Open AccessProceedings Article
Finding security vulnerabilities in java applications with static analysis
V. Benjamin Livshits,Monica S. Lam +1 more
- pp 18-18
Reads0
Chats0
TLDR
This paper proposes a static analysis technique for detecting many recently discovered application vulnerabilities such as SQL injections, cross-site scripting, and HTTP splitting attacks based on a scalable and precise points-to analysis.Abstract:
This paper proposes a static analysis technique for detecting many recently discovered application vulnerabilities such as SQL injections, cross-site scripting, and HTTP splitting attacks. These vulnerabilities stem from unchecked input, which is widely recognized as the most common source of security vulnerabilities in Web applications. We propose a static analysis approach based on a scalable and precise points-to analysis. In our system, user-provided specifications of vulnerabilities are automatically translated into static analyzers. Our approach finds all vulnerabilities matching a specification in the statically analyzed code. Results of our static analysis are presented to the user for assessment in an auditing interface integrated within Eclipse, a popular Java development environment.
Our static analysis found 29 security vulnerabilities in nine large, popular open-source applications, with two of the vulnerabilities residing in widely-used Java libraries. In fact, all but one application in our benchmark suite had at least one vulnerability. Context sensitivity, combined with improved object naming, proved instrumental in keeping the number of false positives low. Our approach yielded very few false positives in our experiments: in fact, only one of our benchmarks suffered from false alarms.read more
Citations
More filters
Font Level Tainting: Another Approach for Preventing SQL Injection Attacks
TL;DR: The strange idea of combining the declarative method and the quest method is included, that uses an approach called schatten algorithm, not only to prevent the sql injection attacks, but also reduces the time and space complexity.
Posted Content
Searching for Replacement Classes.
TL;DR: ClassFinder as mentioned in this paper uses a distributed embeddings-based search and type-based analysis, using the former to prune down candidates for an optimization-based approach based on the latter.
Posted Content
D2A: A Dataset Built for AI-Based Vulnerability Detection Methods Using Differential Analysis
Yunhui Zheng,Saurabh Pujar,Burn L. Lewis,Luca Buratti,Edward A. Epstein,Bo Yang,Jim A. Laredo,Alessandro Morari,Zhong Su +8 more
TL;DR: D2A as mentioned in this paper is a dataset built by analyzing version pairs from multiple open source projects, where each project selects bug fixing commits and runs static analysis on the versions before and after such commits.
Proceedings ArticleDOI
Negative Results of Fusing Code and Documentation for Learning to Accurately Identify Sensitive Source and Sink Methods : An Application to the Android Framework for Data Leak Detection
Jordan Samhi,Maria Kober,Abdoul Kader Kaboreé,Steven Arzt,Tegawend'e F. Bissyand'e,Jacques Klein +5 more
TL;DR: CoDoC as mentioned in this paper uses deep learning techniques and combines the source code with the documentation of API methods to identify privacy-related SOURCE and SINK API methods, and it achieves a precision, recall, and F1 score of 91% in 10-fold cross-validation.
DissertationDOI
Automatic static analysis of software performance
TL;DR: In this paper, the authors propose a method to solve the problem of "uniformity" and "uncertainty" in the context of health care, and propose a solution.
References
More filters
Book
Principles of database and knowledge-base systems
TL;DR: This book goes into the details of database conception and use, it tells you everything on relational databases from theory to the actual used algorithms.
Proceedings Article
StackGuard: automatic adaptive detection and prevention of buffer-overflow attacks
Crispin Cowan,Calton Pu,Dave Maier,Heather Hintony,Jonathan Walpole,Peat Bakke,Steve Beattie,Aaron Grier,Perry Wagle,Qian Zhang +9 more
TL;DR: StackGuard is described: a simple compiler technique that virtually eliminates buffer overflow vulnerabilities with only modest performance penalties, and a set of variations on the technique that trade-off between penetration resistance and performance.
Proceedings ArticleDOI
JFlow: practical mostly-static information flow control
TL;DR: The new language JFlow is described, an extension to the Java language that adds statically-checked information flow annotations and provides several new features that make information flow checking more flexible and convenient than in previous models.
Proceedings ArticleDOI
Points-to analysis in almost linear time
TL;DR: This is the asymptotically fastest non-trivial interprocedural points-to analysis algorithm yet described and is based on a non-standard type system for describing a universally valid storage shape graph for a program in linear space.