@InProceedings{1994:pldi:austin, author = "Todd M. Austin and Scott E. Breach and Gurindar S. Sohi", title = "Efficient Detection of All Pointer and Array Access Errors", booktitle = "Proceedings of the {ACM} {SIGPLAN}~'94 Conference on Programming Language Design and Implementation", year = "1994", pages = "290--301", URL = "http://www.acm.org/pubs/articles/proceedings/pldi/178243/p290-austin/p290-austin.pdf", genterms = "EXPERIMENTATION, LANGUAGES, PERFORMANCE", categories = "D.3.4 Software, PROGRAMMING LANGUAGES, Processors, Optimization. F.3.3 Theory of Computation, LOGICS AND MEANINGS OF PROGRAMS, Studies of Program Constructs. D.3.2 Software, PROGRAMMING LANGUAGES, Language Classifications, C. D.3.3 Software, PROGRAMMING LANGUAGES, Language Constructs and Features.", abstract = "We present a pointer and array access checking technique that provides complete error coverage through a simple set of program transformations. Our technique, based on an extended safe pointer representation, has a number of novel aspects. Foremost, it is the first technique that detects all spatial and temporal access errors. Its use is not limited by the expressiveness of the language; that is, it can be applied successfully to compiled or interpreted languages with subscripted and mutable pointers, local references, and explicit and typeless dynamic storage management, e.g., C. Because it is a source level transformation, it is amenable to both compile- and run-time optimization. Finally, its performance, even without compile-time optimization, is quite good. We implemented a prototype translator for the C language and analyzed the checking overheads of six non-trivial, pointer intensive programs. Execution overheads range from 130 to 540; with text and data size overheads typically below 100." } @InProceedings{CoWaPuBeWa2000, author = "Crispin Cowan and Perry Wagle and Calton Pu and Steve Beattie and Jonathan Walpole", title = "Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade", URL = "http://www.immunix.org/StackGuard/discex00.pdf", added-by = "Ahmad Sadeghi", added-at = "Mon Dec 16 15:57:23 2002", abstract = "Buffer overflows have been the most common form of security vulnerability for the last ten years. More over, buffer overflow vulnerabilities dominate the area of remote network penetration vulnerabilities, where an anonymous Internet user seeks to gain partial or total control of a host. If buffer overflow vulnerabilities could be effectively eliminated, a very large portion of the most serious security threats would also be eliminated. In this paper, we survey the various types of buffer overflow vulnerabilities and attacks, and survey the various defensive measures that mitigate buffer overflow vulnerabilities, including our own StackGuard method. We then consider which combinations of techniques can eliminate the problem of buffer overflow vulnerabilities, while preserving the functionality and performance of existing systems.", booktitle = "Proceedings of the {DARPA} Information Survivability Conference and Exposition ({DISCEX} 2000)", month = jan, publisher = "{IEEE} Computer Society Press", year = "2000", annote = "Overview of sources and attack strategies of buffer overflow as well as known techniques to mitigate the risk.", } @InProceedings{CheWag2002, author = "Hao Chen and David Wagner", title = "{MOPS}: an infrastructure for examining security properties of software", URL = "http://doi.acm.org/10.1145/586110.586142", added-by = "msteiner", added-at = "Sun Nov 16 19:25:43 2003", abstract = "We describe a formal approach for finding bugs in security-relevant software and verifying their absence. The idea is as follows: we identify rules of safe programming practice, encode them as safety properties, and verify whether these properties are obeyed. Because manual verification is too expensive, we have built a program analysis tool to automate this process. Our program analysis models the program to be verified as a pushdown automaton, represents the security property as a finite state automaton, and uses model checking techniques to identify whether any state violating the desired security goal is reachable in the program. The major advantages of this approach are that it is sound in verifying the absence of certain classes of vulnerabilities, that it is fully interprocedural, and that it is efficient and scalable. Experience suggests that this approach will be useful in finding a wide range of security vulnerabilities in large programs efficiently.", pages = "235--244", booktitle = "Proceedings of the 9th {ACM} Conference on Computer and Communications Security", month = nov, editor = "Ravi Sandhu", address = "Washington, DC, USA", publisher = "ACM Press", year = "2002", } @InProceedings{HiAhMc2006, author = "Boniface Hicks