Research Team's New Debugger Can Discover Security Bugs in Ruby Code in 64 Seconds
A team of researchers from MIT (Massachusetts Institute of Technology) has built a new tool for debugging applications. It can find 23 vulnerabilities in the Ruby on Rails framework in less than 64 seconds.
The new code debugger, known as Space, is described in a paper that will be presented in May at the International Conference on Software Engineering.
The researchers say they modified the whole code of the Ruby on Rails (Rails or RoR) framework so that it could be described in terms of simple logical operations.
According to Daniel Jackson, a professor in the Department of Electrical Engineering and Computer Science, these operations would then be supplied to a static code analyzer that took into account seven ways in which users would interact with the data, depending on their permission levels.
Jackson explains: "The classic example of this is if you wanted to do an abstract analysis of a program that manipulates integers, you might divide the integers into the positive integers, the negative integers, and zero. The static analysis would then evaluate every operation in the program according to its effect on integers' signs. Adding two positives yields a positive; adding two negatives yields a negative; multiplying two negatives yields a positive; and so on."
Jackson also says, "The problem with this is that it can't be completely accurate because you lose information. If you add a positive and a negative integer, you don't know whether the answer will be positive, negative, or zero. Most work on static analysis is focused on trying to make the analysis more scalable and accurate to overcome those sorts of problems."
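The sign analysis Jackson describes, as an added example in Ruby (not code from Space or the MIT paper). The function names, the nested-array expression format and the `:top` value standing for "sign unknown" are assumptions of this example.

```ruby
# Sign domain: every integer is abstracted to :neg, :zero or :pos.
# :top means "sign unknown" (the information loss Jackson mentions).

# Abstraction of a concrete integer to its sign.
def alpha(n)
  n.zero? ? :zero : (n.positive? ? :pos : :neg)
end

def abs_add(a, b)
  return :top if a == :top || b == :top
  return b if a == :zero
  return a if b == :zero
  a == b ? a : :top # pos + neg could be anything
end

def abs_mul(a, b)
  return :zero if a == :zero || b == :zero # zero absorbs even an unknown sign
  return :top if a == :top || b == :top
  a == b ? :pos : :neg
end

# Expressions: an Integer literal, [:var, name], [:+, l, r] or [:*, l, r].
# env maps variable names to abstract signs, not to concrete values.
def abs_eval(expr, env)
  return alpha(expr) if expr.is_a?(Integer)
  op, l, r = expr
  case op
  when :var then env.fetch(l)
  when :+   then abs_add(abs_eval(l, env), abs_eval(r, env))
  when :*   then abs_mul(abs_eval(l, env), abs_eval(r, env))
  else raise ArgumentError, "unknown operator #{op.inspect}"
  end
end

# Soundness check over a small range: the abstract result must either be
# :top or match the sign of the concrete result.
def sound?(op, range = -3..3)
  range.all? do |x|
    range.all? do |y|
      abstract = op == :+ ? abs_add(alpha(x), alpha(y)) : abs_mul(alpha(x), alpha(y))
      concrete = alpha(op == :+ ? x + y : x * y)
      abstract == :top || abstract == concrete
    end
  end
end
```

Evaluating `[:+, [:var, :a], [:var, :b]]` with `a` positive and `b` negative returns `:top`: the analysis stays correct but can no longer say anything about the sign.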
He also added that "The program under analysis is just huge. Even if you wrote a small program, it sits atop a vast edifice of libraries and plug-ins and frameworks. So when you look at something like a Web application written in a language like Ruby on Rails, if you try to do a conventional static analysis, you typically find yourself mired in this huge bog. And this makes it really infeasible in practice."
If these interactions fell outside the reasonable model that Space was expecting, the debugger would treat the operation as the source of a security bug in the underlying code.
The MIT researchers said that they tested Space on 50 popular Ruby on Rails applications and that it discovered 23 new security bugs. Across all tests, the researchers say, Space never took more than 64 seconds to examine each application.