Combining Static and Dynamic Analysis for Vulnerability Detection
In this paper, we present a hybrid approach for buffer overflow detection in
C code. The approach makes use of static and dynamic analysis of the
application under investigation. The static part consists of calculating taint
dependency sequences (TDS) between user-controlled inputs and vulnerable
statements. This process is akin to computing a program slice of interest to
obtain the tainted data- and control-flow paths that exhibit the dependence between
tainted program inputs and vulnerable statements in the code. The dynamic part
consists of executing the program along TDSs to trigger the vulnerability by
generating suitable inputs. We use a genetic algorithm to generate inputs. We
propose a fitness function that approximates the program behavior (control
flow) based on the frequencies of the statements along TDSs. This runtime
aspect makes the approach faster and more accurate. We provide experimental results
on the Verisec benchmark to validate our approach.
Comment: There are 15 pages with 1 figur
Structural Learning of Attack Vectors for Generating Mutated XSS Attacks
Web applications suffer from cross-site scripting (XSS) attacks that
result from incomplete or incorrect input sanitization. Learning the
structure of attack vectors could enrich the variety of manifestations in
generated XSS attacks. In this study, we focus on generating more threatening
XSS attacks for the state-of-the-art detection approaches that can find
potential XSS vulnerabilities in Web applications, and propose a mechanism for
structural learning of attack vectors with the aim of generating mutated XSS
attacks in a fully automatic way. Mutated XSS attack generation depends on the
analysis of attack vectors and the structural learning mechanism. For the
kernel of the learning mechanism, we use a Hidden Markov model (HMM) as the
structure of the attack vector model to capture the implicit manner of the
attack vector; this manner is derived from the syntactic meanings that are
labeled by the proposed tokenizing mechanism. Bayes' theorem is used to
determine the number of hidden states in the model for generalizing the
structure model. The contributions of the paper are as follows: (1)
automatically learning the structure of attack vectors from practical data
analysis in order to build a structural model of attack vectors, (2) mimicking the manners
and the elements of attack vectors to extend the ability of testing tools to
identify XSS vulnerabilities, and (3) helping to verify flaws in the
blacklist sanitization procedures of Web applications. We evaluated the
proposed mechanism using Burp Intruder with a dataset collected from public XSS
archives. The results show that mutated XSS attack generation can identify
potential vulnerabilities.
Comment: In Proceedings TAV-WEB 2010, arXiv:1009.330
Information flow analysis for a dynamically typed language with staged metaprogramming
Web applications written in JavaScript are regularly used for dealing with sensitive or personal data. Consequently, reasoning about their security properties has become an important problem, which is made very difficult by the highly dynamic nature of the language, particularly its support for runtime code generation via eval. In order to deal with this, we propose to investigate security analyses for languages with more principled forms of dynamic code generation. To this end, we present a static information flow analysis for a dynamically typed functional language with prototype-based inheritance and staged metaprogramming. We prove its soundness, implement it and test it on various examples designed to show its relevance to proving security properties, such as noninterference, in JavaScript. To demonstrate the applicability of the analysis, we also present a general method for transforming a program using eval into one using staged metaprogramming. To our knowledge, this is the first fully static information flow analysis for a language with staged metaprogramming, and the first formal soundness proof of a CFA-based information flow analysis for a functional programming language.
Causality - Complexity - Consistency: Can Space-Time Be Based on Logic and Computation?
The difficulty of explaining non-local correlations in a fixed causal
structure sheds new light on the old debate on whether space and time are to be
seen as fundamental. Refraining from assuming space-time as given a priori has
a number of consequences. First, the usual definitions of randomness depend on
a causal structure and turn meaningless. So motivated, we propose an intrinsic,
physically motivated measure for the randomness of a string of bits: its length
minus its normalized work value, a quantity we closely relate to its Kolmogorov
complexity (the length of the shortest program making a universal Turing
machine output this string). We test this alternative concept of randomness for
the example of non-local correlations, and we end up with a reasoning that
leads to similar conclusions as, but is conceptually more direct than, the
probabilistic view, since only the outcomes of measurements that can actually
all be carried out together are put into relation to each other. In the same
context-free spirit, we connect the logical reversibility of an evolution to
the second law of thermodynamics and the arrow of time. Refining this, we end
up with a speculation on the emergence of a space-time structure on bit strings
in terms of data-compressibility relations. Finally, we show that logical
consistency, by which we replace the abandoned causality, is a strictly weaker
constraint than the latter in the multi-party case.
Comment: 17 pages, 16 figures, small correction
Generic Black-Box End-to-End Attack Against State of the Art API Call Based Malware Classifiers
In this paper, we present a black-box attack against API call based machine
learning malware classifiers, focusing on generating adversarial sequences
combining API calls and static features (e.g., printable strings) that will be
misclassified by the classifier without affecting the malware functionality. We
show that this attack is effective against many classifiers due to the
transferability principle between RNN variants, feed forward DNNs, and
traditional machine learning classifiers such as SVM. We also implement GADGET,
a software framework to convert any malware binary to a binary undetected by
malware classifiers, using the proposed attack, without access to the malware
source code.
Comment: Accepted as a conference paper at RAID 201
Towards Efficient Maximum Likelihood Estimation of LPV-SS Models
How to efficiently identify multiple-input multiple-output (MIMO) linear
parameter-varying (LPV) discrete-time state-space (SS) models with affine
dependence on the scheduling variable still remains an open question, as
identification methods proposed in the literature suffer heavily from the curse
of dimensionality and/or depend on over-restrictive approximations of the
measured signal behaviors. However, obtaining an SS model of the targeted
system is crucial for many LPV control synthesis methods, as these synthesis
tools are almost exclusively formulated for the aforementioned representation
of the system dynamics. Therefore, in this paper, we tackle the problem by
combining state-of-the-art LPV input-output (IO) identification methods with an
LPV-IO to LPV-SS realization scheme and a maximum likelihood refinement step.
The resulting modular LPV-SS identification approach achieves statistical
efficiency with a relatively low computational load. The method consists of the
following three steps: 1) estimation of the Markov coefficient sequence of the
underlying system using correlation analysis or Bayesian impulse response
estimation, then 2) LPV-SS realization of the estimated coefficients by using a
basis-reduced Ho-Kalman method, and 3) refinement of the LPV-SS model estimate
from a maximum-likelihood point of view by a gradient-based or an
expectation-maximization optimization methodology. The effectiveness of the
full identification scheme is demonstrated by a Monte Carlo study where our
proposed method is compared to existing schemes for identifying a MIMO LPV
system.