[1] A. S. Christensen, A. Møller, and M. I. Schwartzbach.
Precise analysis of string expressions. In Proceedings of the
10th International Static Analysis Symposium, SAS ’03,
volume 2694 of LNCS, pages 1–18. Springer-Verlag, June
2003. Available from http://www.brics.dk/JSA/.
[2] S. Christey. Vulnerability type distributions in CVE, Oct.
2006. http:
//cwe.mitre.org/documents/vuln-trends.html.
[3] R. Cytron, J. Ferrante, B. K. Rosen, M. N. Wegman, and
F. K. Zadeck. Efficiently computing static single assignment
form and the control dependence graph. Transactions on
Programming Languages and Systems, 13(4):451–490, Oct
1991.
[4] J. Foster, M. Fähndrich, and A. Aiken. A theory of type
qualifiers. In Proceedings of the ACM SIGPLAN Conference
on Programming Language Design and Implementation
(PLDI), pages 192–203, Atlanta, Georgia, May 1–4, 1999.
[5] J. S. Foster, T. Terauchi, and A. Aiken. Flow-sensitive type
qualifiers. In PLDI ’02: Proceedings of the ACM SIGPLAN
2002 Conference on Programming language design and
implementation, pages 1–12, New York, NY, USA, 2002.
ACM Press.
[6] C. Gould, Z. Su, and P. Devanbu. Static checking of
dynamically generated queries in database applications. In
Proceedings of the 25th International Conference on
Software Engineering (ICSE), pages 645–654, May 2004.
[7] O. Hallaraker and G. Vigna. Detecting malicious JavaScript
code in Mozilla. In ICECCS ’05: Proceedings of the 10th
IEEE International Conference on Engineering of Complex
Computer Systems (ICECCS’05), pages 85–94, Washington,
DC, USA, 2005. IEEE Computer Society.
[8] K. J. Higgins. Cross-site scripting: Attackers’ new favorite
flaw, September 2006. http://www.darkreading.com/
document.asp?doc_id=103774&WT.svl=news1_1.
[9] J. E. Hopcroft, R. Motwani, and J. D. Ullman. Introduction
to Automata Theory, Languages and Computability.
Addison-Wesley, Boston, MA, 2000.
[10] H. Hosoya and B. C. Pierce. Xduce: A typed xml processing
language (preliminary report). In Selected papers from the
Third International Workshop WebDB 2000 on The World
Wide Web and Databases, pages 226–244, London, UK,
2001. Springer-Verlag.
[11] Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D.-T. Lee, and
S.-Y. Kuo. Securing web application code by static analysis
and runtime protection. In WWW ’04: Proceedings of the
13th international conference on World Wide Web, pages
40–52, New York, NY, USA, 2004. ACM Press.
[12] T. Jim, N. Swamy, and M. Hicks. Defeating scripting attacks
with browser-enforced embedded policies. In WWW ’07:
Proceedings of the 16th international conference on World
Wide Web, pages 601–610, New York, NY, USA, 2007.
ACM.
[13] N. Jovanovic, C. Kruegel, and E. Kirda. Pixy: A static
analysis tool for detecting web application vulnerabilities
(short paper). In 2006 IEEE Symposium on Security and
Privacy, Oakland, CA, May 2006.
[14] N. Jovanovic, C. Kruegel, and E. Kirda. Precise alias analysis
for syntactic detection of web application vulnerabilities. In
ACM SIGPLAN Workshop on Programming Languages and
Analysis for Security, Ottowa, Canada, June 2006.
[15] E. Kirda, C. Kruegel, G. Vigna, and N. Jovanovic. Noxes: A
client-side solution for mitigating cross site scripting attacks.
In SAC ’06: Proceedings of the 2006 ACM symposium on
Applied computing, pages 330–337, New York, NY, USA,
2006. ACM.
[16] M. S. Lam, J. Whaley, V. B. Livshits, M. C. Martin,
D. Avots, M. Carbin, and C. Unkel. Context-sensitive
program analysis as database queries. In Proceedings of the
Twenty-fourth ACM SIGACT-SIGMOD-SIGART Symposium
on Principles of Database Systems. ACM, June 2005.
[17] V. B. Livshits and M. S. Lam. Finding security errors in Java
programs with static analysis. In Proceedings of the 14th
Usenix Security Symposium, pages 271–286, Aug. 2005.
[18] Y. Minamide. Static Approximation of Dynamically
Generated Web Pages. In WWW’05: Proceedings of the 14th
International Conference on the World Wide Web, pages
432–441, 2005.
[19] M. Mohri and M. Nederhof. Regular approximation of
context-free grammars through transformation. Robustness
in Language and Speech Technology, pages 153–163, 2001.
