Verifying Sanitizer Correctness through Black-Box Learning: A Symbolic Finite Transducer Approach

Sophie Lathouwers, Maarten Everts, Marieke Huisman

Abstract

String sanitizers are widely used functions for preventing injection attacks such as SQL injection and cross-site scripting (XSS). It is therefore crucial that the implementations of such string sanitizers are correct. We present a novel approach to reason about a sanitizer's correctness by automatically generating a model of the implementation and comparing it to a model of the expected behaviour. To automatically derive a model of the implementation of the sanitizer, this paper introduces a black-box learning algorithm that derives a Symbolic Finite Transducer (SFT). This black-box algorithm uses membership and equivalence oracles to derive such a model. In contrast to earlier research, SFTs not only describe the input or output language of a sanitizer but also how a sanitizer transforms the input into the output. As a result, we can reason about the transformations from input into output that are performed by the sanitizer. We have implemented this algorithm in an open-source tool and show that it can reason about the correctness of non-trivial sanitizers within a couple of minutes, without any adjustments to the existing sanitizers.
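As an added illustration (not the paper's tool or code), the sketch below writes down a small SFT that models the expected input-to-output transformation of an HTML escaper, then performs a sample-based equivalence check of two candidate implementations against that model; the model, the sample inputs and the deliberately incomplete `naive_escape` are constructed here, and Python's `html.escape` stands in for a real sanitizer under test.

```python
from html import escape


class SFT:
    """Symbolic finite transducer: transitions are guarded by predicates over
    characters rather than single symbols, and each carries an output function,
    so the model describes the transformation itself, not just a language."""

    def __init__(self, start, transitions):
        self.start = start
        # state -> [(guard, emit, next_state)]; the first matching guard wins
        self.transitions = transitions

    def run(self, text):
        state, out = self.start, []
        for ch in text:
            for guard, emit, nxt in self.transitions[state]:
                if guard(ch):
                    out.append(emit(ch))
                    state = nxt
                    break
            else:  # a partial model: no transition means "behaviour unspecified"
                raise ValueError(f"no transition for {ch!r} in state {state}")
        return "".join(out)


# Constructed specification of an HTML escaper: five metacharacters are
# rewritten to entities, every other character is copied unchanged.
ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;"}
html_model = SFT("q0", {"q0": [
    (lambda c: c in ESCAPES, lambda c: ESCAPES[c], "q0"),  # dangerous chars
    (lambda c: True, lambda c: c, "q0"),                    # identity otherwise
]})


def correct_escape(s):            # implementation under test #1
    return escape(s, quote=True)


def naive_escape(s):              # implementation under test #2 (forgets '&' and quotes)
    return s.replace("<", "&lt;").replace(">", "&gt;")


def find_counterexample(model, impl, inputs):
    """Finite-sample stand-in for an equivalence oracle: return the first input
    on which model and implementation disagree, or None if they agree."""
    for s in inputs:
        if model.run(s) != impl(s):
            return s
    return None


SAMPLE_INPUTS = ["", "plain text", "<script>alert(1)</script>", "a&b", 'x="1"', "it's"]
```

Running `find_counterexample(html_model, naive_escape, SAMPLE_INPUTS)` yields `"a&b"`, the input on which the model's `&amp;` and the naive implementation's unchanged `&` diverge, while `correct_escape` produces no counterexample on this sample.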


Paper Citation


in Harvard Style

Lathouwers S., Everts M. and Huisman M. (2020). Verifying Sanitizer Correctness through Black-Box Learning: A Symbolic Finite Transducer Approach. In Proceedings of the 6th International Conference on Information Systems Security and Privacy - Volume 1: ForSE, ISBN 978-989-758-399-5, pages 784-795. DOI: 10.5220/0009371207840795


in Bibtex Style

@conference{forse20,
author={Sophie Lathouwers and Maarten Everts and Marieke Huisman},
title={Verifying Sanitizer Correctness through Black-Box Learning: A Symbolic Finite Transducer Approach},
booktitle={Proceedings of the 6th International Conference on Information Systems Security and Privacy - Volume 1: ForSE},
year={2020},
pages={784-795},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0009371207840795},
isbn={978-989-758-399-5},
}


in EndNote Style

TY - CONF

JO - Proceedings of the 6th International Conference on Information Systems Security and Privacy - Volume 1: ForSE
TI - Verifying Sanitizer Correctness through Black-Box Learning: A Symbolic Finite Transducer Approach
SN - 978-989-758-399-5
AU - Lathouwers S.
AU - Everts M.
AU - Huisman M.
PY - 2020
SP - 784
EP - 795
DO - 10.5220/0009371207840795