Skip to main content
Fachgebiete
Automobil + Motoren Bauwesen + Immobilien Business IT + Informatik Elektrotechnik + Elektronik Energie + Nachhaltigkeit Finance + Banking Management + Führung Marketing + Vertrieb Maschinenbau + Werkstoffe Versicherung + Risiko
DE
EN
Bücher
Zeitschriften
Themenseiten
Organisationspsychologie Projektmanagement Marketing Smart Manufacturing
Weitere Formate
Podcasts Webinare Technik Webinare Wirtschaft Kongresse Veranstaltungskalender Awards
Jetzt Einzelzugang starten
Zugang für Unternehmen
Referenzkunden
SLX-Digitalkonferenz: Zukunftswerkstatt 2024

Mehr Umsatz mit Top-Kontakten

Am 7. Mai erfahren Sie, wie Vertriebsteams Leadgenerierung, Leadnurturing und Leadstrategien effizient steuern können.
Erweiterte Suche
Anmelden
nach oben
Erschienen in:
Learning-Based Testing of Distributed Microservice Architectures: Correctness and Fault Injection Kapitel lesen Erstes Kapitel lesen

2015 | OriginalPaper | Buchkapitel

GuideForce: Type-Based Enforcement of Programming Guidelines

verfasst von : Serdar Erbatur, Martin Hofmann

Erschienen in: Software Engineering and Formal Methods

Verlag: Springer Berlin Heidelberg

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config
loading …

Abstract

In this paper, we introduce the GuideForce project, whose aim is to develop automatic methods based on type systems and abstract interpretation that are capable of checking that programming guidelines related to secure web programming are correctly and reasonably applied. We outline the project plan and motivation and then describe a pilot study carried out with Soot, a Java-based program analysis framework. While still maintaining high accuracy and efficiency, the focus on guidelines adds a new human-oriented component to static analysis.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

  • über 102.000 Bücher
  • über 537 Zeitschriften

aus folgenden Fachgebieten:

  • Automobil + Motoren
  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Elektrotechnik + Elektronik
  • Energie + Nachhaltigkeit
  • Finance + Banking
  • Management + Führung
  • Marketing + Vertrieb
  • Maschinenbau + Werkstoffe
  • Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

  • über 67.000 Bücher
  • über 390 Zeitschriften

aus folgenden Fachgebieten:

  • Automobil + Motoren
  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Elektrotechnik + Elektronik
  • Energie + Nachhaltigkeit
  • Maschinenbau + Werkstoffe




 

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

  • über 67.000 Bücher
  • über 340 Zeitschriften

aus folgenden Fachgebieten:

  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Finance + Banking
  • Management + Führung
  • Marketing + Vertrieb
  • Versicherung + Risiko




Jetzt Wissensvorsprung sichern!

Jetzt informieren
Vorheriges Kapitel Exploring the Role of Logic and Formal Methods in Information Systems Education
Nächstes Kapitel Clustering Formulation Using Constraint Optimization
Fußnoten
2
Above, fname is shorthand for first name, lname for last name and salary for annual salary.
 
