Title :
Patching vulnerabilities with sanitization synthesis
Author :
Yu, Fang ; Alkhalaf, Muath ; Bultan, Tevfik
Author_Institution :
Nat. Chengchi Univ., Taipei, Taiwan
Abstract :
We present automata-based static string analysis techniques that automatically generate sanitization statements for patching vulnerable web applications. Our approach consists of three phases: Given an attack pattern, we first conduct a vulnerability analysis to identify if strings that match the attack pattern can reach the security-sensitive functions. Next, we compute vulnerability signatures that characterize all input strings that can exploit the discovered vulnerability. Given the vulnerability signatures, we then construct sanitization statements that 1) check if a given input matches the vulnerability signature and 2) modify the input in a minimal way so that the modified input does not match the vulnerability signature. Our approach is capable of generating relational vulnerability signatures (and corresponding sanitization statements) for vulnerabilities that are due to more than one input.
Keywords :
Internet; automata theory; program diagnostics; security of data; automata-based static string analysis techniques; automatic sanitization statement generation; security-sensitive functions; vulnerability signatures; vulnerable Web application patching; Approximation methods; Automata; Doped fiber amplifiers; Impedance matching; Input variables; Reachability analysis; Security; automata; sanitization synthesis; string analysis;
Conference_Title :
Software Engineering (ICSE), 2011 33rd International Conference on
Conference_Location :
Honolulu, HI
Print_ISBN :
978-1-4503-0445-0
Electronic_ISBN :
0270-5257
DOI :
10.1145/1985793.1985828