Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications

Balzarotti, Davide; Cova, Marco; Felmetsger, Viktoria; Jovanović, Nenad; Kirda, Engin; Kruegel, Christopher; Vigna, Giovanni

doi:10.1109/sp.2008.22

Cited by 258 publications

(229 citation statements)

References 29 publications

(28 reference statements)

Supporting

Mentioning

224

Contrasting

Unclassified

Order By: Relevance

“…Many existing works try to reason about missing and/or insufficient validation to detect as well as prevent these problems e.g., [15][16][17][18][19][20]. The goal of WAVES is orthogonal to these prior works, because it allows the developer to devote the entirety of her input validation development to the server and rest assured that the client validation code will be correct by construction.…”

Section: Improper Input Validationmentioning

confidence: 99%

WAVES: Automatic Synthesis of Client-Side Validation Code for Web Applications

Skrupsky

Monshizadeh

Bisht

et al. 2012

2012 International Conference on Cyber Security

View full text Add to dashboard Cite

The current practice of web application development treats the client and server components of the application as two separate but interacting pieces of software. Each component is written independently, usually in distinct programming languages and development platforms -a process known to be prone to errors when the client and server share application logic. When the client and server are out of sync, an "impedance mismatch" occurs, often leading to software vulnerabilities as demonstrated by recent work on parameter tampering. This paper outlines the groundwork for a new software development approach, WAVES, where developers author the server-side application logic and rely on tools to automatically synthesize the corresponding client-side application logic. WAVES employs program analysis techniques to extract a logical specification from the server, from which it synthesizes client code. WAVES also synthesizes interactive client interfaces that include asynchronous callbacks whose performance and coverage rival that of manually written clients while ensuring no new security vulnerabilities are introduced. The effectiveness of WAVES is demonstrated and evaluated on three real-world web applications.

show abstract

Section: Improper Input Validationmentioning

confidence: 99%

WAVES: Automatic Synthesis of Client-Side Validation Code for Web Applications

Skrupsky

Monshizadeh

Bisht

et al. 2012

2012 International Conference on Cyber Security

View full text Add to dashboard Cite

show abstract

“…We believe that these programs are representative of how web applications use regular expression based replacement functions to modify their input (in particular, in a security context, to perform input sanitization), and, thus, are good test cases for our technique. These vulnerable functions were identified and sanitized by Balzarotti et al in [1,2]. Table 5 shows the results of applying our string analysis tool to these programs.…”

Section: Methodsmentioning

confidence: 99%

“…We also experimented with Saner [1] to check these benchmarks. We discuss this tool in related work.…”

Section: Methodsmentioning

confidence: 99%

See 1 more Smart Citation

Symbolic String Verification: An Automata-Based Approach

Bultan

Cova

et al.

Model Checking Software

Self Cite

View full text Add to dashboard Cite

Abstract. We present an automata-based approach for the verification of string operations in PHP programs based on symbolic string analysis. String analysis is a static analysis technique that determines the values that a string expression can take during program execution at a given program point. This information can be used to verify that string values are sanitized properly and to detect programming errors and security vulnerabilities. In our string analysis approach, we encode the set of string values that string variables can take as automata. We implement all string functions using a symbolic automata representation (MBDD representation from the MONA automata package) and leverage efficient manipulations on MBDDs, e.g., determinization and minimization. Particularly, we propose a novel algorithm for language-based replacement. Our replacement function takes three DFAs as arguments and outputs a DFA. Finally, we apply a widening operator defined on automata to approximate fixpoint computations. If this conservative approximation does not include any bad patterns (specified as regular expressions), we conclude that the program does not contain any errors or vulnerabilities. Our experimental results demonstrate that our approach works quite well in checking the correctness of sanitization operations in real-world PHP applications.

show abstract

“…The Saner project [66] combines a similar static component with an additional dynamic step to find real flaws in sanitizer behavior. The Wassermann and Su implementation [7] extends Minamide's grammar-based analysis [6].…”

Section: End-to-end String Analysismentioning

confidence: 99%

Decision Procedures for String Constraints

Hooimeijer¹

View full text Add to dashboard Cite

String-related defects are among the most prevalent and costly in modern software development. For example, in terms of frequency, cross-site scripting vulnerabilities have long surpassed traditional exploits like buffer overruns. The state of this problem is particularly disconcerting because it does not just affect legacy code: developing web applications today -even when adhering to best practices and using modern library support -remains error-prone.A number of program analysis approaches aim to prevent or mitigate string-related defects; examples include static bug detectors and automated testcase generators. Traditionally, this work has relied on built-in algorithms to reason about string-manipulating code. This arrangement is suboptimal for two reasons: first, it forces researchers to re-invent the wheel for each new analysis; and second, it does not encourage the independent improvement of domain-specific algorithms for handling strings.In this dissertation, we present research on specialized decision algorithms for string constraints.Our high-level approach is to provide a constraint solving interface; a client analysis can use that interface to reason about strings in the same way it might use a SAT solver to reason about binary state. To this end, we identify a set of string constraints that captures common programming language constructs, and permits efficient solving algorithms. We provide a core solving algorithm together with a machine-checkable proof of its correctness.Next, we focus on performance. We evaluate a variety of datastructures and algorithms in a controlled setting to inform our choice of each. Our final approach is based on two insights: (1) string constraints can be cast as an explicit search problem, and (2) to solve these constraints, we can i instantiate the search space lazily through incremental refinement. These insights lead to substantial performance gains relative to competing approaches; our experimental results show our prototype to be several of magnitude faster across several published benchmarks. iv Chapter 1 IntroductionThis dissertation focuses on a common source of software defects: string manipulation. Stringrelated defects are among the most prevalent and costly in modern software development. Reasoning about strings is a key aspect in many types of program analysis work, including static bug finding [1, 5, 6,7] and automated testing [8,9,10,11,12]. Until recently, this work has relied on ad hoc algorithms to formally reason about the values that string variables may take at runtime.That situation is suboptimal for two reasons: first, it forces researchers to re-invent the wheel for each new tool; and second, it does not encourage the independent improvement of domain-specific reasoning for strings.In this dissertation, we focus on the development of algorithms that enable formal reasoning about string operations; we refer to these algorithms as string decision procedures. Informally, a decision procedure is an algorithm that, given an input formula, answe...

show abstract

Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications

Cited by 258 publications

References 29 publications

WAVES: Automatic Synthesis of Client-Side Validation Code for Web Applications

WAVES: Automatic Synthesis of Client-Side Validation Code for Web Applications

Symbolic String Verification: An Automata-Based Approach

Decision Procedures for String Constraints

Contact Info

Product

Resources

About