Skip to main content
SpringerLink
Log in

Eliminating Human Specification in Static Analysis

  • Conference paper
Recent Advances in Intrusion Detection (RAID 2010)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 6307))

Included in the following conference series:

Abstract

We present a totally automatic static analysis approach for detecting code injection vulnerabilities in web applications on top of JSP/servlet framework. Our approach incorporates origin and destination information of data passing in information flows, and developer’s beliefs on vulnerable information flows extracted via statistical analysis and pattern recognition technique, to infer specifications for flaws without any human participation. According to experiment, our algorithm is proved to be able to cover the most comprehensive range of attack vectors and lessen the manual labor greatly.

This work is supported by the National Natural Science Foundation of China under Grant No. 60970140, No.60773135 and No.90718007.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Sridharan, M., Fink, S.J., Bodik, R.: Thin slicing. In: ACM SIGPLAN Conference on Programming Language Design and Implementation, vol. 42(6), pp. 112–122 (2007)

    Google Scholar 

  2. Tripp, O., Pistoia, M., Fink, S., Sridharan, M., Weisman, O.: TAJ: Effective Taint Analysis of Web Applications. In: ACM SIGPLAN Conference on Programming Language Design and Implementation, pp. 87–97 (2009)

    Google Scholar 

  3. Livshits, V.B., Lam, M.S.: Finding security vulnerabilities in Java applications with static analysis. In: The 14th USENIX Security Symposium, pp. 271–286 (2005)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. GUCAS, National Computer Network Intrusion Protection Center, Beijing, 100049, China

    Ying Kong, Yuqing Zhang & Qixu Liu

  2. GUCAS, State Key Laboratory of Information Security, Beijing, 100049, China

    Ying Kong, Yuqing Zhang & Qixu Liu

Authors
  1. Ying Kong
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Yuqing Zhang
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Qixu Liu
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Computer Sciences Department, University of Wisconsin, 53706, Madison, WI, USA

    Somesh Jha

  2. International Computer Science Institute, 1947 Center Street, Suite 600, 94704, Berkeley, CA, USA

    Robin Sommer  & Christian Kreibich  & 

Rights and permissions

Reprints and permissions

Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Kong, Y., Zhang, Y., Liu, Q. (2010). Eliminating Human Specification in Static Analysis. In: Jha, S., Sommer, R., Kreibich, C. (eds) Recent Advances in Intrusion Detection. RAID 2010. Lecture Notes in Computer Science, vol 6307. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-15512-3_30

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-15512-3_30

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-15511-6

  • Online ISBN: 978-3-642-15512-3

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation