Path- and index-sensitive string analysis based on monadic second-order logic

2011 International Symposium on Software Testing and Analysis, ISSTA 2011 - Proceedings

Volumn , Issue , 2011, Pages 166-176

  Tateishi, Takaaki ^a   Pistoia, Marco ^b   Tripp, Omer ^c,d  

^a IBM RESEARCH TOKYO   (Japan)

^b IBM T J WATSON RESEARCH CENTER   (United States)

^c IBM   (United States)

^d TEL AVIV UNIVERSITY   (Israel)

Author keywords

static program analysis; string analysis; web security

Indexed keywords

MONADIC SECOND-ORDER LOGIC; NOVEL TECHNIQUES; PROGRAM VARIABLES; SECURITY ANALYSIS; STATIC PROGRAM ANALYSIS; STRING ANALYSIS; THEOREM PROVERS; WEB APPLICATION; WEB SECURITY;

COMPUTER SOFTWARE SELECTION AND EVALUATION; ENCODING (SYMBOLS); SECURITY SYSTEMS; USER INTERFACES;

SOFTWARE TESTING;

EID: 80051944491     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2001420.2001441     Document Type: Conference Paper

References (37)

1. IBM Rational AppScan Source Edition. ibm.com/software/r ational/products/appscan/source.
2. Open Web Application Security Project (OWASP). owasp.org/index.php/ Category:Attack.
3. A. Ayari and D. Basin. Bounded model construction for monadic second-order logics. In CAV, 2000.
4. D. Balzarotti, M. Cova, V. Felmetsger, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna. Saner: Composing static and dynamic analysis to validate sanitization in web applications. In Security and Privacy (Oakland), 2008.
5. N. Bjørner, N. Tillmann, and A. Voronkov. Path feasibility analysis for string-manipulating programs. In TACAS, 2009.
6. D. Brumley, H. Wang, S. Jha, and D. Song. Creating vulnerability signatures using weakest preconditions. In CSF, 2007.
7. A. S. Christensen, A. Feldthaus, and A. Møller. JSA - the Java String Analyzer. brics.dk/JSA, 2009.
8. A. S. Christensen, A. Møller, and M. I. Schwartzbach. Precise analysis of string expressions. In SAS, 2003.
9. P. Cousot and R. Cousot. Formal language, grammar and set-constraint-based program analysis by abstract interpretation. In FPCA, 1995.
10. R. Cytron, J. Ferrante, B. K. Rosen, M. N. Wegman, and F. K. Zadeck. Efficiently computing static single assignment form and the control dependence graph. TOPLAS, 1991.
11. X. Fu and C.-C. Li. A string constraint solver for detecting web application vulnerability. In SEKE, 2010.
12. E. Geay, M. Pistoia, T. Tateishi, B. Ryder, and J. Dolby. Modular string-sensitive permission analysis with demand-driven precision. In ICSE, 2009.
13. D. Grove and C. Chambers. A Framework for Call Graph Construction Algorithms. TOPLSA, 2001.
14. D. Grove, G. DeFouw, J. Dean, and C. Chambers. Call graph construction in object-oriented languages. In OOPSLA, 1997.
15. C. Hammer, R. Schaade, and G. Snelting. Static path conditions for java. In PLAS, 2008.
16. J. G. Henriksen, J. L. Jensen, M. E. Jørgensen, N. Klarlund, R. Paige, T. Rauhe, and A. Sandholm. MONA: Monadic second-order logic in practice. In TACAS, 1995.
17. P. Hooimeijer and W. Weimer. A decision procedure for subset constraints over regular languages. In PLDI, 2009.
18. M. Kay and R. M. Kaplan. Regular models of phonological rule systems. Computational Linguistics, 20(3), 1994.
19. A. Kieżun, V. Ganesh, P. J. Guo, P. Hooimeijer, and M. D. Ernst. HAMPI: A solver for string constraints. In ISSTA, 2009.
20. N. Klarlund and A. Møller. MONA Version 1.4 User Manual. BRICS, 2001. Notes Series NS-01-1. http://www.brics.dk/mona.
21. B. Livshits, A. V. Nori, S. K. Rajamani, and A. Banerjee. Merline: Specification inference for explicit information flow problems. In PLDI, 2009.
22. V. B. Livshits and M. S. Lam. Finding security vulnerabilities in java applications with static analysis. In USENIX Security, 2005.
23. Y. Minamide. Static approximation of dynamically generated web pages. In WWW, 2005.
24. B. K. Rosen, M. N. Wegman, and F. K. Zadeck. Global value numbers and redundant computations. In POPL, 1988.
25. P. Saxena, D. Akhawe, S. Hanna, F. Mao, S. McCamant, and D. Song. A symbolic execution framework for javascript. In Security and Privacy (Oakland), 2010.
26. D. Shannon, I. Ghosh, S. Rajan, and S. Khurshid. Efficient symbolic execution of strings for validating web applications. In DEFECTS, 2009.
27. G. Snelting. Combining slicing and constraint solving for validation of measurement software. In SAS, 1996.
28. T. Tateishi, M. Pistoia, and O. Tripp. Path- and index-sensitive string analysis based on monadic second-order logic. IBM Research Report RT0930, 2011.
29. N. Tillmann and J. D. Halleux. Pex: white box test generation for .NET. In TAP, 2008.
30. O. Tripp, M. Pistoia, S. Fink, M. Sridharan, and O. Weisman. TAJ: Effective taint analysis of web applications. In PLDI, 2009.
31. M. Veanes, P. de Halleux, and N. Tillmann. Rex: Symbolic regular expression explorer. Microsoft Research Technical Report MSR-TR-2009-137, 2009.
32. T. J. Watson Libraries for Analysis, wala.sf.net/.
33. G. Wassermann and Z. Su. Sound and precise analysis of web applications for injection vulnerabilities. In PLDI, 2007.
34. M. N. Wegman and F. K. Zadeck. Constant propagation with conditional branches. TOPLAS, 1991.
35. F. Yu, M. Alkhalaf, and T. Bultan. Generating vulnerability signatures for string manipulating programs using automata-based forward and backward symbolic analyses. In ASE, 2009.
36. F. Yu, T. Bultan, M. Cova, and O. Ibarra. Symbolic string verification: An automata-based approach. In SPIN Workshop, 2008.
37. Z3, research.microsoft.com/projects/z3.