ISSTA 2016

25th International Symposium on Software Testing and Analysis (ISSTA), July 18–20, 2016, Saarbrücken, Germany

Desktop Layout

Debugging and Repair
Research Papers
Optimal Sanitization Synthesis for Web Application Vulnerability Repair
Fang Yu, Ching-Yuan Shueh, Chun-Han Lin, Yu-Fang Chen, Bow-Yaw Wang, and Tevfik Bultan
(National Chengchi University, Taiwan; Academia Sinica, Taiwan; University of California at Santa Barbara, USA)
Publisher's Version
Abstract: We present a code- and input-sensitive sanitization synthesis approach for repairing string vulnerabilities that are common in web applications. The synthesized sanitization patch modifies the user input in an optimal way while guaranteeing that the repaired web application is not vulnerable. Given a web application, an input pattern and an attack pattern, we use automata-based static string analysis techniques to compute a sanitization signature that characterizes safe input values that obey the given input pattern and are safe with respect to the given attack pattern. Using the sanitization signature, we synthesize an optimal sanitization patch that converts malicious user inputs to benign ones with minimal editing. When the generated patch is added to the web application, it is guaranteed that the repaired web application is no longer vulnerable. We present refinements to previous sanitization synthesis algorithms that reduce the runtime sanitization cost significantly. We evaluate our approach on open source web applications using common input and attack patterns, demonstrating the effectiveness of our approach.


Time stamp: 2019-05-24T16:50:48+02:00