Analysis of pointers and structures
PLDI '90 Proceedings of the ACM SIGPLAN 1990 conference on Programming language design and implementation
The essence of compiling with continuations
PLDI '93 Proceedings of the ACM SIGPLAN 1993 conference on Programming language design and implementation
Programming Perl (2nd ed.)
A lattice model of secure information flow
Communications of the ACM
The calculi of lambda-nu-cs conversion: a syntactic theory of control and state in imperative higher-order programming languages
Securing web application code by static analysis and runtime protection
Proceedings of the 13th international conference on World Wide Web
Static approximation of dynamically generated Web pages
WWW '05 Proceedings of the 14th international conference on World Wide Web
Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper)
SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Guest Editor's Introduction: The State of Web Security
IEEE Security and Privacy
Improving flow analyses via ΓCFA: abstract garbage collection and counting
Proceedings of the eleventh ACM SIGPLAN international conference on Functional programming
Sound and precise analysis of web applications for injection vulnerabilities
Proceedings of the 2007 ACM SIGPLAN conference on Programming language design and implementation
Environment analysis of higher-order languages
Environment analysis of higher-order languages
Static detection of cross-site scripting vulnerabilities
Proceedings of the 30th international conference on Software engineering
Efficient and extensible security enforcement using dynamic data flow analysis
Proceedings of the 15th ACM conference on Computer and communications security
Exploiting reachability and cardinality in higher-order flow analysis
Journal of Functional Programming
TAJ: effective taint analysis of web applications
Proceedings of the 2009 ACM SIGPLAN conference on Programming language design and implementation
An analysis of the dynamic behavior of JavaScript programs
PLDI '10 Proceedings of the 2010 ACM SIGPLAN conference on Programming language design and implementation
PLDI '10 Proceedings of the 2010 ACM SIGPLAN conference on Programming language design and implementation
ConScript: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser
SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
Proceedings of the 15th ACM SIGPLAN international conference on Functional programming
Shape analysis in the absence of pointers and structure
VMCAI'10 Proceedings of the 11th international conference on Verification, Model Checking, and Abstract Interpretation
Sound and precise malware analysis for android via pushdown reachability and entry-point saturation
Proceedings of the Third ACM workshop on Security and privacy in smartphones & mobile devices
| Hi-index | 0.00 |
As web applications have grown in popularity, so have attacks on such applications. Cross-site scripting and injection attacks have become particularly problematic. Both vulnerabilities stem, at their core, from improper sanitization of user input. We propose static taint analysis, which can verify the absence of unsanitized input errors at compile-time. Unfortunately, precise static analysis of modern scripting languages like Python is challenging: higher-orderness and complex control-flow collide with opaque, dynamic data structures like hash maps and objects. The interdependence of data-flow and control-flow make it hard to attain both soundness and precision. In this work, we apply abstract interpretation to sound and precise taint-style static analysis of scripting languages. We first define λH, a core calculus of modern scripting languages, with hash maps, dynamic objects, higher-order functions and first class control. Then we derive a framework of k-CFA-like CESK-style abstract machines for statically reasoning about λH, but with hash maps factored into a "Curried Object store." The Curried object store---and shape analysis on this store---allows us to recover field sensitivity, even in the presence of dynamically modified fields. Lastly, atop this framework, we devise a taint-flow analysis, leveraging its field-sensitive, interprocedural and context-sensitive properties to soundly and precisely detect security vulnerabilities, like XSS attacks in web applications. We have prototyped the analytical framework for Python, and conducted preliminary experiments with web applications. A low rate of false alarms demonstrates the promise of this approach.