Advertisement

A Method to Enhance the Security Capability of Python IDE

  • Vinh Pham
  • Namuk Kim
  • Eunil Seo
  • Jun Suk Ha
  • Tai-Myoung ChungEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11814)

Abstract

The majority of applications running on the Internet are web applications; however, these applications are vulnerable to arbitrary code execution and database manipulation by Cross-Site Scripting or SQL injection attacks. The fundamental reason of these vulnerabilities is that web applications use a string type for assembling heterogeneous computer languages’ syntax for a particular language. To cope with these vulnerabilities, we propose a language-based scheme, in which the programming language itself provides security capabilities by a method of the syntax embedded in Python. Furthermore, the proposed solution supports backward compatibility and higher portability to other languages as well as Python. To improve the debugging difficulty caused by a language-based scheme, we propose a trace-processor that has post-mortem debug ability. We implement the proposed solution as a development environment, named Python-S, based on CPython’s source code. Python-S successfully displays the protection capabilities for the SQL injection attack.

Keywords

Code injection Python Web application Programming language 

References

  1. 1.
    OWASP Homepage. https://www.owasp.org
  2. 2.
    Cwe/sans top 25 most dangerous software errors (2011). http://www.sans.org/top25-software-errors/
  3. 3.
    2011 Trustwave Global Security Report. https://www.trustwave.com
  4. 4.
    Python 3 - CGI Programming. https://www.tutorialspoint.com
  5. 5.
    Stack Overflow’s annual Developer Survey (2019). https://insights.stackoverflow.com/survey/2019#most-popular-technologies
  6. 6.
  7. 7.
    Juillerat, N.: Enforcing code security in database web applications using libraries and object models. In: Proceedings of the 2007 Symposium on Library-Centric Software Design, pp. 31–41. ACM (2007)Google Scholar
  8. 8.
    Grabowski, R., Hofmann, M., Li, K.: Type-based enforcement of secure programming guidelines — code injection prevention at SAP. In: Barthe, G., Datta, A., Etalle, S. (eds.) FAST 2011. LNCS, vol. 7140, pp. 182–197. Springer, Heidelberg (2012).  https://doi.org/10.1007/978-3-642-29420-4_12CrossRefGoogle Scholar
  9. 9.
    Kals, S., Kirda, E., Kruegel, C., Jovanovic, N.: SecuBat: a web vulnerability scanner. In: Proceedings of the 15th International Conference on World Wide Web, pp. 247–256. ACM (2006)Google Scholar
  10. 10.
    Shar, L.K., Tan, H.B.K.: Predicting SQL injection and cross site scripting vulnerabilities through mining input sanitization patterns. Inf. Softw. Technol. 55(10), 1767–1780 (2013)CrossRefGoogle Scholar
  11. 11.
    Su, Z., Wassermann, G.: The essence of command injection attacks in web applications. ACM SIGPLAN Not. 41(1), 372–382 (2006)CrossRefGoogle Scholar
  12. 12.
    Johns, M., Engelmann, B., Posegga, J.: XSSDS: server-side detection of cross-site scripting attacks. In: 2008 Annual Computer Security Applications Conference (ACSAC), pp. 335–344. IEEE (2008)Google Scholar
  13. 13.
    Fulton, N., Omar, C., Aldrich, J.: Statically typed string sanitation inside a Python. In: Proceedings of the 2014 International Workshop on Privacy & Security in Programming. ACM (2014)Google Scholar
  14. 14.
    Micheelsen, S., Thalmann, B.: A static analysis tool for detecting security vulnerabilities in python web applications (2016)Google Scholar
  15. 15.
    Giannopoulos, L., et al.: Pythia: identifying dangerous data-flows in Django-based applications. EuroSec@ EuroSys (2019)Google Scholar
  16. 16.
    Johns, M.: Towards practical prevention of code injection vulnerabilities on the programming language level (2007)Google Scholar
  17. 17.
    Johns, M., Beyerlein, C., Giesecke, R., Posegga, J.: Secure code generation for web applications. In: Massacci, F., Wallach, D., Zannone, N. (eds.) ESSoS 2010. LNCS, vol. 5965, pp. 96–113. Springer, Heidelberg (2010).  https://doi.org/10.1007/978-3-642-11747-3_8CrossRefGoogle Scholar
  18. 18.
    Johns, M.: Code-injection vulnerabilities in web applications — exemplified at cross-site scripting. IT Inf. Technol. Methoden Innov. Anwend. Inform. Inf. 53(5), 256–260 (2011)MathSciNetGoogle Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Vinh Pham
    • 1
  • Namuk Kim
    • 2
  • Eunil Seo
    • 2
  • Jun Suk Ha
    • 3
  • Tai-Myoung Chung
    • 1
    Email author
  1. 1.Department of Computer Science and EngineeringSungkyunkwan UniversitySuwonKorea
  2. 2.Department of Electrical and Computer EngineeringSungkyunkwan UniversitySuwonKorea
  3. 3.Department of Mathematics and Computer ScienceUniversity of Illinois at Urbana-ChampaignUrbanaUSA

Personalised recommendations