A String Constraint Solver for Detecting Web Application Vulnerability

Given the bytecode of a software system, is it possible to automatically generate attack signatures that reveal its vulnerabilities? A natural solution would be to symbolically execute the target system and construct constraints that match path conditions against attack patterns. Clearly, the constraint solving technique is the key to this research. This paper presents Simple Linear String Equation (SISE), a formalism for specifying constraints on strings. SISE uses finite state transducers to precisely model various regular replacement operations, which makes it applicable to analyzing text processing programs such as web applications. We present a recursive algorithm that computes the solution pool of a SISE. Given the solution pool, a concrete variable solution can be generated. The algorithm is implemented in a Java constraint solver called SUSHI, which is applied to the security analysis of web applications.
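As an added illustration of the idea the abstract describes (this is not the paper's SISE formalism or SUSHI code), the Python below models a single-character regular replacement as a one-state finite state transducer, builds an automaton for an attack pattern, and searches the product of the two for an input whose sanitized output still contains the pattern; the toy sanitizers, alphabet and function names are my own assumptions, and the solver is a backward pre-image search rather than the paper's recursive algorithm.

```python
from collections import deque

# Constructed toy alphabet: characters of the attack pattern and replacements, plus letters.
ALPHABET = sorted(set('<script&lt;"quo;xy'))

def escape_transducer(ch, replacement):
    """One-state FST for replace(x, ch, replacement): (start, delta), delta(s, c) -> (output, s')."""
    return 0, (lambda state, c: (replacement if c == ch else c, 0))

def substring_dfa(needle):
    """DFA for Sigma* needle Sigma* (KMP-style): state k = longest prefix of needle
    that is a suffix of the text read so far; returns (step, accepting_state)."""
    n = len(needle)
    def step(state, c):
        if state == n:                      # already matched, stay accepting
            return n
        seen = needle[:state] + c
        for k in range(min(len(seen), n), 0, -1):
            if needle[:k] == seen[-k:]:
                return k
        return 0
    return step, n

def solve(transducer, needle, alphabet):
    """Backward solving: an input x with needle in replace(x), or None if unsat.
    BFS over product states (transducer state, DFA state); the first accepting
    state reached yields a shortest witness, i.e. a concrete variable solution."""
    step, accept = substring_dfa(needle)
    t_start, delta = transducer
    parent = {(t_start, 0): None}           # product state -> (predecessor, input char)
    queue = deque([(t_start, 0)])
    while queue:
        cur = queue.popleft()
        if cur[1] == accept:                # attack pattern reachable: rebuild x
            chars, node = [], cur
            while parent[node] is not None:
                node, c = parent[node]
                chars.append(c)
            return "".join(reversed(chars))
        for c in alphabet:
            piece, t_next = delta(cur[0], c)
            d_next = cur[1]
            for o in piece:                 # feed the sanitizer's *output* to the DFA
                d_next = step(d_next, o)
            nxt = (t_next, d_next)
            if nxt not in parent:
                parent[nxt] = (cur, c)
                queue.append(nxt)
    return None
```

A sanitizer that rewrites `<` to `&lt;` leaves the solution pool empty for the pattern `<script`, while one that only escapes `"` admits the witness input `<script`, which is the kind of signature the abstract's solver is meant to produce.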
