A Symbolic Execution Framework for JavaScript

Cited by: 203
Authors
Saxena, Prateek [1]
Akhawe, Devdatta [1]
Hanna, Steve [1]
Mao, Feng [1]
McCamant, Stephen [1]
Song, Dawn [1]
Affiliations
[1] Univ Calif Berkeley, Dept EECS, Div Comp Sci, Berkeley, CA 94720 USA
Source
2010 IEEE SYMPOSIUM ON SECURITY AND PRIVACY | 2010
Keywords
web security; symbolic execution; string decision procedures
DOI
10.1109/SP.2010.38
Chinese Library Classification number
TP301 [Theory, Methods]
Discipline classification code
081202
Abstract
As AJAX applications gain popularity, client-side JavaScript code is becoming increasingly complex. However, few automated vulnerability analysis tools for JavaScript exist. In this paper, we describe the first system for exploring the execution space of JavaScript code using symbolic execution. To handle JavaScript code's complex use of string operations, we design a new language of string constraints and implement a solver for it. We build an automatic end-to-end tool, Kudzu, and apply it to the problem of finding client-side code injection vulnerabilities. In experiments on 18 live web applications, Kudzu automatically discovers 2 previously unknown vulnerabilities and 9 more that were previously found only with a manually-constructed test suite.
Pages: 513-528
Page count: 16