Patching vulnerabilities with sanitization synthesis

Proceedings - International Conference on Software Engineering

Volumn , Issue , 2011, Pages 251-260

  Yu, Fang ^a   Alkhalaf, Muath ^b   Bultan, Tevfik ^b  

^a NATIONAL CHENGCHI UNIVERSITY   (Taiwan)

^b UNIVERSITY OF CALIFORNIA   (United States)

Author keywords

automata; sanitization synthesis; string analysis

Indexed keywords

ATTACK PATTERNS; AUTOMATA; INPUT MATCH; INPUT STRING; SANITIZATION; STRING ANALYSIS; THREE PHASIS; VULNERABILITY ANALYSIS; VULNERABILITY SIGNATURE; WEB APPLICATION;

SOFTWARE ENGINEERING; USER INTERFACES;

NETWORK SECURITY;

EID: 79959887208     PISSN: 02705257     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1985793.1985828     Document Type: Conference Paper

References (19)

1. D. Balzarotti, M. Cova, V. Felmetsger, N. Jovanovic, C. Kruegel, E. Kirda, and G. Vigna. Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications. In S&P, pages 387-401, 2008.
2. C. Bartzis and T. Bultan. Widening arithmetic automata. In CAV, pages 321-333, 2004.
3. BRICS. The MONA project. http://www.brics.dk/mona/.
4. A. S. Christensen, A. Møller, and M. I. Schwartzbach. Precise analysis of string expressions. In SAS, pages 1-18, 2003.
5. T. H. Cormen, C. E. Leiserson, and R. L. Rivest. Introduction to Algorithms. MIT Press, 1990.
6. M. Costa, M. Castro, L. Zhou, L. Zhang, and M. Peinado. Bouncer: securing software by blocking bad input. In SOSP, pages 117-130, 2007.
7. X. Fu, X. Lu, B. Peltsverger, S. Chen, K. Qian, and L. Tao. A static analysis framework for detecting sql injection vulnerabilities. In COMPSAC, pages 87-96, 2007.
8. C. Gould, Z. Su, and P. Devanbu. Static checking of dynamically generated queries in database applications. In ICSE, pages 645-654, 2004.
9. G.Wassermann and Z. Su. Static detection of cross-site scripting vulnerabilities. In ICSE, pages 171-180, 2008.
10. J. E. Hopcroft and J. D. Ullman. Introduction to Automata Theory, Languages and Computation. Addison-Wesley, 1979.
11. N. Jovanovic, C. Krügel, and E. Kirda. Pixy: A static analysis tool for detecting web application vulnerabilities. In S&P, pages 258-263, 2006.
12. A. Kiezun, V. Ganesh, P. J. Guo, P. Hooimeijer, and M. D. Ernst. Hampi: a solver for string constraints. In ISSTA, pages 105-116, 2009.
13. Y. Minamide. Static approximation of dynamically generated web pages. In WWW, pages 432-441, 2005.
14. D. Shannon, S. Hajra, A. Lee, D. Zhan, and S. Khurshid. Abstracting symbolic execution with string analysis. In TAICPART-MUTATION, pages 13-22, 2007.
15. G. Wassermann and Z. Su. Sound and precise analysis of web applications for injection vulnerabilities. In PLDI, pages 32-41, 2007.
16. F. Yu, M. Alkhalaf, and T. Bultan. Generating vulnerability signatures for string manipulating programs using automata-based forward and backward symbolic analyses. In ASE, pages 605-609, 2009.
17. F. Yu, M. Alkhalaf, and T. Bultan. Stranger: An automata-based string analysis tool for php. In TACAS, pages 154-157, 2010.
18. F. Yu, T. Bultan, M. Cova, and O. H. Ibarra. Symbolic string verification: An automata-based approach. In SPIN, pages 306-324, 2008.
19. F. Yu, T. Bultan, and O. H. Ibarra. Relational string verification using multi-track automata. In CIAA, 2010.