TIAN Yu-hong,WANG Ze-bing,FENG Yan

DOI: https://doi.org/10.3969/j.issn.1000-7024.2006.24.029

2006-01-01

Abstract:The Java virtual machine(JVM)is used more frequently as the basic engine behind dynamic web services.With the proliferation of network attacks on these network resources,much work are done to provide security for the network environment.Little effort has been placed on securing a Java web server where the attacker has a valid login to the host machine.After describing the vulnerabilities in Java's security mechanisms,an extended security system based on Java 2 security architecture is introduced.It also explains the runtime status of system.The increased assurance of correct system operation and the integrity of Java application server are provided.

Zhi-yuan WAN,Bo ZHOU

DOI: https://doi.org/10.3785/j.issn.1008-973x.2015.04.011

2015-01-01

Abstract:An approach based on static information flow tracking was proposed to detect input validation vulnerabilities in order to reduce the false positive rate of vulnerability detection techniques based on static analysis.The approach was implemented on top of the static code analysis tool FindBugs.The performance and precision of our approach were evaluated.Experimental results show that our approach can effectively detect input validation vulnerabilities.The false positive rate of FindBugs was reduced by 55.7% without significantly slowing the performance.

朱辉,沈明星,李善平

DOI: https://doi.org/10.3969/j.issn.1000-3428.2010.10.059

2010-01-01

Abstract:This paper studies the code injection vulnerabilities of Web application,modifies and expands the definition of this kind of vulnerabilities with summarizing and analyzing the features of them,and transforms the causes of vulnerabilities into two kinds of coding errors to present a new test method based on testing the two kinds of coding errors.Experimental result shows that the test method can test all the code injection vulnerabilities of Web application effectively with less test workload.

Jun Zhu,Jing Xie,Heather Richter Lipford,Bill Chu

DOI: https://doi.org/10.1016/j.jare.2013.11.006

IF: 12.822

2014-01-01

Journal of Advanced Research

Abstract:Many security incidents are caused by software developers’ failure to adhere to secure programming practices. Static analysis tools have been used to detect software vulnerabilities. However, their wide usage by developers is limited by the special training required to write rules customized to application-specific logic. Our approach is interactive static analysis, to integrate static analysis into Integrated Development Environment (IDE) and provide in-situ secure programming support to help developers prevent vulnerabilities during code construction. No additional training is required nor are there any assumptions on ways programs are built. Our work is motivated in part by the observation that many vulnerabilities are introduced due to failure to practice secure programming by knowledgeable developers. We implemented a prototype interactive static analysis tool as a plug-in for Java in Eclipse. Our technical evaluation of our prototype detected multiple zero-day vulnerabilities in a large open source project. Our evaluations also suggest that false positives may be limited to a very small class of use cases.

Zhefei Zhang,Qinghua Zheng,Xiaohong Guan,Qing Wang,Tuo Wang

DOI: https://doi.org/10.1007/s11460-008-0047-x

2008-01-01

Frontiers of Electrical and Electronic Engineering in China

Abstract:SQL injection poses a major threat to the application level security of the database and there is no systematic solution to these attacks. Different from traditional run time security strategies such as IDS and firewall, this paper focuses on the solution at the outset; it presents a method to find vulnerabilities by analyzing the source codes. The concept of validated tree is developed to track variables referenced by database operations in scripts. By checking whether these variables are influenced by outside inputs, the database operations are proved to be secure or not. This method has advantages of high accuracy and efficiency as well as low costs, and it is universal to any type of web application platforms. It is implemented by the software code vulnerabilities of SQL injection detector (CVSID). The validity and efficiency are demonstrated with an example.

Hui Yuan,Lei Zheng,Liang Dong,Xiangli Peng,Yan Zhuang,Guoru Deng

DOI: https://doi.org/10.1007/978-3-030-15235-2_66

2019-04-25

Abstract:With the rapid development of Internet technology, Web applications are widely used in all walks of life, and their security requirements are increasing. Unfortunately, at present, the development of Web security technology still lags behind the development of Web application technology itself. The Web application itself and its operating environment are still relatively fragile, and its operating environment is easily forged or modified, making Web applications gradually become malicious. The object of the attack is frequently attacked. This paper investigates and analyzes the common vulnerabilities in web applications, deeply studies the basic characteristics of these vulnerabilities, and understands the principles and solutions of vulnerabilities. The static analysis method is used to analyze the vulnerabilities, and the static analysis methods are used to solve the security vulnerabilities in the Java web project.

