(2020) Raccoon: Automated Verification of Guarded Race Conditions in Web Applications.
|
Text
raccoon_acmsac2020.pdf - Published Version Download (804kB) | Preview |
Abstract
Web applications are distributed, asynchronous applications that can span multiple concurrent processes. They are intended to be used by a large amount of users at the same time. As concurrent applications, web applications have to account for race conditions that may occur when database access happens concurrently. Unlike vulnerability classes, such as XSS or SQL Injection, dbms based race condition flaws have received little attention even though their impact is potentially severe. In this paper, we present Raccoon, an automated approach to detect and verify race condition vulnerabilities in web application. Raccoon identifies potential race conditions through interleaving execution of user traces while tightly monitoring the resulting database activity. Based on our methodology we create a proof of concept implementation. We test four different web applications and ten use cases and discover six race conditions with security implications. Raccoon requires neither security expertise nor knowledge about implementation or database layout, while only reporting vulnerabilities, in which the tool was able to successfully replicate a practical attack. Thus, Raccoon complements previous approaches that did not verify detected possible vulnerabilities.
| Item Type: | Conference or Workshop Item (A Paper) (Paper) |
|---|---|
| Divisions: | Giancarlo Pellegrino (GP) |
| Conference: | SAC ACM Symposium on Applied Computing |
| Depositing User: | Giancarlo Pellegrino |
| Date Deposited: | 18 Jan 2020 14:28 |
| Last Modified: | 05 Nov 2020 11:52 |
| Primary Research Area: | NRA5: Empirical & Behavioral Security |
| URI: | https://publications.cispa.saarland/id/eprint/3028 |
Actions
Actions (login required)
 |
View Item |