Wednesday, 20 April 2016

New Debugging Technique from MIT Detect 23 New Peviously Undiagnosed Web Application Vulinerabilities



According to sources from MIT news, 23 previously undetected web application security vulnerabilities were found after testing 50 popular web applications written using Ruby on rails were tested. Each program took no more than 64 seconds to be analyzed. The results of the research will be present by some MIT researchers at the international conference on Software Engineering, in May.

The researchers have developed a system that is capable of quickly combing through tens of thousands of lines of program code to find security flaws. Using a process called static analysis, how data flows through a program can be describe in a very general way. This was according to Daniel Jackson, professor in the Department of Electrical Engineering and Computer Science. He further stated that the technique can’t be completely accurate, but more research is going on to make the analysis more scalable and accurate. A small program sits atop a vast edifice of libraries, plug-ins and frameworks. This is peculiar to Ruby on Rails (or Rails for short) making the cost of accuracy high when implementing static analysis because the program under analysis is huge and practicing it becomes infeasible. Work is also going on to make static analysis of programs written in Ruby on Rails practical.
Studies done by Joseph Near in his PhD work revealed that web applications typically control access to data in seven different ways:
1.    Some data are publicly available
2.    Some are available to currently logged in users
3.    Some are private to individual users
4.    Some users – administrators – have access to select aspects of everyone’s data and so on
During Joseph Near’s research, a logical model was developed for each of the data-access patterns. This model describes what operations a user can perform on what data, under what circumstances. A program is believed to contain security flaw if it doesn’t adhere to the models.

0 comments:

Post a Comment

Add a comment here

WhatsApp Dp