[20] M. Mohri and R. Sproat. An efficient compiler for weighted
rewrite rules. In Meeting of the Association for
Computational Linguistics, pages 231–238, 1996.
[21] C. Reis, J. Dunagan, H. J. Wang, O. Dubrovsky, and
S. Esmeir. Browsershield: Vulnerability-driven filtering of
dynamic html. In OSDI ’06: Proceedings of the 7th
symposium on Operating systems design and
implementation, pages 61–74, Berkeley, CA, USA, 2006.
USENIX Association.
[22] T. Reps, S. Horwitz, and M. Sagiv. Precise interprocedural
dataflow analysis via graph reachability. In POPL ’95:
Proceedings of the 22nd ACM SIGPLAN-SIGACT
symposium on Principles of programming languages, pages
49–61, New York, NY, USA, 1995. ACM.
[23] N. Tabuchi, E. Sumii, and A. Yonezawa. Regular expression
types for strings in a text processing language (extended
abstract). In Proceedings of TIP’02 Workshop on Types in
Programming, pages 1–18, July 2002.
[24] P. Vogt, F. Nentwich, N. Jovanovic, E. Kirda, C. Kruegel,
and G. Vigna. Cross site scripting prevention with dynamic
data tainting and static analysis. In Proceeding of the
Network and Distributed System Security Symposium
(NDSS), San Diego, CA, February 2007.
[25] G. Wassermann and Z. Su. Sound and Precise Analysis of
Web Applications for Injection Vulnerabilities. In
Proceedings of the ACM SIGPLAN 2007 Conference on
Programming Language Design and Implementation, San
Diego, CA, June 2007. ACM Press New York, NY, USA.
[26] J. Whaley and M. S. Lam. Cloning-based context-sensitive
pointer alias analysis using binary decision diagrams. In
PLDI ’04: Proceedings of the ACM SIGPLAN 2004
conference on Programming language design and
implementation, pages 131–144, New York, NY, USA, 2004.
ACM Press.
[27] Y. Xie and A. Aiken. Static detection of security
vulnerabilities in scripting languages. In Proceedings of the
15th USENIX Security Symposium, pages 179–192, July
2006.
[28] D. Yu, A. Chander, N. Islam, and I. Serikov. Javascript
instrumentation for browser security. In POPL ’07:
Proceedings of the 34th annual ACM SIGPLAN-SIGACT
symposium on Principles of programming languages,
Precise analysis of string expressions. In Proceedings of the
10th International Static Analysis Symposium, SAS ’03,
volume 2694 of LNCS, pages 1–18. Springer-Verlag, June
2003. Available from http://www.brics.dk/JSA/.
[2] S. Christey. Vulnerability type distributions in CVE, Oct.
2006. http:
//cwe.mitre.org/documents/vuln-trends.html.
[3] R. Cytron, J. Ferrante, B. K. Rosen, M. N. Wegman, and
F. K. Zadeck. Efficiently computing static single assignment
form and the control dependence graph. Transactions on
Programming Languages and Systems, 13(4):451–490, Oct
1991.
[4] J. Foster, M. Fähndrich, and A. Aiken. A theory of type
qualifiers. In Proceedings of the ACM SIGPLAN Conference
on Programming Language Design and Implementation
(PLDI), pages 192–203, Atlanta, Georgia, May 1–4, 1999.
[5] J. S. Foster, T. Terauchi, and A. Aiken. Flow-sensitive type
qualifiers. In PLDI ’02: Proceedings of the ACM SIGPLAN
2002 Conference on Programming language design and
implementation, pages 1–12, New York, NY, USA, 2002.
ACM Press.
[6] C. Gould, Z. Su, and P. Devanbu. Static checking of
dynamically generated queries in database applications. In
Proceedings of the 25th International Conference on
Software Engineering (ICSE), pages 645–654, May 2004.
[7] O. Hallaraker and G. Vigna. Detecting malicious JavaScript
code in Mozilla. In ICECCS ’05: Proceedings of the 10th
IEEE International Conference on Engineering of Complex
Computer Systems (ICECCS’05), pages 85–94, Washington,
DC, USA, 2005. IEEE Computer Society.
[8] K. J. Higgins. Cross-site scripting: Attackers’ new favorite
flaw, September 2006. http://www.darkreading.com/
document.asp?doc_id=103774&WT.svl=news1_1.
[9] J. E. Hopcroft, R. Motwani, and J. D. Ullman. Introduction
to Automata Theory, Languages and Computability.
Addison-Wesley, Boston, MA, 2000.
