loading
Papers Papers/2020

Research.Publish.Connect.

Paper

Authors: Sophie Lathouwers 1 ; Maarten Everts 2 and Marieke Huisman 1

Affiliations: 1 Formal Methods and Tools, University of Twente, Enschede, The Netherlands ; 2 Services and Cybersecurity, University of Twente & TNO, Enschede, The Netherlands

Keyword(s): Automata Learning, Sanitizers, Symbolic Finite Transducers, Injection Attacks, Software Verification.

Abstract: String sanitizers are widely used functions for preventing injection attacks such as SQL injections and cross-site scripting (XSS). It is therefore crucial that the implementations of such string sanitizers are correct. We present a novel approach to reason about a sanitizer’s correctness by automatically generating a model of the implementation and comparing it to a model of the expected behaviour. To automatically derive a model of the implementation of the sanitizer, this paper introduces a black-box learning algorithm that derives a Symbolic Finite Transducer (SFT). This black-box algorithm uses membership and equivalence oracles to derive such a model. In contrast to earlier research, SFTs not only describe the input or output language of a sanitizer but also how a sanitizer transforms the input into the output. As a result, we can reason about the transformations from input into output that are performed by the sanitizer. We have implemented this algorithm in an open-source too l of which we show that it can reason about the correctness of non-trivial sanitizers within a couple of minutes without any adjustments to the existing sanitizers. (More)

CC BY-NC-ND 4.0

Sign In Guest: Register as new SciTePress user now for free.

Sign In SciTePress user: please login.

PDF ImageMy Papers

You are not signed in, therefore limits apply to your IP address 3.237.16.210

In the current month:
Recent papers: 100 available of 100 total
2+ years older papers: 200 available of 200 total

Paper citation in several formats:
Lathouwers, S.; Everts, M. and Huisman, M. (2020). Verifying Sanitizer Correctness through Black-Box Learning: A Symbolic Finite Transducer Approach. In Proceedings of the 6th International Conference on Information Systems Security and Privacy - ForSE, ISBN 978-989-758-399-5; ISSN 2184-4356, pages 784-795. DOI: 10.5220/0009371207840795

@conference{forse20,
author={Sophie Lathouwers. and Maarten Everts. and Marieke Huisman.},
title={Verifying Sanitizer Correctness through Black-Box Learning: A Symbolic Finite Transducer Approach},
booktitle={Proceedings of the 6th International Conference on Information Systems Security and Privacy - ForSE,},
year={2020},
pages={784-795},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0009371207840795},
isbn={978-989-758-399-5},
issn={2184-4356},
}

TY - CONF

JO - Proceedings of the 6th International Conference on Information Systems Security and Privacy - ForSE,
TI - Verifying Sanitizer Correctness through Black-Box Learning: A Symbolic Finite Transducer Approach
SN - 978-989-758-399-5
IS - 2184-4356
AU - Lathouwers, S.
AU - Everts, M.
AU - Huisman, M.
PY - 2020
SP - 784
EP - 795
DO - 10.5220/0009371207840795

0123movie.net