论文信息 - Data-flow based vulnerability analysis and java bytecode

Data-flow based vulnerability analysis and java bytecode

The security of information systems has been the focus because of network applications. Vulnerability analysis is widely used to evaluate the security of a system to assure system security. With the help of vulnerability analysis, the security risk of a system can be predicted so that the countermeasures are arranged in advance. These will promote system security effectively. The object of vulnerability analysis is to find out the unknown security holes in a system. It could be helpful to understand the characteristics of security holes and to assess the security risk of a system. Data-flow based analysis shows its predominance in vulnerability analysis because the vulnerability is data-flow dependent. The paper discusses how to use data-flow analysis in vulnerability analysis. The way to apply data-flow analysis in Java bytecode vulnerability analyzing is presented.

Dongxia Wang | Tao Zou | Hua Chen

[1] Steven S. Muchnick,et al. Advanced Compiler Design and Implementation , 1997 .

[2] Benjamin Livshits,et al. Finding Security Vulnerabilities in Java Applications with Static Analysis , 2005, USENIX Security Symposium.

[3] ChessBrian,et al. Dynamic taint propagation , 2008 .

[4] Kendra J Kratkiewicz,et al. Evaluating Static Analysis Tools for Detecting Buffer Overflows in C Code , 2005 .

[5] Grigore Rosu,et al. Java PathExplorer: A Runtime Verification Tool , 2001 .

[6] Alfred V. Aho,et al. Compilers: Principles, Techniques, and Tools , 1986, Addison-Wesley series in computer science / World student series edition.

[7] Benjamin Livshits,et al. Finding application errors and security flaws using PQL: a program query language , 2005, OOPSLA '05.

[8] Chris Anley,et al. Advanced SQL Injection In SQL Server Applications , 2002 .

[9] Michael Franz,et al. Dynamic taint propagation for Java , 2005, 21st Annual Computer Security Applications Conference (ACSAC'05).

[10] José Meseguer,et al. Formal Analysis of Java Programs in JavaFAN , 2004, CAV.

[11] Bill Venners,et al. Inside the Java Virtual Machine , 1997 .

[12] Paul E. Black. SAMATE's Contribution to Information Assurance , 2006 .