Advertisement

String Analysis for Software Verification and Security

  • Tevfik Bultan
  • Fang Yu
  • Muath Alkhalaf
  • Abdulbaki Aydin

Table of contents

  1. Front Matter
    Pages i-ix
  2. Tevfik Bultan, Fang Yu, Muath Alkhalaf, Abdulbaki Aydin
    Pages 1-13
  3. Tevfik Bultan, Fang Yu, Muath Alkhalaf, Abdulbaki Aydin
    Pages 15-22
  4. Tevfik Bultan, Fang Yu, Muath Alkhalaf, Abdulbaki Aydin
    Pages 23-35
  5. Tevfik Bultan, Fang Yu, Muath Alkhalaf, Abdulbaki Aydin
    Pages 37-55
  6. Tevfik Bultan, Fang Yu, Muath Alkhalaf, Abdulbaki Aydin
    Pages 57-68
  7. Tevfik Bultan, Fang Yu, Muath Alkhalaf, Abdulbaki Aydin
    Pages 69-81
  8. Tevfik Bultan, Fang Yu, Muath Alkhalaf, Abdulbaki Aydin
    Pages 83-102
  9. Tevfik Bultan, Fang Yu, Muath Alkhalaf, Abdulbaki Aydin
    Pages 103-122
  10. Tevfik Bultan, Fang Yu, Muath Alkhalaf, Abdulbaki Aydin
    Pages 123-147
  11. Tevfik Bultan, Fang Yu, Muath Alkhalaf, Abdulbaki Aydin
    Pages 149-154
  12. Tevfik Bultan, Fang Yu, Muath Alkhalaf, Abdulbaki Aydin
    Pages 155-164
  13. Tevfik Bultan, Fang Yu, Muath Alkhalaf, Abdulbaki Aydin
    Pages 165-166
  14. Back Matter
    Pages 167-174

About this book

Introduction

This book discusses automated string-analysis techniques, focusing particularly on automata-based static string analysis. It covers the following topics: automata-bases string analysis, computing pre and post-conditions of basic string operations using automata, symbolic representation of automata, forward and backward string analysis using symbolic automata representation, constraint-based string analysis, string constraint solvers, relational string analysis, vulnerability detection using string analysis, string abstractions, differential string analysis, and automated sanitization synthesis using string analysis.

String manipulation is a crucial part of modern software systems; for example, it is used extensively in input validation and sanitization and in dynamic code and query generation. The goal of string-analysis techniques and this book is to determine the set of values that string expressions can take during program execution. String analysis can be used to solve many problems in modern software systems that relate to string manipulation, such as: (1) Identifying security vulnerabilities by checking if a security sensitive function can receive an input string that contains an exploit; (2) Identifying possible behaviors of a program by identifying possible values for dynamically generated code; (3) Identifying html generation errors by computing the html code generated by web applications; (4) Identifying the set of queries that are sent to back-end database by analyzing the code that generates the SQL queries; (5) Patching input validation and sanitization functions by automatically synthesizing repairs illustrated in this book.

Like many other program-analysis problems, it is not possible to solve the string analysis problem precisely (i.e., it is not possible to precisely determine the set of string values that can reach a program point). However, one can compute over- or under-approximations of possible string values. If the approximations are precise enough, they can enable developers to demonstrate existence or absence of bugs in string manipulating code. String analysis has been an active research area in the last decade, resulting in a wide variety of string-analysis techniques.

This book will primarily target researchers and professionals working in computer security, software verification, formal methods, software engineering and program analysis. Advanced level students or instructors teaching or studying courses in computer security, software verification or program analysis will find this book useful as a secondary text. 

Keywords

Automated sanitization synthesis Automated string analysis Computer security Input validation and sanitization Java Modern programming languages Modern software systems Software verification String analysis Vulnerability detection Program verification Formal methods Symbolic verification Automated abstraction Automata-based strong analysis String constraints Automated code repair

Authors and affiliations

  • Tevfik Bultan
    • 1
  • Fang Yu
    • 2
  • Muath Alkhalaf
    • 3
  • Abdulbaki Aydin
    • 4
  1. 1.Department of Computer ScienceUniversity of California, Santa BarbaraSanta BarbaraUSA
  2. 2.Department of Management, Information SystemsNational Chenchi UniversityTaipeiTaiwan
  3. 3.Computer Science DepartmentKing Saud UniversityRiyadhSaudi Arabia
  4. 4.Microsoft (United States)RedmondUSA

Bibliographic information

  • DOI https://doi.org/10.1007/978-3-319-68670-7
  • Copyright Information Springer International Publishing AG 2017
  • Publisher Name Springer, Cham
  • eBook Packages Computer Science
  • Print ISBN 978-3-319-68668-4
  • Online ISBN 978-3-319-68670-7
  • Buy this book on publisher's site
Industry Sectors
Pharma
Automotive
Finance, Business & Banking
Electronics
IT & Software
Telecommunications
Consumer Packaged Goods
Aerospace
Engineering