MIT Researchers find 23 unknown security flaws


Researchers at the Massachusetts Institute of Technology (MIT) have developed new software that can quickly and (almost) accurately identify security flaws in Web applications written in Ruby on Rails (RoR).

According to Daniel Jackson, a professor in the Department of Electrical Engineering and Computer Science, MIT’s newly developed system uses static analysis, a technique that generally describes the way data flows through a program.

“The classic example of this is if you wanted to do an abstract analysis of a program that manipulates integers, you might divide the integers into the positive integers, the negative integers, and zero,” according to Jackson. “The problem with this is that it can’t be completely accurate, because you lose information. If you add a positive and a negative integer, you don’t know whether the answer will be positive, negative, or zero. Most work on static analysis is focused on trying to make the analysis more scalable and accurate to overcome those sorts of problems,” added Jackson.
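Jackson's sign example, written out as a small abstract interpreter. This is an illustration added here, not the researchers' code; the expression format and all function names are assumptions of the example.

```ruby
require 'set'

# Added illustration (hypothetical names throughout): integers are abstracted
# to the set of signs they might have. The full set means "unknown".
SIGNS = %i[neg zero pos].freeze
TOP = SIGNS.to_set.freeze

def sign_of(n)
  n.zero? ? :zero : (n.positive? ? :pos : :neg)
end

def abstract(n)
  Set[sign_of(n)]
end

# Possible signs of a + b when only the signs of a and b are known.
def add_signs(a, b)
  return Set[b] if a == :zero
  return Set[a] if b == :zero
  a == b ? Set[a] : TOP # pos + neg: the result could be anything
end

# The sign of a * b is fully determined by the signs of a and b.
def mul_signs(a, b)
  return Set[:zero] if a == :zero || b == :zero
  Set[a == b ? :pos : :neg]
end

# Lift a per-sign operation to sets of signs: union over every pair.
def lift(xs, ys)
  xs.to_a.product(ys.to_a).reduce(Set.new) { |acc, (a, b)| acc | yield(a, b) }
end

# Evaluate an expression tree over abstract values.
# Expression: Integer literal, Symbol variable, or [:add | :mul, lhs, rhs].
def abs_eval(expr, env)
  return abstract(expr) if expr.is_a?(Integer)
  return env.fetch(expr) if expr.is_a?(Symbol)
  op, lhs, rhs = expr
  l = abs_eval(lhs, env)
  r = abs_eval(rhs, env)
  case op
  when :add then lift(l, r) { |a, b| add_signs(a, b) }
  when :mul then lift(l, r) { |a, b| mul_signs(a, b) }
  else raise ArgumentError, "unknown operator #{op.inspect}"
  end
end
```

With `x` known only to be positive, `abs_eval([:add, :x, [:mul, -1, :x]], { x: Set[:pos] })` returns the full set of signs even though `x - x` is always zero: the analysis stays sound but loses precision, which is the limitation Jackson describes.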

After testing 50 popular Web apps written in RoR, Daniel Jackson and University of California at Berkeley researcher Joseph Near discovered 23 previously unknown security flaws, spending no more than 63 seconds inspecting each app.

“Even if you wrote a small program, it sits atop a vast edifice of libraries and plug-ins and frameworks. So when you look at something like a Web application written in a language like Ruby on Rails, if you try to do a conventional static analysis, you typically find yourself mired in this huge bog. And this makes it really infeasible in practice,” according to Jackson.

Using “non-conventional” methods to test the 50 well-known Ruby on Rails apps, and focusing instead on logical reasoning, helped the researchers not only find the flaws quickly but also understand the 23 they found more accurately.

Joseph Near, a former student of Jackson who is now doing a postdoc at the University of California at Berkeley, where he recently graduated, has rewritten the libraries defined by Ruby on Rails in order to discover how their operations worked and to describe the findings in a logical language, not a programming language.

“That turns the Rails interpreter, which converts high-level Rails programs into machine-readable code, into a static-analysis tool. With Near’s libraries, running a Rails program through the interpreter produces a formal, line-by-line description of how the program handles data,” according to MIT news.

Researchers Jackson and Near will present their final results at the International Conference on Software Engineering which will take place from May 14, 2016 until May 22, 2016 in Austin, Texas.

