A team of researchers has come out with a new software that represents a breakthrough in security for programs written in the popular web application framework Ruby on the Rails.
By exploiting some peculiarities of the popular Web programming framework Ruby on Rails, MIT researchers have developed a system that can quickly comb through tens of thousands of lines of application code to find security flaws.
In tests on 50 popular Web applications written using Ruby on Rails, the system found 23 previously undiagnosed security flaws, and it took no more than 64 seconds to analyze any given program.
According to Daniel Jackson, the new system uses a technique called static analysis, which seeks to describe, in a very general way, how data flows through a program.
“The classic example of this is if you wanted to do an abstract analysis of a program that manipulates integers, you might divide the integers into the positive integers, the negative integers, and zero,” Jackson explained.
The static analysis would then evaluate every operation in the program according to its effect on integers’ signs. Adding two positives yields a positive; adding two negatives yields a negative; multiplying two negatives yields a positive; and so on.
“The problem with this is that it can’t be completely accurate, because you lose information,” Jackson says. “If you add a positive and a negative integer, you don’t know whether the answer will be positive, negative, or zero. Most work on static analysis is focused on trying to make the analysis more scalable and accurate to overcome those sorts of problems.”
With Web applications, however, the cost of accuracy is prohibitively high, Jackson said, adding that the program under analysis is just huge. “Even if you wrote a small program, it sits atop a vast edifice of libraries and plug-ins and frameworks.”
The researchers will present their results at the International Conference on Software Engineering, in May.