On Business Logic Vulnerabilities Hunting: The APP_LogGIC Framework

  • George Stergiopoulos
  • Bill Tsoumas
  • Dimitris Gritzalis

Part of the Lecture Notes in Computer Science book series (LNCS, volume 7873)

Abstract

While considerable research effort has been put into the identification of technical vulnerabilities, such as buffer overflows or SQL injections, business logic vulnerabilities have drawn limited attention. Logic vulnerabilities are an important class of defects that result from faulty application logic. Business logic refers to requirements implemented in algorithms that reflect the intended functionality of an application; e.g. in an online shop application, a logic rule could be that each cart must register only one discount coupon per product. In this paper, we extend a novel heuristic and automated method for the detection of logic vulnerabilities, which we presented in a previous publication. This method detects logic vulnerabilities and asserts their criticality in Java GUI applications using dynamic and static analysis together with a fuzzy logic system that compares and ranks its findings, in an effort to minimize false positives and negatives. An extensive analysis of the code ranking system is given along with empirical results in order to demonstrate its potential.

Keywords

Bug Detection, Vulnerability, Business Logic, Propositional Logic

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • George Stergiopoulos (1)
  • Bill Tsoumas (1)
  • Dimitris Gritzalis (1)

  1. Information Security and Critical Infrastructure Protection Research Laboratory, Dept. of Informatics, Athens University of Economics and Business (AUEB), Athens, Greece