This paper investigates how to combine techniques of static and dynamic analysis for finding security vulnerabilities in java web applications. We present a hybrid analyzer that employs test case generation and dynami...
详细信息
ISBN:
(纸本)9783642283079;9783642283086
This paper investigates how to combine techniques of static and dynamic analysis for finding security vulnerabilities in java web applications. We present a hybrid analyzer that employs test case generation and dynamic taint analysis to achieve the goal of no false negatives and reduced false positives.
Priority in the development of Web applications is the implementation of security mechanisms. In order to detect potential security vulnerabilities and implement appropriate security mechanisms, it is necessary to per...
详细信息
ISBN:
(纸本)9781467329842;9781467329835
Priority in the development of Web applications is the implementation of security mechanisms. In order to detect potential security vulnerabilities and implement appropriate security mechanisms, it is necessary to perform a detailed analysis of the application. For the detection of potential failures in the process of applications development, the static analysis of source code is used. STASEC [1] is a tool for static analysis of source code of Web applications that are implemented using the java programming language. This paper presents a proposal for expansion of this tool with new module for the automatic detection of application vulnerabilities caused by manipulation of the input data on the client.
The ability to perform strong updates is the main contributor to the precision of flow-sensitive pointer analysis algorithms. Traditional flow-sensitive pointer analyses cannot strongly update pointers residing in the...
详细信息
ISBN:
(纸本)9783642310577;9783642310560
The ability to perform strong updates is the main contributor to the precision of flow-sensitive pointer analysis algorithms. Traditional flow-sensitive pointer analyses cannot strongly update pointers residing in the heap. This is a severe restriction for java programs. In this paper, we propose a new flow-sensitive pointer analysis algorithm for java that can perform strong updates on heap-based pointers effectively. Instead of points-to graphs, we represent our points-to information as maps from access paths to sets of abstract objects. We have implemented our analysis and run it on several large java benchmarks. The results show considerable improvement in precision over the points-to graph based flow-insensitive and flow-sensitive analyses, with reasonable running time.
In unstructured information retrieval P2P systems, semantic heterogeneity comes from the use of different ontologies. Semantic interoperability refers to the ability of peers to communicate with each others. We take i...
详细信息
ISBN:
(纸本)9781467328623
In unstructured information retrieval P2P systems, semantic heterogeneity comes from the use of different ontologies. Semantic interoperability refers to the ability of peers to communicate with each others. We take into account these notions separately, as raising two different problems. Hence we propose two independent and complementary solutions. The GoOD-TA protocol aims at reducing heterogeneity through ontology-driven topology adaptation. DiQuESh is a top-k algorithm for distributed information retrieval that is intended to ensure interoperability. This distinction enables highlighting their respective benefits on the IR performances and leads to a modular architecture. For our experiments we obtained a set of actively used real-world ontologies through the NCBO BioPortal. We implemented GoOD-TA and DiQuESH in java and used the PeerSim simulator. We first show that GoOD-TA nicely reduces the semantic heterogeneity related to the system topology, handles the evolution of peers' descriptors, and is suitable for dynamic systems. Then, GoOD-TA and DiQuESh are run simultaneously, with a significant increase of precision and recall. This enables to identify the indirect contribution of heterogeneity reduction obtained with GoOD-TA to improving interoperability.
This paper presents an automatic verification technique for transactional memory java programs executing under snapshot isolation level. We certify which transactions in a program are safe to execute under snapshot is...
详细信息
ISBN:
(纸本)9783642310577;9783642310560
This paper presents an automatic verification technique for transactional memory java programs executing under snapshot isolation level. We certify which transactions in a program are safe to execute under snapshot isolation without triggering the write-skew anomaly, opening the way to run-time optimizations that may lead to considerable performance enhancements. Our work builds on a novel deep-heap analysis technique based on separation logic to statically approximate the read-and write-sets of a transactional memory java program. We implement our technique and apply our tool to a set of micro benchmarks and also to one benchmark of the STAMP package. We corroborate known results, certifying some of the examples for safe execution under snapshot isolation by proving the absence of write-skew anomalies. In other cases our analysis has identified transactions that potentially trigger previously unknown write-skew anomalies.
Access modifiers allow java developers to define package and class interfaces tailored for different groups of clients. According to the principles of information hiding and encapsulation, the accessibility of types, ...
详细信息
Atomicity enforcement in a multi-threaded application can be critical to the application's safety. In this paper, we take the challenge of enforcing atomicity in a multilingual application, which is developed in m...
详细信息
Reference immutability ensures that a reference is not used to modify the referenced object, and enables the safe sharing of object structures. A pure method does not cause side-effects on the objects that existed in ...
详细信息
ISBN:
(纸本)9781450315616
Reference immutability ensures that a reference is not used to modify the referenced object, and enables the safe sharing of object structures. A pure method does not cause side-effects on the objects that existed in the pre-state of the method execution. Checking and inference of reference immutability and method purity enables a variety of program analyses and optimizations. We present ReIm, a type system for reference immutability, and ReImInfer, a corresponding type inference analysis. The type system is concise and context-sensitive. The type inference analysis is precise and scalable, and requires no manual annotations. In addition, we present a novel application of the reference immutability type system: method purity inference. To support our theoretical results, we implemented the type system and the type inference analysis for java. We include a type checker to verify the correctness of the inference result. Empirical results on java applications and libraries of up to 348kLOC show that our approach achieves both scalability and precision.
In this work we propose MOPBox, a library-based approach to runtime verification. MOPBox is a java library for defining and evaluating parametric runtime monitors. A user can define monitors through a simple set of AP...
详细信息
The java programming language and the java API evolve and this evolution certainly will continue in future. Upgrade to a new version of programminglanguage or API is nowadays usually done manually. We describe a new ...
详细信息
暂无评论