DOI: 10.1145/2610384.2610401

Semantic differential repair for input validation and sanitization

Published: 21 July 2014

Abstract

Correct validation and sanitization of user input is crucial in web applications for avoiding security vulnerabilities and erroneous application behavior. We present an automated differential repair technique for input validation and sanitization functions. Differential repair can be used within an application to repair client- and server-side code with respect to each other, or across applications in order to strengthen the validation and sanitization checks. Given a reference and a target function, our differential repair technique strengthens the validation and sanitization operations in the target function based on the reference function. It does this by synthesizing three patches: a validation patch, a length patch, and a sanitization patch. Our automated patch synthesis algorithms are based on forward and backward symbolic string analyses that use automata as a symbolic representation. Composing the three automatically synthesized patches with the original target function yields the repaired function, which provides stronger validation and sanitization than both the target and the reference functions.
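The abstract describes the shape of the repaired function: a validation patch, a length patch and a sanitization patch composed with the original target. The JavaScript below is an added illustration of that structure, not code from the paper or its authors. The two validators (a hypothetical client-side `targetClient` and a hypothetical server-side `referenceServer`), the three patches and the sample inputs are all constructed for this example; the patches are written by hand, whereas the paper synthesizes them automatically with automata-based forward and backward string analysis, which is not reproduced here.

```javascript
// Added illustration of the repaired-function structure described in the
// abstract. All function names, constraints and sample inputs are assumptions
// made for this example; the paper derives the patches automatically.

// Target: hypothetical client-side validator. Returns the value to submit,
// or null to reject. It lower-cases and bounds length, but does not sanitize.
function targetClient(input) {
  if (input.length > 20) return null;
  return input.toLowerCase();
}

// Reference: hypothetical server-side validator. Rejects empty input and
// strips angle brackets, but imposes no length bound.
function referenceServer(input) {
  if (input.length === 0) return null;
  return input.replace(/[<>]/g, "");
}

// Validation patch: reject every input the reference rejects.
function validationPatch(input) {
  return referenceServer(input) !== null;
}

// Length patch: the tighter of the two length bounds. The target allows 20
// characters and the reference has no bound, so 20 is the repaired limit.
const MAX_LEN = 20;
function lengthPatch(s) {
  return s.length <= MAX_LEN;
}

// Sanitization patch: the reference's sanitization, applied to the target's
// output so the result lies in the reference's output language as well.
function sanitizationPatch(s) {
  return s.replace(/[<>]/g, "");
}

// Repaired target = validation patch, original target, length patch,
// sanitization patch, composed in that order.
function repaired(input) {
  if (!validationPatch(input)) return null;
  const out = targetClient(input);
  if (out === null) return null;
  if (!lengthPatch(out)) return null;
  return sanitizationPatch(out);
}

// Sampled check that the repaired function is at least as strict as both
// originals: it rejects whatever either of them rejects, and whatever it
// accepts satisfies both functions' output constraints (lower case, no angle
// brackets, bounded length). A sampled check is not the automata-based
// guarantee the paper provides; it only exercises the constructed inputs.
function strongerThanBoth(samples) {
  return samples.every((x) => {
    const r = repaired(x);
    if (targetClient(x) === null || referenceServer(x) === null) return r === null;
    if (r === null) return true; // being stricter still is allowed
    return r === r.toLowerCase() && !/[<>]/.test(r) && r.length <= MAX_LEN;
  });
}

// Constructed sample inputs, including cases where the two originals disagree:
// "" is accepted by the target only, the 21-character string by the reference only.
const SAMPLES = ["", "Alice", "<script>", "A".repeat(21), "<b>Bob</b>"];
```

Running `repaired` over `SAMPLES` rejects `""` (the reference would) and the 21-character string (the target would), and turns `"<b>Bob</b>"` into `"bbob/b"`, which neither original alone produces. Note that the sanitization patch runs after the target: stripping characters can shrink an output into something the reference would reject if it saw it as fresh input (for instance `"<>"` becomes `""`), so the order in which the patches are composed is part of the design, not an incidental detail.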



Published In

ISSTA 2014: Proceedings of the 2014 International Symposium on Software Testing and Analysis
July 2014
460 pages
ISBN:9781450326452
DOI:10.1145/2610384
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. Differential repair
  2. automated repair
  3. input validation and sanitization
  4. string analysis

Qualifiers

  • Research-article

Conference

ISSTA '14

Acceptance Rates

Overall Acceptance Rate 58 of 213 submissions, 27%

Article Metrics

  • Downloads (Last 12 months)20
  • Downloads (Last 6 weeks)0
Reflects downloads up to 07 Mar 2025

Cited By

  • (2024) Parse Me, Baby, One More Time: Bypassing HTML Sanitizer via Parsing Differentials. 2024 IEEE Symposium on Security and Privacy (SP), pp. 203-221. DOI: 10.1109/SP54263.2024.00177. Online publication date: 19 May 2024.
  • (2023) Katana: Dual Slicing Based Context for Learning Bug Fixes. ACM Transactions on Software Engineering and Methodology 32(4), pp. 1-27. DOI: 10.1145/3579640. Online publication date: 27 May 2023.
  • (2022) LogInjector: Detecting Web Application Log Injection Vulnerabilities. Applied Sciences 12(15), article 7681. DOI: 10.3390/app12157681. Online publication date: 30 July 2022.
  • (2022) Quantifying permissiveness of access control policies. Proceedings of the 44th International Conference on Software Engineering, pp. 1805-1817. DOI: 10.1145/3510003.3510233. Online publication date: 21 May 2022.
  • (2022) Quality of Automated Program Repair on Real-World Defects. IEEE Transactions on Software Engineering 48(2), pp. 637-661. DOI: 10.1109/TSE.2020.2998785. Online publication date: 1 February 2022.
  • (2022) Hand Sanitizers in the Wild: A Large-scale Study of Custom JavaScript Sanitizer Functions. 2022 IEEE 7th European Symposium on Security and Privacy (EuroS&P), pp. 236-250. DOI: 10.1109/EuroSP53844.2022.00023. Online publication date: June 2022.
  • (2021) Attacks on Vulnerable Web Applications. 2021 International Conference on Intelligent Technologies (CONIT), pp. 1-5. DOI: 10.1109/CONIT51480.2021.9498396. Online publication date: 25 June 2021.
  • (2019) Automatic Software Repair. IEEE Transactions on Software Engineering 45(1), pp. 34-67. DOI: 10.1109/TSE.2017.2755013. Online publication date: 1 January 2019.
  • (2019) InFix. Proceedings of the 34th IEEE/ACM International Conference on Automated Software Engineering, pp. 399-410. DOI: 10.1109/ASE.2019.00045. Online publication date: 10 November 2019.
  • (2019) Segate. Proceedings of the 34th IEEE/ACM International Conference on Automated Software Engineering, pp. 200-212. DOI: 10.1109/ASE.2019.00028. Online publication date: 10 November 2019.