Jun Zhu,Bill Chu,Heather Richter Lipford,Tyler Thomas

DOI: https://doi.org/10.1145/2752952.2752976

2015-01-01

Abstract:ABSTRACTAccess control vulnerabilities due to programming errors have consistently ranked amongst top software vulnerabilities. Previous research efforts have concentrated on using automatic program analysis techniques to detect access control vulnerabilities in applications. We report a comparative study of six open source PHP applications, and find that implicit assumptions of previous research techniques can significantly limit their effectiveness. We propose a more effective hybrid approach to mitigate access control vulnerabilities. Developers are reminded in-situ of potential access control vulnerabilities, where self-review of code can help them discover mistakes. Additionally, developers are prompted for application-specific access control knowledge, providing samples of code that could be thought of as static analysis by example. These examples are turned into code patterns that can be used in performing static analysis to detect additional access control vulnerabilities and alert the developer to take corrective actions. Our evaluation of six open source applications detected 20 zero-day access control vulnerabilities in addition to finding all access control vulnerabilities detected in previous works.

Ruiguo Yang,Jiajin Cai,Xinhui Han

DOI: https://doi.org/10.1145/3548606.3563527

2022-01-01

Abstract:ABSTRACTIn this poster, we present TaintGrep, a novel static analysis approach to detect vulnerabilities of Android applications. This approach combines the advantages of semantic pattern matching and taint analysis to get better accuracy and be able to detect cross-function vulnerabilities. Compared with many traditional tools, TaintGrep does not require the full source code or building environment to analyze. Moreover, it supports users in defining their customized matching rules using their vulnerability mining experience, which makes this approach more flexible and scalable. In the preliminary experiment, we give a detailed analysis of the rules of two typical vulnerabilities: generic DoS and arbitrary file read/write, and have detected 77 0day vulnerabilities with these rules in 16 well-known Android applications.

Zhang Tao,Chen Xiarun,Chen Zhong

DOI: https://doi.org/10.1109/ICIPCA59209.2023.10257912

2023-01-01

Abstract:As the Internet environment becomes increasingly complex, network security gradually has more and more impact on people's real life. The research on static vulnerability detection is of great significance to the security of software systems. To solve the problems of imperfect technical support for basic analysis and high false alarm rate in the current mainstream static vulnerability detection methods, we design a vulnerability detection method based on taint value range propagation analysis, combining data flow analysis and abstract interpretation to achieve cross-functional variable value range analysis, and combining the identification and analysis of data security checks to achieve an automated vulnerability detection system prototype—RVDetecor, with good performance and detection, and applicable to real-world scenarios. In its analysis of the Linux kernel source code, RVDetecor verified 15 fixed issues.

Tielei Wang,Tao Wei,Guofei Gu,Wei Zou

DOI: https://doi.org/10.1109/sp.2010.37

2010-01-01

Abstract:Fuzz testing has proven successful in finding security vulnerabilities in large programs. However, traditional fuzz testing tools have a well-known common drawback: they are ineffective if most generated malformed inputs are rejected in the early stage of program running, especially when target programs employ checksum mechanisms to verify the integrity of inputs. In this paper, we present TaintScope, an automatic fuzzing system using dynamic taint analysis and symbolic execution techniques, to tackle the above problem. TaintScope has several novel contributions: 1) TaintScope is the first checksum-aware fuzzing tool to the best of our knowledge. It can identify checksum fields in input instances, accurately locate checksum-based integrity checks by using branch profiling techniques, and bypass such checks via control flow alteration. 2) TaintScope is a directed fuzzing tool working at X86 binary level (on both Linux and Window). Based on fine-grained dynamic taint tracing, TaintScope identifies which bytes in a well-formed input are used in security-sensitive operations (e.g., invoking system/library calls) and then focuses on modifying such bytes. Thus, generated inputs are more likely to trigger potential vulnerabilities. 3) TaintScope is fully automatic, from detecting checksum, directed fuzzing, to repairing crashed samples. It can fix checksum values in generated inputs using combined concrete and symbolic execution techniques. We evaluate TaintScope on a number of large real-world applications. Experimental results show that TaintScope can accurately locate the checksum checks in programs and dramatically improve the effectiveness of fuzz testing. TaintScope has already found 27 previously unknown vulnerabilities in several widely used applications, including Adobe Acrobat, Google Picasa, Microsoft Paint, and ImageMagick. Most of these severe vulnerabilities have been confirmed by Secunia and oCERT, and assigned CVE identifiers (such as CVE-2009-1882, CVE-2009-2688). Corresponding patches from vendors are released or in progress based on our reports.

