11. Static Detection of Security Vulnerabilities in Scripting Languages

11. Static Detection of Security Vulnerabilities in Scripting Languages
Yichen Xie, Alex Aiken

Citation
Yichen Xie, Alex Aiken. "11. Static Detection of Security Vulnerabilities in Scripting Languages". 15th USENIX Security Symposium,, 179-192, July, 2006.

Abstract
We present a static analysis algorithm for detecting security vulnerabilities in PHP, a popular server-side scripting language for building web applications. Our analysis employs a novel three-tier architecture to capture information at decreasing levels of granularity at the intrablock, intraprocedural, and interprocedural level. This architecture enables us to handle dynamic features of scripting languages that have not been adequately addressed by previous techniques. We demonstrate the effectiveness of our approach on six popular open source PHP code bases, finding 105 previously unknown security vulnerabilities, most of which we believe are remotely exploitable.

Electronic downloads

http://theory.stanford.edu/~aiken/publications/papers/usenix06.pdf

Citation formats

HTML

Yichen Xie, Alex Aiken. <a
href="http://www.truststc.org/pubs/616.html"
>11.	Static Detection of Security Vulnerabilities in
Scripting Languages</a>, 15th USENIX Security
Symposium,, 179-192, July, 2006.

Plain text

Yichen Xie, Alex Aiken. "11.	Static Detection of
Security Vulnerabilities in Scripting Languages". 15th
USENIX Security Symposium,, 179-192, July, 2006.

BibTeX

@inproceedings{XieAiken06_11StaticDetectionOfSecurityVulnerabilitiesInScripting,
    author = {Yichen Xie and Alex Aiken},
    title = {11.	Static Detection of Security Vulnerabilities
              in Scripting Languages},
    booktitle = {15th USENIX Security Symposium,},
    pages = {179-192},
    month = {July},
    year = {2006},
    abstract = {We present a static analysis algorithm for
              detecting security vulnerabilities in PHP, a
              popular server-side scripting language for
              building web applications. Our analysis employs a
              novel three-tier architecture to capture
              information at decreasing levels of granularity at
              the intrablock, intraprocedural, and
              interprocedural level. This architecture enables
              us to handle dynamic features of scripting
              languages that have not been adequately addressed
              by previous techniques. We demonstrate the
              effectiveness of our approach on six popular open
              source PHP code bases, finding 105 previously
              unknown security vulnerabilities, most of which we
              believe are remotely exploitable.},
    URL = {http://www.truststc.org/pubs/616.html}
}

Posted by Jessica Gamble on 18 Mar 2009.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.