Wednesday 24 October 2012

References
[1] A. V. Aho, R. Sethi, and J. D. Ullman. Compilers: principles,
techniques, and tools. Addison-Wesley Longman Publishing
Co., Inc., Boston, MA, USA, 1986.
[2] K. Ashcraft and D. Engler. Using programmer-written compiler
extensions to catch security holes. In IEEE Symposium
on Security and Privacy, 2002.
[3] BugTraq. BugTraq Mailing List Archive.
http://www.securityfocus.com/archive/1, 2005.
[4] CERT. CERT Advisory CA-2000-02: Malicious
HTML Tags Embedded in Client Web Requests.
http://www.cert.org/advisories/CA-2000-02.html, 2005.
[5] CUP. CUP: LALR Parser Generator in Java.
http://www2.cs.tum.edu/projects/cup/, 2005.
[6] D. Engler, B. Chelf, A. Chou, and S. Hallem. Checking system
rules using system-specific, programmer-written compiler
extensions. In OSDI 2000, 2000.
[7] D. Engler, D. Y. Chen, S. Hallem, A. Chou, and B. Chelf.
Bugs as deviant behavior: a general approach to inferring errors
in systems code. In SOSP '01: Proceedings of the 18th
ACM Symposium on Operating Systems Principles, 2001.
[8] J. S. Foster, M. Faehndrich, and A. Aiken. A theory of type
qualifiers. In PLDI '99: Proceedings of the ACM SIGPLAN
1999 Conference on Programming Language Design and
Implementation, 1999.
[9] Y.-W. Huang, S.-K. Huang, T.-P. Lin, and C.-H. Tsai. Web
application security assessment by fault injection and behavior
monitoring. In WWW '03: Proceedings of the 12th International
Conference on World Wide Web, 2003.
[10] Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D.-T. Lee, and
S.-Y. Kuo. Securing web application code by static analysis
and runtime protection. In WWW '04: Proceedings of the
13th International Conference on World Wide Web, 2004.
[11] Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D. T. Lee, and
S.-Y. Kuo. Verifying web applications using bounded model
checking. In DSN, 2004.
[12] JFlex. JFlex: The Fast Scanner Generator for Java.
http://jflex.de, 2005.
[13] N. Jovanovic, C. Kruegel, and E. Kirda. Pixy: A
static analysis tool for detecting XSS vulnerabilities.
http://www.seclab.tuwien.ac.at/projects/pixy/, 2006.
[14] E. Kirda, C. Kruegel, G. Vigna, and N. Jovanovic. Noxes:
A client-side solution for mitigating cross-site scripting attacks.
In The 21st ACM Symposium on Applied Computing
(SAC 2006).
[15] V. B. Livshits and M. S. Lam. Finding security errors in
Java programs with static analysis. In Proceedings of the
14th Usenix Security Symposium, Aug. 2005.
[16] Y. Minamide. Static approximation of dynamically generated
web pages. In WWW '05: Proceedings of the 14th International
Conference on World Wide Web, 2005.
[17] S. S. Muchnick. Advanced Compiler Design and Implementation.
Morgan Kaufmann, 1997.
[18] A. Nguyen-Tuong, S. Guarnieri, D. Greene, J. Shirley, and
D. Evans. Automatically hardening web applications using
precise tainting. In IFIP Security 2005, 2005.
[19] F. Nielson, H. R. Nielson, and C. Hankin. Principles of Program
Analysis. Springer-Verlag New York, Inc., 1999.
[20] PHP. PHP: Hypertext Preprocessor. http://www.php.net,
2005.
[21] T. Pietraszek and C. V. Berghe. Defending against injection
attacks through context-sensitive string evaluation. In
Recent Advances in Intrusion Detection 2005 (RAID), 2005.
[22] U. Shankar, K. Talwar, J. S. Foster, and D. Wagner. Detecting
format string vulnerabilities with type qualifiers. In
Proceedings of the 10th USENIX Security Symposium, 2001.
[23] Stephen Shankland. Andreessen: PHP succeeding where
Java isn't. http://www.zdnet.com.au, 2005.
[24] J. Whaley and M. S. Lam. Cloning-based context-sensitive
pointer alias analysis using binary decision diagrams. In
PLDI '04: Proceedings of the ACM SIGPLAN 2004 Conference
on Programming Language Design and Implementation,
2004.
[25] Y. Xie and A. Aiken. Static Detection of Security
Vulnerabilities in Scripting Languages.
http://glide.stanford.edu/yichen/research/sec.ps, 2006.
