US researchers have created a new system that can quickly comb through tens of thousands of lines of application code to find security flaws in popular web-based apps.
The system, developed at the Massachusetts Institute of Technology (MIT), traces the flow of data through a program using a technique called static analysis.
An MIT professor and co-author of the study explains, “The classic example of this is if you wanted to do an abstract analysis of a program that manipulates integers, you might divide the integers into the positive integers, the negative integers, and zero.”
Every operation in the program is then evaluated according to its effect on the integers’ signs: adding two positives yields a positive; adding two negatives yields a negative; multiplying two negatives yields a positive; and so on.
He added, “The problem with this is that it can’t be completely accurate, because you lose information. If you add a positive and a negative integer, you don’t know whether the answer will be positive, negative, or zero. Most work on static analysis is focused on trying to make the analysis more scalable and accurate to overcome those sorts of problems.”
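The sign analysis the professor describes, carried through as an added example (written in Ruby here because the page concerns Ruby on Rails; it is not the researchers' code or any part of Space): an abstract evaluator over the sign domain for a tiny expression language, plus a check that its answers are sound with respect to concrete evaluation.

```ruby
# Sign-domain abstract interpreter for a tiny expression language.
# Abstract values: :pos, :neg, :zero and :top (sign unknown).
# Added example; not the MIT researchers' code or Space itself.
SIGN_ADD = {
  [:pos, :pos] => :pos, [:neg, :neg] => :neg, [:zero, :zero] => :zero,
  [:pos, :zero] => :pos, [:zero, :pos] => :pos,
  [:neg, :zero] => :neg, [:zero, :neg] => :neg
}.freeze # pairs not listed (pos+neg, or anything with :top) lose information: :top

def sign_of(n)
  n.zero? ? :zero : (n.positive? ? :pos : :neg)
end

def abs_add(a, b)
  SIGN_ADD.fetch([a, b], :top)
end

def abs_mul(a, b)
  return :zero if a == :zero || b == :zero # zero absorbs even an unknown sign
  return :top if a == :top || b == :top
  a == b ? :pos : :neg
end

# Expressions: an Integer literal, [:var, name], [:add, l, r] or [:mul, l, r].
def abstract_eval(expr, env = {})
  return sign_of(expr) if expr.is_a?(Integer)
  op, l, r = expr
  return env.fetch(l, :top) if op == :var
  a, b = abstract_eval(l, env), abstract_eval(r, env)
  op == :add ? abs_add(a, b) : abs_mul(a, b)
end

def concrete_eval(expr, env = {})
  return expr if expr.is_a?(Integer)
  op, l, r = expr
  return env.fetch(l) if op == :var
  a, b = concrete_eval(l, env), concrete_eval(r, env)
  op == :add ? a + b : a * b
end

# Soundness check: the abstract sign must cover the concrete sign, and
# :top is the price paid whenever precision is lost (e.g. positive + negative).
def sound?(expr, concrete_env)
  abstract_env = concrete_env.transform_values { |v| sign_of(v) }
  a = abstract_eval(expr, abstract_env)
  a == :top || a == sign_of(concrete_eval(expr, concrete_env))
end
```

`abstract_eval([:add, 3, -5])` returns `:top`, the lost information the quote refers to, even though the concrete result is plainly -2.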
With web applications, however, the cost of accuracy is prohibitively high. The researchers exploited some peculiarities of the popular Ruby on Rails web programming framework to develop their system, called “Space”.
In May 2016, the researchers will present their results at the International Conference on Software Engineering in Austin, Texas.
In his PhD work, he used this general machinery to build three different debuggers for Ruby on Rails applications, each requiring a different degree of programmer involvement.
From the descriptions generated by the hacked libraries, Space can automatically determine whether the program adheres to those models. If it does not, there’s likely to be a security flaw.
In tests on 50 popular web applications written in Ruby on Rails, the system found 23 previously undiagnosed security flaws, and it took no more than 64 seconds to analyse any given program.