Publication Type
Conference Proceeding Article
Version
acceptedVersion
Publication Date
12-2013
Abstract
Input manipulation vulnerabilities such as SQL Injection, Cross-site scripting, Buffer Overflow vulnerabilities are highly prevalent and pose critical security risks. As a result, many methods have been proposed to apply static analysis, dynamic analysis or a combination of them, to detect such security vulnerabilities. Most of the existing methods classify vulnerabilities into safe and unsafe. They have both false-positive and false-negative cases. In general, security vulnerability can be classified into three cases: (1) provable safe, (2) provable unsafe, (3) unsure. In this paper, we propose a hybrid framework-Detecting Input Manipulation Vulnerabilities (DIMV), to verify the adequacy of security vulnerability defenses for input manipulation vulnerabilities by integrating formal verification with vulnerability prediction in a seamless way. The verification part takes into account sink predicates and effect of domain and custom specifications for detecting input manipulation vulnerabilities. Proving from specification is used as far as possible. Cases that cannot be proved are then predicted from the signatures mined. Our evaluation shows the practicality of the proposed framework.
Keywords
Vulnerability detection, framework, formal verification, prediction, data mining, input validation, specification, verification, input manipulation vulnerabilities
Discipline
Information Security | Software Engineering
Research Areas
Software and Cyber-Physical Systems
Publication
2013 20th Asia-Pacific Software Engineering Conference (APSEC): Bangkok, December 2-5: Proceedings
First Page
363
Last Page
370
ISBN
9781479921447
Identifier
10.1109/APSEC.2013.56
Publisher
IEEE
City or Country
Piscataway, NJ
Citation
DING, Sun; TAN, Hee Beng Kuan; SHAR, Lwin Khin; and PADMANABHUNI, Bindu Madhavi.
Towards a hybrid framework for detecting input manipulation vulnerabilities. (2013). 2013 20th Asia-Pacific Software Engineering Conference (APSEC): Bangkok, December 2-5: Proceedings. 363-370.
Available at: https://ink.library.smu.edu.sg/sis_research/4837
Copyright Owner and License
Authors
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.
Additional URL
https://doi.org/10.1109/APSEC.2013.56