Software vulnerabilities originating from insecure code are one of the leading causes of security problems people face today. We propose a new approach, called interactive static analysis, to integrate the detection and mitigation of security vulnerabilities into the context of development.
The goal of our research is thus to increase the awareness of security vulnerabilities and practice of secure programming techniques among programmers through the use of interactive static analysis. We also aim to utilize the programmer’s contextual knowledge to drive customized static analysis, detecting additional vulnerabilities currently beyond the capabilities of existing tools. To that end, we are implementing and evaluating interactive static analysis within a prototype tool called Application Security in the IDE (ASIDE).
We have created an interactive static analysis tool, Application Security in the IDE (ASIDE), focused on Web-based applications. The goal is to raise developers' awareness of secure programming and improve their secure-coding practice, without requiring a security background. The current prototype is an Eclipse plugin for both Java and PHP. Static analysis algorithms are run on the code under development to detect a variety of potential issues. Warning icons are then placed in the left margin of the code editing window, with interactive options for understanding and mitigating each vulnerability.
ASIDE works on two types of potential vulnerabilities. Type I are vulnerabilities that are independent of the code context. These are vulnerabilities traditionally found by static analysis tools. We currently support input validation, output encoding and SQL injection vulnerabilities. ASIDE provides short descriptions alongside the warning, and a “Read More” option for detailed and contextualized descriptions of the potential vulnerability, ways to mitigate, and example code. In addition, we have added “quick fixes” for automatically generating sanitization code for input validation and output encoding warnings using ESAPI's open source libraries.
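The following is an added example, not ASIDE's own code, showing the kind of Type I findings described above in a Java servlet: the vulnerable version beside the shape the quick fixes would produce. It assumes the OWASP ESAPI 2.x API (ESAPI.validator() and ESAPI.encoder()), the default "SafeString" pattern from ESAPI.properties, and a JDBC DataSource supplied by the application.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.ValidationException;

public class ProfileServlet extends HttpServlet {
    private final DataSource ds; // assumed to be supplied by the application

    public ProfileServlet(DataSource ds) { this.ds = ds; }

    // BEFORE: three Type I warnings would appear in the margin here: unvalidated
    // input (the request parameter), SQL injection (string concatenation into the
    // query text) and missing output encoding (raw values written into HTML).
    void vulnerable(HttpServletRequest req, HttpServletResponse resp) throws IOException, SQLException {
        String user = req.getParameter("user");
        try (Connection c = ds.getConnection(); Statement st = c.createStatement();
             ResultSet rs = st.executeQuery("SELECT bio FROM profiles WHERE username = '" + user + "'")) {
            PrintWriter out = resp.getWriter();
            while (rs.next()) out.println("<p>" + user + ": " + rs.getString("bio") + "</p>");
        }
    }

    // AFTER: the input-validation and output-encoding quick fixes wrap the input in
    // an ESAPI validator and the output in an ESAPI encoder; the SQL injection warning
    // is resolved by moving the value into a bound PreparedStatement parameter.
    void hardened(HttpServletRequest req, HttpServletResponse resp) throws IOException, SQLException {
        String user;
        try {
            // "SafeString" is the default alphanumeric-and-whitespace pattern key in ESAPI.properties
            user = ESAPI.validator().getValidInput("username", req.getParameter("user"), "SafeString", 32, false);
        } catch (ValidationException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST); // reject rather than repair
            return;
        }
        try (Connection c = ds.getConnection();
             PreparedStatement ps = c.prepareStatement("SELECT bio FROM profiles WHERE username = ?")) {
            ps.setString(1, user);
            try (ResultSet rs = ps.executeQuery()) {
                PrintWriter out = resp.getWriter();
                while (rs.next()) out.println("<p>" + ESAPI.encoder().encodeForHTML(user) + ": "
                        + ESAPI.encoder().encodeForHTML(rs.getString("bio")) + "</p>");
            }
        }
    }
}
```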
Type II vulnerabilities require additional application-specific knowledge in order to detect potential issues. In these cases, developers are first asked to provide that knowledge, in the form of an annotation made by highlighting code. We currently support access control vulnerabilities. When ASIDE detects a security-sensitive operation, it asks the developer to annotate the corresponding access control logic: in annotation mode, the developer highlights the statements that perform the access control check for that operation. This also reminds the developer to add such a check if none is implemented yet. ASIDE then performs additional static analysis to detect potential access control vulnerabilities.
Through user evaluations, we have demonstrated that ASIDE improves the security awareness and knowledge of developers. We are continuing to expand the features of ASIDE. Download the latest version at http://aside.uncc.edu/download.
Dr. Bill Chu, Professor, UNC Charlotte
Dr. Heather Richter Lipford, Associate Professor, UNC Charlotte
Dr. Emerson Murphy-Hill, Associate Professor, NC State
Jing Xie, Ph.D. UNC Charlotte, now at Fire Eye Security
Jun Zhu, Ph.D. UNC Charlotte, now at Paypal
Mahmoud Mohammadi, Ph.D. student, UNC Charlotte
Tyler Thomas, Ph.D. student, UNC Charlotte
Justin Smith, Ph.D. student, NC State