CS 595C -
Dependable Web Applications via String Analysis - Spring 2009
Description:
Most web applications contain bugs and vulnerabilities that are due to incorrect manipulation of strings.
In this seminar we will discuss techniques for analyzing Web applications to find bugs and vulnerabilities related to
strings.
Each student will be asked to present a paper and read the papers
that are presented.
Instructor:
Tevfik Bultan
Meeting time:
Tuesdays 4:00pm-5:00pm
Location: Computer Science Meeting Room (HFH 1152)
Enrollement Code: 75929
Presentations
- April 14th: Fang Yu will present papers 1 and 2.
- April 21st: Chris Coakley will present paper 3.
- April 28th: Muath Alkhalaf will present paper 4.
- May 5th: Jaideep Nijjar will present paper 8.
- May 12th: Jeff Browne will present paper 6.
- May 19th: Krithika Ananthakrishnan will present paper 5.
- May 26th: Yiming Li will present paper 7.
- June 2nd: Marcus Jang will present paper 9.
Papers
-
Fang Yu, Tevfik Bultan, Marco Cova, Oscar H. Ibarra:
Symbolic String Verification: An Automata-Based Approach. SPIN 2008: 306-324
-
Fang Yu, Tevfik Bultan, Oscar H. Ibarra:
Symbolic String Verification: Combining String Analysis and Size Analysis. TACAS 2009: 322-336
- Nikolaj Bjørner, Nikolai Tillmann, Andrei Voronkov:
Path Feasibility Analysis for String-Manipulating Programs. TACAS 2009: 307-321
- Adam Kiezun,
Vijay Ganesh,
Philip Guo,
Pieter Hooimeijer,
Michael D. Ernst:
HAMPI: A solver for string constraints. MIT technical report.
- Michael Emmi, Rupak Majumdar, Koushik Sen:
Dynamic test input generation for database applications. ISSTA 2007: 151-162
-
Gary Wassermann, Dachuan Yu, Ajay Chander, Dinakar Dhurjati, Hiroshi Inamura, Zhendong Su:
Dynamic test input generation for web applications. ISSTA 2008: 249-260
- Gary Wassermann, Zhendong Su:
Static detection of cross-site scripting vulnerabilities. ICSE 2008: 171-180
- William G. J. Halfond, Alessandro Orso:
Improving test case generation for web applications using automated interface discovery. ESEC/SIGSOFT FSE 2007: 145-154
- William G. J. Halfond, Alessandro Orso:
Automated identification of parameter mismatches in web applications. SIGSOFT FSE 2008: 181-191
- W. Halfond, S. Anand, and A. Orso:
Precise Interface Identification to Improve Testing and Analysis of Web Applications
International Symposium on Testing and Analysis (ISSTA 2009) - To Appear.
- S. Artzi, A. Kieżun, J. Dolby, F. Tip, D. Dig, A. Paradkar, and M. D. Ernst:
Finding bugs in dynamic web applications
In ISSTA 2008, Proceedings of the 2008 International Symposium on Software Testing and Analysis, (Seattle, WA, USA), July 22-24, 2008, pp. 261-272.
- A. Kieżun, P. J. Guo, K. Jayaraman, and M. D. Ernst:
Automatic creation of SQL injection and cross-site scripting attacks
In ICSE'09, Proceedings of the 30th International Conference on Software Engineering, (Vancouver, BC, Canada), May 20-22, 2009.