Skip to main content
SpringerLink
Log in

Hunting Application-Level Logical Errors

  • Conference paper
Engineering Secure Software and Systems (ESSoS 2012)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 7159))

Included in the following conference series:

Abstract

Business applications are complex artefacts implementing custom business logic. While much research effort has been put in the identification of technical vulnerabilities (such as buffer overflows and SQL injections), application-level logic vulnerabilities have drawn relatively limited attention, thus putting the application’s mission at risk. In this paper, we design, implement, and evaluate a novel heuristic application-independent framework, which combines static and dynamic analysis, input vector, and information extraction analysis, along with a fuzzy logic system, so as to detect and assert the criticality of application-level logic vulnerabilities in Java stand-alone GUI applications.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Cova, M., Felmetsger, V., Banks, G., Vigna, G.: Static Detection of Vulnerabilities in x86 Executables. In: Proc. of the 22nd Annual Computer Security Applications Conference (ACSAC 2006), USA, pp. 269–278 (December 2006)

    Google Scholar 

  2. Halfond, W., Choudhary, S., Orso, A.: Penetration Testing with Improved Input Vector Identification. In: Proc. of the 2009 International Conference on Software Testing Verification and Validation (ICST 2009), pp. 346–355. IEEE Computer Society, USA (2009)

    Chapter  Google Scholar 

  3. Zhou, J., Vigna, G.: Detecting Attacks That Exploit Application-Logic Errors Through Application-Level Auditing. In: Proc. of the 20th Annual Computer Security Applications Conference (ACSAC 2004), USA, pp. 168-178 (December 2004)

    Google Scholar 

  4. Newsome, J., Song, D.: Dynamic Taint Analysis for Automatic Detection, Analysis and Signature Generation of Exploits on Commodity Software. In: Proc. of the Network and Distributed System Security Conference (NDSS 2005), USA (February 2005)

    Google Scholar 

  5. Tevis, J., Hamilton, A.: Static Analysis of Anomalies and Security Vulnerabilities in Executable Files. In: Proc. of the 44th Annual Southeast Regional Conference, USA (2006)

    Google Scholar 

  6. Jovanovic, N., Kruegel, C., Kirda, E.: Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities. In: Proc. of IEEE Symposium on Security and Privacy (S&P 2006), USA, pp. 258–263 (2006)

    Google Scholar 

  7. Stergiopoulos G.: Development of a methodology for identifying logical vulnerabilities in application penetration testing, M.Sc. Thesis, Athens University of Economics & Business (AUEB), Greece (2011) (in Greek)

    Google Scholar 

  8. Ernst, M., Perkins, J., Guo, P., McCamant, S., Pacheco, C., Tschantz, M., Xiao, C.: The Daikon Invariant Detector User Manual. MIT, USA (2007)

    MATH  Google Scholar 

  9. Felmetsger, V., Cavedon, L., Kruegel, C., Vigna, J.: Toward Automated Detection of Logic Vulnerabilities in Web Applications. In: Proc. of the 19th USENIX Security Symposium, USA (2010)

    Google Scholar 

  10. Charpentier, F.: Common Criteria Web Application Security Scoring (CCWAPSS) (November 2007), http://www.xmco.fr/whitepapers/ccwapss_1.1.pdf

  11. Mehlitz, P., et al.: Java PathFinder. Ames Research Center, NASA, USA, http://babelfish.arc.nasa.gov/trac/jpf/wiki

  12. Livshits, S., Lam, F.: Finding Security Vulnerabilities in Java Applications with Static Analysis. In: Proc. of the 14th USENIX Security Symposium, USA (2005)

    Google Scholar 

  13. Cingolani, P.: Open Source Fuzzy Logic library and FCL language implementation, http://jfuzzylogic.sourceforge.net/html/index.html

  14. Fuger, S., et al.: ebXML Registry Information Model, ver. 3.0 (2005)

    Google Scholar 

  15. OWL 2 Web Ontology Language Document Overview, W3C Recommendation (2009)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Information Security and Critical Infrastructure Protection Research Laboratory, Dept. of Informatics, Athens University of Economics and Business (AUEB), 76 Patission Ave., Athens, GR-10434, Greece

    George Stergiopoulos, Bill Tsoumas & Dimitris Gritzalis

Authors
  1. George Stergiopoulos
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Bill Tsoumas
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Dimitris Gritzalis
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Gilles Barthe Benjamin Livshits Riccardo Scandariato

Rights and permissions

Reprints and permissions

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Stergiopoulos, G., Tsoumas, B., Gritzalis, D. (2012). Hunting Application-Level Logical Errors. In: Barthe, G., Livshits, B., Scandariato, R. (eds) Engineering Secure Software and Systems. ESSoS 2012. Lecture Notes in Computer Science, vol 7159. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-28166-2_13

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-28166-2_13

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-28165-5

  • Online ISBN: 978-3-642-28166-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation