Abstract
Web security has become a pressing concern in Internet computing. To cope with ever-rising security complexity, semantic analysis is proposed to fill the gap that current approaches fail to address. Conventional methods limit their focus to the physical source code instead of the abstraction of semantics. This focus lets new types of vulnerability slip through and causes tremendous business loss.
For this reason, the semantic structure has been studied. Our novel approach introduces token decomposition and semantic abstraction. It aims to solve these issues by using a metadata code structure to envision the semantic gap.
In consideration of optimized control and vulnerability rate, we take SQL injection as an example to demonstrate the approach, showing how the syntax abstraction is decomposed into tokens and how the semantic structure is constructed using metadata notation. Because new types of vulnerability can be precisely specified, business impact can be eliminated.
© 2010 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Wu, R., Seki, K., Sakamoto, R., Hisada, M. (2010). Knowledge-Base Semantic Gap Analysis for the Vulnerability Detection. In: Bandyopadhyay, S.K., Adi, W., Kim, Th., Xiao, Y. (eds) Information Security and Assurance. ISA 2010. Communications in Computer and Information Science, vol 76. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-13365-7_27
DOI: https://doi.org/10.1007/978-3-642-13365-7_27
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-13364-0
Online ISBN: 978-3-642-13365-7
eBook Packages: Computer Science, Computer Science (R0)