Toward automated detection of logic vulnerabilities in web applications

Proceedings of the 19th USENIX Security Symposium

Volumn , Issue , 2010, Pages 143-160

  Felmetsger, Viktoria ^a   Cavedon, Ludovico ^a   Kruegel, Christopher ^a   Vigna, Giovanni ^a  

^a University of California   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

APPLICATION PROGRAMS; KNOWLEDGE MANAGEMENT; MODEL CHECKING; NETWORK SECURITY; SPECIFICATIONS;

APPLICATION LOGIC; AUTOMATED DETECTION; BEHAVIORAL SPECIFICATION; CROSS SITE SCRIPTING; EXECUTION PARADIGM; LOGIC VULNERABILITIES; NORMAL OPERATIONS; SECURITY PROBLEMS;

COMPUTER CIRCUITS;

EID: 84894088425     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (36)

1. AMMONS, G., BODÍK, R., AND LARUS, J. Mining specifications. In Proceedings of the 29th ACM SIGPLAN-SIGACT symposium on Principles of programming languages (2002), ACM, pp. 4–16.
2. ANAND, S., PASAREANU, C., AND VISSER, W. JPF-SE: A Symbolic Execution Extension to Java PathFinder. In Proceedings of the International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS) (2007), Springer.
3. ANLEY, C. Advanced SQL Injection in SQL Server Applications. Tech. rep., Next Generation Security Software, Ltd, 2002.
4. BALIGA, A., GANAPATHY, V., AND IFTODE, L. Automatic Inference and Enforcement of Kernel Data Structure Invariants. In Computer Security Applications Conference, 2008. ACSAC 2008. Annual (2008), pp. 77–86.
5. BALZAROTTI, D., COVA, M., FELMETSGER, V., AND VIGNA, G. Multi-module Vulnerability Analysis of Web-based Applications. In Proceedings of the ACM conference on Computer and Communications Security (CCS) (2007), pp. 25–35.
6. BOND, M., SRIVASTAVA, V., MCKINLEY, K., AND SHMATIKOV, V. Efficient, Context-Sensitive Detection of Semantic Attacks. Tech. Rep. TR-09-14, UT Austin Computer Sciences, 2009.
7. COVA, M., BALZAROTTI, D., FELMETSGER, V., AND VIGNA, G. Swaddler: An Approach for the Anomaly-based Detection of State Violations in Web Applications. In Proceedings of the International Symposium on Recent Advances in Intrusion Detection (RAID) (2007), pp. 63–86.
8. CSALLNER, C., SMARAGDAKIS, Y., AND XIE, T. Article 8 (37 pages)-DSD-Crasher: A Hybrid Analysis Tool for Bug Finding. In ACM Transactions on Software Engineering and Methodology (TOSEM) (April 2008).
9. The Daikon invariant detector. http://groups.csail.mit.edu/pag/daikon/.
10. ENGLER, D., CHEN, D., HALLEM, S., CHOU, A., AND CHELF, B. Bugs as deviant behavior: a general approach to inferring errors in systems code. ACM SIGOPS Operating Systems Review 35, 5 (2001), 57–72.
11. ERNST, M., PERKINS, J., GUO, P., MCCAMANT, S., PACHECO, C., TSCHANTZ, M., AND XIAO, C. The Daikon System for Dynamic Detection of Likely Invariants. Science of Computer Programming 69, 1–3 (Dec. 2007), 35–45.
12. FOSSI, M. Symantec Global Internet Security Threat Report. Tech. rep., Symantec, April 2009. Volume XIV.
13. FOUNDATION, T. A. S. Apache Tomcat. http://tomcat.apache.org/.
14. GROSSMAN, J. Seven Business Logic Flaws That Put Your Website at Risk. http://www.whitehatsec.com/home/assets/WP bizlogic092407.pdf, September 2007.
15. GUHA, A., KRISHNAMURTHI, S., AND JIM, T. Using static analysis for Ajax intrusion detection. In Proceedings of the 18th international conference on World wide web (2009), ACM New York, NY, USA, pp. 561–570.