Nicholas Allen,François Gauthier,Alexander Jordan

DOI: https://doi.org/10.48550/arXiv.2103.16240

2021-03-30

Abstract:Over the years, static taint analysis emerged as the analysis of choice to detect some of the most common web application vulnerabilities, such as SQL injection (SQLi) and cross-site scripting (XSS)~\cite{OWASP}. Furthermore, from an implementation perspective, the IFDS dataflow framework stood out as one of the most successful vehicles to implement static taint analysis for real-world Java applications. While existing approaches scale reasonably to medium-size applications (e.g. up to one hour analysis time for less than 100K lines of code), our experience suggests that no existing solution can scale to very large industrial code bases (e.g. more than 1M lines of code). In this paper, we present our novel IFDS-based solution to perform fast and precise static taint analysis of very large industrial Java web applications. Similar to state-of-the-art approaches to taint analysis, our IFDS-based taint analysis uses \textit{access paths} to abstract objects and fields in a program. However, contrary to existing approaches, our analysis is demand-driven, which restricts the amount of code to be analyzed, and does not rely on a computationally expensive alias analysis, thereby significantly improving scalability.

Programming Languages,Software Engineering

Tielei Wang,Tao Wei,Guofei Gu,Wei Zou

DOI: https://doi.org/10.1145/2019599.2019600

2011-01-01

ACM Transactions on Information and System Security

Abstract:Fuzz testing has proven successful in finding security vulnerabilities in large programs. However, traditional fuzz testing tools have a well-known common drawback: they are ineffective if most generated inputs are rejected at the early stage of program running, especially when target programs employ checksum mechanisms to verify the integrity of inputs. This article presents TaintScope, an automatic fuzzing system using dynamic taint analysis and symbolic execution techniques, to tackle the above problem. TaintScope has several novel features: (1) TaintScope is a checksum-aware fuzzing tool. It can identify checksum fields in inputs, accurately locate checksum-based integrity checks by using branch profiling techniques, and bypass such checks via control flow alteration. Furthermore, it can fix checksum values in generated inputs using combined concrete and symbolic execution techniques. (2) TaintScope is a taint-based fuzzing tool working at the x86 binary level. Based on fine-grained dynamic taint tracing, TaintScope identifies the “hot bytes” in a well-formed input that are used in security-sensitive operations (e.g., invoking system/library calls), and then focuses on modifying such bytes with random or boundary values. (3) TaintScope is also a symbolic-execution-based fuzzing tool. It can symbolically evaluate a trace, reason about all possible values that can execute the trace, and then detect potential vulnerabilities on the trace. We evaluate TaintScope on a number of large real-world applications. Experimental results show that TaintScope can accurately locate the checksum checks in programs and dramatically improve the effectiveness of fuzz testing. TaintScope has already found 30 previously unknown vulnerabilities in several widely used applications, including Adobe Acrobat, Flash Player, Google Picasa, and Microsoft Paint. Most of these severe vulnerabilities have been confirmed by Secunia and oCERT, and assigned CVE identifiers (such as CVE-2009-1882, CVE-2009-2688). Vendor patches have been released or are in preparation based on our reports.

Jiahui Xiang,Lirong Fu,Tong Ye,Peiyu Liu,Huan Le,Liming Zhu,Wenhai Wang

DOI: https://doi.org/10.1109/jiot.2024.3490661

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:The diversity of web configuration interfaces for IoT devices has exacerbated issues such as inadequate permission controls and insecure interfaces, resulting in various vulnerabilities. Owing to the varying interface configurations across various devices, the existing methods are inadequate for identifying these vulnerabilities precisely and comprehensively. This study addresses these issues by introducing an automated vulnerability detection system, called LuaTaint. It is designed for the commonly used web configuration interface of IoT devices. LuaTaint combines static taint analysis with a large language model (LLM) to achieve widespread and high-precision detection. The extensive traversal of the static analysis ensures the comprehensiveness of the detection. The system also incorporates rules related to page handler control logic within the taint detection process to enhance its precision and extensibility. Moreover, we leverage the prodigious abilities of LLM for code analysis tasks. By utilizing LLM in the process of pruning false alarms, the precision of LuaTaint is enhanced while significantly reducing its dependence on manual analysis. We develop a prototype of LuaTaint and evaluate it using 2,447 IoT firmware samples from 11 renowned vendors. LuaTaint has discovered 111 vulnerabilities. Moreover, LuaTaint exhibits a vulnerability detection precision rate of up to 89.29

