CS 595 Spring 2008 home page

CS 595C - Dependable Web Applications via String Analysis - Spring 2009

Description:

Most web applications contain bugs and vulnerabilities that are due to incorrect manipulation of strings. In this seminar we will discuss techniques for analyzing Web applications to find bugs and vulnerabilities related to strings. Each student will be asked to present a paper and read the papers that are presented.

Instructor: Tevfik Bultan
Meeting time: Tuesdays 4:00pm-5:00pm
Location: Computer Science Meeting Room (HFH 1152)
Enrollement Code: 75929

Presentations

April 14th: Fang Yu will present papers 1 and 2.
April 21st: Chris Coakley will present paper 3.
April 28th: Muath Alkhalaf will present paper 4.
May 5th: Jaideep Nijjar will present paper 8.
May 12th: Jeff Browne will present paper 6.
May 19th: Krithika Ananthakrishnan will present paper 5.
May 26th: Yiming Li will present paper 7.
June 2nd: Marcus Jang will present paper 9.

Papers

Fang Yu, Tevfik Bultan, Marco Cova, Oscar H. Ibarra: Symbolic String Verification: An Automata-Based Approach. SPIN 2008: 306-324
Fang Yu, Tevfik Bultan, Oscar H. Ibarra: Symbolic String Verification: Combining String Analysis and Size Analysis. TACAS 2009: 322-336
Nikolaj Bjørner, Nikolai Tillmann, Andrei Voronkov: Path Feasibility Analysis for String-Manipulating Programs. TACAS 2009: 307-321
Adam Kiezun, Vijay Ganesh, Philip Guo, Pieter Hooimeijer, Michael D. Ernst: HAMPI: A solver for string constraints. MIT technical report.
Michael Emmi, Rupak Majumdar, Koushik Sen: Dynamic test input generation for database applications. ISSTA 2007: 151-162
Gary Wassermann, Dachuan Yu, Ajay Chander, Dinakar Dhurjati, Hiroshi Inamura, Zhendong Su: Dynamic test input generation for web applications. ISSTA 2008: 249-260
Gary Wassermann, Zhendong Su: Static detection of cross-site scripting vulnerabilities. ICSE 2008: 171-180
William G. J. Halfond, Alessandro Orso: Improving test case generation for web applications using automated interface discovery. ESEC/SIGSOFT FSE 2007: 145-154
William G. J. Halfond, Alessandro Orso: Automated identification of parameter mismatches in web applications. SIGSOFT FSE 2008: 181-191
W. Halfond, S. Anand, and A. Orso: Precise Interface Identification to Improve Testing and Analysis of Web Applications International Symposium on Testing and Analysis (ISSTA 2009) - To Appear.
S. Artzi, A. Kieżun, J. Dolby, F. Tip, D. Dig, A. Paradkar, and M. D. Ernst: Finding bugs in dynamic web applications In ISSTA 2008, Proceedings of the 2008 International Symposium on Software Testing and Analysis, (Seattle, WA, USA), July 22-24, 2008, pp. 261-272.
A. Kieżun, P. J. Guo, K. Jayaraman, and M. D. Ernst: Automatic creation of SQL injection and cross-site scripting attacks In ICSE'09, Proceedings of the 30th International Conference on Software Engineering, (Vancouver, BC, Canada), May 20-22, 2009.