Abstract
Business applications are complex artefacts implementing custom business logic. While much research effort has been put in the identification of technical vulnerabilities (such as buffer overflows and SQL injections), application-level logic vulnerabilities have drawn relatively limited attention, thus putting the application’s mission at risk. In this paper, we design, implement, and evaluate a novel heuristic application-independent framework, which combines static and dynamic analysis, input vector, and information extraction analysis, along with a fuzzy logic system, so as to detect and assert the criticality of application-level logic vulnerabilities in Java stand-alone GUI applications.
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Stergiopoulos, G., Tsoumas, B., Gritzalis, D. (2012). Hunting Application-Level Logical Errors. In: Barthe, G., Livshits, B., Scandariato, R. (eds) Engineering Secure Software and Systems. ESSoS 2012. Lecture Notes in Computer Science, vol 7159. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-28166-2_13
DOI: https://doi.org/10.1007/978-3-642-28166-2_13
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-28165-5
Online ISBN: 978-3-642-28166-2
eBook Packages: Computer Science (R0)