
On Business Logic Vulnerabilities Hunting: The APP_LogGIC Framework

Conference paper. In: Network and System Security (NSS 2013).

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 7873)

Abstract

While considerable research effort has been put into the identification of technical vulnerabilities, such as buffer overflows or SQL injections, business logic vulnerabilities have drawn limited attention. Logic vulnerabilities are an important class of defects that result from faulty application logic. Business logic refers to requirements implemented in algorithms that reflect the intended functionality of an application; e.g. in an online shop application, a logic rule could be that each cart must register only one discount coupon per product. In this paper, we extend a novel heuristic and automated method for the detection of logic vulnerabilities which we presented in a previous publication. This method detects logic vulnerabilities and assesses their criticality in Java GUI applications using static and dynamic analysis together with a fuzzy logic system that compares and ranks its findings, in an effort to minimize false positives and false negatives. An extensive analysis of the code ranking system is given along with empirical results that demonstrate its potential.
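The coupon rule quoted in the abstract is a good illustration of why logic vulnerabilities escape scanners built for technical bugs: nothing overflows, nothing is injected, every input is individually valid, yet the application does the wrong thing. The following Java snippet is an added example written for this page, not code from the paper or from the APP_LogGIC framework, and the cart classes, the product identifier and the prices are constructed for illustration. It places a cart that never encodes the "one coupon per product" rule beside a hardened cart that enforces it, and adds a stand-alone invariant check of the kind a dynamic-analysis pass could evaluate against observed prices.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Added example (not the paper's code). Business rule under test:
// "each cart must register only one discount coupon per product".
public class CouponLogicDemo {

    // Constructed sample data: one product priced at 100.00, coupons worth 30% each.
    static final String PRODUCT = "SKU-1001";
    static final int BASE_PRICE_CENTS = 10_000;
    static final int COUPON_PCT = 30;

    // Vulnerable cart: each coupon is validated on its own (range check only here),
    // but nothing expresses the per-product limit, so coupons stack and compound.
    static class VulnerableCart {
        private final Map<String, List<Integer>> discounts = new HashMap<>();

        void applyCoupon(String product, int percentOff) {
            if (percentOff <= 0 || percentOff > 100) {
                throw new IllegalArgumentException("invalid coupon percentage");
            }
            discounts.computeIfAbsent(product, k -> new ArrayList<>()).add(percentOff);
        }

        int priceOf(String product, int basePriceCents) {
            int price = basePriceCents;
            for (int pct : discounts.getOrDefault(product, List.of())) {
                price -= price * pct / 100;   // three 30% coupons: 10000 -> 7000 -> 4900 -> 3430
            }
            return Math.max(price, 0);
        }
    }

    // Hardened cart: the business rule is an explicit precondition of applyCoupon,
    // so a second coupon for the same product is rejected at the boundary.
    static class HardenedCart {
        private final Map<String, Integer> discount = new HashMap<>();

        void applyCoupon(String product, int percentOff) {
            if (percentOff <= 0 || percentOff > 100) {
                throw new IllegalArgumentException("invalid coupon percentage");
            }
            if (discount.containsKey(product)) {
                throw new IllegalStateException("rule violated: one coupon per product (" + product + ")");
            }
            discount.put(product, percentOff);
        }

        int priceOf(String product, int basePriceCents) {
            Integer pct = discount.get(product);
            return pct == null ? basePriceCents : basePriceCents - basePriceCents * pct / 100;
        }
    }

    // Invariant derived from the rule: with at most one coupon of maxSinglePct per
    // product, the final price can never drop below base * (1 - maxSinglePct/100).
    // A dynamic-analysis pass can evaluate this on every observed checkout.
    static boolean respectsOneCouponRule(int basePriceCents, int maxSinglePct, int finalPriceCents) {
        int floor = basePriceCents - basePriceCents * maxSinglePct / 100;
        return finalPriceCents >= floor;
    }

    public static void main(String[] args) {
        VulnerableCart bad = new VulnerableCart();
        for (int i = 0; i < 3; i++) {
            bad.applyCoupon(PRODUCT, COUPON_PCT);     // accepted three times, no error
        }
        int badPrice = bad.priceOf(PRODUCT, BASE_PRICE_CENTS);
        System.out.println("vulnerable cart price: " + badPrice
                + " cents, invariant holds: " + respectsOneCouponRule(BASE_PRICE_CENTS, COUPON_PCT, badPrice));

        HardenedCart good = new HardenedCart();
        good.applyCoupon(PRODUCT, COUPON_PCT);
        try {
            good.applyCoupon(PRODUCT, COUPON_PCT);    // second coupon for same product
        } catch (IllegalStateException e) {
            System.out.println("hardened cart rejected: " + e.getMessage());
        }
        int goodPrice = good.priceOf(PRODUCT, BASE_PRICE_CENTS);
        System.out.println("hardened cart price: " + goodPrice
                + " cents, invariant holds: " + respectsOneCouponRule(BASE_PRICE_CENTS, COUPON_PCT, goodPrice));
    }
}
```

The vulnerable path is the instructive one: every call returns normally and every value is in range, so only a check that knows the intended rule (here, the price floor implied by a single coupon) can flag the defect. That is the gap between technical vulnerability scanning and the logic-level analysis the abstract describes.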




Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Stergiopoulos, G., Tsoumas, B., Gritzalis, D. (2013). On Business Logic Vulnerabilities Hunting: The APP_LogGIC Framework. In: Lopez, J., Huang, X., Sandhu, R. (eds) Network and System Security. NSS 2013. Lecture Notes in Computer Science, vol 7873. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-38631-2_18


  • DOI: https://doi.org/10.1007/978-3-642-38631-2_18

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-38630-5

  • Online ISBN: 978-3-642-38631-2

  • eBook Packages: Computer Science (R0)
