Programming Perl (2nd ed.)
Interconvertbility of set constraints and context-free language reachability
PEPM '97 Proceedings of the 1997 ACM SIGPLAN symposium on Partial evaluation and semantics-based program manipulation
An efficient context-free parsing algorithm
Communications of the ACM
Flow-sensitive type qualifiers
PLDI '02 Proceedings of the ACM SIGPLAN 2002 Conference on Programming language design and implementation
XDuce: A Typed XML Processing Language (Preliminary Report)
Selected papers from the Third International Workshop WebDB 2000 on The World Wide Web and Databases
Countering code-injection attacks with instruction-set randomization
Proceedings of the 10th ACM conference on Computer and communications security
An efficient compiler for weighted rewrite rules
ACL '96 Proceedings of the 34th annual meeting on Association for Computational Linguistics
Securing web application code by static analysis and runtime protection
Proceedings of the 13th international conference on World Wide Web
Cloning-based context-sensitive pointer alias analysis using binary decision diagrams
Proceedings of the ACM SIGPLAN 2004 conference on Programming language design and implementation
Static Checking of Dynamically Generated Queries in Database Applications
Proceedings of the 26th International Conference on Software Engineering
Grammar-based analysis of string expressions
TLDI '05 Proceedings of the 2005 ACM SIGPLAN international workshop on Types in languages design and implementation
Static approximation of dynamically generated Web pages
WWW '05 Proceedings of the 14th international conference on World Wide Web
Context-sensitive program analysis as database queries
Proceedings of the twenty-fourth ACM SIGMOD-SIGACT-SIGART symposium on Principles of database systems
Finding application errors and security flaws using PQL: a program query language
OOPSLA '05 Proceedings of the 20th annual ACM SIGPLAN conference on Object-oriented programming, systems, languages, and applications
AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks
Proceedings of the 20th IEEE/ACM international Conference on Automated software engineering
Using parse tree validation to prevent SQL injection attacks
SEM '05 Proceedings of the 5th international workshop on Software engineering and middleware
The essence of command injection attacks in web applications
Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper)
SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Precise alias analysis for static detection of web application vulnerabilities
Proceedings of the 2006 workshop on Programming languages and analysis for security
Using positive tainting and syntax-aware evaluation to counter SQL injection attacks
Proceedings of the 14th ACM SIGSOFT international symposium on Foundations of software engineering
Finding security vulnerabilities in java applications with static analysis
SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Taint-enhanced policy enforcement: a practical approach to defeat a wide range of attacks
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Static detection of security vulnerabilities in scripting languages
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Precise analysis of string expressions
SAS'03 Proceedings of the 10th international conference on Static analysis
Static analysis for java servlets and JSP
SAS'06 Proceedings of the 13th international conference on Static Analysis
Defending against injection attacks through context-sensitive string evaluation
RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
Hang analysis: fighting responsiveness bugs
Proceedings of the 3rd ACM SIGOPS/EuroSys European Conference on Computer Systems 2008
Better abstractions for secure server-side scripting
Proceedings of the 17th international conference on World Wide Web
Static detection of cross-site scripting vulnerabilities
Proceedings of the 30th international conference on Software engineering
Grammar-based whitebox fuzzing
Proceedings of the 2008 ACM SIGPLAN conference on Programming language design and implementation
Dynamic test input generation for web applications
ISSTA '08 Proceedings of the 2008 international symposium on Software testing and analysis
Finding bugs in dynamic web applications
ISSTA '08 Proceedings of the 2008 international symposium on Software testing and analysis
Symbolic String Verification: An Automata-Based Approach
SPIN '08 Proceedings of the 15th international workshop on Model Checking Software
Security benchmarking using partial verification
HOTSEC'08 Proceedings of the 3rd conference on Hot topics in security
Automatic generation of XSS and SQL injection attacks with goal-directed model checking
SS'08 Proceedings of the 17th conference on Security symposium
Automated Software Engineering
TAJ: effective taint analysis of web applications
Proceedings of the 2009 ACM SIGPLAN conference on Programming language design and implementation
A decision procedure for subset constraints over regular languages
Proceedings of the 2009 ACM SIGPLAN conference on Programming language design and implementation
Modular string-sensitive permission analysis with demand-driven precision
ICSE '09 Proceedings of the 31st International Conference on Software Engineering
Automatic creation of SQL Injection and cross-site scripting attacks
ICSE '09 Proceedings of the 31st International Conference on Software Engineering
Locating need-to-translate constant strings for software internationalization
ICSE '09 Proceedings of the 31st International Conference on Software Engineering
TranStrL: An automatic need-to-translate string locator for software internationalization
ICSE '09 Proceedings of the 31st International Conference on Software Engineering
HAMPI: a solver for string constraints
