Finding Security Vulnerabilities in Java Applications with Static Analysis (2005)  (2 citations)
V. Benjamin Livshits, Monica S. Lam


View or download: stanford.edu/~livshit...usenixsec05.pdf

From: stanford.edu/~livshits/work

Abstract: This paper proposes a static analysis technique for detecting many recently discovered application vulnerabilities such as SQL injections, cross-site scripting, and HTTP splitting attacks. These vulnerabilities stem from unchecked input, which is widely recognized as the most common source of security vulnerabilities in Web applications. We propose a static analysis approach based on a scalable and precise points-to analysis. In our system, user-provided specifications of vulnerabilities are...

Cited by:
Using Datalog with Binary Decision Diagrams for Program.. - Whaley, Avots, Carbin, Lam
A Unified Approach for Preventing Attacks Exploiting a.. - Xu, Bhatkar, Sekar

Active bibliography (related documents):
16.1:   Finding Security Vulnerabilities in Java Applications - With Static Analysis
2.5:   Finding Security Vulnerabilities in Java Applications with.. - Livshits, Lam (2005)
0.3:   Code Injection in C and C++: A Survey of Vulnerabilities.. - Younan, Joosen, Piessens (2004)

Similar documents based on text:
1.0:   CV - Livshits
0.5:   Tracking Pointers with Path and Context Sensitivity for Bug.. - Livshits, Lam (2003)
0.4:   Finding Application Errors and Security Flaws Using PQL: a .. - Martin, Livshits, Lam (2005)

Related documents from co-citation:
2:   Language-Based Information-Flow Security - Sabelfeld, Myers - 2003

BibTeX entry:

V. Benjamin Livshits and Monica S. Lam. Finding security vulnerabilities in Java applications with static analysis. In USENIX Security Symposium, 2005. http://citeseer.ist.psu.edu/livshits05finding.html

@inproceedings{livshits05finding,
  author    = {V. Benjamin Livshits and Monica S. Lam},
  title     = {Finding Security Vulnerabilities in {Java} Applications with Static Analysis},
  booktitle = {USENIX Security Symposium},
  year      = {2005},
  url       = {http://citeseer.ist.psu.edu/livshits05finding.html}
}

Documents on the same site (http://suif.stanford.edu/~livshits/work.html):
Finding Security Vulnerabilities in Java Applications with.. - Livshits, Lam (2005)
Defining a Set of Common Benchmarks for Web Application Security - Livshits
Reflection Analysis for Java - Livshits, Whaley, Lam (2005)


CiteSeer.IST - Copyright Penn State and NEC