Literatur
1.
2.
3.
4.
5.
6.
7.
8.
Aderhold, M., Cuellar, J., Mantel, H., Sudbrock, H.: Exemplary formalization of secure coding guidelines. Technical report TUD-CS-2010-0060, TU Darmstadt, Germany (2010)
9.
Annamaa, A., Breslav, A., Kabanov, J., Vene, V.: An interactive tool for analyzing embedded SQL queries. In: Ueda, K. (ed.) APLAS 2010. LNCS, vol. 6461, pp. 131–138. Springer, Heidelberg (2010)CrossRef
10.
Arzt, S., Rasthofer, S., Fritz, C., Bodden, E., Bartel, A., Klein, J., Le Traon, Y., Octeau, D., McDaniel, P.: Flowdroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps. In: O’Boyle, M.F.P., Pingali, K. (eds.) ACM Conference on Programming Language Design and Implementation, PLDI 2014, Edinburgh, United Kingdom, 09–11 June 2014, p. 29. ACM (2014)
11.
Ball, T., Rajamani, S.K.: The SLAM project: debugging system software via static analysis. In: Launchbury, J., Mitchell, J.C. (eds.) The 29th ACM Symposium on Principles of Programming Languages, Portland, OR, USA, 16–18 January 2002, pp. 1–3. ACM (2002)
12.
Beringer, L., Grabowski, R., Hofmann, M.: Verifying pointer and string analyses with region type systems. In: Clarke, E.M., Voronkov, A. (eds.) LPAR-16 2010. LNCS, vol. 6355, pp. 82–102. Springer, Heidelberg (2010)CrossRef
13.
Chelf, B., Engler, D.R., Hallem, S.: How to write system-specific, static checkers in metal. In: Dwyer, M.B., Palsberg, J. (eds.) Proceedings of the Workshop on Program Analysis for Software Tools and Engineering, PASTE 2002, Charleston, South Carolina, USA, 18–19 November 2002, pp. 51–60. ACM (2002)
14.
Chess, B., West, J.: Secure Programming with Static Analysis, 1st edn. Addison-Wesley Professional, Reading (2007)
15.
Grabowski, R., Hofmann, M., Li, K.: Type-based enforcement of secure programming guidelines — code injection prevention at SAP. In: Barthe, G., Datta, A., Etalle, S. (eds.) FAST 2011. LNCS, vol. 7140, pp. 182–197. Springer, Heidelberg (2012)CrossRef
16.
Halfond, W.G.J., Orso, A.: Preventing SQL injection attacks using AMNESIA. In: 28th IEEE and ACM SIGSOFT International Conference on Software Engineering (ICSE 2006) - Formal Demos track (May 2006)
17.
Heidegger P., Bieniusa, A., Thiemann, P.: Access permission contracts for scripting languages. In: Field, J., Hicks, M. (eds.) Proceedings of the 39th ACM Symposium on Principles of Programming Languages, POPL 2012, Philadelphia, Pennsylvania, USA, 22–28 January 2012, pp. 111–122. ACM (2012)
18.
Heidegger, P., Thiemann, P.: Recency types for analyzing scripting languages. In: D’Hondt, T. (ed.) ECOOP 2010. LNCS, vol. 6183, pp. 200–224. Springer, Heidelberg (2010)CrossRef
19.
Huang, W., Dong, Y., Milanova, A.: Type-based taint analysis for Java web applications. In: Gnesi, S., Rensink, A. (eds.) FASE 2014 (ETAPS). LNCS, vol. 8411, pp. 140–154. Springer, Heidelberg (2014)CrossRef
20.
Huang, Y.-W., Huang, S.-K., Lin, T.-P., Tsai, C.-H.: Web application security assessment by fault injection and behavior monitoring. In: WWW 2003: Proceedings of the 12th International Conference on World Wide Web, pp. 148–159. ACM, New York, NY, USA (2003)
21.
Jovanovic, N., Kruegel, C., Kirda, E.: Pixy: a static analysis tool for detecting web application vulnerabilities (short paper). In: SP 2006: Proceedings of the 2006 IEEE Symposium on Security and Privacy, pp. 258–263. IEEE Computer Society, Washington, DC, USA (2006)
22.
23.
Lam, P., Bodden, E., Lhoták, O., Hendren, L.: The soot framework for java program analysis: a retrospective. In: Cetus Users and Compiler Infastructure Workshop (CETUS 2011) (2011)
24.
Laud, P.: Secrecy types for a simulatable cryptographic library. In: Atluri, V., Meadows, C., Juels, A. (eds.) ACM Conference on Computer and Communications Security, pp. 26–35. ACM (2005)