Proceedings of the eighteenth international symposium on Software testing and analysis
Abstract Parsing: Static Analysis of Dynamically Generated String Output Using LR-Parsing Technology
SAS '09 Proceedings of the 16th International Symposium on Static Analysis
Abstract parsing for two-staged languages with concatenation
GPCE '09 Proceedings of the eighth international conference on Generative programming and component engineering
Improving application security with data flow assertions
Proceedings of the ACM SIGOPS 22nd symposium on Operating systems principles
A hybrid analysis framework for detecting web application vulnerabilities
IWSESS '09 Proceedings of the 2009 ICSE Workshop on Software Engineering for Secure Systems
User-input dependence analysis via graph reachability
User-input dependence analysis via graph reachability
CANDID: Dynamic candidate evaluations for automatic prevention of SQL injection attacks
ACM Transactions on Information and System Security (TISSEC)
Using an Evolutionary Neural Network for web intrusion detection
AIA '08 Proceedings of the 26th IASTED International Conference on Artificial Intelligence and Applications
A solution for the automated detection of clickjacking attacks
ASIACCS '10 Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security
Efficient, context-sensitive detection of real-world semantic attacks
PLAS '10 Proceedings of the 5th ACM SIGPLAN Workshop on Programming Languages and Analysis for Security
Static analysis for detecting taint-style vulnerabilities in web applications
Journal of Computer Security
Dartmouth internet security testbed (DIST: building a campus-wide wireless testbed
CSET'09 Proceedings of the 2nd conference on Cyber security experimentation and test
Solving string constraints lazily
Proceedings of the IEEE/ACM international conference on Automated software engineering
Symbolic security analysis of ruby-on-rails web applications
Proceedings of the 17th ACM conference on Computer and communications security
Proceedings of the 17th ACM conference on Computer and communications security
Locating need-to-translate constant strings in web applications
Proceedings of the eighteenth ACM SIGSOFT international symposium on Foundations of software engineering
Phantm: PHP analyzer for type mismatch
Proceedings of the eighteenth ACM SIGSOFT international symposium on Foundations of software engineering
The case for software evolution
Proceedings of the FSE/SDP workshop on Future of software engineering research
Runtime instrumentation for precise flow-sensitive type analysis
RV'10 Proceedings of the First international conference on Runtime verification
An evaluation of automata algorithms for string analysis
VMCAI'11 Proceedings of the 12th international conference on Verification, model checking, and abstract interpretation
Code-motion for API migration: fixing SQL injection vulnerabilities in Java
Proceedings of the 4th Workshop on Refactoring Tools
Patching vulnerabilities with sanitization synthesis
Proceedings of the 33rd International Conference on Software Engineering
Tainted flow analysis on e-SSA-form programs
CC'11/ETAPS'11 Proceedings of the 20th international conference on Compiler construction: part of the joint European conferences on theory and practice of software
Conformance verification of privacy policies
WS-FM'10 Proceedings of the 7th international conference on Web services and formal methods
Path- and index-sensitive string analysis based on monadic second-order logic
Proceedings of the 2011 International Symposium on Software Testing and Analysis
Saving the world wide web from vulnerable JavaScript
Proceedings of the 2011 International Symposium on Software Testing and Analysis
PHP Aspis: using partial taint tracking to protect against injection attacks
WebApps'11 Proceedings of the 2nd USENIX conference on Web application development
Towards client-side HTML security policies
HotSec'11 Proceedings of the 6th USENIX conference on Hot topics in security
Fast and precise sanitizer analysis with BEK
SEC'11 Proceedings of the 20th USENIX conference on Security
Static detection of access control vulnerabilities in web applications
SEC'11 Proceedings of the 20th USENIX conference on Security
HAMPI: a string solver for testing, analysis and vulnerability detection
CAV'11 Proceedings of the 23rd international conference on Computer aided verification
String abstractions for string verification
Proceedings of the 18th international SPIN conference on Model checking software
Preventing web application injections with complementary character coding
ESORICS'11 Proceedings of the 16th European conference on Research in computer security
RoleCast: finding missing security checks when you do not know what checks are
Proceedings of the 2011 ACM international conference on Object oriented programming systems languages and applications
Model checking dataflow for malicious input
WESS '11 Proceedings of the Workshop on Embedded Systems Security
Formal modeling
Defining code-injection attacks
POPL '12 Proceedings of the 39th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Automatically preparing safe SQL queries
FC'10 Proceedings of the 14th international conference on Financial Cryptography and Data Security
SAFERPHP: finding semantic vulnerabilities in PHP applications
Proceedings of the ACM SIGPLAN 6th Workshop on Programming Languages and Analysis for Security
STRANGER: an automata-based string analysis tool for PHP
TACAS'10 Proceedings of the 16th international conference on Tools and Algorithms for the Construction and Analysis of Systems
Quo vadis? a study of the evolution of input validation vulnerabilities in web applications
FC'11 Proceedings of the 15th international conference on Financial Cryptography and Data Security
Mitigating program security vulnerabilities: Approaches and challenges
