Finding security vulnerabilities in java applications with static analysis Export

by: V. Benjamin Livshits, Monica S. Lam

In SSYM'05: Proceedings of the 14th conference on USENIX Security Symposium (2005), pp. 18-18.

[Posts]

View FullText article

ACM, Rent at DeepDyve

akshayk's tags for this article

information_flow joe_e security stanford static_analysis web_application_security

Reviews [Write a review of this article]

Find related articles from these CiteULike users

akshayk, qdw1987, srccheck, praveenbala

Find related articles with these CiteULike tags

defects, information_flow, java, joe_e, no-tag, security, source_sink, stanford, static_analysis, tainted_value, web_application_security

Abstract

This paper proposes a static analysis technique for detecting many recently discovered application vulnerabilities such as SQL injections, cross-site scripting, and HTTP splitting attacks. These vulnerabilities stem from unchecked input, which is widely recognized as the most common source of security vulnerabilities in Web applications. We propose a static analysis approach based on a scalable and precise points-to analysis. In our system, user-provided specifications of vulnerabilities are automatically translated into static analyzers. Our approach finds all vulnerabilities matching a specification in the statically analyzed code. Results of our static analysis are presented to the user for assessment in an auditing interface integrated within Eclipse, a popular Java development environment.

@inproceedings{citeulike:2637269, abstract = {This paper proposes a static analysis technique for detecting many recently discovered application vulnerabilities such as SQL injections, cross-site scripting, and HTTP splitting attacks. These vulnerabilities stem from unchecked input, which is widely recognized as the most common source of security vulnerabilities in Web applications. We propose a static analysis approach based on a scalable and precise points-to analysis. In our system, user-provided specifications of vulnerabilities are automatically translated into static analyzers. Our approach finds all vulnerabilities matching a specification in the statically analyzed code. Results of our static analysis are presented to the user for assessment in an auditing interface integrated within Eclipse, a popular Java development environment.}, address = {Berkeley, CA, USA}, author = {Livshits, V. Benjamin and Lam, Monica S.}, booktitle = {SSYM'05: Proceedings of the 14th conference on USENIX Security Symposium}, citeulike-article-id = {2637269}, citeulike-linkout-0 = {http://portal.acm.org/citation.cfm?id=1251416}, keywords = {information\_flow, joe\_e, security, stanford, static\_analysis, web\_application\_security}, location = {Baltimore, MD}, pages = {18}, posted-at = {2009-10-16 23:13:45}, priority = {2}, publisher = {USENIX Association}, title = {Finding security vulnerabilities in java applications with static analysis}, url = {http://portal.acm.org/citation.cfm?id=1251416}, year = {2005} }

RIS record

TY - CONF ID - citeulike:2637269 L3 - citeulike-article-id:2637269 N2 - This paper proposes a static analysis technique for detecting many recently discovered application vulnerabilities such as SQL injections, cross-site scripting, and HTTP splitting attacks. These vulnerabilities stem from unchecked input, which is widely recognized as the most common source of security vulnerabilities in Web applications. We propose a static analysis approach based on a scalable and precise points-to analysis. In our system, user-provided specifications of vulnerabilities are automatically translated into static analyzers. Our approach finds all vulnerabilities matching a specification in the statically analyzed code. Results of our static analysis are presented to the user for assessment in an auditing interface integrated within Eclipse, a popular Java development environment. CY - Baltimore, MD AD - Berkeley, CA, USA EP - 18 TI - Finding security vulnerabilities in java applications with static analysis PB - USENIX Association T2 - SSYM'05: Proceedings of the 14th conference on USENIX Security Symposium SP - 18 KW - information_flow KW - joe_e KW - security KW - stanford KW - static_analysis KW - web_application_security AU - Livshits, Benjamin AU - Lam, Monica PY - 2005/// UR - http://portal.acm.org/citation.cfm?id=1251416 ER -

cs294-28	23
security	21
netsec	20
bioinformatics	16
berkeley	12
systems	10
joe_e	9
cs262a	9
compbio	9
networks	8
information_flow_control	5
tau	5
probabilistic	5
nids	4
ai	4
databases	4
dos	4
microarray	4
web_applications	3
web_application_security	3
networkalignment	3
stanford	3
theory	3
worms	3
alignment	3
ucsd	3
gene_pathway	3
cmu	3
motif-discovery	3
sysbio	3
algorithms	3
network	3
analogy	3
filters	3
polymorphic	2
filesystems	2
stolfo	2
ethics	2
attacks	2
cornell	2
flow	2
mirna	2
hmm	2
concurrency	2
vms	2
omcs	2
static_analysis	2
privacy	2
bro	2
information	2
control	2
graphicalmodels	2
zeldovich	2
architecture	2
detection	2
botnet	2
distributedcomputing	2
mit	2
cambridge	2
traceback	1
google	1
swap	1
snp	1
harvard	1
mapreduce	1
spam	1
regulatory	1
song	1
machinelearning	1
columbia	1
clustering	1
mafia	1
information_flow	1
mobile	1
amazon	1
forensics	1
tcp	1
application_development	1
ecology	1
language_extensions	1
svm	1
bloom	1
svd	1
processing	1
cryptosystem	1
models	1
jif	1
pig	1
anonymity	1
virus	1
cs281a	1
injection	1
replication	1
games	1
indiana	1
markovchain	1
authentication	1
insider	1
dynamic_programming	1
belllabs	1
xen	1
vmware	1
topic_models	1
microsoft	1
jordan	1
parallel	1
owasp	1
attack	1
ucsc	1
legality	1
survey	1
paxos	1
search	1
wireless	1
signatures	1
histar	1
oze	1
backscatter	1
mesa	1
hotnets	1
grammars	1
csc	1
honeypots	1
malcode	1
graphs	1
phishing	1
latin	1
nlp	1
lda	1
memorymanagement	1
multiple_sequence_alignment	1
sequence_alignment	1
kegg	1
unix	1
java	1
dynamo	1
synkill	1
capability	1
pennstate	1
randomization	1

Finding security vulnerabilities in java applications with static analysis Export

Citation Format