A symbolic execution framework for JavaScript

Proceedings - IEEE Symposium on Security and Privacy

Volumn , Issue , 2010, Pages 513-528

  Saxena, Prateek ^a   Akhawe, Devdatta ^a   Hanna, Steve ^a   Mao, Feng ^a   McCamant, Stephen ^a   Song, Dawn ^a  

^a UNIVERSITY OF CALIFORNIA   (United States)

Author keywords

String decision procedures; Symbolic execution; Web security

Indexed keywords

CODE INJECTION; DECISION PROCEDURE; JAVASCRIPT; SYMBOLIC EXECUTION; VULNERABILITY ANALYSIS; WEB APPLICATION; WEB SECURITY;

HIGH LEVEL LANGUAGES;

JAVA PROGRAMMING LANGUAGE;

EID: 77955220343     PISSN: 10816011     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/SP.2010.38     Document Type: Conference Paper

References (30)

1. S. Artzi, A. Kieżun, J. Dolby, F. Tip, D. Dig, A. Paradkar, and M. D. Ernst. Finding bugs in dynamic web applications. In International Symposium on Software Testing and Analysis, 2008.
2. D. Balzarotti, M. Cova, V. Felmetsger, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna. Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications. In Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, May 2008.
3. A. Barth, J. Caballero, and D. Song. Secure content sniffing for web browsers or how to stop papers from reviewing themselves. In Proceedings of the 30th IEEE Symposium on Security and Privacy, Oakland, CA, May 2009.
4. N. Bjørner, N. Tillmann, and A. Voronkov. Path feasibility analysis for string-manipulating programs. In Proceedings of the 15th International Conference on Tools and Algorithms for the Construction and Analysis of Systems, 2009.
5. H. Bojinov, E. Bursztein, and D. Boneh. XCS: Cross channel scripting and its impact on web applications. In CCS, 2009.
6. J. R. Büchi and S. Senger. Definability in the existential theory of concatenation and undecidable extensions of this theory. Mathematical Logic Quarterly, 34(4): 337-342, 1988.
7. J. Caballero, S. McCamant, A. Barth, and D. Song. Extracting models of security-sensitive operations using stringenhanced white-box exploration on binaries. Technical Report UCB/EECS-2009-36, EECS Department, University of California, Berkeley, 2009.
8. A. Chandra, J. Halpern, A. Meyer, and R. Parikh. Equations between regular terms and an application to process logic. In Proceedings of the 13th annual ACM Symposium on Theory of Computing (STOC), pages 384-390, May 1981.
9. R. Chugh, J. A. Meister, R. Jhala, and S. Lerner. Staged information flow for JavaScript. In PLDI, 2009.
10. V. Ganesh and D. L. Dill. A decision procedure for bit-vectors and arrays. In Computer Aided Verification, 19th International Conference (CAV), pages 519-531, July 2007.
11. P. Godefroid, M. Y. Levin, and D. Molnar. Automated whitebox fuzz testing. In Network and Distributed System Security, Feb. 2008.
12. S. Guarnieri and B. Livshits. Gatekeeper: mostly static enforcement of security and reliability policies for JavaScript code. In Usenix Security, 2009.
13. R. Hansen. XSS cheat sheet, http://ha.ckers.org/xss.html.
14. P. Hooimeijer and W. Weimer. A decision procedure for subset constraints over regular languages. In ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), pages 188-198, June 2009.
15. J. Karhumäki, W. Plandowski, and F. Mignosi. The expressibility of languages and relations by word equations. In Automata, Languages and Programming, 24th International Colloquium, (ICALP), pages 98-109, 1997.
16. A. Kieżun, V. Ganesh, P. J. Guo, P. Hooimeijer, and M. D. Ernst. HAMPI: A solver for string constraints. In International Symposium on Software Testing and Analysis, 2009.
17. A. Kieżun, P. J. Guo, K. Jayaraman, and M. D. Ernst. Automatic creation of SQL injection and cross-site scripting attacks. In 30th International Conference on Software Engineering (ICSE), May 2009.
18. A. Klein. DOM based cross site scripting or XSS of the third kind. Technical report, Web Application Security Consortium, 2005.
19. M. Martin and M. S. Lam. Automatic generation of XSS and SQL injection attacks with goal-directed model checking. In 17th USENIX Security Symposium, 2008.
20. A. B. Matos. Periodic sets of integers. Theoretical Computer Science, 127(2): 287-312, May 1994.
21. A. Mesbah, E. Bozdag, and A. van Deursen. Crawling ajax by inferring user interface state changes. In Proceedings of the International Conference on Web Engineering, 2008.
22. Samy. I'm popular. Description of the MySpace worm by the author, including a technical explanation., Oct 2005.
23. P. Saxena, D. Akhawe, S. Hanna, F. Mao, S. McCamant, and D. Song. A symbolic execution framework for javascript. Technical Report UCB/EECS-2010-26, EECS Department, University of California, Berkeley, 2010.
24. P. Saxena, S. Hanna, P. Poosankam, and D. Song. FLAX: Systematic discovery of client-side validation vulnerabilities in rich web applications. In 17th Annual Network & Distributed System Security Symposium, (NDSS), 2010.
25. TwitPwn. DOM based XSS in Twitterfall. 2009.
26. M. Veanes, P. de Halleux, and N. Tillmann. Rex: Symbolic regular expression explorer. In International Conference on Software Testing, Verification and Validation, 2010.
27. W3C. HTML 5 specification. http://www.w3.org/TR/htm15/.
28. G. Wassermann, D. Yu, A. Chander, D. Dhurjati, H. Inamura, and Z. Su. Dynamic test input generation for web applications. In Proceedings of the International symposium on Software testing and analysis, 2008.
29. XML path language 2.0. http://www.w3.org/TR/xpath20/.
30. F. Yu, T. Bultan, and O. H. Ibarra. Symbolic string verification: Combining string analysis and size analysis. In Tools and Algorithms for the Construction and Analysis of Systems (TACAS), pages 322-336, Mar. 2009.