On Race Vulnerabilities in Web Applications

  • Roberto Paleari
  • Davide Marrone
  • Danilo Bruschi
  • Mattia Monga
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5137)

Abstract

A web programmer often conceives its application as a sequential entity, thus neglecting the parallel nature of the underlying execution environment. In this environment, multiple instances of the same sequential code can be concurrently executed. From such unexpected parallel execution of intended sequential code, some unforeseen interactions could arise that may alter the original semantic of the application as it was intended by the programmer. Such interactions are usually known as race conditions.

In this paper, we discuss the impact of race condition vulnerabilities on web-based applications. In particular, we focus on those race conditions that could arise because of the interaction between a web application and an underlying relational database. We introduce a dynamic detection method that, during our experiments, led to the identification of several race condition vulnerabilities even in mature open-source projects.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    NCSA Software Development Group: The Common Gateway Interface (1995)Google Scholar
  2. 2.
    Kunze, M.: Let there be light. LAMP: Freeware web publishing system with database support. c’t 12, 230 (1998)Google Scholar
  3. 3.
    Cova, M., Felmetsger, V., Vigna, G.: Vulnerability Analysis of Web Applications. In: Baresi, L., Dinitto, E. (eds.) Testing and Analysis of Web Services. Springer, Heidelberg (2007)Google Scholar
  4. 4.
    Symantec Inc.: Symantec internet security threat report: Volume XII. Technical report, Symantec Inc. (September 2007)Google Scholar
  5. 5.
    Halfond, W.G., Viegas, J., Orso, A.: A Classification of SQL-Injection Attacks and Countermeasures. In: Proceedings of the IEEE International Symposium on Secure Software Engineering, Arlington, VA, USA (2006)Google Scholar
  6. 6.
    CERT: Advisory CA-2000-02: Malicious HTML Tags Embedded in Client Web Requests (2002)Google Scholar
  7. 7.
    Netzer, R.H.B., Miller, B.P.: What are Race Conditions?: Some Issues and Formalizations. ACM Letters on Programming Languages and Systems 1(1), 74–88 (1992)CrossRefGoogle Scholar
  8. 8.
    Dean, D., Hu, A.J.: Fixing races for fun and profit: How to use access(2). In: Proceedings of the 13th conference on USENIX Security Symposium (2004)Google Scholar
  9. 9.
    Borisov, N., Johnson, R., Sastry, N., Wagner, D.: Fixing races for fun and profit: How to abuse atime. In: Proceedings of the 14th conference on USENIX Security Syposium (2005)Google Scholar
  10. 10.
    Bishop, M., Dilger, M.: Checking for race conditions in file accesses. Computing Systems 2(2), 131–152 (1996)Google Scholar
  11. 11.
    Abbott, R.P., Chin, J.S., Donnelley, J.E., Konigsford, W.L., Tokubo, S., Webb, D.A.: Security analysis and enhancements of computer operating systems.Google Scholar
  12. 12.
    phpBB Group: phpBBGoogle Scholar
  13. 13.
    Joomla! Core Team: Joomla!Google Scholar
  14. 14.
    Jovanovic, N.: Web Application Security. PhD thesis, Technical University of Vienna (July 2007)Google Scholar
  15. 15.
    Hind, M.: Pointer analysis: Haven’t we solved this problem yet? In: 2001 ACM SIGPLAN-SIGSOFT Workshop on Program Analysis for Software Tools and Engineering (PASTE 2001) (2001)Google Scholar
  16. 16.
    PHP Documentation Group: PHP Manual. [Online; accessed 23-November-2007].Google Scholar
  17. 17.
    MySQL AB: MySQL Reference Manual, http://dev.mysql.com/doc/refman/5.0.
  18. 18.
    Sterling, N.: WARLOCK - A static data race analysis tool. In: Proceedings of the Usenix Winter 1993 Technical Conference, pp. 97–106 (1993)Google Scholar
  19. 19.
    Engler, D., Ashcraft, K.: RacerX: Effective, Static Detection of Race Conditions and Deadlocks. In: Proceedings of the Nineteenth ACM Symposium on Operating Systems Principles, pp. 237–252 (2003)Google Scholar
  20. 20.
    Flanagan, C., Freund, S.N.: Type-based race detection for Java. ACM SIGPLAN Notices 35(5), 219–232 (2000)CrossRefGoogle Scholar
  21. 21.
    Boyapati, C., Rinard, M.: A parameterized type system for race-free java programs. In: Proceedings of the 16th ACM SIGPLAN conference on Object oriented programming, systems, languages, and applications, pp. 56–69 (2001)Google Scholar
  22. 22.
    Dinning, A., Schonberg, E.: An empirical comparison of monitoring algorithms for access anomaly detection. In: Proceedings of the Second ACM SIGPLAN Symposium on Principles & Practice of Parallel Programming, pp. 1–10 (1990)Google Scholar
  23. 23.
    Ronsse, M., Bosschere, K.D.: RecPlay: A fully integrated practical record/replay system. ACM Transactions Computer Systems 17(2), 133–152 (1999)CrossRefGoogle Scholar
  24. 24.
    Lamport, L.: Time, clocks, and the ordering of events in a distributed system. Communications of the ACM 21(7), 558–565 (1978)MATHCrossRefGoogle Scholar
  25. 25.
    Choi, J.D., Lee, K., Loginov, A., O’Callahan, R., Sarkar, V., Sridharan, M.: Efficient and precise datarace detection for multithreaded object-oriented programs. ACM SIGPLAN Notices 37(5), 258–269 (2002)CrossRefGoogle Scholar
  26. 26.
    Cheng, G.I., Feng, M., Leiserson, C.E., Randall, K.H., Stark, A.F.: Detecting data races in Cilk programs that use locks. In: Proceedings of the 10th Annual ACM Symposium on Parallel Algorithms and Architectures, pp. 298–309 (1998)Google Scholar
  27. 27.
    Savage, S., Burrows, M., Nelson, G., Sobalvarro, P., Anderson, T.E.: Eraser: A dynamic data race detector for multithreaded programs. ACM Transactions on Computer Systems 15(4), 391–411 (1997)CrossRefGoogle Scholar
  28. 28.
    Yu, Y., Rodeheffer, T., Chen, W.: RaceTrack: Efficient detection of data race conditions via adaptive tracking. Technical report, Microsoft Research (April 2005)Google Scholar
  29. 29.
    Pozniansky, E., Schuster, A.: Efficient on-the-fly data race detection in multithreaded C++ programs. ACM SIGPLAN Notices 38(10), 179–190 (2003)CrossRefGoogle Scholar
  30. 30.
    Tsyrklevich, E., Yee, B.: Dynamic detection and prevention of race conditions in file accesses. In: Proceedings of the 12th USENIX Security Symposium (August 2003)Google Scholar
  31. 31.
    Chamillard, A.T., Clarke, L.A., Avrunin, G.S.: An empirical comparison of static concurrency analysis techniques (July 23, 1996)Google Scholar
  32. 32.
    Visser, W., Havelund, K., Brat, G., Park, S.J.: Model checking programs. In: Proceedings of the 15th IEEE International Conference on Automated Software Engineering (September 2000)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Roberto Paleari
    • 1
  • Davide Marrone
    • 1
  • Danilo Bruschi
    • 1
  • Mattia Monga
    • 1
  1. 1.Dipartimento di Informatica e ComunicazioneUniversità degli Studi di MilanoMilanoItaly

Personalised recommendations