Dynamic taint propagation for Java

Proceedings - Annual Computer Security Applications Conference, ACSAC

Volumn 2005, Issue , 2005, Pages 303-311

  Haldar, Vivek ^a   Chandra, Deepak ^a   Franz, Michael ^a  

^a Ringgold Standard Institution Informatics   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

CODES (SYMBOLS); INFORMATION SERVICES; SECURITY OF DATA; USER INTERFACES; WORLD WIDE WEB;

RUNTIME ENFORCEMENT; SOURCE CODES; USER TRACKS;

COMPUTER PROGRAMMING LANGUAGES;

EID: 33846310068     PISSN: 10639527     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/CSAC.2005.21     Document Type: Conference Paper

References (21)

1. K. Beaver. Achieving sarbanes-oxley compliance for web applications through security testing, http://www.spidynamics.com/support/whitepapers/ WLSOXwhitepaper.pdf.
2. CERT, Cert advisory ca-2000-02. malicious html tags embedded in client web requests, February 2000.
3. B. Chess and G. McGraw. Static analysis for security. IEEE Security and Privacy, 2(6), 2004.
4. S. Chiba, Javassist: Java bytecode engineering made simple. Java Developer's Journa, 9(1), January 2004.
5. J. Chow, B. Pfaff, T. Garfinkel, K. Christopher, and M. Rosenblum. Understanding data lifetime via whole system simulation. In USENIX Security Symposium, 2004.
6. D. Evans and D. Larochelle. Improving security using extensible lightweight static analysis. IEEE Software, Jan/Feb, 2002.
7. V. Haldar, D. Chandra, and M. Franz. Practical, dynamic information flow for virtual machines. Technical Report TR 05-02, Department of Information and Computer Science, University of California, Irvine, Feb 2005.
8. Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D.-T. Lee, and S.-Y. Kuo, Securing web application code by static analysis and runtime protection. In Thirteenth International World Wide Web Conference, May 2004.
9. V. B. Livshits and M. Lam. Finding security vulnerabilities in Java using siatis analysis. In USENIX Technology Symposium, 2005.
10. A. C. Myers, JFlow: Practical Mostly-Static Information Flow Control. In Conference Record of POPL'99: The 26th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 228-241, San Antonio, Texas, January 20-22, 1999.
11. N. Nethercote and J. Seward. Valgrind: A program supervision framework. Electronic Notes in Theoretical Computer Science, 89(2), 2003.
12. J. Newsome and D. Song. Dynamic taint analysis: Automatic detection, analysis, and signature generation of exploit attacks on Commodity software. In Network and Distributed Systems Security Symposium, February 2005.
13. A. Nguyen-Tuong, S. Guarnieri, D. Green, J. Shirley, and D. Evans. Automatically hardening web applications using precise tainting. In IFIP Security Conference, May 2005.
14. T. Pietraszek and C. V. Berghe. Defending against injection attacks through context-sensitive string evaluation. Technical Report RZ 3615, IBM Research Report, June 2005.
15. O. W. A. S. Project. The webgoat project. http://www.owasp.org/software/ webgoat.html.
16. O. W. A. S. Project. Top ten most critical web application security vulnerabilities, http://www.owasp.org/documentation/topten.html, January 2004.
17. A. Sabelfeld and A. Myers. Language-based information-flow security. 21(1), 2003.
18. U. Shankar, K. Talwar, J. S. Foster, and D. Wagner. Detecting format string vulnerabilities with type qualifiers. In USENIX Security Symposium, 2001.
19. M. Surf and A. Shulman. How safe is it out there? http:www.imperva.com/ application.defense_center/papers/how_safe_is_it.html, June 2004.
20. D. Thomas, C. Fowler, and A. Hunt. Programming Ruby: The Pragmatic Programmers Guide, 2nd ed.
21. L. Wall, T. Christiansen, and J. Orwant. Programming Perl. O'Reilly and Associates, 2000.