New MIT Tool Quickly Roots Out Hidden Web App Security Bugs

In 50 Ruby on Rails web apps it quickly busted 23 previously undiagnosed vulnerabilities.

It's a funny time for software testing. As more and more software is replaced by web applications—the cloud, that is—software bugs have more and more come to mean security holes. That is, interacting with software now so often means exposing data, which means trusting the builders of said software to entirely new degrees. And, as builders, we really need to not fuck that up.

Software testing—or debugging—is intense, tedious, and imperfect. Hence, software is full of bugs. Hence, software producers offer sometimes very large cash bounties to people that can find those bugs. A funny time.

Computer scientists from MIT have developed a new automated tool that can quickly comb through many thousands of lines of code written using the popular web framework Ruby on Rails looking for security vulnerabilities. In testing 50 popular RoR web applications, the tool, which will be presented at the International Conference on Software Engineering in May and is known simply as Space, was able to come up with 23 previously undiagnosed vulnerabilities. The longest it took to debug any program was 64 seconds.

And, as someone that does software testing on a semi-regular basis, I can say that 64 seconds essentially translates to 0 seconds. Performing a static analysis of code—where it's analyzed and inspected without actually running the program—at any kind of scale is a complicated, time-consuming ordeal.

Things get even more difficult when we start talking about contemporary web applications because so much of the code behind them is pulled in from external libraries and frameworks. This was the problem faced by the MIT group: Even very simple functionality in Ruby on Rails applications, like assigning values to variables, tends to be defined in often-vast external libraries. When all of these external resources are drawn in, the resulting pile of code gets to be very large.

"The program under analysis is just huge," explains MIT computer science and engineering professor Daniel Jackson in a statement. "Even if you wrote a small program, it sits atop a vast edifice of libraries and plug-ins and frameworks. So when you look at something like a Web application written in a language like Ruby on Rails, if you try to do a conventional static analysis, you typically find yourself mired in this huge bog. And this makes it really infeasible in practice."

To solve the problem, the researchers attacked the RoR libraries themselves. The various operations defined within them were rewritten such that instead of doing actual computational operations, they returned symbolic expressions explaining what exactly those operations do.

"So we didn't revise the old code," Joe Near, now a postdoc researcher at the University of California, Berkeley and the lead researcher behind the tool, told me. "For a subset of the APIs, we threw it out and replaced it. The new versions don't let you actually run the web application; they only let you analyze it."

The effect is that as code is fed into the Ruby on Rails interpreter, that interpreter offers a helpful line-by-line description of the program's functionality in very clear, precise terms. With this in hand, static analysis becomes a much more reasonable task.

To turn this reasonable task into an automated one, Near looked at the general nature of web applications and the various ways in which they allow users to have access to their data. He came up with seven different methods and, for each, a model describing what operations a user can perform on data. Using the rewritten libraries, he was able to develop a means of testing whether or not a given web app adheres to those models. When an app breaks the rules, there is likely to be a resulting security flaw.
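A minimal sketch of the idea described above, added here as an illustration and not taken from Space: query methods are replaced by versions that return a symbolic description of what they would fetch, and each action's result is checked against an access rule. The `SymVal`, `SymQuery`, `Note` and `ACTIONS` names, the sample actions, and the owner-filter rule are all assumptions made for the example.

```ruby
# Added illustration; every name below is hypothetical, not Space's code.
# A symbolic value is a name standing in for data unknown at analysis time.
SymVal = Struct.new(:name) do
  def to_s
    name
  end
end
CURRENT_USER = SymVal.new("current_user.id")

def param(key)
  SymVal.new("params[:#{key}]")
end

# Replacement query builder: records each filter and never touches a database.
class SymQuery
  attr_reader :model, :conds

  def initialize(model, conds = [])
    @model = model
    @conds = conds
  end

  def where(filters)
    SymQuery.new(model, conds + filters.to_a)
  end

  def find(id)
    where(id: id)
  end

  def to_s
    "#{model}[" + conds.map { |field, value| "#{field} == #{value}" }.join(" && ") + "]"
  end
end
Note = SymQuery.new("Note") # symbolic stand-in for a model class (constructed)

# Constructed controller actions to analyze.
ACTIONS = {
  "notes#index" => -> { Note.where(owner_id: CURRENT_USER) },
  "notes#show"  => -> { Note.find(param(:id)) },
  "notes#mine"  => -> { Note.where(owner_id: CURRENT_USER).find(param(:id)) }
}.freeze

# Assumed rule: every exposed record set must be filtered by the current user.
def owner_constrained?(query)
  query.conds.any? { |field, value| field == :owner_id && value == CURRENT_USER }
end

def violations(actions)
  actions.map { |name, body| [name, body.call] }
         .reject { |_, query| owner_constrained?(query) }
         .map { |name, query| "#{name}: exposes #{query}" }
end
puts violations(ACTIONS)
```

Only `notes#show` is reported, because the record it looks up is selected by a request parameter alone with no owner filter in the recorded expression.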

Even without complete access to their underlying code, Near was able to analyze 50 web apps using Space. For a programmer familiar with their own code (and with complete access to it, obviously), the tool should be no sweat.