Manas Gaur

DOI: https://doi.org/10.48550/arXiv.1208.3205

2012-08-16

Abstract:The main stretch in the paper is buffer overflow anomaly occurring in major source codes, designed in various programming language. It describes the various as to how to improve your code and increase its strength to withstand security theft occurring at vulnerable areas in the code. The main language used is JAVA, regarded as one of the most object oriented language still create lot of error like stack overflow, illegal/inappropriate method overriding. I used tools confined to JAVA to test as how weak points in the code can be rectified before compiled. The byte code theft is difficult to be conquered, so it's a better to get rid of it in the plain java code itself. The tools used in the research are PMD(Programming mistake detector), it helps to detect line of code that make pop out error in near future like defect in hashcode(memory maps) overriding due to which the java code will not function correctly. Another tool is FindBUGS which provide the tester of the code to analyze the weak points in the code like infinite loop, unsynchronized wait, deadlock situation, null referring and dereferencing. Another tool which provides the base to above tools is JaCoCo code coverage analysis used to detect unreachable part and unused conditions of the code which improves the space complexity and helps in easy clarification of errors. Through this paper, we design an algorithm to prevent the loss of data. The main audience is the white box tester who might leave out essential line of code like, index variables, infinite loop, and inappropriate hashcode in the major source program. This algorithm serves to reduce the damage in case of buffer overflow

Cryptography and Security,Software Engineering

Arvinder Kaur,Ruchikaa Nayyar

DOI: https://doi.org/10.1016/j.procs.2020.04.217

2020-01-01

Procedia Computer Science

Abstract:<p>Software security has become an essential component of software development process. It is necessary for an organisation to maintain software security in order to ensure integrity, authenticity and availability of the software product. To ensure software security, one of the major task is to identify vulnerabilities present in the source code before the software is being deployed. Detecting vulnerabilities in early phases of software development cycle, makes the process of fixing those vulnerabilities much easier for software developers. The vulnerability detection can be done either at the production phase, this means when the software is still being developed by statically auditing the source code, or dynamically at run time. In this study, vulnerability detection was done through Static code analysis process. Static code analysis can be done either manually or through automated tools. This paper focuses on using automated source code scanning tools for vulnerabilities detection in a software. Automated static Code Analysis tools audits the entire source code for its quality and identify any potential security vulnerability, if present. Unlike dynamic source code analysis that evaluates the source code behaviour during code execution, which is done quite late in the software development life cycle, Static Code Analysis leads to detection of security vulnerabilities in a source code in early stages of software development process, when the software is still in production phase because it does not require code to be in execution state. This paper firstly explains the importance of incorporating static code analysis in software development life cycle process so as to facilitate early detection of vulnerabilities in software product, and then present a comparative study of various static code analysis tools available for vulnerability detection in C/C++ and JAVA source code. The comparative study of three C/C++ static code analysis tools (flawfinder, RATS and CPPCheck) and two JAVA static code analysis tools (spotbugs and PMD) is done using Juliet (version1.3) test suite and APACHE tomcat dataset respectively, on the basis of category of vulnerability detected by each of the selected tool and the likelihood of false positive reported by each tool. Results showed that Flawfinder detected maximum categories of vulnerabilities and RATS and CPPCheck were almost similar in types of vulnerabilities detected. Also, it was observed that CPPCheck reported maximum number of false positives as compared to other two tools. Java static code analysis tools Spot bugs was able to detect more number of vulnerabilities than PMD.</p>

Ranjith Krishnamurthy,Goran Piskachev,Eric Bodden

DOI: https://doi.org/10.48550/arXiv.2207.09379

2022-07-29

Abstract:As an alternative to Java, Kotlin has gained rapid popularity since its introduction and has become the default choice for developing Android apps. However, due to its interoperability with Java, Kotlin programs may contain almost the same security vulnerabilities as their Java counterparts. Hence, we question: to what extent can one use an existing Java static taint analysis on Kotlin code? In this paper, we investigate the challenges in implementing a taint analysis for Kotlin compared to Java. To answer this question, we performed an exploratory study where each Kotlin construct was examined and compared to its Java equivalent. We identified 18 engineering challenges that static-analysis writers need to handle differently due to Kotlin's unique constructs or the differences in the generated bytecode between the Kotlin and Java compilers. For eight of them, we provide a conceptual solution, while six of those we implemented as part of SecuCheck-Kotlin, an extension to the existing Java taint analysis SecuCheck.

