DocumentCode :
2105193
Title :
Vulnerabilities static detection for Web applications with false positive suppression
Author :
Huang, Jianjun ; Liang, Bin ; Zhong, Jiagui ; Wang, Qianqian ; Cai, Jingjing
Author_Institution :
Key Lab. of Data Eng. & Knowledge Eng., Renmin Univ. of China, Beijing, China
fYear :
2010
fDate :
17-19 Dec. 2010
Firstpage :
574
Lastpage :
577
Abstract :
Web applications are becoming more and more important, and the corresponding security problems have drawn concern. This paper presents TASA, an ASP static analyzer that employs a path-sensitive, inter-procedural and context-sensitive data flow analysis, mainly concerned with taint propagation and sanitization. The paper also discusses some techniques used in TASA to prune false positives, such as sanitization routines modeling, ASP-specific features, alias analysis and path-related routines modeling. Experiments on four open source applications show that TASA has a false positive rate of 4.98% and that it can avoid certain false warnings owing to the proposed approaches.
Keywords :
Internet; data flow analysis; security of data; ASP static analyzer; Web application; context-sensitive data flow analysis; false positive suppression; interprocedural data flow analysis; path-sensitive data flow analysis; propagation; sanitization routines modeling; security problem; vulnerabilities static detection; Analytical models; Browsers; Computer bugs; Detectors; Merging; Portals; Security; ASP; data flow analysis; false positive suppression; vulnerabilities static detection;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Information Theory and Information Security (ICITIS), 2010 IEEE International Conference on
Conference_Location :
Beijing
Print_ISBN :
978-1-4244-6942-0
Type :
conf
DOI :
10.1109/ICITIS.2010.5689529
Filename :
5689529