and Kiyan Ahmadizadeh and Patrick {McDaniel}", title = "Understanding Practical Application Development in Security-typed Languages", URL = "http://www.acsac.org/2006/papers/101.pdf", added-by = "msteiner", added-at = "Mon Jan 8 08:32:37 2007", abstract = "Security-typed languages are an evolving tool for implementing systems with provable security guarantees. However, to date, these tools have only been used to build simple ``toy'' programs. As described in this paper, we have developed the first real-world, security-typed application: a secure email system written in the Java language variant Jif. Real-world policies are mapped onto the information flows controlled by the language primitives, and we consider the process and tractability of broadly enforcing security policy in commodity applications. We find that while the language provided the rudimentary tools to achieve low-level security goals, additional tools, services, and language extensions were necessary to formulate and enforce application policy. We detail the design and use of these tools. We also show how the strong guarantees of Jif in conjunction with our policy tools can be used to evaluate security. This work serves as a starting point--we have demonstrated that it is possible to implement real-world systems and policy using security-typed languages. However, further investigation of the developer tools and supporting policy infrastructure is necessary before they can fulfill their considerable promise of enabling more secure systems.", booktitle = "22nd Annual Computer Security Applications Conference", month = dec, organization = "ACM", year = "2006", annote = "Explore building real-world application (email) with JIF and encounter a number of issues regarding development (incremental, debugging) but also policy-wise (e.g., higher-level trust specification). A number of issues are corrected in JIF 3.0? See also \cite{ChViMy2007} and \cite{AskSab2005}.", } @InProceedings{conf/popl/SuW06, title = "The essence of command injection attacks in web applications", author = "Zhendong Su and Gary Wassermann", bibdate = "2006-02-21", bibsource = "DBLP, http://dblp.uni-trier.de/db/conf/popl/popl2006.html#SuW06", booktitle = "Proceedings of the 33rd {ACM} {SIGPLAN}-{SIGACT} Symposium on Principles of Programming Languages, {POPL} 2006, Charleston, South Carolina, {USA}, January 11-13, 2006", publisher = "ACM", year = "2006", editor = "J. Gregory Morrisett and Simon L. Peyton Jones", ISBN = "1-59593-027-2", pages = "372--382", URL = "http://doi.acm.org/10.1145/1111037.1111070", } @InProceedings{Shankar:2001:DFS, author = "Umesh Shankar and Kunal Talwar and Jeffrey S. Foster and David Wagner", title = "Detecting Format String Vulnerabilities with Type Qualifiers", editor = "{USENIX}", booktitle = "Proceedings of the Tenth {USENIX} Security Symposium, August 13--17, 2001, Washington, {DC}, {USA}", publisher = "USENIX", address = "pub-USENIX:adr", ISBN = "1-880446-18-9, 1-880446-07-3", pages = "??--??", year = "2001", bibdate = "Tue Oct 15 16:52:27 2002", URL = "http://www.usenix.org/publications/library/proceedings/sec01/shankar.html", acknowledgement = "Nelson H. F. Beebe, University of Utah, Department of Mathematics, 110 LCB, 155 S 1400 E RM 233, Salt Lake City, UT 84112-0090, USA, Tel: +1 801 581 5254, FAX: +1 801 581 4148, e-mail: \path|beebe@math.utah.edu|, \path|beebe@acm.org|, \path|beebe@computer.org| (Internet), URL: \path|http://www.math.utah.edu/~beebe/|", } @InProceedings{Larochelle:2001:SDL, author = "David Larochelle and David Evans", title = "Statically Detecting Likely Buffer Overflow Vulnerabilities", editor = "{USENIX}", booktitle = "Proceedings of the Tenth {USENIX} Security Symposium, August 13--17, 2001, Washington, {DC}, {USA}", publisher = "USENIX", address = "pub-USENIX:adr", ISBN = "1-880446-18-9, 1-880446-07-3", pages = "??--??", year = "2001", bibdate = "Tue Oct 15 16:52:27 2002", URL = "http://www.usenix.org/publications/library/proceedings/sec01/larochelle.html", acknowledgement = "Nelson H. F. Beebe, University of Utah, Department of Mathematics, 110 LCB, 155 S 1400 E RM 233, Salt Lake City, UT 84112-0090, USA, Tel: +1 801 581 5254, FAX: +1 801 581 4148, e-mail: \path|beebe@math.utah.edu|, \path|beebe@acm.org|, \path|beebe@computer.org| (Internet), URL: \path|http://www.math.utah.edu/~beebe/|", } @InProceedings{conf/sigsoft/HalfondOM06, title = "Using positive tainting and syntax-aware evaluation to counter {SQL} injection attacks", author = "William G. J. Halfond and Alessandro Orso and Panagiotis Manolios", bibdate = "2007-01-26", bibsource = "DBLP, http://dblp.uni-trier.de/db/conf/sigsoft/fse2006.html#HalfondOM06", booktitle = "Proceedings of the 14th {ACM} {SIGSOFT} International Symposium on Foundations of Software Engineering, {FSE} 