An integrated approach for effective injection vulnerability analysis of web applications through security slicing and hybrid constraint solving

Malicious users can attack Web applications by exploiting injection vulnerabilities in the source code. This work addresses the challenge of detecting injection vulnerabilities in the server-side code of Java Web applications in a scalable and effective way. We propose an integrated approach that se...

Bibliographic Details
Main Authors: THOME, Julian, SHAR, Lwin Khin, BIANCULLI, Domenico, BRIAND, Lionel
Format: text
Language: English
Published: Institutional Knowledge at Singapore Management University 2018
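Subjects: Vulnerability detection; constraint solving; static analysis; search-based software engineering; Information Security; Software Engineering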
Online Access: https://ink.library.smu.edu.sg/sis_research/4892
https://ink.library.smu.edu.sg/context/sis_research/article/5895/viewcontent/an_integrated___AV.pdf
Institution: Singapore Management University
id sg-smu-ink.sis_research-5895
record_format dspace
spelling sg-smu-ink.sis_research-5895
2020-02-13T08:19:24Z
2018-06-06T07:00:00Z
text
application/pdf
info:doi/10.1109/TSE.2018.2844343
http://creativecommons.org/licenses/by-nc-nd/4.0/
Research Collection School Of Computing and Information Systems
eng
institution Singapore Management University
building SMU Libraries
continent Asia
country Singapore
content_provider SMU Libraries
collection InK@SMU
language English
topic Vulnerability detection
constraint solving
static analysis
search-based software engineering
Information Security
Software Engineering
description Malicious users can attack Web applications by exploiting injection vulnerabilities in the source code. This work addresses the challenge of detecting injection vulnerabilities in the server-side code of Java Web applications in a scalable and effective way. We propose an integrated approach that seamlessly combines security slicing with hybrid constraint solving; the latter orchestrates automata-based solving with meta-heuristic search. We use static analysis to extract minimal program slices relevant to security from Web programs and to generate attack conditions. We then apply hybrid constraint solving to determine the satisfiability of attack conditions and thus detect vulnerabilities. The experimental results, using a benchmark comprising a set of diverse and representative Web applications/services as well as security benchmark applications, show that our approach (implemented in the JOACO tool) is significantly more effective at detecting injection vulnerabilities than state-of-the-art approaches, achieving 98% recall, without producing any false alarm. We also compared the constraint solving module of our approach with state-of-the-art constraint solvers, using six different benchmark suites; our approach correctly solved the highest number of constraints (665 out of 672), without producing any incorrect result, and was the one with the least number of time-out/failing cases. In both scenarios, the execution time was practically acceptable, given the offline nature of vulnerability detection.
format text
author THOME, Julian
SHAR, Lwin Khin
BIANCULLI, Domenico
BRIAND, Lionel
title An integrated approach for effective injection vulnerability analysis of web applications through security slicing and hybrid constraint solving
publisher Institutional Knowledge at Singapore Management University
publishDate 2018
url https://ink.library.smu.edu.sg/sis_research/4892
https://ink.library.smu.edu.sg/context/sis_research/article/5895/viewcontent/an_integrated___AV.pdf