

We have tested Derailer's scalability on several large open-source Ruby on Rails applications. We have also applied it to a large number of student projects (designed with different security policies in mind), exposing a variety of security bugs that eluded human reviewers.
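The three-step workflow the abstract describes (enumerate every exposure of application data together with the path condition under which it happens, have the user classify each condition as security-related or not, then flag exposures whose path carries no security-related condition) is shown below as an added illustration in Ruby, the language of the Rails applications Derailer targets. This is not Derailer's code or its API. The controller actions, the condition strings, and the classification table are hypothetical inputs constructed for the example, and the hand-written branch trees stand in for what symbolic execution of a real controller would produce.

```ruby
# Added illustration, not Derailer's code: a toy version of the analysis the
# abstract describes, run over a few hand-written, hypothetical Rails-style
# controller actions.
#
# Each action is a small tree of branches whose leaves either expose model
# data to the client or deny the request. Step 1 enumerates every exposure
# with its path condition (the set of branch outcomes that must hold to reach
# it), which is what symbolic execution of a real controller would produce.
# Step 2 is the user's classification of conditions. Step 3 flags exposures
# whose path condition contains no condition the user marked as a security check.

Branch   = Struct.new(:cond, :if_true, :if_false) # if cond then if_true else if_false
Exposure = Struct.new(:data)                       # render data to the client
DENY     = :deny                                   # redirect / 403: exposes nothing

# Hypothetical controller actions, written by hand for this example.
ACTIONS = {
  "ProjectsController#show" =>
    Branch.new("current_user.admin?",
      Exposure.new("project"),
      Branch.new("project.owner == current_user",
        Exposure.new("project"),
        DENY)),
  "ProjectsController#export" =>
    Branch.new("project.archived?",
      DENY,
      Exposure.new("project.csv")),   # no authorisation anywhere on this path
  "ProjectsController#index" =>
    Exposure.new("Project.all"),      # unconditional exposure
}

# Step 1: enumerate (data, path condition) pairs for one action body. The
# false arm of a branch is recorded as "!cond" so the user can classify the
# negation separately from the condition itself.
def enumerate_exposures(node, path = [])
  case node
  when Exposure then [[node.data, path]]
  when Branch
    enumerate_exposures(node.if_true,  path + [node.cond]) +
      enumerate_exposures(node.if_false, path + ["!#{node.cond}"])
  else [] # DENY: nothing reaches the client
  end
end

def all_exposures(actions)
  actions.flat_map do |name, body|
    enumerate_exposures(body).map { |data, path| [name, data, path] }
  end
end

# Step 2: the user's classification. Only conditions that are genuinely part of
# the security policy are marked true; everything else is ordinary control flow.
SECURITY_RELATED = {
  "current_user.admin?"           => true,
  "!current_user.admin?"          => false, # falling through is not a check
  "project.owner == current_user" => true,
  "project.archived?"             => false, # lifecycle state, not authorisation
  "!project.archived?"            => false,
}

# Step 3: an exposure with no security-related condition on its path is suspect.
def suspicious_exposures(actions, classification)
  all_exposures(actions)
    .reject { |_name, _data, path| path.any? { |c| classification[c] } }
    .map    { |name, data, path| { action: name, data: data, path: path } }
end

if __FILE__ == $0
  suspicious_exposures(ACTIONS, SECURITY_RELATED).each do |e|
    puts "#{e[:action]} exposes #{e[:data]} under [#{e[:path].join(', ')}] " \
         "with no security check"
  end
end
```

Run stand-alone, the report names two exposures: `ProjectsController#export` reaches `project.csv` under the single condition `!project.archived?`, which the user classified as a lifecycle test rather than an authorisation check, and `ProjectsController#index` exposes `Project.all` with no condition at all. Both `show` paths are accepted because each carries one of the two conditions the user marked as security-related. Two caveats follow directly from the construction: the heuristic only detects the absence of any security-related condition, so it cannot tell that a path guarded by the wrong check (say, `current_user.admin?` where an ownership check was intended) is still a bug; and the classification table is the policy, so a mislabelled condition (marking `project.archived?` as security-related) silences a finding rather than fixing it.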