A Hybrid Vulnerability Analysis Tool Using a Risk Evaluation Technique

Park, Jae-Pyo; Choo, Yeunsoo; Lee, Jonghee

doi:10.1007/s11277-018-5959-z

Cited by 3 publications

(4 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…DAST approach detailing is not as much as agreeable in various examples. From the existing study RanWang et al [82], Park et al [83] are useful approaches in dynamic Analysis. The methods of dynamic analysis are summarized year-wise shows in Fig.…”

Section: ) Discussionmentioning

confidence: 99%

“…They modify all JavaScript highlights and DOM APIs to corrupt the rendering procedure of programs and vectors are inferred to check the vulnerabilities naturally. In the recent study Park, et al [83], a vulnerability detection technique is proposed that develops and manages safe applications and can resolve and analyze these problems. They developed a prototype analysis tool using our technique to test the application's vulnerability-detection ability, and show our proposed technique is superior to existing ones.…”

Section: Fuzzing and Dynamic Analysismentioning

confidence: 99%

See 1 more Smart Citation

A Survey on Detection and Prevention of Web Vulnerabilities

Noman¹,

Iqbal²,

Manzoor³

2020

IJACSA

View full text Add to dashboard Cite

The Internet provides a vast range of benefits to society and empowers the users in a variety of ways to use web applications. Simply, the internet has become the most transformative and fast-growing technology ever built, but it also brings new security challenges to web services in internet applications because of the scattered and open nature of the internet. A simple vulnerability in the program code could favor/benefit an attacker to obtain unauthorized access and perform adversary actions. Hence, the security of web applications from a hacking attempt is of paramount importance. This paper focuses on a literature survey recapitulating security solutions and major vulnerabilities to promote further research by systemizing the existing methods, on a bigger horizon. The data is collected from an absolute of 86 primary studies that are taken from well-known digital libraries. Different methods comprising secure programming, static, Dynamic, Hybrid analysis, and machine learning classify the data from articles. The quantity of references or the significance of a developing strategy is kept in account while selecting articles. Overall, our survey suggests that there is no way to alleviate all the web vulnerabilities therefore more studies is desirable in the area of web information security. All methods' complexity is addressed and some recommendations regarding when to use the application of given methods are provided. Finally, we typify the experience gained and examine future research openings in web application security.

show abstract

Section: ) Discussionmentioning

confidence: 99%

Section: Fuzzing and Dynamic Analysismentioning

confidence: 99%

A Survey on Detection and Prevention of Web Vulnerabilities

Noman¹,

Iqbal²,

Manzoor³

2020

IJACSA

View full text Add to dashboard Cite

show abstract

“…For memory deallocation primitive, the mutation space of its parameter addr contains the addresses of all the allocated and deallocated chunks in the current state. For the writing primitive, the mutation space of its parameter addr contains the addresses to be controlled in the target state (the definition of target state will be given later), and the mutation space of width is the set [1,2,4,8,16,32,64,128]. en, we input these mutated MOPs into the heap allocator model one by one and process them according to the mapping relationship to obtain the final new program state.…”

Section: Heap Allocator Modelmentioning

confidence: 99%

“…In recent years, due to the deployment of mitigation mechanisms for stack-based vulnerabilities and compiler-level inspections, stack exploits have become increasingly more difficult to execute against hardened programs [5,6]. However, there are still a large number of heap-based vulnerabilities in software written in insecure programming languages such as C and C++ [7][8][9]. ese heap vulnerabilities increase the possibility of malicious attacks and pose a serious threat to software security [10].…”

Section: Introductionmentioning

confidence: 99%

A Pattern-Based Software Testing Framework for Exploitability Evaluation of Metadata Corruption Vulnerabilities

Deng

Wang

Zhang

et al. 2020

Scientific Programming

View full text Add to dashboard Cite

In recent years, increased attention is being given to software quality assurance and protection. With considerable verification and protection schemes proposed and deployed, today’s software unfortunately still fails to be protected from cyberattacks, especially in the presence of insecure organization of heap metadata. In this paper, we aim to explore whether heap metadata could be corrupted and exploited by cyberattackers, in an attempt to assess the exploitability of vulnerabilities and ensure software quality. To this end, we propose RELAY, a software testing framework to simulate human exploitation behavior for metadata corruption at the machine level. RELAY employs the heap layout serialization method to construct exploit patterns from human expertise and decomposes complex exploit-solving problems into a series of intermediate state-solving subproblems. With the heap layout procedural method, RELAY makes use of the fewer resources consumed to solve a layout problem according to the exploit pattern, activates the intermediate state, and generates the final exploit. Additionally, RELAY can be easily extended and can continuously assimilate human knowledge to enhance its ability for exploitability evaluation. Using 20 CTF&RHG programs, we then demonstrate that RELAY has the ability to evaluate the exploitability of metadata corruption vulnerabilities and works more efficiently compared with other state-of-the-art automated tools.

show abstract