Semantic differential repair for input validation and sanitization

Proceedings of the 28th ACM SIGSOFT International Symposium on Software Testing and Analysis Pub Date : 2014-07-21 DOI:10.1145/2610384.2610401

Muath Alkhalaf, Abdulbaki Aydin, T. Bultan

{"title":"Semantic differential repair for input validation and sanitization","authors":"Muath Alkhalaf, Abdulbaki Aydin, T. Bultan","doi":"10.1145/2610384.2610401","DOIUrl":null,"url":null,"abstract":"Correct validation and sanitization of user input is crucial in web applications for avoiding security vulnerabilities and erroneous application behavior. We present an automated differential repair technique for input validation and sanitization functions. Differential repair can be used within an application to repair client and server-side code with respect to each other, or across applications in order to strengthen the validation and sanitization checks. Given a reference and a target function, our differential repair technique strengthens the validation and sanitization operations in the target function based on the reference function. It does this by synthesizing three patches: a validation, a length, and a sanitization patch. Our automated patch synthesis algorithms are based on forward and backward symbolic string analyses that use automata as a symbolic representation. Composition of the three automatically synthesized patches with the original target function results in the repaired function, which provides stronger validation and sanitization than both the target and the reference functions.","PeriodicalId":20624,"journal":{"name":"Proceedings of the 28th ACM SIGSOFT International Symposium on Software Testing and Analysis","volume":"1 1","pages":"225-236"},"PeriodicalIF":0.0000,"publicationDate":"2014-07-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"43","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 28th ACM SIGSOFT International Symposium on Software Testing and Analysis","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2610384.2610401","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 43

Abstract

Correct validation and sanitization of user input is crucial in web applications for avoiding security vulnerabilities and erroneous application behavior. We present an automated differential repair technique for input validation and sanitization functions. Differential repair can be used within an application to repair client and server-side code with respect to each other, or across applications in order to strengthen the validation and sanitization checks. Given a reference and a target function, our differential repair technique strengthens the validation and sanitization operations in the target function based on the reference function. It does this by synthesizing three patches: a validation, a length, and a sanitization patch. Our automated patch synthesis algorithms are based on forward and backward symbolic string analyses that use automata as a symbolic representation. Composition of the three automatically synthesized patches with the original target function results in the repaired function, which provides stronger validation and sanitization than both the target and the reference functions.

查看原文本刊更多论文

用于输入验证和清理的语义差异修复

在web应用程序中，正确验证和清理用户输入对于避免安全漏洞和错误的应用程序行为至关重要。我们提出了一种用于输入验证和消毒功能的自动差分修复技术。可以在应用程序中使用差异修复来相互修复客户机和服务器端代码，或者跨应用程序修复，以加强验证和清理检查。给定参考和目标函数，我们的微分修复技术在参考函数的基础上加强了目标函数中的验证和消毒操作。它通过合成三个补丁来实现这一点:一个验证补丁、一个长度补丁和一个消毒补丁。我们的自动补丁合成算法基于向前和向后的符号字符串分析，使用自动机作为符号表示。将三个自动合成的patch与原目标函数组合得到修复函数，比目标函数和参考函数具有更强的验证性和清洁性。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings of the 28th ACM SIGSOFT International Symposium on Software Testing and Analysis

自引率

0.00%

发文量