Security slicing for auditing common injection vulnerabilities

Bianculli, Domenico ; Thome, Julian ; et al.

In: Journal of Systems and Software, Jg. 137 (2018-03-01), S. 766-783

Online unknown

Zugriff:

Cross-site scripting and injection vulnerabilities are among the most common and serious security issues for Web applications. Although existing static analysis approaches can detect potential vulnerabilities in source code, they generate many false warnings and source-sink traces with irrelevant information, making their adoption impractical for security auditing. One suitable approach to support security auditing is to compute a program slice for each sink, which contains all the information required for security auditing. However, such slices are likely to contain a large amount of information that is irrelevant to security, thus raising scalability issues for security audits. In this paper, we propose an approach to assist security auditors by defining and experimenting with pruning techniques to reduce original program slices to what we refer to as security slices, which contain sound and precise information. To evaluate the proposed approach, we compared our security slices to the slices generated by a state-of-the-art program slicing tool, based on a number of open-source benchmarks. On average, our security slices are 76% smaller than the original slices. More importantly, with security slicing, one needs to audit approximately 1% of the total code to fix all the vulnerabilities, thus suggesting significant reduction in auditing costs.

Titel:	Security slicing for auditing common injection vulnerabilities
Autor/in / Beteiligte Person:	Bianculli, Domenico ; Thome, Julian ; Briand, Lionel C. ; Lwin Khin Shar ; Fonds National de la Recherche - FnR [sponsor] ; Interdisciplinary Centre for Security, Reliability and Trust (SnT) > Software Verification and Validation Lab (SVV Lab) [research center]
Link:	View record in OpenAIRE (Volltext) E-Journal im Bestand der UB Hagen? https://doi.org/10.1016/j.jss.2017.02.040
Zeitschrift:	Journal of Systems and Software, Jg. 137 (2018-03-01), S. 766-783
Veröffentlichung:	Elsevier BV, 2018
Medientyp:	unknown
ISSN:	0164-1212 (print)
DOI:	10.1016/j.jss.2017.02.040
Schlagwort:	Computer science vulnerability automated code fixing Vulnerability 02 engineering and technology Audit Computer security computer.software_genre Asset (computer security) Security testing Security information and event management Information security audit 0202 electrical engineering, electronic engineering, information engineering Web application Vulnerability (computing) Computer science [C05] [Engineering, computing & technology] Security bug business.industry 020207 software engineering Static analysis Computer security model Sciences informatiques [C05] [Ingénierie, informatique & technologie] Security auditing static analysis Security service Hardware and Architecture Software security assurance Security through obscurity 020201 artificial intelligence & image processing business computer Software Countermeasure (computer) Information Systems
Sonstiges:	Nachgewiesen in: OpenAIRE Rights: OPEN

Klicken Sie ein Format an und speichern Sie dann die Daten oder geben Sie eine Empfänger-Adresse ein und lassen Sie sich per Email zusenden.

BibTeX Citavi, JabRef, u.a.
(Literaturverwaltung)

PDF kein Volltext!
(Merkzettel, Notizen)

RIS Endnote, Citavi u.a.
(Literaturverwaltung)

MODS
(XML zur Weiterverarbeitung)

oder

Wählen Sie das für Sie passende Zitationsformat und kopieren Sie es dann in die Zwischenablage, lassen es sich per Mail zusenden oder speichern es als PDF-Datei.

Gewünschter Zitations-Stil:

oder

Bitte prüfen Sie, ob die Zitation formal korrekt ist, bevor Sie sie in einer Arbeit verwenden. Benutzen Sie gegebenenfalls den "Exportieren"-Dialog, wenn Sie ein Literaturverwaltungsprogramm verwenden und die Zitat-Angaben selbst formatieren wollen.