Team for Research in
Ubiquitous Secure Technology

11. Static Detection of Security Vulnerabilities in Scripting Languages
Yichen Xie, Alex Aiken

Citation
Yichen Xie, Alex Aiken. "11. Static Detection of Security Vulnerabilities in Scripting Languages". 15th USENIX Security Symposium,, 179-192, July, 2006.

Abstract
We present a static analysis algorithm for detecting security vulnerabilities in PHP, a popular server-side scripting language for building web applications. Our analysis employs a novel three-tier architecture to capture information at decreasing levels of granularity at the intrablock, intraprocedural, and interprocedural level. This architecture enables us to handle dynamic features of scripting languages that have not been adequately addressed by previous techniques. We demonstrate the effectiveness of our approach on six popular open source PHP code bases, finding 105 previously unknown security vulnerabilities, most of which we believe are remotely exploitable.

Electronic downloads

Citation formats  
  • HTML
    Yichen Xie, Alex Aiken. <a
    href="http://www.truststc.org/pubs/616.html"
    >11.	Static Detection of Security Vulnerabilities in
    Scripting Languages</a>, 15th USENIX Security
    Symposium,, 179-192, July, 2006.
  • Plain text
    Yichen Xie, Alex Aiken. "11.	Static Detection of
    Security Vulnerabilities in Scripting Languages". 15th
    USENIX Security Symposium,, 179-192, July, 2006.
  • BibTeX
    @inproceedings{XieAiken06_11StaticDetectionOfSecurityVulnerabilitiesInScripting,
        author = {Yichen Xie and Alex Aiken},
        title = {11.	Static Detection of Security Vulnerabilities
                  in Scripting Languages},
        booktitle = {15th USENIX Security Symposium,},
        pages = {179-192},
        month = {July},
        year = {2006},
        abstract = {We present a static analysis algorithm for
                  detecting security vulnerabilities in PHP, a
                  popular server-side scripting language for
                  building web applications. Our analysis employs a
                  novel three-tier architecture to capture
                  information at decreasing levels of granularity at
                  the intrablock, intraprocedural, and
                  interprocedural level. This architecture enables
                  us to handle dynamic features of scripting
                  languages that have not been adequately addressed
                  by previous techniques. We demonstrate the
                  effectiveness of our approach on six popular open
                  source PHP code bases, finding 105 previously
                  unknown security vulnerabilities, most of which we
                  believe are remotely exploitable.},
        URL = {http://www.truststc.org/pubs/616.html}
    }
    

Posted by Jessica Gamble on 18 Mar 2009.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.