DocumentCode :
3267083
Title :
Static Detection of Logic Vulnerabilities in Java Web Applications
Author :
Kong, Ying ; Zhang, Yuqing ; Fang, Zhejun ; Liu, Qixu
Author_Institution :
Nat. Comput. Network Intrusion Protection Center, GUCAS, Beijing, China
fYear :
2012
fDate :
25-27 June 2012
Firstpage :
1083
Lastpage :
1088
Abstract :
Logic vulnerabilities occur when mistakes arise in the control flow associated with critical functionalities. We propose a lightweight static analysis approach to detect logic vulnerabilities in Java Web applications. The core idea of our approach is to discover deviant behaviors among duplication samples. Program slicing is leveraged to extract duplicated invocations targeting similar functionalities. Subsequently, path exploration is conducted to split slices into several path-sensitive slices. We then compare the path conditions of any two similar slices and report the slices with abnormal path conditions as logic vulnerabilities. We implemented our approach in a prototype tool named LVD (Logic Vulnerability Detector) and evaluated it on seven real-world applications ranging from thousands of lines of code to the million-line scale. The evaluation results show that our approach achieves greater coverage with acceptable cost and better scalability than previous approaches.
Keywords :
Internet; Java; data flow analysis; program slicing; security of data; Java Web applications; LVD; abnormal path condition; control flow; duplicated invocation extraction; duplication samples; logic vulnerability detector; path exploration; path sensitive slices; program slicing technique; static analysis; static detection; Access control; Approximation methods; Computer bugs; Electronic mail; Java; Navigation; Prototypes; Logic Vulnerabilities; Path Sensitive; Program Slicing; Static Detection;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Trust, Security and Privacy in Computing and Communications (TrustCom), 2012 IEEE 11th International Conference on
Conference_Location :
Liverpool
Print_ISBN :
978-1-4673-2172-3
Type :
conf
DOI :
10.1109/TrustCom.2012.266
Filename :
6296095