论文信息 - Vulnerabilities in Bytecode Removed by Analysis, Nuanced Confinement and Diversification (VIBRANCE) - 字舞流文

Vulnerabilities in Bytecode Removed by Analysis, Nuanced Confinement and Diversification (VIBRANCE)

Abstract : The VIBRANCE tool starts with a vulnerable Java application and automatically hardens it against SQL injection, OS command injection, file path traversal, numeric errors, denial of service, and other attacks. For a large class of attacks, the protection added by VIBRANCE blocks the attacks and safely continues execution.

Martin Rinard | Henny B. Sipma | Jeff H. Perkins | Paolo Piselli | Marcel Becker | Matthew Barry | Alessandro Coglio | Stephen Fitzpatrick | Arnaud Venet | Limei Gilham | Eric Bush | Cordell Green | Jordan Eikenberry | Daniel Willenson | Anca Browne | Doug Smith | Eric McCarthy | Douglas Kramm

[1] Ondrej Lhoták,et al. Program analysis using binary decision diagrams , 2006 .

[2] David Grove,et al. Optimization of Object-Oriented Programs Using Static Class Hierarchy Analysis , 1995, ECOOP.

[3] Ondrej Lhoták,et al. Scaling Java Points-to Analysis Using SPARK , 2003, CC.

[4] Angelos D. Keromytis,et al. Using Rescue Points to Navigate Software Recovery , 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[5] Daniel C. DuVarney,et al. Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits , 2003, USENIX Security Symposium.

[6] Patrick Cousot,et al. Systematic design of program analysis frameworks , 1979, POPL.

[7] David Grove,et al. Fast interprocedural class analysis , 1998, POPL '98.

[8] Arnaud Venet. A practical approach to formal software verification by static analysis , 2008, ALET.

[9] David Pichardie,et al. A Provably Correct Stackless Intermediate Representation for Java Bytecode , 2010, APLAS.

[10] Angelos D. Keromytis,et al. SQLrand: Preventing SQL Injection Attacks , 2004, ACNS.

[11] Patrick Cousot,et al. The ASTREÉ Analyzer , 2005, ESOP.

[12] Patrick Cousot,et al. Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints , 1977, POPL.

[13] Laurie J. Hendren,et al. Practical virtual method call resolution for Java , 2000, OOPSLA '00.

[14] Benjamin Livshits,et al. Reflection Analysis for Java , 2005, APLAS.

[15] Alessandro Orso,et al. WASP: Protecting Web Applications Using Positive Tainting and Syntax-Aware Evaluation , 2008, IEEE Transactions on Software Engineering.

[16] Manuel Fähndrich,et al. On the Relative Completeness of Bytecode Analysis Versus Source Code Analysis , 2008, CC.

[17] Mira Mezini,et al. Taming reflection: Aiding static analysis in the presence of reflection and custom class loaders , 2011, 2011 33rd International Conference on Software Engineering (ICSE).

[18] David A. Wagner,et al. Efficient character-level taint tracking for Java , 2009, SWS '09.

[19] David F. Bacon,et al. Fast static analysis of C++ virtual function calls , 1996, OOPSLA '96.

[20] Jens Palsberg,et al. Scalable propagation-based call graph construction algorithms , 2000, OOPSLA '00.

[21] David Grove,et al. A framework for call graph construction algorithms , 2001, TOPL.

[22] Mark N. Wegman,et al. Efficiently computing static single assignment form and the control dependence graph , 1991, TOPL.

[23] D. Levandier,et al. Approved for Public Release; Distribution Unlimited , 1994 .