New code analyzer of Ruby on Rails unveiled security flaws in well-known web apps

Run through 50 most widespread apps written in Ruby on Rails; a new code analyzer SPACE discovered 23 vulnerabilities undetected before. Maximum time per one application scan did not exceed 64 seconds.

What is ruby on rails? RUBY ON RAILS, often called just “Rails”, is a full-scale multilevel Web application framework popular for building applications which are advanced and database-intensive. Rails is a dynamic reflective high-level interpreted language valued by many for making programming fast and comfortable.

With all the exciting features its dynamic nature provides for web development, it also caused some difficulties with bug finding. Namely, it made finding the flaws related to variable type conflicts possible only during program execution. The developers handled this issue from MIT who delivered a new code analyzer. According to its authors, SPACE security scanner not only performs static analysis of the app code, but also does it unbelievably quickly, and which is more important, thoroughly. These claims are supported by the results of testing 50 most widespread open source Web apps written in Ruby. In scanned applications, SPACE managed to diagnose 23 flaws undetected before. The longest scanning for bugs lasted just 1 minute and 4 seconds, which means that 23 programs were audited in less than 1 hour.

The newly-developed code analyzer is based on certain execution peculiarities typical of Ruby-based programs.

Ruby on Rails is well-known for defining any assignment of a certain value to a variable, any addition or other basic operation, in a library. SPACE developers exploited this peculiarity and rewrote the libraries. Doing so, the researchers expected that operations kept in the libraries would be able not only to describe own behavior, but also deliver those descriptions in a logical language.

This manipulation turns SPACE, which transforms complicated Ruby programs into machine-readable code, into a static analysis tool. With updated libraries, testing a Ruby program with the code analyzer gives full information about data-handling safety of the scanned program.

Developing SPACE, its authors singled out 7 specific levels of data access for apps. It means that some information is open for anyone, to access other data the user must log in, certain users — app administrators – can enjoy unrestricted access to any information, etc. After identifying data access differences, a simple logical model was built which would describe data access levels for different types of users and circumstances in which data access is either possible or denied. Examining information obtained from the scanned libraries, SPACE bug finder can automatically determine app adherence to the patterns. If the conformity is broken, there’s a big chance of vulnerability.

SPACE which is expected to increase programming productivity was presented to the general public in May 2016.