CS 595C - Static String Analysis - Spring 2008


In this seminar we will discuss static string analysis techniques. Each student will be asked to present a paper and read the papers that are presented.

Instructor: Tevfik Bultan
Meeting time: Thursday 3:00PM.
Location: HFH 1152.
Enrollement Code: 76125



  1. "Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications." Davide Balzarotti, Marco Cova, Viktoria Felmetsger, Nenad Jovanovic, Christopher Kruegel, Engin Kirda, Giovanni Vigna. SSP08.
    Presenter: Marco Cova
  2. "A Static Analysis Framework For Detecting SQL Injection Vulnerabilities" Xiang Fu, Xin Lu, Boris Peltsverger, Shijun Chen, Kai Qian, Lixin Tao. COMPSAC 2007, pages 87-96.
    Presenter: Tevfik Bultan
  3. "Abstracting Symbolic Execution with String Analysis" Daryl Shannon, Sukant Hajra, Alison Lee, Daiqian Zhan and Sarfraz Khurshid. Testing: Academic and Industrial Conference Practice and Research Techniques 2007.
    Presenter: Christo Wilson
  4. "Sound and precise analysis of web applications for injection vulnerabilities." Gary Wassermann and Zhendong Su. In Proceedings of the ACM SIGPLAN 2007 Conference on Programming Language Design and Implementation, pages 32-41, 2007.
    Presenter: Chris Coakley
  5. "A Practical String Analyzer by the Widening Approach" Tae-Hyoung Choi, Oukseh Lee, Hyunha Kim and Kyung-Goo Doh APLAS 2006: Asian Symposium on Programming Languages and Systems.
  6. "Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities" Nenad Jovanovic, Christopher Kruegel, and Engin Kirda. SSP06.
    Presenter: Muath Alkhalaf
  7. "AMNESIA: Analysis and Monitoring for NEutralizing SQL-Injection Attacks." W. Halfond and A. Orso. ASE 2005.
    Presenter: Chris Ferguson
  8. "Static Checking of Dynamically Generated Queries in Database Applications." Carl Gould, Zhengdong Su, and Premkumar Devanbu. ICSE04.
    Presenter: Giovanni Vigna
  9. "Precise analysis of string expressions." Aske Simon Christensen, Anders Moller, and Michael I. Schwartzbach. In Proc. 10th International Static Analysis Symposium, SAS '03, volume 2694 of LNCS, pages 1-18. Springer-Verlag, June 2003.
    Presenter: Fang Yu
  10. "CSSV: towards a realistic tool for statically detecting all buffer overflows in C." Nurit Dor, Michael Rodeh, Shmuel Sagiv. PLDI 2003: 155-167.
  11. "Cleanness Checking of String Manipulations in C Programs via Integer Analysis." Nurit Dor, Michael Rodeh, Shmuel Sagiv. SAS 2001: 194-212.
    Presenter: Chris Kruegel
  12. "A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities." David Wagner, Jeffrey S. Foster, Eric A. Brewer, and Alexander Aiken. NDSS 2000.