2005, Portland, Oregon, {USA}, November 5-11, 2006", publisher = "ACM", year = "2006", editor = "Michal Young and Premkumar T. Devanbu", ISBN = "1-59593-468-5", pages = "175--185", URL = "http://doi.acm.org/10.1145/1181775.1181797", } @InProceedings{HaChFr2005, author = "Vivek Haldar and Deepak Chandra and Michael Franz", title = "Dynamic Taint Propagation for Java", URL = "http://www.acsac.org/2005/papers/45.pdf, http://doi.ieeecomputersociety.org/10.1109/CSAC.2005.21", added-by = "msteiner", added-at = "Wed Apr 4 12:54:28 2007", abstract = "Improperly validated user input is the underlying root cause for a wide variety of attacks on web-based applications. Static approaches for detecting this problem help at the time of development, but require source code and report a number of false positives. Hence, they are of little use for securing fully deployed and rapidly evolving applications. We propose a dynamic solution that tags and tracks user input at runtime and prevents its improper use to maliciously afSect the execution of the program. Our implementation can be transparently applied to Java class files, and does not require source code. Benchmarks show that the overhead of this runtime enforcement is negligible and can prevent a number of attacks.", pages = "274--282", booktitle = "21st Annual Computer Security Applications Conference", month = dec, organization = "ACM", year = "2005", } @InProceedings{conf/sec/Nguyen-TuongGGSE05, title = "Automatically Hardening Web Applications Using Precise Tainting", author = "Anh Nguyen-Tuong and Salvatore Guarnieri and Doug Greene and Jeff Shirley and David Evans", bibdate = "2006-05-31", bibsource = "DBLP, http://dblp.uni-trier.de/db/conf/sec/sec2005.html#Nguyen-TuongGGSE05", booktitle = "Security and Privacy in the Age of Ubiquitous Computing, {IFIP} {TC11} 20th International Conference on Information Security ({SEC} 2005), May 30 - June 1, 2005, Chiba, Japan", publisher = "Springer", year = "2005", editor = "Ry{\^o}ichi Sasaki and Sihan Qing and Eiji Okamoto and Hiroshi Yoshiura", ISBN = "0-387-25658-X", pages = "295--308", } @InProceedings{VNJKKV2007, author = "Philipp Vogt and Florian Nentwich and Nenad Jovanovic and Christopher Kruegel and Engin Kirda and Giovanni Vigna", title = "Cross Site Scripting Prevention with Dynamic Data Tainting and Static Analysis", URL = "http://www.infosys.tuwien.ac.at/staff/ek/papers/xss_prevention.pdf", added-by = "msteiner", added-at = "Fri Jan 26 13:34:27 2007", abstract = "Cross-site scripting (XSS) is an attack against web applications in which scripting code is injected into the output of an application that is then sent to a user's web browser. In the browser, this scripting code is executed and used to transfer sensitive data to a third party (i.e., the attacker). Currently, most approaches attempt to prevent XSS on the server side by inspecting and modifying the data that is exchanged between the web application and the user. Unfortunately, it is often the case that vulnerable applications are not fixed for a considerable amount of time, leaving the users vulnerable to attacks. The solution presented in this paper stops XSS attacks on the client side by tracking the flow of sensitive information inside the web browser. If sensitive information is about to be transferred to a third party, the user can decide if this should be permitted or not. As a result, the user has an additional protection layer when surfing the web, without solely depending on the security of the web application.", booktitle = "Proceedings of the Symposium on Network and Distributed Systems Security ({NDSS} 2007)", month = feb, address = "San Diego, CA", year = "2007", organization = "Internet Society", annote = "Hybrid static/dynamic taint-analysis in Browser via client-side modification. Used to detect XSS attacks in terms of info-flow to 3rd-parties (in which case user is asked). Implemented in Firefox. See also \url{http://wp.netscape.com/eng/mozilla/3.0/handbook/javascript/advtopic.htm} for taint-support in JavaScript/Netscape 3 including the list of initial source of taint values also used in this document. See also their earlier related work~\cite{KiKrViJo2006}.", } @InProceedings{Livshits05a, author = "V. Benjamin Livshits and Monica S. Lam", title = "Finding Security Vulnerabilities in Java Applications Using Static Analysis", booktitle = "Proceedings of the 14th USENIX Security Symposium", month = aug, year = "2005", keywords = "software reliability, static \& dynamic analyses,", } @InProceedings{conf/sp/JovanovicKK06, title = "Pixy: {A} Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper)", author = "Nenad Jovanovic and Christopher Kr{\"u}gel and Engin Kirda", publisher = "IEEE Computer Society", year = "2006", bibdate = "2006-09-06", bibsource = "DBLP, http://dblp.uni-trier.de/db/conf/sp/sp2006.html#JovanovicKK06", booktitle = "IEEE Symposium on Security and Privacy", ISBN = "0-7695-2574-1", pages = "258--263", URL = "http://doi.ieeecomputersociety.org/10.1109/SP.2006.29", } @InProceedings{necula96:safe, author = "George C. Necula and Peter Lee", title = "Safe Kernel Extensions Without Run-Time Checking", booktitle = "Proceedings of the Second Symposium on Operating System Design and Implementation", year = "1996", address = "Seattle, WA, USA", month = oct, URL = "http://www.cs.cmu.edu/~necula/osdi96.ps.gz", abstract = "This paper describes a mechanism by which an operating system kernel can determine with certainty that it is safe to execute a binary supplied by an untrusted source. The kernel first defines a safety policy and makes it public. Then, using this policy, an application can provide binaries in a special form called proof-carrying code, or simply PCC. Each binary contains, in addition to the native code, a formal proof that the code obeys the safety policy. The kernel can easily validate the proof without using cryptography and without consulting any external trusted entities. If the validation succeeds, the code is guaranteed to respect the safety policy without relying on run-time checks. \par The main practical difficulty of is in generating the safety proofs. In order to gain some preliminary experience with this, we have written several network packet filters in hand-tuned DEC Alpha assembly language, and then generated binaries for them using a special prototype assembler. The binaries can be executed with no run-time overhead, beyond a one-time cost of 1 to 3 milliseconds for validating the enclosed proofs. The net result is that our packet filters are formally guaranteed to be safe and are faster than packet filters created using Berkeley Packet Filters, Software Fault Isolation, or safe languages such as Modula-3.", } @InProceedings{NeculaMcPWei02, author = "George C. Necula and Scott McPeak and Westley Weimer", title = "{CC}ured: Type-Safe Retrofitting of Legacy Code", booktitle = "Conference Record of {POPL}'02: The 29th {ACM} {SIGPLAN}-{SIGACT} Symposium on Principles of Programming Languages", address = "Portland, Oregon", month = jan # " 16--18,", year = "2002", pages = "128--139", } @InProceedings{conf/ndss/NewsomeS05, title = "Dynamic Taint Analysis for Automatic Detection, Analysis, and SignatureGeneration of Exploits on Commodity Software", author = "James Newsome and Dawn Xiaodong Song", publisher = "The Internet Society", year = "2005", bibdate = "2006-02-23", bibsource = "DBLP, http://dblp.uni-trier.de/db/conf/ndss/ndss2005.html#NewsomeS05", booktitle = "NDSS", ISBN = "1-891562-20-7; 1-891562-19-3", URL = "http://www.isoc.org/isoc/conferences/ndss/05/proceedings/papers/taintcheck.pdf", } @TechReport{MSR-TR-2005-135, author = "Galen Hunt and James R. Larus and Martin Abadi and Mark Aiken and Paul Barham and Manuel Fahndrich and Chris Hawblitzel and Orion Hodson and Steven Levi and Nick Murphy and Bjarne Steensgaard and David Tarditi and Ted Wobber and Brian D. Zill", title = "An Overview of the Singularity Project", institution = "Microsoft Research (MSR)", number = "MSR-TR-2005-135", year = "2005", month = oct, URL = "ftp://ftp.research.microsoft.com/pub/tr/TR-2005-135.pdf", keywords = "OS, microkernel, programming language, C#, Spec#, Sing#, message passing, specification, verification.", abstract = "Singularity is a research project in Microsoft Research that started with the question: what would a software platform look like if it was designed from scratch with the primary goal of dependability? Singularity is working to answer this question by building on advances in programming languages and tools to develop a new system architecture and operating system (named Singularity), with the aim of producing a more robust and dependable software platform. Singularity demonstrates the practicality of new technologies and architectural decisions, which should lead to the construction of more robust and dependable systems.", } @InProceedings{PieVan2005, author = "Tadeusz Pietraszek and Chris Vanden Berghe", title = "Defending against Injection Attacks through Context-Sensitive String Evaluation?", URL = "http://chris.vandenberghe.org/publications/csse_raid2005.pdf, http://tadek.pietraszek.org/publications/pietraszek05_defending-raid-slides.pdf (slides)", added-by = "msteiner", added-at = "Tue Jul 18 22:44:00 2006", pages = "124--145", booktitle = "Recent Advances in Intrusion Detection --- Proceedings of the 8th International Symposium ({RAID} 2005)", volume = "3858", month = sep, series = "Lecture Notes in Computer Science", publisher = "Springer-Verlag, Berlin Germany", year = "2006", annote = "See also \url{http://tadek.pietraszek.org/projects/CSSE/index.html}", }