25.
Laud, P., Uustalu, T., Vene, V.: Type systems equivalent to data-flow analyses for imperative languages. Theor. Comput. Sci. 364(3), 292–310 (2006)MATHMathSciNetCrossRef
26.
Livshits, V.B., Lam, M.S.: Finding security vulnerabilities in java applications with static analysis. In: SSYM 2005: Proceedings of the 14th Conference on USENIX Security Symposium, pp. 18–18. USENIX Association, Berkeley, CA, USA (2005)
27.
Mantel, H., Sudbrock, H.: Types vs. PDGs in information flow analysis. In: Albert, E. (ed.) LOPSTR 2012. LNCS, vol. 7844, pp. 106–121. Springer, Heidelberg (2013)CrossRef
28.
Moy, Y.: Static analysis is not just for finding bugs. CrossTalk J. Defense Softw. Eng. 23(5), 5–8 (2010)
29.
Nielson, F., Nielson, H.R., Hankin, C.: Principles of Program Analysis. Springer, Berlin (1999)MATHCrossRef
30.
31.
32.
Pierce, B.C.: Types and Programming Languages. MIT Press, Cambridge (2002)
33.
Reps, T.W., Horwitz, S., Sagiv, S.: Precise interprocedural dataflow analysis via graph reachability. In: Cytron, R.K., Lee, P. (eds.) POPL 1995: 22nd ACM Symposium on Principles of Programming Languages, San Francisco, California, USA, 23–25 January 1995, pp. 49–61. ACM Press (1995)
34.
Schneider, F.B.: Enforceable security policies. ACM Trans. Inf. Syst. Secur. 3(1), 30–50 (2000)CrossRef
35.
Sharir, M., Pnueli, A.: Two approaches to interprocedural data flow analysis. In: Muchnick, S.S., Jones, N.D. (eds.) Program Flow Analysis - Theory and Applications, pp. 189–233. Prentice-Hall, Englewood Cliffs (1981)
36.
Smith, G.: A new type system for secure information flow. In: CSFW, pp. 115–125. IEEE Computer Society (2001)
37.
Su, Z., Wassermann, G.: The essence of command injection attacks in web applications. In: Proceedings of the 33rd Annual Symposium on Principles of Programming Languages, pp. 372–382, Charleston, SC, January 2006. ACM Press, New York, NY, USA
38.
Tripp, O., Pistoia, M., Cousot, P., Cousot, R., Guarnieri, S.: Andromeda: accurate and scalable security analysis of web applications. In: Cortellessa, V., Varró, D. (eds.) FASE 2013 (ETAPS 2013). LNCS, vol. 7793, pp. 210–225. Springer, Heidelberg (2013)CrossRef
39.
Vallée-Rai, R., Co, P., Gagnon, E., Hendren, L.J., Lam, P., Sundaresan, V.: Soot - a java bytecode optimization framework. In: MacKay, S.A., Johnson, J.H. (eds.) Proceedings of the Conference of the Centre for Advanced Studies on Collaborative Research, 8–11 November 1999, Mississauga, Ontario, Canada, pp. 13. IBM (1999)
40.
Walker, D.: A type system for expressive security policies. In: Wegman, M.N., Reps, T.W. (eds.) POPL 2000, Proceedings of the 27th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, Boston, Massachusetts, USA, 19–21 January 2000, pp. 254–267. ACM (2000)
41.
Wassermann, G., Su, Z.: Sound and precise analysis of web applications for injection vulnerabilities. In: Proceedings of the ACM SIGPLAN 2007 Conference on Programming Language Design and Implementation, San Diego, CA, June 2007. ACM Press, New York, NY, USA
42.
Wassermann, G., Su, Z.: Static detection of cross-site scripting vulnerabilities. In: Proceedings of the 30th International Conference on Software Engineering, Leipzig, Germany, May 2008. ACM Press, New York, NY, USA
Metadaten
Titel
GuideForce: Type-Based Enforcement of Programming Guidelines
verfasst von
Serdar Erbatur
Martin Hofmann
Copyright-Jahr
2015
Verlag
Springer Berlin Heidelberg
Buch
Software Engineering and Formal Methods

Print ISBN: 978-3-662-49223-9

Electronic ISBN: 978-3-662-49224-6

Copyright-Jahr: 2015

DOI
https://doi.org/10.1007/978-3-662-49224-6_8