Free Press Journal

New system finds security flaws in popular web apps


New York :  US researchers have created a new system that can quickly comb through tens of thousands of lines of application code to find security flaws in popular web-based apps, says IANS.

The system, developed at the Massachusetts Institute of Technology (MIT), uses a technique called static analysis, which seeks to describe, in a very general way, how data flows through a program.

“The classic example of this is if you wanted to do an abstract analysis of a program that manipulates integers, you might divide the integers into the positive integers, the negative integers, and zero,” said Daniel Jackson, an MIT professor and the co-author of the study.

The static analysis would then evaluate every operation in the program according to its effect on integers’ signs. Adding two positives yields a positive; adding two negatives yields a negative; multiplying two negatives yields a positive; and so on.

“The problem with this is that it can’t be completely accurate, because you lose information,” Jackson said. “If you add a positive and a negative integer, you don’t know whether the answer will be positive, negative, or zero. Most work on static analysis is focused on trying to make the analysis more scalable and accurate to overcome those sorts of problems,” he added.

With web applications, however, the cost of accuracy is prohibitively high. “The program under analysis is just huge,” he said. “Even if you wrote a small program, it sits atop a vast edifice of libraries and plug-ins and frameworks. So when you look at something like a web application written in language like Ruby on Rails, if you try to do a conventional static analysis, you typically find yourself mired in this huge bog. And this makes it really infeasible in practice.”

That vast edifice of libraries, however, also gave Jackson and his former student Joseph Near, a way to make static analysis of programs written in Ruby on Rails practical. They exploited some peculiarities of the popular web programming framework to develop their system called “Space”.