Academia Sinica, Institute of Information Science

Events


Academic Talks


Differential String Analysis

  • Speaker: Prof. Tevfik Bultan (Department of Computer Science, University of California, Santa Barbara (UCSB))
    Hosts: 王柏堯、陳郁方
  • Time: 2014-11-13 (Thu.) 14:00 ~ 16:00
  • Venue: Auditorium 106, IIS New Building
Abstract

Since web applications are easily accessible, and often store a large amount of sensitive user information, they are a common target for attackers. In particular, attacks that focus on input validation and sanitization vulnerabilities are extremely effective and dangerous. To address this problem, we developed a differential string analysis technique that can identify erroneous or insufficient validation and sanitization of the user inputs by automatically discovering inconsistencies between client- and server-side input validation and sanitization functions. Our approach (1) automatically extracts client- and server-side input validation and sanitization functions, (2) models them as deterministic finite automata (DFAs), and (3) compares client- and server-side DFAs to identify and report the inconsistencies between the two sets of checks.

Furthermore, we developed a differential repair technique that strengthens the client- and server-side checks to make them consistent. Given a reference and a target function, our differential repair technique strengthens the validation and sanitization operations in the target function based on the reference function. It does this by synthesizing three patches: a validation, a length, and a sanitization patch. Composition of the three automatically synthesized patches with the original target function results in the repaired function, which provides stronger validation and sanitization than both the target and the reference functions.
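The core of both the analysis and the validation patch described in the two paragraphs above can be illustrated on automata directly. The following is an added example, not the speaker's tool: client- and server-side validators are given as small hand-built DFAs over a constructed three-symbol alphabet (the real technique extracts them from application code and also models sanitization); the product construction finds a string one side accepts and the other rejects, and the intersection of the two languages serves as the synthesized validation patch.

```python
ALPHABET = ("a", "1", "<")  # constructed toy alphabet: a letter, a digit, an HTML metacharacter

class DFA:
    """DFA over ALPHABET; a missing transition leads to the rejecting sink state."""
    def __init__(self, start, accept, delta):
        self.start, self.accept, self.delta = start, set(accept), delta
    def step(self, q, c):
        return self.delta.get((q, c), "sink")
    def accepts(self, s):
        q = self.start
        for c in s:
            q = self.step(q, c)
        return q in self.accept
    def product(self, other, accept_if):
        """Product construction; accept_if(a, b) combines the two components' acceptance."""
        start = (self.start, other.start)
        accept, delta, states = set(), {}, [start]
        for p in states:  # states doubles as the BFS work list and the visited set
            if accept_if(p[0] in self.accept, p[1] in other.accept):
                accept.add(p)
            for c in ALPHABET:
                n = delta[(p, c)] = (self.step(p[0], c), other.step(p[1], c))
                if n not in states:
                    states.append(n)
        return DFA(start, accept, delta)
    def witness(self):
        """Shortest accepted string (BFS over states), or None when the language is empty."""
        paths, order = {self.start: ""}, [self.start]
        for q in order:
            if q in self.accept:
                return paths[q]
            for c in ALPHABET:
                n = self.step(q, c)
                if n not in paths:
                    paths[n] = paths[q] + c
                    order.append(n)
        return None

def build_checks():
    """Constructed example: the client enforces only 'required, maxlength=4', the server only the charset [a1]+."""
    client = DFA(0, {1, 2, 3, 4}, {(i, c): i + 1 for i in range(4) for c in ALPHABET})
    server = DFA("s0", {"s1"}, {(q, c): "s1" for q in ("s0", "s1") for c in "a1"})
    return client, server

def differential_analysis(client, server):
    """Witness for each direction of inconsistency, plus the intersection DFA as the validation patch."""
    client_only = client.product(server, lambda a, b: a and not b).witness()  # passes client, rejected by server
    server_only = client.product(server, lambda a, b: b and not a).witness()  # passes server, rejected by client
    return client_only, server_only, client.product(server, lambda a, b: a and b)
```

On the constructed checks the two witnesses are "<" (the client never looks at characters) and "aaaaa" (the server never looks at length); the repaired automaton rejects both while still accepting ordinary inputs such as "a1a1".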

Our evaluation demonstrates that these techniques are very promising: when applied to a set of real-world web applications, our techniques are able to automatically identify a large number of inconsistencies and repair them.

BIO

Tevfik Bultan is a Professor in the Department of Computer Science at the University of California, Santa Barbara (UCSB). His current research interests are in dependability of web software and services, automated verification, string analysis, and data model specification and analysis.

Dr. Bultan co-chaired the program committees of the 9th International Symposium on Automated Technology for Verification and Analysis (ATVA 2011), the 20th International Symposium on the Foundations of Software Engineering (FSE 2012), and the 28th IEEE/ACM International Conference on Automated Software Engineering (ASE 2013). Dr. Bultan was a keynote speaker at the 19th International Conference on Concurrency Theory (CONCUR 2008), the 6th ACM-IEEE International Conference on Formal Methods and Models for Codesign (MEMOCODE 2008), the 9th International Symposium on Formal Aspects of Component Software (FACS 2012), and the 2013 IFIP Joint International Conference on Formal Techniques for Distributed Systems (33rd FORTE / 15th FMOODS).