Skip to main content
We gratefully acknowledge support from the Simons Foundation, member institutions, and all contributors. Donate
arXiv logo
Cornell University Logo

Computer Science > Programming Languages

arXiv:2107.07300 (cs)
[Submitted on 15 Jul 2021]

Title:Deriving Static Security Testing from Runtime Security Protection for Web Applications

Authors:Angel Luis Scull Pupo (Vrije Universiteit Brussel, Belgium), Jens Nicolay (Vrije Universiteit Brussel, Belgium), Elisa Gonzalez Boix (Vrije Universiteit Brussel, Belgium)
View PDF
Abstract:Context: Static Application Security Testing (SAST) and Runtime Application Security Protection (RASP) are important and complementary techniques used for detecting and enforcing application-level security policies in web applications.
Inquiry: The current state of the art, however, does not allow a safe and efficient combination of SAST and RASP based on a shared set of security policies, forcing developers to reimplement and maintain the same policies and their enforcement code in both tools.
Approach: In this work, we present a novel technique for deriving SAST from an existing RASP mechanism by using a two-phase abstract interpretation approach in the SAST component that avoids duplicating the effort of specifying security policies and implementing their semantics. The RASP mechanism enforces security policies by instrumenting a base program to trap security-relevant operations and execute the required policy enforcement code. The static analysis of security policies is then obtained from the RASP mechanism by first statically analyzing the base program without any traps. The results of this first phase are used in a second phase to detect trapped operations and abstractly execute the associated and unaltered RASP policy enforcement code.
Knowledge: Splitting the analysis into two phases enables running each phase with a specific analysis configuration, rendering the static analysis approach tractable while maintaining sufficient precision.
Grounding: We validate the applicability of our two-phase analysis approach by using it to both dynamically enforce and statically detect a range of security policies found in related work. Our experiments suggest that our two-phase analysis can enable faster and more precise policy violation detection compared to analyzing the full instrumented application under a single analysis configuration.
Importance: Deriving a SAST component from a RASP mechanism enables equivalent semantics for the security policies across the static and dynamic contexts in which policies are verified during the software development lifecycle. Moreover, our two-phase abstract interpretation approach does not require RASP developers to reimplement the enforcement code for static analysis.
Subjects: Programming Languages (cs.PL)
Cite as: arXiv:2107.07300 [cs.PL]
  (or arXiv:2107.07300v1 [cs.PL] for this version)
  https://doi.org/10.48550/arXiv.2107.07300
Journal reference: The Art, Science, and Engineering of Programming, 2022, Vol. 6, Issue 1, Article 1
Related DOI: https://doi.org/10.22152/programming-journal.org/2022/6/1

Submission history

From: Angel Luis Scull Pupo [view email] [via PROGRAMMINGJOURNAL proxy]
[v1] Thu, 15 Jul 2021 13:05:37 UTC (497 KB)
Full-text links:

Access Paper:

  • View PDF
  • Other Formats
view license
Current browse context:
cs.PL
< prev   |   next >
new | recent | 2021-07
Change to browse by:
cs

References & Citations

DBLP - CS Bibliography

listing | bibtex
Elisa Gonzalez Boix
export BibTeX citation

Bookmark

BibSonomy logo Reddit logo

Bibliographic and Citation Tools

Bibliographic Explorer (What is the Explorer?)
Connected Papers (What is Connected Papers?)
Litmaps (What is Litmaps?)
scite Smart Citations (What are Smart Citations?)

Code, Data and Media Associated with this Article

alphaXiv (What is alphaXiv?)
CatalyzeX Code Finder for Papers (What is CatalyzeX?)
DagsHub (What is DagsHub?)
Gotit.pub (What is GotitPub?)
Hugging Face (What is Huggingface?)
Papers with Code (What is Papers with Code?)
ScienceCast (What is ScienceCast?)

Demos

Replicate (What is Replicate?)
Hugging Face Spaces (What is Spaces?)
TXYZ.AI (What is TXYZ.AI?)

Recommenders and Search Tools

Influence Flower (What are Influence Flowers?)
CORE Recommender (What is CORE?)

arXivLabs: experimental projects with community collaborators

arXivLabs is a framework that allows collaborators to develop and share new arXiv features directly on our website.

Both individuals and organizations that work with arXivLabs have embraced and accepted our values of openness, community, excellence, and user data privacy. arXiv is committed to these values and only works with partners that adhere to them.

Have an idea for a project that will add value for arXiv's community? Learn more about arXivLabs.

Which authors of this paper are endorsers? | Disable MathJax (What is MathJax?)