Context: Static Application Security Testing (SAST) and Runtime Application Security Protection (RASP) are important and complementary techniques used for detecting and enforcing application-level security policies in web applications. Inquiry: The current state of the art, however, does not allow a safe and efficient combination of SAST and RASP based on a shared set of security policies, forcing developers to reimplement and maintain the same policies and their enforcement code in both tools. Approach: In this work, we present a novel technique for deriving SAST from an existing RASP mechanism by using a two-phase abstract interpretation approach in the SAST component that avoids duplicating the effort of specifying security policies and implementing their semantics. The RASP mechanism enforces security policies by instrumenting a base program to trap security-relevant operations and execute the required policy enforcement code. The static analysis of security policies is then obtained from the RASP mechanism by first statically analyzing the base program without any traps. The results of this first phase are used in a second phase to detect trapped operations and abstractly execute the associated and unaltered RASP policy enforcement code. Knowledge: Splitting the analysis into two phases enables running each phase with a specific analysis configuration, rendering the static analysis approach tractable while maintaining sufficient precision. Grounding: We validate the applicability of our two-phase analysis approach by using it to both dynamically enforce and statically detect a range of security policies found in related work. Our experiments suggest that our two-phase analysis can enable faster and more precise policy violation detection compared to analyzing the full instrumented application under a single analysis configuration. Importance: Deriving a SAST component from a RASP mechanism enables equivalent semantics for the security policies across the static and dynamic contexts in which policies are verified during the software development lifecycle. Moreover, our two-phase abstract interpretation approach does not require RASP developers to reimplement the enforcement code for static analysis.
翻译:常规应用安全测试(SAST)和运行应用安全保护(RASP)是用来探测和执行网络应用中应用安全级别安全政策的重要和互补技术。 调查: 目前的先进技术无法根据一套共同的安全政策,安全有效地结合SAST和RASP, 迫使开发商在两种工具中重新实施和保持同样的政策及其执行代码。 方法: 在这项工作中,我们提出了一个创新技术,通过在SAST组件中采用两阶段抽象解释方法,从现有的RASP机制中产生SAST,避免在网络应用安全级别安全政策时重复努力,不执行它们的精度。 然而,目前先进的技术无法根据一套共同的安保政策,在一套共同的安保政策的基础上,将SAST和RASP结合起来。 在第二阶段中,我们使用一个精度的抽象解释方法,并抽象地执行与REASP相关的政策执行代码。 知识: 将精度政策分析分为两个阶段,同时将精度的精度分析进行每个阶段的精度分析。