Towards security testing with taint analysis and genetic algorithms

Proceedings - International Conference on Software Engineering

Volumn , Issue , 2010, Pages 65-71

  Avancini, Andrea ^a   Ceccato, Mariano ^a  

^a ITC IRST   (Italy)

Author keywords

cross site scripting; genetic algorithms; security testing; taint analysis

Indexed keywords

AUTOMATIC ASSISTANCE; CROSS SITE SCRIPTING; FALSE POSITIVE; INPUT VECTOR; POTENTIAL BENEFITS; SECURITY TESTING; TEST CASE; WEB APPLICATION;

COMPUTER SOFTWARE; GENETIC ALGORITHMS; STATIC ANALYSIS; WORLD WIDE WEB;

SECURITY OF DATA;

EID: 77954612683     PISSN: 02705257     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1809100.1809110     Document Type: Conference Paper

References (23)

1. B. Beizer. Software testing techniques (2nd ed.). Van Nostrand Reinhold Co., New York, NY, USA, 1990.
2. W. Chang, B. Streiff, and C. Lin. Efficient and extensible security enforcement using dynamic data flow analysis. In CCS '08: Proceedings of the 15th ACM conference on Computer and communications security, pages 39-50, New York, NY, USA, 2008. ACM.
3. B. Chess and J. West. Secure programming with static analysis. Addison-Wesley Professional, 2007.
4. S. Christey and R. A. Martin. Vulnerability type distributions in cve. Technical report, The MITRE Corporation, 2006.
5. C. Criscione and S. Zanero. Masibty: an anomaly based intrusion prevention system for web applications. In Black Hat Europe 2009, 2009.
6. D. E. Cristian Cadar, Daniel Dunbar. Klee: Unassisted and automatic generation of high-coverage tests for complex systems programs. In USENIX Symposium on Operating Systems Design and Implementation, pages 209-224. USENIX Association, 2008.
7. R. H. Gong, M. Zulkernine, and P. Abolmaesumi. A software implementation of a genetic algorithm based approach to network intrusion detection. In Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing, 2005 and First ACIS International Workshop on Self-Assembling Wireless Networks. SNPD/SAWN 2005. Sixth International Conference on, pages 246-253, May 2005.
8. C. D. Grosso, G. Antoniol, E. Merlo, and P. Galinier. Detecting buffer overflow via automatic test input data generation. Computers and Operations Research, 35(10):3125-3143, 2008. Special Issue: Search-based Software Engineering.
9. Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D.-T. Lee, and S.-Y. Kuo. Securing web application code by static analysis and runtime protection. In WWW '04: Proceedings of the 13th international conference on World Wide Web, pages 40-52, New York, NY, USA, 2004. ACM.
10. N. Jovanovic, C. Kruegel, and E. Kirda. Pixy: A static analysis tool for detecting web application vulnerabilities (short paper). In SP '06: Proceedings of the 2006 IEEE Symposium on Security and Privacy, pages 258-263, Washington, DC, USA, 2006. IEEE Computer Society.
11. J. Krinke. Information flow control and taint analysis with dependence graphs. In 3rd International Workshop on Code Based Security Assessments (CoBaSSA 2007), pages 6-9, 2007.
12. V. B. Livshits and M. S. Lam. Finding security vulnerabilities in java applications with static analysis. In SSYM'05: Proceedings of the 14th conference on USENIX Security Symposium, pages 271-286, Berkeley, CA, USA, 2005. USENIX Association.
13. R. Majumdar and K. Sen. Hybrid concolic testing. In ICSE '07: Proceedings of the 29th international conference on Software Engineering, pages 416-426, Washington, DC, USA, 2007. IEEE Computer Society.
14. R. Pargas, M. J. Harrold, and R. Peck. Test-data generation using genetic algorithms. Journal of Software Testing, Verifications, and Reliability, 9:263-282, September 1999.
15. K. Sen, D. Marinov, and G. Agha. Cute: a concolic unit testing engine for c. In Proceedings of the 10th European software engineering conference, pages 263-272, New York, NY, USA, 2005. ACM.
16. U. Shankar, K. Talwar, J. S. Foster, and D. Wagner. Detecting format string vulnerabilities with type qualifiers. In SSYM'01: Proceedings of the 10th conference on USENIX Security Symposium, pages 16-16, Berkeley, CA, USA, 2001. USENIX Association.
17. M. Sharir and A. Pnueli. Program Flow Analysis: Theory and Applications, chapter Two approaches to interprocedural data flow analysis, pages 189-233. Prentice Hall, 1981.
18. R. Strom and D. Yellin. Extending typestate checking using conditional liveness analysis. Software Engineering, IEEE Transactions on, 19(5):478-485, May 1993.
19. P. Tonella. Evolutionary testing of classes. In ISSTA '04: Proceedings of the 2004 ACM SIGSOFT international symposium on Software testing and analysis, pages 119-128, New York, NY, USA, 2004. ACM.
20. L. Wang, Q. Zhang, and P. Zhao. Automated detection of code vulnerabilities based on program analysis and model checking. In Source Code Analysis and Manipulation, 2008 Eighth IEEE International Working Conference on, pages 165-173, Sept. 2008.
21. G. Wassermann and Z. Su. Static detection of cross-site scripting vulnerabilities. In ICSE '08: Proceedings of the 30th international conference on Software engineering, pages 171-180, New York, NY, USA, 2008. ACM.
22. G. Wassermann and Z. Su. Static detection of cross-site scripting vulnerabilities. In Software Engineering, 2008. ICSE '08. ACM/IEEE 30th International Conference on, pages 171-180, May 2008.
23. G. Wassermann, D. Yu, A. Chander, D. Dhurjati, H. Inamura, and Z. Su. Dynamic test input generation for web applications. In ISSTA '08: Proceedings of the 2008 international symposium on Software testing and analysis, pages 249-260, New York, NY, USA, 2008. ACM.