Relational String Verification Using Multi-track Automata

Verification of string manipulation operations is a crucial problem in computer security. In this paper, we present a new relational string verification technique based on multi-track automata. Our approach is capable of verifying properties that depend on relations among string variables. This enables us to prove that vulnerabilities that result from improper string manipulation do not exist in a given program. Our main contributions in this paper can be summarized as follows: (1) We formally characterize the string verification problem as the reachability analysis of string systems and show decidability/undecidability results for several string analysis problems. (2) We develop a sound symbolic analysis technique for string verification that over-approximates the reachable states of a given string system using multi-track automata and summarization. (3) We evaluate the presented techniques with respect to several string analysis benchmarks extracted from real web applications.
