
New debugging method found undetected security flaws in popular web apps - Lind5
http://news.mit.edu/2016/patching-web-applications-0415
======
tptacek
You'd really need to see the paper to evaluate this, because pretty much every
static analysis technique can generate lists of "undetected security flaws",
especially if the corpus of application code is unconstrained. You'd want to
know:

* Did they find a kind of security flaw that is particularly difficult to detect? Like, reliable generic authorization bypass detection result would be novel.

* Did they find 23 flaws in _popular and important Rails apps_? Those applications have probably been tested extensively already, and new results are interesting. Random e-commerce applications buried in Github, less so.

* How severe were the flaws? Security flaws range from remote code execution on the very damaging side to version information disclosure on the marginal side.

~~~
forgotpwtomain
From skimming the papers briefly* it looks like it's finding errors in policy-
scoping and other violations outside of expected permission branches.

The thesis isn't linked on the site but I found it here:

[0] [http://www.cs.berkeley.edu/~jnear/](http://www.cs.berkeley.edu/~jnear/)
[1] [https://dspace.mit.edu/handle/1721.1/99841](https://dspace.mit.edu/handle/1721.1/99841)

~~~
ShaneWilton
I've been working through the paper for almost two hours now. I'm not an
expert on static analysis, so I don't know how much of the information in here
is novel, but the paper does a great job of concisely conveying a lot of
interesting ideas. His model for representing data exposures is beautiful in
its simplicity, and I think it could almost trivially be adapted for dynamic
analysis too.

Definitely worth a skim in my opinion.

------
joshwa
Actual software:

[http://www.cs.berkeley.edu/~jnear/derailer/](http://www.cs.berkeley.edu/~jnear/derailer/)

"Derailer uses an automatic static analysis to produce a visual representation
of the information flows within a Ruby on Rails web application. The
visualization organizes the results of the analysis in a tree, with the goal
of helping the user to quickly find the most sensitive information flows, and
also allows the user to filter the set of flows based on the conditions under
which they occur."

[http://www.cs.berkeley.edu/~jnear/rubicon/](http://www.cs.berkeley.edu/~jnear/rubicon/)

"Rubicon is a library for Ruby, Rails, and RSpec that lets you write formal
specifications of the behavior of your web apps. In addition to the standard
RSpec language, Rubicon gives you the quantifiers of first-order logic, so
your specifications cover all possible objects of the given type, and mock
objects are no longer needed. "

~~~
sirwolfgang
The main one in the article:

[http://www.cs.berkeley.edu/~jnear/space/](http://www.cs.berkeley.edu/~jnear/space/)

"SPACE is a specification-free tool for finding missing security checks in
Ruby on Rails web applications using a catalog of access control patterns in
which each pattern models a common access control use case. SPACE checks that
for every kind of data exposure allowed by an application's code, some
security pattern in our catalog also allows the exposure. The user provides a
mapping from application types to the types of our catalog, and then SPACE
identifies security bugs automatically."

The paper referenced:

[https://dspace.mit.edu/bitstream/handle/1721.1/99841/9274107...](https://dspace.mit.edu/bitstream/handle/1721.1/99841/927410712-MIT.pdf)
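To make the quoted SPACE description concrete, here is an added illustration (constructed for this thread, not the paper's formalism or the tool's code) of the core check: every data exposure the app's code allows must be justified by some pattern in an access-control catalog, and whatever is left over is a candidate missing security check. The `SENSITIVITY` mapping, the `CATALOG` patterns and the sample exposures are all hypothetical.

```ruby
# Constructed illustration of the SPACE idea, not the paper's model or code.
# One exposure, as a static analysis might extract it from a controller action:
# `guard` is the condition the code actually checks before rendering `field`.
Exposure = Struct.new(:action, :resource, :field, :guard) do
  def type_key; "#{resource}.#{field}"; end
  # Fields the user has not mapped are classified :unmapped, not :public.
  def sensitivity; SENSITIVITY.fetch(type_key, :unmapped); end
end

# Hypothetical user-supplied mapping from application types to catalog types.
SENSITIVITY = {
  "Post.title" => :public,
  "Post.body"  => :public,
  "User.email" => :owner_only,
  "User.ssn"   => :admin_only,
}.freeze

# Hypothetical catalog of access-control patterns; each returns true if it
# justifies the exposure. An admin check is treated as covering owner-only data.
CATALOG = {
  public_read: ->(e) { e.sensitivity == :public },
  owner_read:  ->(e) { e.sensitivity == :owner_only && %i[viewer_is_owner viewer_is_admin].include?(e.guard) },
  admin_read:  ->(e) { e.sensitivity == :admin_only && e.guard == :viewer_is_admin },
}.freeze

def justified?(exposure)
  CATALOG.values.any? { |pattern| pattern.call(exposure) }
end

# Exposures no pattern justifies. Unmapped fields are reported too, so the
# user extends the mapping instead of the tool silently passing them.
def missing_checks(exposures)
  exposures.reject { |e| justified?(e) }
end

def report(exposures)
  missing_checks(exposures).map do |e|
    "#{e.action}: exposes #{e.type_key} (#{e.sensitivity}) under guard #{e.guard}"
  end
end

# Constructed sample exposures, e.g. users#show renders email with no ownership check.
EXPOSURES = [
  Exposure.new("posts#index",      "Post", "title",       :none),
  Exposure.new("posts#show",       "Post", "body",        :none),
  Exposure.new("posts#show",       "Post", "draft_notes", :none),            # not in the mapping
  Exposure.new("users#show",       "User", "email",       :none),            # missing owner check
  Exposure.new("account#show",     "User", "email",       :viewer_is_owner),
  Exposure.new("users#show",       "User", "ssn",         :viewer_is_owner), # owner check is not enough
  Exposure.new("admin/users#show", "User", "ssn",         :viewer_is_admin),
].freeze

puts report(EXPOSURES)
```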

------
chao-
It isn't the most important aspect of this article, and I know that tech
journalism by persons outside the field is prone to this sort of thing, but a
little bit of me dies inside when I read or hear the phrase "The Rails
Interpreter".

~~~
jaflo
Pardon my ignorance, but what should it be instead?

~~~
wpears
Ruby. Rails is the web framework, Ruby is the language and thus the thing that
is interpreted.

------
forgotpwtomain
This is as good as click-bait gets; there is nothing informative in this article
that suggests how this actually works or what the security flaws were.

------
schwabacher
Does anyone know what they mean by this?:

_Ruby on Rails — or Rails, as it’s called for short — has the peculiarity of
defining even its most basic operations in libraries. Every addition, every
assignment of a particular value to a variable, imports code from a library._

~~~
__david__
It sounds like someone tried to explain operator overloading and Ruby's
message passing system to someone who was not very familiar with coding.

------
bikamonki
Please add Ruby on Rails on the title...

------
mkagenius
In case someone is interested, here is a tool which actually (no false
positives) detects data leaks via your APIs:
[https://fallible.co/blog//2016/03/13/Automating-data-leak-de...](https://fallible.co/blog//2016/03/13/Automating-data-leak-detection/)

Tool link: [https://overseer.fallible.co](https://overseer.fallible.co) (I
doubt people will be okay with installing our certificate, but just in case
someone wants to use a hosted version)

------
fmavituna
For those wondering, a brief read of the paper's initial chapters shows that it's
a methodology (and toolset) to find access control issues in RoR. Seems like a
smart approach, need to see it in production though. I'm not really surprised
that they found various ACL related vulnerabilities with this model in web apps;
it's a common issue and not easy to test & check.

Injection vulnerabilities (XSS, SQLI etc.) are out of the scope of this
document/toolset; it's heavily designed to detect ACL issues in web
applications.

------
aries1980
This is a dupe of
[https://news.ycombinator.com/item?id=11515941](https://news.ycombinator.com/item?id=11515941)

------
JacksonGariety
> application written in language like Ruby on Rails

Come on, MIT, you can do better!

------
mhoad
It sounds as though this could have some hugely beneficial implications for
rails in the near future. I'm really excited to see it in action.

------
self_awareness
According to Daniel Jackson? For a moment it felt like a Stargate episode ;)

------
homakov
Hm, ok, they reinvented brakeman

------
corndoge
I don't really understand

