Title :
Towards a Hybrid Framework for Detecting Input Manipulation Vulnerabilities
Author :
Sun Ding ; Hee Beng Kuan Tan ; Lwin Khin Shar ; Padmanabhuni, Bindu Madhavi
Author_Institution :
Sch. of Electr. & Electron. Eng., Nanyang Technol. Univ., Singapore, Singapore
Abstract :
Input manipulation vulnerabilities such as SQL injection, cross-site scripting, and buffer overflow are highly prevalent and pose critical security risks. As a result, many methods have been proposed that apply static analysis, dynamic analysis, or a combination of them to detect such security vulnerabilities. Most of the existing methods classify vulnerabilities into safe and unsafe, and they have both false-positive and false-negative cases. In general, a security vulnerability can be classified into three cases: (1) provable safe, (2) provable unsafe, (3) unsure. In this paper, we propose a hybrid framework, Detecting Input Manipulation Vulnerabilities (DIMV), to verify the adequacy of security vulnerability defenses for input manipulation vulnerabilities by integrating formal verification with vulnerability prediction in a seamless way. The verification part takes into account sink predicates and the effect of domain and custom specifications for detecting input manipulation vulnerabilities. Proving from specification is used as far as possible. Cases that cannot be proved are then predicted from the signatures mined. Our evaluation shows the practicality of the proposed framework.
Keywords :
formal verification; program diagnostics; security of data; DIMV; SQL injection; buffer overflow vulnerabilities; critical security risks; cross-site scripting; custom specifications; detecting input manipulation vulnerabilities; domain specifications; dynamic analysis; false-negative vulnerabilities; false-positive vulnerabilities; formal verification; hybrid framework; provable safe; safe vulnerabilities; security vulnerability defenses; sink predicates; static analysis; vulnerability prediction; Buffer overflows; Data mining; Databases; Educational institutions; Formal verification; Security; Software; Vulnerability detection; data mining; formal verification; framework; input manipulation vulnerabilities; input validation; prediction; specification; verification;
Conference_Title :
Software Engineering Conference (APSEC), 2013 20th Asia-Pacific
Conference_Location :
Bangkok
Print_ISBN :
978-1-4799-2143-0
DOI :
10.1109/APSEC.2013.56