Supporting automated vulnerability analysis using formalized vulnerability signatures

2012 27th IEEE/ACM International Conference on Automated Software Engineering, ASE 2012 - Proceedings

Volumn , Issue , 2012, Pages 100-109

  Almorsy, Mohamed ^a   Grundy, John ^a   Ibrahim, Amani S ^a  

^a SWINBURNE UNIVERSITY OF TECHNOLOGY   (Australia)

Author keywords

Common weaknesses enumeration (CWE); Formal vulnerability specification; Software security; Vulnerability analysis

Indexed keywords

BENCHMARK APPLICATIONS; COMMON WEAKNESSES ENUMERATION (CWE); IT SYSTEM; PROGRAM ANALYSIS; REACHABILITY; SECURITY REQUIREMENTS; SOFTWARE SECURITY; TARGET SYSTEMS; VULNERABILITY ANALYSIS; VULNERABILITY SIGNATURE; WEB APPLICATION; PUBLICLY ACCESSIBLE;

AUTOMATION; PERSONAL COMPUTING; SOFTWARE ENGINEERING; SPECIFICATIONS;

NETWORK SECURITY;

EID: 84866913797     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2351676.2351691     Document Type: Conference Paper

References (22)

1. BALZAROTTI, D., COVA, et al 2008. Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications. In Proc. of 2008 IEEE Symposium on Security and Privacy, 387-401.
2. BAU, J., BURSZTEIN, E., GUPTA, D., and MITCHELL, J., 2010. State of the Art: Automated Black-Box Web Application Vulnerability Testing. In Proc. of 2010 IEEE Symposium on Security and Privacy, 332-345.
3. CENGARLE, M.V. and KNAPP, A., 2004. OCL 1.4/5 vs. 2.0 Expressions Formal semantics and expressiveness. Software and Systems Modeling 3, 1, 9-30.
4. DASGUPTA, A., NARASAYYA, V., and SYAMALA, M., 2009. A Static Analysis Framework for Database Applications. In Proc. of 2009 IEEE Int. Conf. on Data Engineering, 1403-1414.
5. FELMETSGER, V., et al, 2010. Toward automated detection of logic vulnerabilities in web applications. In 19th USENIX Conf. on Security, Washington, DC.
6. GANESH, V., et al, 2011. HAMPI: a string solver for testing, analysis and vulnerability detection. In Proc. of 23rd Int. Conf. on Computer aided verification Springer-Verlag, Snowbird, UT, 1-19.
7. HALFOND, W.G.J., ORSO, A., and MANOLIOS, P., 2006. Using positive tainting and syntax-aware evaluation to counter SQL injection attacks. In 14th ACM Int. symposium on Foundations of software engineering, Oregon, 175-185.
8. HOOIMEIJER, P., et al, 2011. Fast and precise sanitizer analysis with BEK. In 20th USENIX Conf. on Security (San Francisco, CA2011).
9. JOVANOVIC, N., KRUEGEL, C., et al, 2006. Pixy: a static analysis tool for detecting Web application vulnerabilities. In 2006 IEEE Symposium on Security and Privacy, 258-263.
10. KALS, S., et al, 2006. SecuBat: a web vulnerability scanner. In 15th Int. Conf. on World Wide Web. Edinburgh, 247-256.
11. KIEYZUN, et al, 2009. Automatic creation of SQL Injection and cross-site scripting attacks. In Proc. of 31st Int.Conf. on Software Engineering, 199-209.
12. LAM, M.S., MARTIN, M., LIVSHITS, B., and WHALEY, J., 2008. Securing web applications with static and dynamic information flow tracking. In 2008 ACM SIGPLAN symposium on Partial evaluation and semantics-based program manipulation, California, USA, 3-12.
13. LEI, W., QIANG, Z., and PENGCHAO, Z., 2008. Automated Detection of Code Vulnerabilities Based on Program Analysis and Model Checking. In 8th IEEE Int. Conf. on Source Code Analysis and Manipulation, 165-173.
14. MANADHATA, P.K. and WING, J.M., 2011. An Attack Surface Metric. IEEE Transactions on Software Engineering 37, 3, 371-386.
15. MARTIN, M., LIVSHITS, B., and LAM, M.S., 2005. Finding application errors and security flaws using PQL: a program query language. In 20th annual Conf. on Objectoriented programming, systems, languages, and applications ACM, CA, USA, 365-383.
16. MONGA, M., PALEARI, R., and PASSERINI, E., 2009. A hybrid analysis framework for detecting web application vulnerabilities. In Proc. 2009 ICSE Workshop on Software Engineering for Secure Systems, 1656378, 25-32.
17. NIST, May 2007, Accessed 2011. Source Code Security Analysis Tool Functional Specification Version 1.1.
18. WASSERMANN, G. and SU, Z., 2008. Static detection of cross-site scripting vulnerabilities. In Proc. 30th Int. Conf. on Software engineering ACM, Leipzig, Germany, 171-180.
19. WEINBERGER, J., SAXENA, P., et al, 2011. A systematic analysis of XSS sanitization in web application frameworks. In 16th European Conf. on Research in computer security, Belgium, 150-171.
20. WILLY JIMENEZ, A.M., ANA CAVALLI 2009. Software Vulnarabilities, Prevention and Detection Methods: A Reviw. In 2009 European Workshop on Security in Model Driven Architecture, Enschede, The Netherlands, 6-13.
21. ZHANG, R., HUANG, S., et al, 2012. Static program analysis assisted dynamic taint tracking for software vulnerability discovery. Computers & Mathematics with Application 63, 2, 469-480.
22. VAJK, T., MEZEI, G., and LEVEDOVSZKY T., 2008. An Incremental OCL Compiler for Modelling Environments. In Electronic Communications of the EASST, vol. Volume 15: OCL Concepts and Tools.