GAEtaintmode

Towards a Taint Mode for Cloud Computing Web Applications

Luciano Bello and Alejandro Russo

Cloud computing is generally understood to mean that data and computations are distributed somewhere over the Internet. Over the past years there has been a steep increase in the number of web sites using this technology. Unfortunately, those web sites are not exempt from the fact that injection flaws and cross-site scripting are two of the most common vulnerabilities. Taint analysis is an automatic approach to finding and repairing such vulnerabilities. Cloud computing platforms possess several features that, while they facilitate the development of web applications, make it difficult to apply off-the-shelf taint analysis techniques. More specifically, several of the proposed taint analysis techniques do not deal with persistent storage (e.g., object datastores), opaque objects (i.e., objects whose implementation cannot be accessed, so that tracking tainted data through them becomes a challenge), or a rich set of security policies (e.g., forcing a specific order in which sanitizers must be applied). We propose a taint analysis for cloud computing web applications that considers the datastore, opaque objects, and a set of rich and useful security policies. Rather than modifying interpreters or compilers, we provide taint analysis via a library for the cloud computing platform Google App Engine (GAE). To evaluate the use of our library, we harden an existing GAE web application against cross-site scripting attacks.

Categories and Subject Descriptors D.2.5 [Software Engineering]: Testing and Debugging; D.3.3 [Programming Languages]: Language Constructs and Features-Modules, packages
General Terms Security, Languages, Web Applications
Keywords Taint analysis, Cloud computing, Library
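The abstract names three things a library-based taint mode has to do without help from the interpreter: propagate taint through ordinary string operations, let sanitizers and sinks be declared as library constructs, and enforce policies such as a required order of sanitizers. The following is an added example written for this page to show those mechanics in plain Python; it is not code from the paper or from the taintmode library, and its API (TaintedStr, merge, sanitizer, sink, TaintError) is invented for the illustration. The shorten filter stands in for a length-limiting template filter such as the shorturl sanitizer mentioned below, request_param and render stand in for the guestbook's request and template layers, and the form contents are constructed input.

```python
"""Added illustration of a library-based taint mode (not the paper's taintmode
library).  Untrusted input is wrapped in TaintedStr, the overridden string
operations propagate the taint, sanitizers record their name on the value, and
a sink accepts a tainted value only if the sanitizers its policy names were the
last ones applied, in that order."""
import html
from functools import wraps

XSS = "xss"   # taint tag: data that may end up inside an HTML page


class TaintedStr(str):
    """A str that carries taint tags and the ordered sanitizers applied so far."""

    def __new__(cls, value, taints=frozenset(), cleaned=()):
        obj = super().__new__(cls, value)
        obj.taints, obj.cleaned = frozenset(taints), tuple(cleaned)
        return obj

    # str's own operators return a plain str, so each override re-wraps the result.
    def __add__(self, other):
        return merge(str.__add__(self, other), self, other)

    def __radd__(self, other):            # "prefix" + tainted
        return merge(str.__add__(other, self), other, self)

    def __rmod__(self, fmt):              # "<b>%s</b>" % tainted
        return merge(str.__mod__(fmt, self), fmt, self)


def merge(value, *parts):
    """Taint of a value built from `parts`: union of tags; history kept only if all tainted pieces agree."""
    tainted = [p for p in parts if isinstance(p, TaintedStr)]
    if not tainted:
        return value                      # only plain pieces: stays a plain str
    same = all(p.cleaned == tainted[0].cleaned for p in tainted)
    return TaintedStr(value, frozenset().union(*(p.taints for p in tainted)),
                      tainted[0].cleaned if same else ())


class TaintError(Exception):
    pass


def sanitizer(fn):
    """Run fn on the raw text and append fn's name to the value's sanitizer history."""
    @wraps(fn)
    def wrapper(value):
        out = fn(str(value))              # str() of a subclass is a plain copy
        if isinstance(value, TaintedStr):
            return TaintedStr(out, value.taints, value.cleaned + (fn.__name__,))
        return out
    return wrapper


def sink(tag, requires):
    """Reject an argument tainted with `tag` unless `requires` is the tail of its history."""
    requires = tuple(requires)            # a later sanitizer could undo escaping, so order matters
    def deco(fn):
        @wraps(fn)
        def wrapper(*args, **kw):
            for v in list(args) + list(kw.values()):
                if (isinstance(v, TaintedStr) and tag in v.taints
                        and v.cleaned[len(v.cleaned) - len(requires):] != requires):
                    raise TaintError(f"{fn.__name__}: sanitizers applied {v.cleaned}, "
                                     f"policy needs them to end with {requires}")
            return fn(*args, **kw)
        return wrapper
    return deco


@sanitizer
def escape_html(s):
    return html.escape(s, quote=True)

@sanitizer
def shorten(s, limit=40):                 # hypothetical stand-in for a length-limiting filter
    return s if len(s) <= limit else s[:limit - 3] + "..."

def request_param(form, name):            # stand-in for reading a POST field: a taint source
    return TaintedStr(form[name], {XSS})

@sink(XSS, requires=("escape_html",))
def render(template, **ctx):              # stand-in for the template engine writing HTML
    return template % ctx


def demo(form=None):
    """Guestbook-style flow over a constructed request; returns what each sink call did."""
    form = form or {"content": '<script>alert("xss")</script>'}   # constructed input
    content = request_param(form, "content")
    greeting = "Guest wrote: " + content  # taint survives concatenation
    results = {"percent_keeps_taint": isinstance("<b>%s</b>" % content, TaintedStr),
               # an f-string builds a fresh str outside the overrides: taint is silently lost
               "fstring_keeps_taint": isinstance(f"{content}", TaintedStr)}
    for label, value in [("raw", greeting), ("escaped", escape_html(greeting)),
                         ("wrong_order", shorten(escape_html(greeting))),
                         ("right_order", escape_html(shorten(greeting)))]:
        try:
            results[label] = render("<p>%(msg)s</p>", msg=value)
        except TaintError as e:
            results[label] = "rejected: " + str(e)
    return results
```

demo() shows the policy at work: the raw value and the escape-then-shorten value are rejected (truncating after escaping can cut an entity in half and leaves something other than the escaper as the last sanitizer), while shorten-then-escape passes. The f-string case is the caveat a library approach carries: any operation the library does not override returns a fresh, untainted str, which is the same gap the abstract describes for opaque objects.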

What's the running example?

The running example is explained in the Section 6 of the paper. It is based on the guestbook example from google-app-engine-samples, used by the Getting Started documentation.

It has been tested with google_appengine v1.6.3 and Python 2.7.2, on Linux.

The archive includes the taintmode library and the application files. In summary:

app.yaml, index.yaml, stylesheets/
    From the original guestbook example, without any modifications.
templatefilters.py
    The shorturl sanitizer, explained in Section 6.1 of the paper.
guestbook6_templates.py, index.html
    From the original guestbook example, with some minimal modifications explained in Section 6.1 of the paper.
taintmode/
    The taintmode library itself.

Instructions

Download and unpack the tar file with the running example:

wget http://www.cse.chalmers.se/~bello/GAEtaintmode/GAEtaintmode_example.tar.gz
tar zxvf GAEtaintmode_example.tar.gz

Download and unzip the Google App Engine SDK for Python v1.6.3 (the stable version at the time of writing). Run the development server with the guestbook application:

wget googleappengine.googlecode.com/files/google_appengine_1.6.3.zip
unzip google_appengine_1.6.3.zip
./google_appengine/dev_appserver.py --clear_datastore guestbook
Page last modified on December 08, 2015, at 04:44 PM