The Influence of Programming Language and Framework on Application Security

Nov 18, 2013
The Influence of Programming
Language and Framework on
Application Security
Matthew Finifter and David Wagner
{finifter,daw}@cs.berkeley.edu
UC Berkeley
February 14, 2011
M. Finifter (UCB)
Language and Framework Security
February 14, 2011
Motivation

Some languages and frameworks more prone to
vulnerabilities?

How can we find out empirically?
Overview

The problem

Experiment

Not enough data

How can we gather better data?
Problem

Many language and framework choices

None clearly superior

Security increasingly important

Languages and frameworks evolving to meet this need

We need to measure how successful they are
Experiment

Data gathered from a previous study (Prechelt 2007)

9 implementations of the same web app: 3 PHP, 3 Java,
3 Perl

Teams chose which framework(s) to use

Little overlap in framework choice

Manual and black-box security analysis of each
implementation
Results
[Bar chart: Total Number of Vulnerabilities per implementation (Java 3, Java 4, Java 9, PHP 6, PHP 7, PHP 8, Perl 1, Perl 2, Perl 5); axis 0 to 40; each bar split by detection method: Manual, Both, Black-box]
Results (2)
[Venn diagram of vulnerabilities found by Black-box analysis versus Manual analysis; region counts shown on the slide: 20, 19, 51]
Results (3)
(X marks an implementation found vulnerable in that category)

                          CSRF                       Session Management           Password Storage
Team   Language   Vulnerable?  Framework Support   Vulnerable?  Framework Support   Vulnerable?  Framework Support
1      Perl       X            none                             opt-in              X            opt-in
2      Perl       X            none                X            none                X            none
5      Perl       X            none                X            none                             opt-out
3      Java                    manual                           opt-out                          none
4      Java                    always on                        opt-in              X            opt-in
9      Java       X            none                             opt-in                           none
6      PHP        X            none                             opt-out             X            opt-in
7      PHP        X            none                             opt-out             X            none
8      PHP        X            none                             opt-out             X            opt-in
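The table above classifies each framework's support for a defence as none, manual, opt-in, opt-out or always on. The following is an added example, not code from the Finifter/Wagner talk: a toy model of what those levels mean for a developer who never thinks about CSRF, a real token comparison for the case where the check does run, and a tally of the slide's own table data by support level (the same pooling the later "Results (5)" slide plots). The rule mapping each level to "does the check run" is an assumption made here for illustration; the TABLE rows are transcribed from the slide.

```python
"""Toy model of the 'framework support' levels from the Results (3) table.

Added example; not code from the Finifter/Wagner talk. The mapping from a
support level to whether a check actually runs is an assumption made here to
illustrate the classification; TABLE is transcribed from the slide.
"""
import hmac
import secrets
from enum import Enum


class Support(Enum):
    NONE = "none"            # framework offers nothing; the app must build it
    MANUAL = "manual"        # helper exists, but must be invoked in every handler
    OPT_IN = "opt-in"        # global switch, off unless the developer enables it
    OPT_OUT = "opt-out"      # global switch, on unless the developer disables it
    ALWAYS_ON = "always on"  # cannot be disabled


def check_runs(support, developer_forgot=True, developer_disabled=False):
    """Does the CSRF check run for a handler written under this support level?

    developer_forgot: the developer never thought about CSRF at all (built
        nothing, called no helper, touched no switch).  Assumed semantics.
    developer_disabled: the developer explicitly turned an opt-out switch off.
    """
    if support in (Support.NONE, Support.MANUAL, Support.OPT_IN):
        return not developer_forgot      # protection exists only if remembered
    if support is Support.OPT_OUT:
        return not developer_disabled    # on by default, off only on purpose
    return True                          # ALWAYS_ON


def issue_csrf_token():
    """Per-session secret that the server embeds in its own forms."""
    return secrets.token_urlsafe(32)


def handle_post(support, session_token, submitted_token,
                developer_forgot=True, developer_disabled=False):
    """Return 'ok' if the POST is accepted, 'rejected' if the CSRF check blocks it."""
    if not check_runs(support, developer_forgot, developer_disabled):
        return "ok"  # no check at all: a cross-site POST is accepted unchallenged
    # Constant-time comparison against the token the server issued for this session.
    if submitted_token is None or not hmac.compare_digest(session_token, submitted_token):
        return "rejected"
    return "ok"


# Transcribed from the Results (3) slide: (team, language, CSRF, session
# management, password storage); each cell is (vulnerable?, framework support).
TABLE = [
    (1, "Perl", (True, "none"), (False, "opt-in"), (True, "opt-in")),
    (2, "Perl", (True, "none"), (True, "none"), (True, "none")),
    (5, "Perl", (True, "none"), (True, "none"), (False, "opt-out")),
    (3, "Java", (False, "manual"), (False, "opt-out"), (False, "none")),
    (4, "Java", (False, "always on"), (False, "opt-in"), (True, "opt-in")),
    (9, "Java", (True, "none"), (False, "opt-in"), (False, "none")),
    (6, "PHP", (True, "none"), (False, "opt-out"), (True, "opt-in")),
    (7, "PHP", (True, "none"), (False, "opt-out"), (True, "none")),
    (8, "PHP", (True, "none"), (False, "opt-out"), (True, "opt-in")),
]


def vulnerable_by_support(table):
    """Map support level -> (vulnerable cells, total cells), pooling all three categories."""
    counts = {}
    for _team, _lang, *cells in table:
        for vulnerable, support in cells:
            vuln, total = counts.get(support, (0, 0))
            counts[support] = (vuln + int(vulnerable), total + 1)
    return counts


if __name__ == "__main__":
    tok = issue_csrf_token()
    for level in Support:
        print(f"{level.value:10s} forgetful developer, no token -> {handle_post(level, tok, None)}")
    for support, (vuln, total) in sorted(vulnerable_by_support(TABLE).items()):
        print(f"{support:10s} {vuln}/{total} cells vulnerable")
```

Under this model only opt-out and always-on protect a developer who forgets the feature exists, which is the direction the slide's data points in: pooling the three categories, 11 of 13 cells with no framework support are vulnerable, 4 of 7 opt-in cells are, and none of the 5 opt-out cells are. The sample is far too small to generalise from, which is the point of the "Larger data set" slides that follow.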
Results (4)

A few interesting, significant results

But not as many as we would like
Larger data set

Programming contest

Student programming projects

Outsourced development

guru.com, rentacoder.com, etc.
Outsourced development

We write a web application in multiple languages using
multiple frameworks

Hire programmers for a single security-relevant module

Sample size vs. module size
Conclusion

Have performed a small-scale experiment

Some evidence that language and framework choice
influence security

Need better data for a larger-scale study
Thank you!
Matthew Finifter, finifter@cs.berkeley.edu
Results (5)
[Bar chart: Number of Vulnerabilities vs. Framework Support; x-axis: no support, manual, opt in, opt out; y-axis: Number of Vulnerabilities, 0 to 30; series: XSS, SQL Injection, Auth. Bypass]
Results (6)
[Four bar charts of vulnerabilities per implementation (Java 3, Java 4, Java 9, PHP 6, PHP 7, PHP 8, Perl 1, Perl 2, Perl 5), each bar split by detection method (Manual, Both, Black-box):
 Stored XSS (axis 0 to 10)
 Reflected XSS (axis 0 to 20)
 SQL Injection (axis 0 to 3)
 Authentication/Authorization Bypass (axis 0 to 2)]