Mining SQL injection and cross site scripting vulnerabilities using hybrid program analysis

Author

Lwin Khin SHAR, Singapore Management UniversityFollow
Hee Beng Kuan TAN
Lionel C. BRIAND

Publication Type

Conference Proceeding Article

Version

publishedVersion

Publication Date

5-2013

Abstract

In previous work, we proposed a set of static attributes that characterize input validation and input sanitization code patterns. We showed that some of the proposed static attributes are significant predictors of SQL injection and cross site scripting vulnerabilities. Static attributes have the advantage of reflecting general properties of a program. Yet, dynamic attributes collected from execution traces may reflect more specific code characteristics that are complementary to static attributes. Hence, to improve our initial work, in this paper, we propose the use of dynamic attributes to complement static attributes in vulnerability prediction. Furthermore, since existing work relies on supervised learning, it is dependent on the availability of training data labeled with known vulnerabilities. This paper presents prediction models that are based on both classification and clustering in order to predict vulnerabilities, working in the presence or absence of labeled training data, respectively. In our experiments across six applications, our new supervised vulnerability predictors based on hybrid (static and dynamic) attributes achieved, on average, 90% recall and 85% precision, that is a sharp increase in recall when compared to static analysis-based predictions. Though not nearly as accurate, our unsupervised predictors based on clustering achieved, on average, 76% recall and 39% precision, thus suggesting they can be useful in the absence of labeled training data.

Keywords

Defect prediction, vulnerability, input validation and sanitization, static and dynamic analysis, empirical study

Discipline

Software Engineering

Research Areas

Cybersecurity

Publication

Proceedings of the 35th ACM/IEEE International Conference on Software Engineering (ICSE), San Francisco, 2013 May 18-26

First Page

1

Last Page

10

Identifier

10.1109/ICSE.2013.6606610

Publisher

IEEE

City or Country

San Francisco, USA

Citation

SHAR, Lwin Khin; TAN, Hee Beng Kuan; and BRIAND, Lionel C.. Mining SQL injection and cross site scripting vulnerabilities using hybrid program analysis. (2013). Proceedings of the 35th ACM/IEEE International Conference on Software Engineering (ICSE), San Francisco, 2013 May 18-26. 1-10.
Available at: https://ink.library.smu.edu.sg/sis_research/4781

Creative Commons License

This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.

Additional URL

https://doi.org/10.1109/ICSE.2013.6606610