Abstracting Symbolic Execution with String Analysis

Shannon, Daryl; Hajra, Sukant; Lee, Alison; Zhan, Daiqian; Khurshid, Sarfraz

doi:10.1109/taicpart.2007.4344094

Cited by 17 publications

(28 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…There are also several other string analysis tools that use symbolic string analysis based on DFA encodings [18], [5], [23]. Some of them are based on symbolic execution and use a DFA representation to model and verify the string manipulation operations in Java programs [18], [5].…”

Section: Related Workmentioning

confidence: 99%

Verifying client-side input validation functions using string analysis

Alkhalaf¹,

Bultan²,

Gallegos³

2012

2012 34th International Conference on Software Engineering (ICSE)

View full text Add to dashboard Cite

Abstract-Client-side computation in web applications is becoming increasingly common due to the popularity of powerful client-side programming languages such as JavaScript. Clientside computation is commonly used to improve an application's responsiveness by validating user inputs before they are sent to the server. In this paper, we present an analysis technique for checking if a client-side input validation function conforms to a given policy. In our approach, input validation policies are expressed using two regular expressions, one specifying the maximum policy (the upper bound for the set of inputs that should be allowed) and the other specifying the minimum policy (the lower bound for the set of inputs that should be allowed). Using our analysis we can identify two types of errors 1) the input validation function accepts an input that is not permitted by the maximum policy, or 2) the input validation function rejects an input that is permitted by the minimum policy. We implemented our analysis using dynamic slicing to automatically extract the input validation functions from web applications and using automata-based string analysis to analyze the extracted functions. Our experiments demonstrate that our approach is effective in finding errors in input validation functions that we collected from real-world applications and from tutorials and books for teaching JavaScript.

show abstract

Section: Related Workmentioning

confidence: 99%

Verifying client-side input validation functions using string analysis

Alkhalaf¹,

Bultan²,

Gallegos³

2012

2012 34th International Conference on Software Engineering (ICSE)

View full text Add to dashboard Cite

show abstract

“…We use restrict to denote the restriction of a string value in order to model branch conditions. For instance, considering a branch condition v = e, where e is a regular expression, we add restrict(v, e) at the beginning of the truth branch and restrict(v,ē) at the beginning of the false branch whereē indicates to restrict the string values of v to the complement set of e. A similar idea has been discussed in [15]. Finally, we use input to denote a read operation, where a string variable is assigned a value provided by a user.…”

Section: Automata-based String Analysismentioning

confidence: 99%

“…Wassermann et al [18] proposed a static analysis to detect SQL injections following Minamide [13]. There are some other tools for string analysis [6,9,15,19]. Shannon et al [15] propose forward bounded symbolic execution to perform string analysis on Java programs.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Symbolic String Verification: An Automata-Based Approach

Bultan

Cova

et al.

Model Checking Software

View full text Add to dashboard Cite

Abstract. We present an automata-based approach for the verification of string operations in PHP programs based on symbolic string analysis. String analysis is a static analysis technique that determines the values that a string expression can take during program execution at a given program point. This information can be used to verify that string values are sanitized properly and to detect programming errors and security vulnerabilities. In our string analysis approach, we encode the set of string values that string variables can take as automata. We implement all string functions using a symbolic automata representation (MBDD representation from the MONA automata package) and leverage efficient manipulations on MBDDs, e.g., determinization and minimization. Particularly, we propose a novel algorithm for language-based replacement. Our replacement function takes three DFAs as arguments and outputs a DFA. Finally, we apply a widening operator defined on automata to approximate fixpoint computations. If this conservative approximation does not include any bad patterns (specified as regular expressions), we conclude that the program does not contain any errors or vulnerabilities. Our experimental results demonstrate that our approach works quite well in checking the correctness of sanitization operations in real-world PHP applications.

show abstract

“…Strings form a fundamental data type used in most programming languages. Recently, a number of techniques producing string constraints have been suggested for automatic testing [8,1] and program verification [16]. String-constraint solvers are used in many testing and analysis tools [5,2,6,15,23].…”

Section: Introductionmentioning

confidence: 99%

On Unfolding for Programs Using Strings as a Data Type

Nemytykh¹

EPiC Series in Computing

View full text Add to dashboard Cite

As a rule, program transformation methods based on operational semantics unfold a semantic tree of a given program. Sometimes that allows ones to optimize the program or to automatically prove its certain properties. Unfolding is one of the basic operations, which is a meta-extension of one step of the abstract machine executing the program. This paper is interested in unfolding for programs based on pattern matching and manipulating the strings. The corresponding computation model originates with Markov's normal algorithms and extends this theoretical base. Even though algorithms unfolding programs were being intensively studied for a long time in the context of variety of programming languages, as far as we know, the associative concatenation was stood at the wayside of the stream. We define a class of term rewriting systems manipulating with strings and describe an algorithm unfolding the programs from the class. The programming language defined by this class is Turing-complete. The pattern language of the program class in turn fixes a class of word equations. Given an equation from the class, one of the algorithms suggested in this paper results in a description of the corresponding solution set.

show abstract

Abstracting Symbolic Execution with String Analysis

Cited by 17 publications

References 17 publications

Verifying client-side input validation functions using string analysis

Verifying client-side input validation functions using string analysis

Symbolic String Verification: An Automata-Based Approach

On Unfolding for Programs Using Strings as a Data Type

Contact Info

Product

Resources

About