[10] H. Hosoya and B. C. Pierce. Xduce: A typed xml processing
language (preliminary report). In Selected papers from the
Third International Workshop WebDB 2000 on The World
Wide Web and Databases, pages 226–244, London, UK,
2001. Springer-Verlag.
[11] Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D.-T. Lee, and
S.-Y. Kuo. Securing web application code by static analysis
and runtime protection. In WWW ’04: Proceedings of the
13th international conference on World Wide Web, pages
40–52, New York, NY, USA, 2004. ACM Press.
[12] T. Jim, N. Swamy, and M. Hicks. Defeating scripting attacks
with browser-enforced embedded policies. In WWW ’07:
Proceedings of the 16th international conference on World
Wide Web, pages 601–610, New York, NY, USA, 2007.
ACM.
[13] N. Jovanovic, C. Kruegel, and E. Kirda. Pixy: A static
analysis tool for detecting web application vulnerabilities
(short paper). In 2006 IEEE Symposium on Security and
Privacy, Oakland, CA, May 2006.
[14] N. Jovanovic, C. Kruegel, and E. Kirda. Precise alias analysis
for syntactic detection of web application vulnerabilities. In
ACM SIGPLAN Workshop on Programming Languages and
Analysis for Security, Ottowa, Canada, June 2006.
[15] E. Kirda, C. Kruegel, G. Vigna, and N. Jovanovic. Noxes: A
client-side solution for mitigating cross site scripting attacks.
In SAC ’06: Proceedings of the 2006 ACM symposium on
Applied computing, pages 330–337, New York, NY, USA,
2006. ACM.
[16] M. S. Lam, J. Whaley, V. B. Livshits, M. C. Martin,
D. Avots, M. Carbin, and C. Unkel. Context-sensitive
program analysis as database queries. In Proceedings of the
Twenty-fourth ACM SIGACT-SIGMOD-SIGART Symposium
on Principles of Database Systems. ACM, June 2005.
[17] V. B. Livshits and M. S. Lam. Finding security errors in Java
programs with static analysis. In Proceedings of the 14th
Usenix Security Symposium, pages 271–286, Aug. 2005.
[18] Y. Minamide. Static Approximation of Dynamically
Generated Web Pages. In WWW’05: Proceedings of the 14th
International Conference on the World Wide Web, pages
432–441, 2005.
[19] M. Mohri and M. Nederhof. Regular approximation of
context-free grammars through transformation. Robustness
in Language and Speech Technology, pages 153–163, 2001.
[20] M. Mohri and R. Sproat. An efficient compiler for weighted
rewrite rules. In Meeting of the Association for
Computational Linguistics, pages 231–238, 1996.
[21] C. Reis, J. Dunagan, H. J. Wang, O. Dubrovsky, and
S. Esmeir. Browsershield: Vulnerability-driven filtering of
dynamic html. In OSDI ’06: Proceedings of the 7th
symposium on Operating systems design and
implementation, pages 61–74, Berkeley, CA, USA, 2006.
USENIX Association.
[22] T. Reps, S. Horwitz, and M. Sagiv. Precise interprocedural
dataflow analysis via graph reachability. In POPL ’95:
Proceedings of the 22nd ACM SIGPLAN-SIGACT
symposium on Principles of programming languages, pages
49–61, New York, NY, USA, 1995. ACM.
[23] N. Tabuchi, E. Sumii, and A. Yonezawa. Regular expression
types for strings in a text processing language (extended
abstract). In Proceedings of TIP’02 Workshop on Types in
Programming, pages 1–18, July 2002.
[24] P. Vogt, F. Nentwich, N. Jovanovic, E. Kirda, C. Kruegel,
and G. Vigna. Cross site scripting prevention with dynamic
data tainting and static analysis. In Proceeding of the
Network and Distributed System Security Symposium
(NDSS), San Diego, CA, February 2007.
[25] G. Wassermann and Z. Su. Sound and Precise Analysis of
Web Applications for Injection Vulnerabilities. In
Proceedings of the ACM SIGPLAN 2007 Conference on
Programming Language Design and Implementation, San
Diego, CA, June 2007. ACM Press New York, NY, USA.
[26] J. Whaley and M. S. Lam. Cloning-based context-sensitive
pointer alias analysis using binary decision diagrams. In
PLDI ’04: Proceedings of the ACM SIGPLAN 2004
conference on Programming language design and
implementation, pages 131–144, New York, NY, USA, 2004.
ACM Press.
[27] Y. Xie and A. Aiken. Static detection of security
vulnerabilities in scripting languages. In Proceedings of the
15th USENIX Security Symposium, pages 179–192, July
2006.
[28] D. Yu, A. Chander, N. Islam, and I. Serikov. Javascript
instrumentation for browser security. In POPL ’07:
Proceedings of the 34th annual ACM SIGPLAN-SIGACT
symposium on Principles of programming languages,
No comments:
Post a Comment