More Precise Analysis of Dynamically Generated String Expressions in Web Applications with Input Validation
Summary :
The string analysis is a static analysis of dynamically generated strings in a target program, which is applied to check well-formed string construction in web applications. The string analysis constructs a finite state automaton that approximates a set of possible strings generated for a particular string variable at a program location at runtime. A drawback in the string analysis is imprecision in the analysis result, leading to false positives in the well-formedness checkers. To address the imprecision, this paper proposes an improvement technique of the string analysis to make it perform more precise analysis with respect to input validation in web applications. This paper presents the improvement by annotations representing screening of a set of possible strings, and empirical evaluation with experiments of the improved analyzer on real-world web applications.
- Publication
- IEICE TRANSACTIONS on Information Vol.E96-D No.6 pp.1278-1285
- Publication Date
- 2013/06/01
- Publicized
- Online ISSN
- 1745-1361
- DOI
- 10.1587/transinf.E96.D.1278
- Type of Manuscript
- Special Section PAPER (Special Section on Formal Approach)
- Category
- Static Analysis
Authors
Seikoh NISHITA
Takushoku University
Keyword
Latest Issue
Copyrights notice of machine-translated contents
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Cite this
Copy
Seikoh NISHITA, "More Precise Analysis of Dynamically Generated String Expressions in Web Applications with Input Validation" in IEICE TRANSACTIONS on Information,
vol. E96-D, no. 6, pp. 1278-1285, June 2013, doi: 10.1587/transinf.E96.D.1278.
Abstract: The string analysis is a static analysis of dynamically generated strings in a target program, which is applied to check well-formed string construction in web applications. The string analysis constructs a finite state automaton that approximates a set of possible strings generated for a particular string variable at a program location at runtime. A drawback in the string analysis is imprecision in the analysis result, leading to false positives in the well-formedness checkers. To address the imprecision, this paper proposes an improvement technique of the string analysis to make it perform more precise analysis with respect to input validation in web applications. This paper presents the improvement by annotations representing screening of a set of possible strings, and empirical evaluation with experiments of the improved analyzer on real-world web applications.
URL: https://global.ieice.org/en_transactions/information/10.1587/transinf.E96.D.1278/_p
Copy
@ARTICLE{e96-d_6_1278,
author={Seikoh NISHITA, },
journal={IEICE TRANSACTIONS on Information},
title={More Precise Analysis of Dynamically Generated String Expressions in Web Applications with Input Validation},
year={2013},
volume={E96-D},
number={6},
pages={1278-1285},
abstract={The string analysis is a static analysis of dynamically generated strings in a target program, which is applied to check well-formed string construction in web applications. The string analysis constructs a finite state automaton that approximates a set of possible strings generated for a particular string variable at a program location at runtime. A drawback in the string analysis is imprecision in the analysis result, leading to false positives in the well-formedness checkers. To address the imprecision, this paper proposes an improvement technique of the string analysis to make it perform more precise analysis with respect to input validation in web applications. This paper presents the improvement by annotations representing screening of a set of possible strings, and empirical evaluation with experiments of the improved analyzer on real-world web applications.},
keywords={},
doi={10.1587/transinf.E96.D.1278},
ISSN={1745-1361},
month={June},}
Copy
TY - JOUR
TI - More Precise Analysis of Dynamically Generated String Expressions in Web Applications with Input Validation
T2 - IEICE TRANSACTIONS on Information
SP - 1278
EP - 1285
AU - Seikoh NISHITA
PY - 2013
DO - 10.1587/transinf.E96.D.1278
JO - IEICE TRANSACTIONS on Information
SN - 1745-1361
VL - E96-D
IS - 6
JA - IEICE TRANSACTIONS on Information
Y1 - June 2013
AB - The string analysis is a static analysis of dynamically generated strings in a target program, which is applied to check well-formed string construction in web applications. The string analysis constructs a finite state automaton that approximates a set of possible strings generated for a particular string variable at a program location at runtime. A drawback in the string analysis is imprecision in the analysis result, leading to false positives in the well-formedness checkers. To address the imprecision, this paper proposes an improvement technique of the string analysis to make it perform more precise analysis with respect to input validation in web applications. This paper presents the improvement by annotations representing screening of a set of possible strings, and empirical evaluation with experiments of the improved analyzer on real-world web applications.
ER -
English
