A Brief Survey of Related Work

In this chapter we provide a brief survey of related research work. We first give an overview of alternative approaches to string analysis, followed by a discussion of recent work on string constraint solvers. We then discuss the application of string analysis and string constraint solving techniques to bug and vulnerability detection in web applications. We conclude the chapter with a discussion of differential analysis and program repair techniques.