ACM Computing Surveys (CSUR)
Automated code injection prevention for web applications
TOSCA'11 Proceedings of the 2011 international conference on Theory of Security and Applications
Automated web application testing using search based software engineering
ASE '11 Proceedings of the 2011 26th IEEE/ACM International Conference on Automated Software Engineering
A practical solution for achieving language compatibility in scripting language compilers
Science of Computer Programming
An empirical analysis of input validation mechanisms in web applications and languages
Proceedings of the 27th Annual ACM Symposium on Applied Computing
Hash-flow taint analysis of higher-order programs
Proceedings of the 7th Workshop on Programming Languages and Analysis for Security
Proceedings of the 2012 International Symposium on Software Testing and Analysis
Verifying client-side input validation functions using string analysis
Proceedings of the 34th International Conference on Software Engineering
Type-Based enforcement of secure programming guidelines -- code injection prevention at SAP
FAST'11 Proceedings of the 8th international conference on Formal Aspects of Security and Trust
HAMPI: A solver for word equations over strings, regular expressions, and context-free grammars
ACM Transactions on Software Engineering and Methodology (TOSEM)
Leveraging "choice" to automate authorization hook placement
Proceedings of the 2012 ACM conference on Computer and communications security
Automating presentation changes in dynamic web applications via collaborative hybrid analysis
Proceedings of the ACM SIGSOFT 20th International Symposium on the Foundations of Software Engineering
SQL injection detection via program tracing and machine learning
IDCS'12 Proceedings of the 5th international conference on Internet and Distributed Computing Systems
An empirical study on the effectiveness of security code review
ESSoS'13 Proceedings of the 5th international conference on Engineering Secure Software and Systems
ANDROMEDA: accurate and scalable security analysis of web applications
FASE'13 Proceedings of the 16th international conference on Fundamental Approaches to Software Engineering
Unbounded model-checking with interpolation for regular language constraints
TACAS'13 Proceedings of the 19th international conference on Tools and Algorithms for the Construction and Analysis of Systems
Mining SQL injection and cross site scripting vulnerabilities using hybrid program analysis
Proceedings of the 2013 International Conference on Software Engineering
Path sensitive static analysis of web applications for remote code execution vulnerability detection
Proceedings of the 2013 International Conference on Software Engineering
Making automated testing of cloud applications an integral component of PaaS
Proceedings of the 4th Asia-Pacific Workshop on Systems
Analyzing and defending against web-based malware
ACM Computing Surveys (CSUR)
Diglossia: detecting code injection attacks with precision and efficiency
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
25 million flows later: large-scale detection of DOM-based XSS
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
deDacota: toward preventing server-side XSS via automatic code and data separation
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Path- and index-sensitive string analysis based on monadic second-order logic
ACM Transactions on Software Engineering and Methodology (TOSEM) - Testing, debugging, and error handling, formal methods, lifecycle concerns, evolution and maintenance
Word equations with length constraints: what's decidable?
HVC'12 Proceedings of the 8th international conference on Hardware and Software: verification and testing
A survey on server-side approaches to securing web applications
ACM Computing Surveys (CSUR)
Efficient static checker for tainted variable attacks
Science of Computer Programming
Proceedings of the 23rd international conference on World wide web
Automata-based symbolic string analysis for vulnerability detection
Formal Methods in System Design
Hi-index | 0.00 |
Web applications are popular targets of security attacks. One common type of such attacks is SQL injection, where an attacker exploits faulty application code to execute maliciously crafted database queries. Bothstatic and dynamic approaches have been proposed to detect or prevent SQL injections; while dynamic approaches provide protection for deployed software, static approaches can detect potential vulnerabilities before software deployment. Previous static approaches are mostly based on tainted information flow tracking and have at least some of the following limitations: (1) they do not model the precise semantics of input sanitization routines; (2) they require manually written specifications, either for each query or for bug patterns; or (3) they are not fully automated and may require user intervention at various points in the analysis. In this paper, we address these limitations by proposing a precise, sound, and fully automated analysis technique for SQL injection. Our technique avoids the need for specifications by consideringas attacks those queries for which user input changes the intended syntactic structure of the generated query. It checks conformance to this policy byconservatively characterizing the values a string variable may assume with a context free grammar, tracking the nonterminals that represent user-modifiable data, and modeling string operations precisely as language transducers. We have implemented the proposed technique for PHP, the most widely-used web scripting language. Our tool successfully discovered previously unknown and sometimes subtle vulnerabilities in real-world programs, has a low false positive rate, and scales to large programs (with approx. 100K loc).