Enlarging Instruction Streams

Web applications are widely adopted and their correct functioning is mission critical for many businesses. At the same time, Web applications tend to be error prone and implementation vulnerabilities are readily and commonly exploited by attackers. The design of countermeasures that detect or preven...

Full description

Saved in:
Bibliographic Details
Published in:IEEE transactions on computers 2007-10, Vol.56 (10), p.1342-1357
Main Authors: Desmet, L., Verbaeten, P., Joosen, W., Piessens, F.
Format: Article
Language:English
Subjects:
Access latency
Accuracy
Annotations
Arquitectura de computadors
Branch prediction
Code optimization
Compiladors (Programes d'ordinador)
Compilers (Computer programs)
Complexity theory
Computer architecture
Electronic commerce
Engines
Errors
Expansion
Informàtica
Instruction fetch
Layout
Military technology
Missions
Multiprocessadors
Multiprocessors
Network security
Optimization
Parallel processing (Electronic computers)
Predictive models
Program verification (computers)
Programació en paral·lel (Informàtica)
Superscalar processor design
Àrees temàtiques de la UPC
Citations: Items that this one cites
Items that cite this one
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Web applications are widely adopted and their correct functioning is mission critical for many businesses. At the same time, Web applications tend to be error prone and implementation vulnerabilities are readily and commonly exploited by attackers. The design of countermeasures that detect or prevent such vulnerabilities or protect against their exploitation is an important research challenge for the fields of software engineering and security engineering. In this paper, we focus on one specific type of implementation vulnerability, namely, broken dependencies on session data. This vulnerability can lead to a variety of erroneous behavior at runtime and can easily be triggered by a malicious user by applying attack techniques such as forceful browsing. This paper shows how to guarantee the absence of runtime errors due to broken dependencies on session data in Web applications. The proposed solution combines development-time program annotation, static verification, and runtime checking to provably protect against broken data dependencies. We have developed a prototype implementation of our approach, building on the JML annotation language and the existing static verification tool ESC/Java2, and we successfully applied our approach to a representative J2EE-based e-commerce application. We show that the annotation overhead is very small, that the performance of the fully automatic static verification is acceptable, and that the performance overhead of the runtime checking is limited.
ISSN:0018-9340
1557-9956
DOI:10.1109/TC.2007.70742