Abstract. STRANGER is an automata-based string analysis tool for finding and eliminating string-related security vulnerabilities in PHP applications. STRANGER uses symbolic forward and backward reachability analyses to compute the possible values that the string expressions can take during program execution. STRANGER can automatically (1) prove that an application is free from specified attacks or (2) generate vulnerability signatures that characterize all malicious inputs that can be used to generate attacks.
We present automata-based static string analysis techniques that automatically generate sanitization statements for patching vulnerable web applications. Our approach consists of three phases: Given an attack pattern we first conduct a vulnerability analysis to identify if strings that match the attack pattern can reach the security-sensitive functions. Next, we compute vulnerability signatures that characterize all input strings that can exploit the discovered vulnerability. Given the vulnerability signatures, we then construct sanitization statements that 1) check if a given input matches the vulnerability signature and 2) modify the input in a minimal way so that the modified input does not match the vulnerability signature. Our approach is capable of generating relational vulnerability signatures (and corresponding sanitization statements) for vulnerabilities that are due to more than one input.
Web applications are required to follow an interface contract that specifies their expected behaviour when they communicate with a web service. Using the Amazon E-Commerce Service as an example, we show how we can automatically test an implementation for conformance as well as monitor at runtime that each partner fulfils its part of the contract.
The term Asynchronous JavaScript and XML (Ajax) refers to a collection of technologies used to develop rich and interactive web applications. A typical Ajax client runs locally in the user's web browser and refreshes its interface on-the-fly in response to user input. Popular Ajax applications, such as Google Maps and Facebook, communicate in the background with a server: entering information in the Facebook portal sends it to its remote database; dragging Google's map triggers the retrieval of new portions of the image from their server. In many cases, the server's functionality is made publicly available as an instance of a web service and can be freely accessed by any third-party Ajax application. However, this appealing modularity is also the source of one major issue: how can one ensure the interaction between each application and each service proceeds as was intended by their respective providers? Whether for specifying interoperability constraints, business policies or legal guidelines, a good web service has to have a well defined and enforceable interface contract [1].