Towards a Taint Mode for Cloud Computing Web Applications
Cloud computing is generally understood to mean that data and computations are distributed somewhere over the Internet. Over the past years, there has been a steep increase in the number of web sites using this technology. Unfortunately, those web sites are not exempt from the fact that injection flaws and cross-site scripting are two of the most common vulnerabilities. Taint analysis is an automatic approach to find and repair such vulnerabilities. Cloud computing platforms possess several features that, while they facilitate the development of web applications, make it difficult to apply off-the-shelf taint analysis techniques. More specifically, several of the proposed taint analysis techniques do not deal with persistent storage (e.g., object datastores), opaque objects (i.e., objects whose implementation cannot be accessed, so that tracking tainted data through them becomes a challenge), or a rich set of security policies (e.g., forcing a specific order in which sanitizers must be applied). We propose a taint analysis for cloud computing web applications that considers the datastore, opaque objects, and a set of rich and useful security policies. Rather than modifying interpreters or compilers, we provide taint analysis via a library for the cloud computing platform Google App Engine (GAE). To evaluate the use of our library, we harden an existing GAE web application against cross-site scripting attacks.
Categories and Subject Descriptors: D.2.5 [Software Engineering]: Testing and Debugging; D.3.3 [Programming Languages]: Language Constructs and Features - Modules, packages
General Terms: Security, Languages, Web Applications
Keywords: Taint analysis, Cloud computing, Library
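The abstract names three things an off-the-shelf taint tracker tends to miss on a platform like GAE: taint that must survive a round trip through persistent storage, opaque objects whose internals cannot be instrumented, and policies that require sanitizers in a particular order. The following Python sketch is an added example, not the paper's library or any GAE API: the `Tainted` string type, the `sanitize`/`sink` functions, the `Datastore` and `TaintingProxy` classes and the `Greeter` object are all hypothetical, and the sanitizer names and guestbook input are constructed for the demonstration. It shows how a library, rather than a modified interpreter, can carry the sanitizer history with the data and check it at the sink.

```python
import html
import urllib.parse


class Tainted(str):
    """Untrusted string (hypothetical type, not the paper's). `sanitizers` is the
    ordered tuple of sanitizer names already applied to it."""

    def __new__(cls, value, sanitizers=()):
        obj = super().__new__(cls, value)
        obj.sanitizers = tuple(sanitizers)
        return obj

    # Taint propagates through concatenation whichever side the tainted part is on.
    def __add__(self, other):
        return _join(self, other)

    def __radd__(self, other):
        return _join(other, self)


def _common_prefix(a, b):
    n = 0
    while n < min(len(a), len(b)) and a[n] == b[n]:
        n += 1
    return a[:n]


def _join(left, right):
    """The result is tainted if either side is. A plain str (trusted literal) never
    weakens the history; two tainted parts keep only their common sanitizer prefix."""
    parts = [p for p in (left, right) if isinstance(p, Tainted)]
    if not parts:
        return str(left) + str(right)
    hist = parts[0].sanitizers
    for p in parts[1:]:
        hist = _common_prefix(hist, p.sanitizers)
    return Tainted(str(left) + str(right), hist)


# Constructed sanitizer registry; real policies would name the platform's own sanitizers.
SANITIZERS = {"html_escape": html.escape, "url_quote": urllib.parse.quote}


def sanitize(name, value):
    """Apply a named sanitizer and append it to the value's history."""
    clean = SANITIZERS[name](str(value))
    if isinstance(value, Tainted):
        return Tainted(clean, value.sanitizers + (name,))
    return clean


class PolicyViolation(Exception):
    pass


def sink(policy, value):
    """A sink accepts a tainted value only if exactly the policy's sanitizers were
    applied, in the policy's order; trusted plain strings always pass."""
    if isinstance(value, Tainted) and value.sanitizers != tuple(policy):
        raise PolicyViolation(f"expected {tuple(policy)}, got {value.sanitizers}")
    return str(value)


class Datastore:
    """Simulated persistent store that keeps taint metadata next to the value, so
    data written by one request is still tainted when read back by a later one."""

    def __init__(self):
        self._rows = {}

    def put(self, key, value):
        meta = value.sanitizers if isinstance(value, Tainted) else None
        self._rows[key] = (str(value), meta)

    def get(self, key):
        value, meta = self._rows[key]
        return Tainted(value, meta) if meta is not None else value


class TaintingProxy:
    """Wraps an opaque object whose internals cannot be instrumented: any string
    returned by a call that received tainted arguments is conservatively tainted
    with the common sanitizer history of those arguments."""

    def __init__(self, target):
        self._target = target

    def __getattr__(self, name):
        attr = getattr(self._target, name)
        if not callable(attr):
            return attr

        def wrapped(*args, **kwargs):
            tainted = [a for a in (*args, *kwargs.values()) if isinstance(a, Tainted)]
            result = attr(*args, **kwargs)
            if tainted and isinstance(result, str) and not isinstance(result, Tainted):
                hist = tainted[0].sanitizers
                for t in tainted[1:]:
                    hist = _common_prefix(hist, t.sanitizers)
                return Tainted(result, hist)
            return result

        return wrapped


class Greeter:
    """Stand-in for an opaque library object: formatting yields a plain str, so the
    taint of `name` would be lost without the proxy."""

    def greet(self, name):
        return f"Hello, {name}"


def render_guestbook_entry(store, key, author_input):
    """Constructed two-request flow: request 1 persists untrusted input; request 2
    reads it back, escapes it and emits it into an HTML sink."""
    store.put(key, Tainted(author_input))
    entry = store.get(key)
    safe = sanitize("html_escape", entry)
    return sink(("html_escape",), "<li>" + safe + "</li>")


if __name__ == "__main__":
    print(render_guestbook_entry(Datastore(), "entry1", "<script>alert(1)</script>"))
```

The design choice worth noting is that the sink checks the recorded sanitizer sequence against the policy rather than looking at the string's contents, which is what lets a policy such as "URL-quote, then HTML-escape" reject a value that was sanitized in the opposite order even though both orders produce a string with no obvious metacharacters.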
What is the running example?
Download and unpack the tar file of the running example.
Download and unzip the Google App Engine SDK for Python v1.6.3 (the current stable version). Run the server with the guestbook application: