
String Analysis for Vulnerability Detection and Repair - July 21, 2016

It is our pleasure to host this distinguished lecture by Prof. Tevfik Bultan from the University of California, Santa Barbara. The lecture will be followed by a reception. Please feel free to forward this invitation.

Date: July 21, 2016
Time: 15:00
Venue: Weicker Building - Room B001, Ground floor, 4 rue Alphonse Weicker, L-2721 Luxembourg

Watch the distinguished lecture on YouTube

Abstract: String manipulation errors in input validation and sanitization code are a common source of security vulnerabilities in web applications. In this talk, I will discuss the string analysis techniques we developed that can automatically identify and repair such vulnerabilities. Our approach (1) extracts client- and server-side input validation and sanitization functions, (2) models them as deterministic finite automata (DFAs) using symbolic fixpoint computations, and (3) identifies errors in input validation and sanitization code by either checking them with respect to manually specified attack patterns, or by identifying inconsistencies in input validation and sanitization operations at the client and server-side. Furthermore, we developed automated repair techniques that strengthen the input validation and sanitization checks in order to eliminate identified vulnerabilities. We implemented these techniques in two tools: Stranger (STRing AutomatoN GEneratoR) and SemRep (SEMantic differential REPair), which are available here. Our evaluation demonstrates that these techniques are very promising: when applied to a set of real-world web applications, our techniques are able to automatically identify a large number of security vulnerabilities and repair them.
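The two checks named in step (3) of the abstract, sketched as an added example that is not taken from the talk, Stranger or SemRep: the client validator, server validator and attack pattern below are small hand-written DFAs (constructed assumptions, not automata extracted by symbolic fixpoint computation), and a breadth-first search over the product automaton returns a shortest witness string.

```python
from collections import deque

# Constructed alphabet: one representative per character class.
ALPHABET = "a0<'"

class DFA:
    def __init__(self, start, accepting, step):
        self.start, self.accepting, self.step = start, accepting, step

# Client-side check (constructed): one or more letters or digits.
def _client_step(q, c):
    return "ok" if q != "bad" and c.isalnum() else "bad"

# Server-side check (constructed): non-empty and contains no '<'.
def _server_step(q, c):
    return "bad" if q == "bad" or c == "<" else "ok"

# Attack pattern (constructed): any string containing a single quote.
def _attack_step(q, c):
    return "yes" if q == "yes" or c == "'" else "no"

CLIENT = DFA("empty", {"ok"}, _client_step)
SERVER = DFA("empty", {"ok"}, _server_step)
ATTACK = DFA("no", {"yes"}, _attack_step)

def witness(a, b, b_accepts=True):
    """Shortest string that a accepts and b accepts (or rejects, when
    b_accepts is False); None if no such string exists."""
    seen = {(a.start, b.start)}
    queue = deque([(a.start, b.start, "")])
    while queue:
        qa, qb, s = queue.popleft()
        if qa in a.accepting and (qb in b.accepting) == b_accepts:
            return s
        for c in ALPHABET:
            nxt = (a.step(qa, c), b.step(qb, c))
            if nxt not in seen:  # each product state is visited once
                seen.add(nxt)
                queue.append((nxt[0], nxt[1], s + c))
    return None

if __name__ == "__main__":
    print("server vs attack pattern:", repr(witness(SERVER, ATTACK)))
    print("server accepts, client rejects:", repr(witness(SERVER, CLIENT, False)))
    print("client vs attack pattern:", repr(witness(CLIENT, ATTACK)))
```

A non-`None` result is a concrete input the weaker validator lets through; a repair in the sense of the abstract would strengthen the server check until both server queries return `None`.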

Tevfik Bultan is a Professor in the Department of Computer Science at the University of California, Santa Barbara (UCSB). His current research interests are in automated testing, analysis, verification and repair of software, string analysis, constraint solvers, model checking, computer security, service oriented computing and software engineering. He co-chaired the program committees of the 9th International Symposium on Automated Technology for Verification and Analysis (ATVA 2011), the 20th International Symposium on the Foundations of Software Engineering (FSE 2012), and the 28th IEEE/ACM International Conference on Automated Software Engineering (ASE 2013). He served as the vice chair of the Department of Computer Science at UCSB from 2005 to 2009. He received a NATO Science Fellowship from the Scientific and Technical Research Council of Turkey (TUBITAK) in 1993, a Regents' Junior Faculty Fellowship from the University of California, Santa Barbara in 1999, a Faculty Early Career Development (CAREER) Award from the National Science Foundation in 2000, the ACM SIGSOFT Distinguished Paper Award in 2005 and 2014, the Best Paper Award at the 20th IEEE/ACM International Conference on Automated Software Engineering (ASE 2005), and the UCSB Academic Senate Outstanding Graduate Mentor Award in 2016.