MIT RESEARCHERS FORGE NEW WEAPON FOR CODE WARRIORS
By John P. Mello Jr. - TechNewsWorld |20th April 2016
MIT researchers have developed a fast, accurate system for identifying security flaws in Web apps written in Ruby on Rails, according to news reports published last week.
In tests the researchers -- MIT Professor Daniel Jackson and Joseph Near, a postdoctoral researcher at the University of California at Berkeley -- performed on 50 popular RoR apps, they uncovered 23 previously undiscovered security flaws. What's more, the longest amount of time it took to analyze any one program was 64 seconds.
"Even if you wrote a small program, it sits atop a vast edifice of libraries and plug-ins and frameworks,"- Jackson;who with Near plans to present their findings at the International Conference on Software Engineering in May.
"So when you look at something like a Web application written in language like Ruby on Rails, if you try to do a conventional static analysis, you typically find yourself mired in this huge bog. And this makes it really infeasible in practice," he continued. Static analysis is a method for analyzing a program's code for security flaws.
To avoid the bog, Near devised a way to turn RoR itself into a static analysis tool so that running a program through the framework's interpreter produced an easy-to-follow, formal, line-by-line description of how the program handles data. Those methods are incorporated in a debugger called Space, which will be described in the paper to be aired in May.
With Space, a program's data access procedures can be evaluated based on the ways applications typically access data. If it appears as though a program is accessing data in an atypical way, then chances are it has a security flaw.
"Most organizations that have built static analysis tools that focus on security issues are worried about attacks that allow data to be stolen from a database or deface a running website," Jarrett noted.
Instead of focusing on attackers running their own code within an application, Jackson and Near have turned their attention on access control problems. They want to make sure a user is authorized to do something in an application before any code is executed.
For example, an online forum may want a visitor to log in before contributing to any topic threads. If visitors can write to threads without logging in, that would be a flaw in the code that might be flagged by the researchers' methods.
False positives are a general problem with static analysis of software, observed Slawek Ligier, vice president of engineering for security for Barracuda Networks.
While the MIT research shows promise, it has limitations, he said. "Because it's focused on Ruby on Rails and how Ruby on Rails functions with its libraries, that's definitely a big limitation." Ruby on Rails has gained some popularity among younger software organizations but hasn't been widely adopted, Jarrett added.
Less than 5 percent of all applications are written in RoR, he estimated. By comparison, 45 percent of applications are written in Java.
"This is not a method that's going to instantly make every application running on the Internet more secure -- just the ones written in Ruby, and that's a relatively small number,"- Jarrett
"This could become interesting," he added, "if they could figure out a way to extend this technique beyond Ruby and make it work for applications in other languages."