UC Santa Barbara

A crucial problem in developing dependable web applications is the

correctness of the input validation and sanitization. Bugs in string

manipulation operations used for validation and sanitization are common,

resulting in erroneous application behavior and vulnerabilities that are

exploitable by malicious users. In this dissertation, we investigate the

problem of automatic detection and repair of validation and sanitization bugs

both at the client-side (JavaScript) and the server-side (PHP or Java) code.

We first present a formal model for input validation and sanitization

functions along with a new domain specific intermediate language

to represent them. Then, we show how to extract input validation and

sanitization functions in our intermediate language from both client and

server-side code in web applications. After the extraction phase, we use

automata-based static string-analysis techniques to automatically verify

and fix the extracted functions. One of our contributions is the development

of efficient automata-based string analysis techniques for frequently used,

complex string operations.

We developed two basic approaches to bug detection and repair: 1)

policy-based, and 2) differential. In the policy-based approach, input

validation and sanitization policies are expressed using two regular

expressions, one specifying the maximum policy (the upper bound for the

set of strings that should be allowed) and the other specifying the minimum

policy (the lower bound for the set of strings that should be allowed). Using

our string analysis techniques we can identify two types of errors in

an input validation and sanitization function: 1) it accepts a set of strings that

is not permitted by the maximum policy (i.e., it is under-constrained),

or 2) it rejects a set of strings that is permitted by the minimum policy

(i.e., it is over-constrained).

Our differential bug detection and repair approach does not require any

policy specifications. It exploits the fact that, in web applications,

developers typically perform redundant input validation and sanitization

in both the client and the server-side since client-side checks can

be by-passed. Using automata-based string analysis, we compare the

input validation and sanitization functions extracted from the client- and

server-side code, and identify and report the inconsistencies between them.

Finally, we present an automated differential repair technique that can

repair client and server-side code with respect to each other, or across

applications in order to strengthen the validation and sanitization

checks. Given a reference and a target function, our differential repair

technique strengthens the validation and sanitization operations in the

target function based on the reference function by automatically generating

a set of patches.

We experimented with a number of real world web applications and found many

bugs and vulnerabilities. Our analysis generates counter-example behaviors

demonstrating the detected bugs and vulnerabilities to help the developers

with the debugging process. Moreover, we automatically generate patches

that can be used to mitigate the detected bugs and vulnerabilities until

developers write their own patches.