WhiteList Checker: An Eclipse Plugin to Improve Application Security
Making With Eclipse · Lightning (12 mins)
Tags: Emerging Technology , Java , Tools
Monday, 17:14, 26 minutes | Lafayette
Current tools for reducing software vulnerability, such as static analyzers, are designed to include software security as a step in the software development process. We believe support for secure coding should be baked into software development tools and become an integral part of every step of the software development process.
We demonstrate our work of integrating white-list input validation into the Eclipse Java development environment. Lack of proper input validation is a large class of programming errors leading to vulnerable software. It can expose software to many types of malicious attacks including: XSS, SQL Injection, File Inclusion, Log Forging, Path Manipulation. Our approach is implemented in an Eclipse plugin, WhiteList Checker, which identifies places in a Java program where untrusted input is being read. The developer is immediately alerted, in a similar way as a syntax error, and given a white list of choices of input types to validate (e.g. name, email, or url). Upon choosing the appropriate input type, input validation code is inserted into the program being developed.
Trust boundary of the application is defined by a set of API calls (e.g. HttpServletRequest.getParameter()), or as parameters / variables (e.g. main (String args)). Inputs are validated by rules (e.g. regular expressions) that can be customized to enforce local standards (e.g. particular types of account numbers). WhiteList Checker maintains a list of uses of input types. This could be helpful for design reviews, e.g. one might be interested in finding out places where social security numbers are fed into the systems. WhiteList Checker can be extended to generate customized rules to increase accuracy of static analysis.
Bill Chu is Professor of Software and Information Systems at the University of North Carolina at Charlotte. He has over 25 years of research and education experiences in Computer Science and Information Technology. His current research interests include secure software engineering, cognitive psychology, and IT education. He has published in areas of software assurance, information technology education, enterprise integration, access control, and artificial intelligence. He received his Ph.D. and M.S. in Computer Science and B.S. in Electrical Engineering all from the University of Maryland at College Park.
Jing Xie is a second year Ph.D. student at Department of Software and Information System at UNC Charlotte. Her general interests are software security and secure programming. Her advisor is Dr. Bill Chu.