1) WhiteList Checker is an Eclipse plugin that aims to improve application security by helping developers perform proper input validation.
2) It identifies untrusted input sources like user-submitted parameters and interactively notifies developers to insert validation code using predefined validation rules.
3) These rules include syntactic rules using regular expressions to validate inputs like emails and filenames, as well as semantic rules that are type-specific like restricting files to a certain directory.
How to Troubleshoot Apps for the Modern Connected Worker
WhiteList Checker: An Eclipse Plugin to Improve Application Security
1. WhiteList Checker: An Eclipse Plugin to
Improve Application Security
Bill Chu, Jing Xie, Will Stranathan
University of North Carolina at
Charlotte
2. Motivation
Lack of proper input validation is a cause of many
software vulnerabilities
XSS, SQL injection, File inclusion, Log forging, Path
Manipulation etc.
White list vs. Black list validation
White list input validation is not easy to do, even
for common input types (e.g. names)
Support for input validation can be baked into IDE
7. Trust boundary definition
API calls
HttpServletRequest.getParameter()
Parameters / variables
main (String[] args)
8. Input validation rules
WhiteList Checker is initialized with a set of regular
expressions developed by OWASP for input validation
Syntactic rules
Regular expressions
e.g. email, full path file name
Semantic rules
Specific to input type
e.g. files under /usr/billchu
User defined rules
9. Building a data dictionary
Identify all input times and where they are input to
the application
Answer queries:
How many places in this application we accept credit
card numbers from the user?
Does this application accept sensitive information from
the customer?
10. Generate customized rules for static analysis
Fortify Example
Generate rules that removes taints to reduce false
positives
11. Future work
Dataflow analysis for input of composite type
Implement semantic validation rules
Dynamic languages
Evaluation including user studies