Patching vulnerabilities with sanitization synthesis

Yu, Fang; Alkhalaf, Muath; Bultan, Tevfik

doi:10.1145/1985793.1985828

Cited by 46 publications

(30 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…?> directives. The first snippet (lines 9-17) performs initialization and error checking: it uses the built-in function isset to determine whether the script was passed an HTTP GET parameter hl, setting flag $highlight accordingly; it then connects to a MySQL database containing the information to be displayed and sends a query to the database (lines [11][12][13].…”

Section: Background and Overviewmentioning

confidence: 99%

Automated repair of HTML generation errors in PHP applications using string constraint solving

Samirni¹,

Schäfer²,

Artzi³

et al. 2012

2012 34th International Conference on Software Engineering (ICSE)

View full text Add to dashboard Cite

Abstract-PHP web applications routinely generate invalid HTML. Modern browsers silently correct HTML errors, but sometimes malformed pages render inconsistently, cause browser crashes, or expose security vulnerabilities. Fixing errors in generated pages is usually straightforward, but repairing the generating PHP program can be much harder. We observe that malformed HTML is often produced by incorrect constant prints, i.e., statements that print string literals, and present two tools for automatically repairing such HTML generation errors. PHPQuickFix repairs simple bugs by statically analyzing individual prints. PHPRepair handles more general repairs using a dynamic approach. Based on a test suite, the property that all tests should produce their expected output is encoded as a string constraint over variables representing constant prints. Solving this constraint describes how constant prints must be modified to make all tests pass. Both tools were implemented as an Eclipse plugin and evaluated on PHP programs containing hundreds of HTML generation errors, most of which our tools were able to repair automatically.

show abstract

Section: Background and Overviewmentioning

confidence: 99%

Automated repair of HTML generation errors in PHP applications using string constraint solving

Samirni¹,

Schäfer²,

Artzi³

et al. 2012

2012 34th International Conference on Software Engineering (ICSE)

View full text Add to dashboard Cite

show abstract

“…In the future we plan to investigate integration of relational string analysis to our JavaScript string analyzer which would allow us to analyze branch conditions on multiple variables. Another future research direction would be automatically synthesizing fixes to validation functions that violate a given policy using techniques similar to the vulnerability patching techniques presented in [4].…”

Section: Related Workmentioning

confidence: 99%

Verifying client-side input validation functions using string analysis

Alkhalaf¹,

Bultan²,

Gallegos³

2012

2012 34th International Conference on Software Engineering (ICSE)

Self Cite

View full text Add to dashboard Cite

Abstract-Client-side computation in web applications is becoming increasingly common due to the popularity of powerful client-side programming languages such as JavaScript. Clientside computation is commonly used to improve an application's responsiveness by validating user inputs before they are sent to the server. In this paper, we present an analysis technique for checking if a client-side input validation function conforms to a given policy. In our approach, input validation policies are expressed using two regular expressions, one specifying the maximum policy (the upper bound for the set of inputs that should be allowed) and the other specifying the minimum policy (the lower bound for the set of inputs that should be allowed). Using our analysis we can identify two types of errors 1) the input validation function accepts an input that is not permitted by the maximum policy, or 2) the input validation function rejects an input that is permitted by the minimum policy. We implemented our analysis using dynamic slicing to automatically extract the input validation functions from web applications and using automata-based string analysis to analyze the extracted functions. Our experiments demonstrate that our approach is effective in finding errors in input validation functions that we collected from real-world applications and from tutorials and books for teaching JavaScript.

show abstract

“…The alphabet and relation abstractions we present in this paper enable us to improve the performance of the relational string analysis by adjusting its precision. The earlier results on relational string analysis presented by Yu et al [19,21] do not use any abstraction techniques.…”

Section: Related Workmentioning

confidence: 99%

String Abstractions for String Verification

Bultan

Hardekopf

2011

Model Checking Software

Self Cite

View full text Add to dashboard Cite

Abstract. Verifying string manipulating programs is a crucial problem in computer security. String operations are used extensively within web applications to manipulate user input, and their erroneous use is the most common cause of security vulnerabilities in web applications. Unfortunately, verifying string manipulating programs is an undecidable problem in general and any approximate string analysis technique has an inherent tension between efficiency and precision. In this paper we present a set of sound abstractions for strings and string operations that allow for both efficient and precise verification of string manipulating programs. Particularly, we are able to verify properties that involve implicit relations among string variables. We first describe an abstraction called regular abstraction which enables us to perform string analysis using multi-track automata as a symbolic representation. We then introduce two other abstractions-alphabet abstraction and relation abstraction-that can be used in combination to tune the analysis precision and efficiency. We show that these abstractions form an abstraction lattice that generalizes the string analysis techniques studied previously in isolation, such as size analysis or non-relational string analysis. Finally, we empirically evaluate the effectiveness of these abstraction techniques with respect to several benchmarks and an open source application, demonstrating that our techniques can improve the performance without loss of accuracy of the analysis when a suitable abstraction class is selected.

show abstract

Patching vulnerabilities with sanitization synthesis

Cited by 46 publications

References 21 publications

Automated repair of HTML generation errors in PHP applications using string constraint solving

Automated repair of HTML generation errors in PHP applications using string constraint solving

Verifying client-side input validation functions using string analysis

String Abstractions for String Verification

Contact Info

Product

Resources

About