Derailer: interactive security analysis for web applications

Near, Joseph P.; Jackson, Daniel

Author(s)

Near, Joseph Paul; Jackson, Daniel

DownloadJackson_Derailer.pdf (486.0Kb)

OPEN_ACCESS_POLICY

Terms of use

Creative Commons Attribution-Noncommercial-Share Alike http://creativecommons.org/licenses/by-nc-sa/4.0/

Metadata

Show full item record

Abstract

Derailer is an interactive tool for finding security bugs in web applications. Using symbolic execution, it enumerates the ways in which application data might be exposed. The user is asked to examine these exposures and classify the conditions under which they occur as security-related or not; in so doing, the user effectively constructs a specification of the application's security policy. The tool then highlights exposures missing security checks, which tend to be security bugs. We have tested Derailer's scalability on several large open-source Ruby on Rails applications. We have also applied it to a large number of student projects (designed with different security policies in mind), exposing a variety of security bugs that eluded human reviewers.

Date issued

2014-09

URI

http://hdl.handle.net/1721.1/100435

Department

Massachusetts Institute of Technology. Computer Science and Artificial Intelligence Laboratory; Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science

Journal

Proceedings of the 29th ACM/IEEE international conference on Automated software engineering (ASE '14)

Publisher

Association for Computing Machinery (ACM)

Citation

Joseph P. Near and Daniel Jackson. 2014. Derailer: interactive security analysis for web applications. In Proceedings of the 29th ACM/IEEE international conference on Automated software engineering (ASE '14). ACM, New York, NY, USA, 587-598.

Version: Author's final manuscript

ISBN

9781450330138

Collections

MIT Open Access Articles

DSpace@MIT