Journal Article

Automata-based symbolic string analysis for vulnerability detection

TLDR
Based on the presented techniques, Stranger, an automata-based string analysis tool for detecting string-related security vulnerabilities in PHP applications, is implemented; it is able to detect known and unknown vulnerabilities and to prove the absence of vulnerabilities with respect to given attack patterns.
Abstract
Verifying string manipulating programs is a crucial problem in computer security. String operations are used extensively within web applications to manipulate user input, and their erroneous use is the most common cause of security vulnerabilities in web applications. We present an automata-based approach for symbolic analysis of string manipulating programs. We use deterministic finite automata (DFAs) to represent possible values of string variables. Using forward reachability analysis we compute an over-approximation of all possible values that string variables can take at each program point. Intersecting these with a given attack pattern yields the potential attack strings if the program is vulnerable. Based on the presented techniques, we have implemented Stranger, an automata-based string analysis tool for detecting string-related security vulnerabilities in PHP applications. We evaluated Stranger on several open-source Web applications including one with 350,000+ lines of code. Stranger is able to detect known/unknown vulnerabilities, and, after inserting proper sanitization routines, prove the absence of vulnerabilities with respect to given attack patterns.


Citations
Book Chapter

Automata-Based Model Counting for String Constraints

TL;DR: This paper presents a constraint solver that, given a string constraint, constructs an automaton that accepts all solutions satisfying the constraint, and generates a function that gives the total number of solutions within a given bound.
Proceedings Article

String analysis for side channels with segmented oracles

TL;DR: An efficient technique for segmented oracles that computes information leakage for multiple runs using only the path constraints generated from a single run symbolic execution is presented.
Proceedings Article

String solving with word equations and transducers: towards a logic for analysing mutation XSS

TL;DR: The main contribution is to show that the "straight-line fragment" of the logic is decidable; this fragment can express the program logics of straight-line string-manipulating programs with concatenations and transductions as atomic operations, which arise when performing bounded model checking or dynamic symbolic execution.
Journal Article

String constraints with concatenation and transducers solved efficiently

TL;DR: This paper provides the first string solver that can reason about constraints involving both concatenation and finite-state transductions, and has a completeness and termination guarantee for several important fragments.
Journal Article

Decision procedures for path feasibility of string-manipulating programs with complex operations

TL;DR: This paper presents the OSTRICH solver, which provides a decision procedure for checking path feasibility in string-manipulating programs with complex operations and can be used to detect XSS vulnerabilities in web applications.
References
Proceedings Article

CUTE: a concolic unit testing engine for C

TL;DR: In this paper, the authors address the problem of automating unit testing with memory graphs as inputs, and develop a method to represent and track constraints that capture the behavior of a symbolic execution of a unit with memory graphs as inputs.
Proceedings Article

Pixy: a static analysis tool for detecting Web application vulnerabilities

TL;DR: This paper uses flow-sensitive, interprocedural and context-sensitive dataflow analysis to discover vulnerable points in a program and applies it to the detection of vulnerability types such as SQL injection, cross-site scripting, or command injection.
Proceedings Article

A Symbolic Execution Framework for JavaScript

TL;DR: This paper builds an automatic end-to-end tool, Kudzu, and applies it to the problem of finding client-side code injection vulnerabilities, and designs a new language of string constraints and implements a solver for it.
Proceedings Article

Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications

TL;DR: This paper combines static and dynamic analysis techniques to identify faulty sanitization procedures that can be bypassed by an attacker, and is able to identify several novel vulnerabilities that stem from erroneous sanitization procedures.
Proceedings Article

Sound and precise analysis of web applications for injection vulnerabilities

TL;DR: This paper proposes a precise, sound, and fully automated analysis technique for SQL injection that successfully discovered previously unknown and sometimes subtle vulnerabilities in real-world programs, has a low false positive rate, and scales to large programs.