16. HALFOND, W., AND ORSO, A. AMNESIA: Analysis and Monitoring for NEutralizing SQL-Injection Attacks. In Proceedings of the International Conference on Automated Software Engineering (ASE) (November 2005), pp. 174–183.
17. HUANG, Y.-W., YU, F., HANG, C., TSAI, C.-H., LEE, D., AND KUO, S.-Y. Securing Web Application Code by Static Analysis and Runtime Protection. In Proceedings of the International World Wide Web Conference (WWW) (May 2004), pp. 40–52.
18. JOVANOVIC, N., KRUEGEL, C., AND KIRDA, E. Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities. In Proceedings of the IEEE Symposium on Security and Privacy (May 2006).
19. Java pathfinder. http://javapathfinder.sourceforge.net/.
20. KLEIN, A. Cross Site Scripting Explained. Tech. rep., Sanctum Inc., June 2002.
21. KREMENEK, T., TWOHEY, P., BACK, G., NG, A., AND ENGLER, D. From Uncertainty to Belief: Inferring the Specification Within. In Proceedings of the Symposium on Operating Systems Design and Implementation (OSDI) (November 2006), pp. 161–176.
22. LIVSHITS, V., AND LAM, M. Finding Security Vulnerabilities in Java Applications with Static Analysis. In Proceedings of the USENIX Security Symposium (August 2005), pp. 271–286.
23. MARTIN, M., AND LAM, M. Automatic Generation of XSS and SQL Injection Attacks with Goal-Directed Model Checking. In Proceedings of the USENIX Security Symposium (July 2008), pp. 31–43.
24. MICROSYSTEMS, S. Java Servlet Specification Version 2.4. http://java.sun.com/products/servlet/reference/api/index.html, 2003.
25. MI D D L E WA R E, O. W. O. S. ASM. http://asm.objectweb.org/.
26. NGUYEN-TUONG, A., GUARNIERI, S., GREENE, D., AND EVANS, D. Automatically Hardening Web Applications Using Precise Tainting. In Proceedings of the International Information Security Conference (SEC) (May 2005), pp. 372–382.
27. NIMMER, J., AND ERNST, M. Static verification of dynamically detected program invariants: Integrating Daikon and ESC/Java. In Proceedings of RV’01, First Workshop on Runtime Verification (2001).
28. OP E N SO U R C E SO F T WA R E. SourceForge. http://sourceforge.net.
29. PALEARI, R., MARRONE, D., BRUSCHI, D., AND MONGA, M. On race vulnerabilities in web applications. In Proceedings of the Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA) (July 2008).
30. PIETRASZEK, T., AND BERGHE, C. V. Defending against Injection Attacks through Context-Sensitive String Evaluation. In Proceedings of the International Symposium on Recent Advances in Intrusion Detections (RAID) (2005), pp. 372–382.
31. SELENIUM DEVELOPMENT TEAM. Selenium: Web Application Testing System. http://seleniumhq.org.
32. SPETT, K. Blind SQL Injection. Tech. rep., SPI Dynamics, 2003.
33. SU, Z., AND WASSERMANN, G. The Essence of Command Injection Attacks in Web Applications. In Proceedings of the Annual Symposium on Principles of Programming Languages (POPL) (2006), pp. 372–382.
34. TAN, L., ZHANG, X., MA, X., XIONG, W., AND ZHOU, Y. AutoISES: Automatically Inferring Security Specifications and Detecting Violations. In Proceedings of the USENIX Security Symposium (July 2008), pp. 379–394.
35. VISSER, W., HAVELUND, K., BRAT, G., PARK, S., AND LERDA, F. Model Checking Programs. Automated Software Engineering Journal 10, 2 (Apr. 2003).
36. XIE, Y., AND AIKEN, A. Static Detection of Security Vulnerabilities in Scripting Languages. In Proceedings of the USENIX Security Symposium (August 2006).