ABASH: Finding bugs in bash scripts

PLAS'07 - Proceedings of the 2007 ACM SIGPLAN Workshop on Programming Languages and Analysis for Security

Volumn , Issue , 2007, Pages 105-114

  Mazurak, Karl ^a   Zdancewic, Steve ^a  

^a UNIVERSITY OF PENNSYLVANIA   (United States)

Author keywords

Abstract Interpretation; Bash; Scripting Languages

Indexed keywords

ABSTRACT INTERPRETATION; BASH SCRIPTING LANGUAGE; LINUX DISTRIBUTION; UNIX COMMANDS;

COMPUTER OPERATING SYSTEMS; COMPUTER PROGRAMMING LANGUAGES; ERROR ANALYSIS; INTERNET;

COMPUTER VIRUSES;

EID: 36448936040     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1255329.1255347     Document Type: Conference Paper

References (34)

1. Robert Auger. Feed, injection in Web 2.0. www. spidynamics.com/assets/ documents/HackingFeeds. pdf, 2006.
2. Thomas Ball, Ella Bounimova, Byron Cook, Vladimir Levin, Jakob Lichtenberg, Con McGarvey, Bohus Ondrusek, Sriram K. Rajamani, and Abdullah Ustuner. Thorough, static analysis of device drivers. In Proceedings of the European Systems Conference, 2006.
3. CGI Security. The cross-site scripting FAQ. http: //www.cgisecurity.net/ articles/xss-faq.shtml.
4. Eric Chien. Malicious Yahooligans. http://www. Symantec.com/avcenter/ reference/malicious. yahooligans. pdf, August 2006.
5. Dojo Foundation. Dojo, the JavaScript toolkit, http: //doj otoolkit. org, 2007.
6. Ulfar Erlingsson, Benjamin Livshits, and Yinglian Xie. Endto-end Web application security. In Proceedings of the Workshop on Hot Topics in Operating Systems, May 2007.
7. Ulfar Erlingsson and Fred B. Schneider. IRM enforcement of Java stack inspection. In IEEE Symposium on Security and Privacy, pages 246-255, 2000.
8. Steven Garrity. Private RSS feeds: Support for security in aggregators, http://labs.silverorange.com/archives/ 2003/july/privaterss, July 2003.
9. Google Web toolkit, http://code.google.com/ webtoolkit.
10. Jeremiah Grossman. Cross-site scripting worms and viruses: the impending threat and the best defense, http:// www.whitehatsec.com/downloads/WHXSSThreats. pdf, April 2006.
11. Vivek Haldar, Deepak Chandra, and Michael Franz. Dynamic taint propagation for Java. In Proceedings of the 21st Annual Computer Security Applications Conference, pages 303-311, December 2005.
12. Seth. Hallem, Ben Chelf, Yichen Xie, and Dawson Engler. A system, and language for building system-specific, static analyses. In Proceedings of the Conference on Programming Language Design and Implementation, pages 69-82, June 2002.
13. Jon Howell, Collin Jackson, Helen J. Wang, and Xiaofeng Fan. MashupOS: Operating system abstractions for client mashups. In Proceedings of the Workshop on Hot Topics in Operating Systems, May 2007.
14. Yao-Wen Huang, Fang Yu, Christian Hang, Chung-Hung Tsai, Der-Tsai Lee, and Sy-Yen Kuo. Securing Web application code by static analysis and runtime protection. In Proceedings of the Conference on World Wide Web, pages 40-52, May 2004.
15. Collin Jackson and Helen J. Wang. Subspace: Secure crossdomain communication for Web mashups. In Proceedings of the World Wide Web Conference, May 2007.
16. Trevor Jim, Nikhil Swamy, and Michael Hicks. BEEP: Browser-enforced embedded policies. Technical report, Department of Computer Science, University of Maryland, 2006.
17. Trevor Jim, Nikhil Swamy, and Michael Hicks. Defeating script injection attacks with browser-enforced embedded policies. In Proceedings of the International World Wide Web Conference, 2007.
18. Nenad Jovanovic, Christopher Kruegel, and Engin Kirda. Pixy: a static analysis tool for detecting Web application vulnerabilities (short paper). In Proceedings of the Symposium on Security and Privacy, May 2006.
19. David Kierznowski. Cross context scripting with. sage, http://michaeldaw.org/md-hacks/ rss-injectlon-in-sage-part-2, September 2006.
20. Engin Kirda, Christopher Kruegel, Giovanni Vigna, and Nenad Jovanovic. Noxes: a client-side solution for mitigating cross-site scripting attacks. In Proceedings of the Symposium on Applied Computing, April 2006.
21. Laszlo Systems, Inc. OpenLaszlo: the premier open-source platform for rich Internet applications, http: //www. openlaszlo. org, 2007.
22. Benjamin Livshits and Monica S. Lam. Finding security errors in Java programs with static analysis. In Proceedings of the Usenix Security Symposium, pages 271-286, August 2005.
23. Michael Martin, Benjamin Livshits, and Monica S. Lam. Finding application errors and security vulnerabilities using PQL: a program, query language. In Proceedings of the Conference on Object-Oriented Programming, Systems, Languages, and Applications, October 2005.
24. Michael Martin, Benjamin Livshits, and Monica S. Lam. SecuriFly: Runtime vulnerability protection for Web applications. Technical report, Stanford University, October 2006.
25. Jeremy Moeder. Yahoo RSS XSS vulnerability, http:// www.securityfocus. com/archive/1/413594, October 2005.
26. Laurence Moroney. Foundations of Atlas: Rapid Ajax Development with ASPNET2.0. Apress, 2006.
27. Ann Nguyen-Tuong, Salvatore Guarnieri, Doug Greene, Jeff Shirley, and David Evans. Automatically hardening Web applications using precise tainting. In Proceedings of the IFIP International Information Security Conference, June 2005.
28. Tadeusz Pietraszek and Chris Vanden Berghe. Defending against injection attacks through context-sensitive string evaluation. In Proceedings of the Recent Advances in Intrusion Detection, September 2005.
29. C. Reis, J. Dunagan, H. Wang, O. Dubrovsky, and S. Esmeir. BrowserShield: Vulnerability-driven filtering of dynamic HTML. In Proceedings of Operating Systems Design and Implementation, 2006.
30. RSnake. XSS cheat sheet for filter evasion, http: //ha.ckers.org/xss. html.
31. Samy. The Samy worm, http://namb.la/popular, October 2005.
32. willCode4Beer. Introducing the Dojo tree widget, http:// willcode4beer.com/ware.jsp?set=dojoTreeWidget, January 2007.
33. Yichen Xie and Alex Aiken. Static detection of security vulnerabilities in scripting languages. In Proceedings of the Usenix Security Symposium, pages 271-286, August 2006.
34. Dachuan Yu, Ajay Chander, Nayeem Islam., and Igor Serikov. JavaScript instrumentation for browser security. In Proceedings of the Conference on the Principle of Programming Languages, January 2007.