Wednesday 24 October 2012
