Part of the book series: Lecture Notes in Computer Science (LNSC, volume 5137)

Abstract

A web programmer often conceives of their application as a sequential entity, thus neglecting the parallel nature of the underlying execution environment. In this environment, multiple instances of the same sequential code can be executed concurrently. From such unexpected parallel execution of code intended to be sequential, unforeseen interactions can arise that may alter the original semantics of the application as intended by the programmer. Such interactions are usually known as race conditions.

In this paper, we discuss the impact of race condition vulnerabilities on web-based applications. In particular, we focus on those race conditions that could arise because of the interaction between a web application and an underlying relational database. We introduce a dynamic detection method that, during our experiments, led to the identification of several race condition vulnerabilities even in mature open-source projects.
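The kind of interaction the abstract describes can be reproduced deterministically. The following is an added example, not code from the paper and not its detection method: two instances of the same request handler are interleaved between their SELECT and UPDATE against a relational database, next to a hardened handler that folds the check into a single atomic statement. The `coupons` table, the handler names and the generator-based scheduler are assumptions made for illustration.

```python
import sqlite3

def make_db():
    # Autocommit connection: every statement commits on its own, as in a
    # handler that issues queries without an explicit transaction.
    db = sqlite3.connect(":memory:", isolation_level=None)
    db.execute("CREATE TABLE coupons (code TEXT PRIMARY KEY, uses_left INTEGER)")
    db.execute("INSERT INTO coupons VALUES ('WELCOME', 1)")  # constructed sample row
    return db

def redeem_racy(db, code):
    """Check-then-act handler. The yield marks the point where another
    instance of the same code may run between the read and the write."""
    (left,) = db.execute(
        "SELECT uses_left FROM coupons WHERE code = ?", (code,)).fetchone()
    yield
    if left > 0:
        # Writes back a value computed from a possibly stale read.
        db.execute("UPDATE coupons SET uses_left = ? WHERE code = ?",
                   (left - 1, code))
        return True
    return False

def redeem_atomic(db, code):
    """Hardened handler: the check and the decrement are one statement,
    so the database serializes them and no stale value is written back."""
    yield
    cur = db.execute(
        "UPDATE coupons SET uses_left = uses_left - 1 "
        "WHERE code = ? AND uses_left > 0", (code,))
    return cur.rowcount == 1

def run_interleaved(handler, n=2):
    """Run n instances of handler so that all reach their pause point
    before any of them finishes; return (per-request results, uses_left)."""
    db = make_db()
    requests = [handler(db, "WELCOME") for _ in range(n)]
    for r in requests:
        next(r)                      # run up to the pause point
    results = []
    for r in requests:
        try:
            next(r)                  # resume and finish the request
        except StopIteration as stop:
            results.append(stop.value)
    left = db.execute("SELECT uses_left FROM coupons").fetchone()[0]
    return results, left

if __name__ == "__main__":
    print("racy:  ", run_interleaved(redeem_racy))
    print("atomic:", run_interleaved(redeem_atomic))
```

With the racy handler both requests succeed on a coupon that allowed one use; with the atomic handler only the first does.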



Editor information

Diego Zamboni

Copyright information

© 2008 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Paleari, R., Marrone, D., Bruschi, D., Monga, M. (2008). On Race Vulnerabilities in Web Applications. In: Zamboni, D. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2008. Lecture Notes in Computer Science, vol 5137. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-70542-0_7

  • DOI: https://doi.org/10.1007/978-3-540-70542-0_7

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-70541-3

  • Online ISBN: 978-3-540-70542-0

  • eBook Packages: Computer Science, Computer Science (R0)