Programming Languages,Cryptography and Security,Software Engineering

Kai Cheng,Tao Liu,Le Guan,Peng Liu,Hong Li,Hongsong Zhu,Limin Sun

DOI: https://doi.org/10.48550/arXiv.2109.12209

2021-09-25

Abstract:Although the importance of using static analysis to detect taint-style vulnerabilities in Linux-based embedded firmware is widely recognized, existing approaches are plagued by three major limitations. (a) Approaches based on symbolic execution may miss alias information and therefore suffer from a high false-negative rate. (b) Approaches based on VSA (value set analysis) often provide an over-approximate pointer range. As a result, many false positives could be produced. (c) Existing work for detecting taint-style vulnerability does not consider indirect call resolution, whereas indirect calls are frequently used in Internet-facing embedded devices. As a result, many false negatives could be produced. In this work, we propose a precise demand-driven flow-, context- and field-sensitive alias analysis approach. Based on this new approach, we also design a novel indirect call resolution scheme. Combined with sanitization rule checking, our solution discovers taint-style vulnerabilities by static taint analysis. We implemented our idea with a prototype called EmTaint and evaluated it against 35 real-world embedded firmware samples from six popular vendors. EmTaint discovered at least 192 bugs, including 41 n-day bugs and 151 0-day bugs. At least 115 CVE/PSV numbers have been allocated from a subset of the reported vulnerabilities at the time of writing. Compared to state-of-the-art tools such as KARONTE and SaTC, EmTaint found significantly more bugs on the same dataset in less time.

Cryptography and Security,Software Engineering

Qing Wang,Qinghua Zheng,Xiaohong Guan,Zhefei Zhang

DOI: https://doi.org/10.3321/j.issn:0253-987X.2007.04.013

2007-01-01

Abstract:Based on reverse deduction with proof-tree, a method for detecting SQL injection vulnerabilities which are ubiquitous in Web applications is presented. Differing from traditional real time security strategies such as IDS and firewall, the origin of producing attack can be found by directly mining source codes vulnerabilities. The essentials are to track reversely the variables that are related to database (DB) script operations and check whether they are influenced from outside so as to control the hidden damage existing in the DB operations. The experimental results show that the proposed method can accurately verify the security of 53. 8% DB operations, and it is applicable for any type of Web application platforms configured with different script languages and database systems.

Jun Liu,Xiaoming Liu,Bo Zheng,Tang, J.

DOI: https://doi.org/10.1109/csss.2011.5974598

2011-01-01

Abstract:This paper proposes a code security inspection system based on the Subversion, which aims to avoid the submission of risk codes that contain vulnerabilities such as SQL injection, XSS (Cross Site Script) attacks and CSRF (Cross-site request forgery) to SVN repositories. In the proposed system, the submitted code will be scanned and checked and then the results will be sent to the SQA (Software Quality Assurance) units to ensure the product's safety. The system mainly adopts dependency injection and inversion of control used in the spring framework, and thus it has high scalability and maintainability. The system is also practical, independent, and highly configurable which can meet the needs of different users.

Midya Alqaradaghi,Tamás Kozsik

DOI: https://doi.org/10.1109/access.2024.3389955

IF: 3.9

2024-04-27

IEEE Access

Abstract:Various static code analysis tools have been designed to automatically detect software faults and security vulnerabilities. This paper aims to 1) conduct an empirical evaluation to assess the performance of five free and state-of-the-art static analysis tools in detecting Java security vulnerabilities using a well-defined and repeatable approach; 2) report on the vulnerabilities that are best and worst detected by static Java analyzers. We used the Juliet benchmark test suite in a controlled experiment to assess the effectiveness of five widely used Java static analysis tools. The vulnerabilities were successfully detected by one, two, or three tools. Only one vulnerability has been detected by four tools. The tools missed 13% of the Java vulnerability categories appearing in our experiment. More critically, none of the five tools could identify all the vulnerabilities in our experiment. We conclude that, despite recent improvements in their methodologies, current state-of-the-art static analysis tools are still ineffective for identifying the security vulnerabilities occurring in a small-scale, artificial test suite.

computer science, information systems,telecommunications,engineering, electrical & electronic