Abstract
|
The state of web security remains troublin … The state of web security remains troubling as web applications continue to be favorite targets of hackers. Static analysis tools are important mechanisms for programmers to deal with this problem as they search for vulnerabilities automatically in the application source code, allowing programmers to remove them. However, developing these tools requires explicitly coding knowledge about how to discover each kind of vulnerability. This paper presents a new approach in which static analysis tools learn to detect vulnerabilities automatically using machine learning. The approach uses a sequence model to learn to characterize vulnerabilities based on a set of annotated source code slices. This model takes into consideration the order in which the code elements appear and are executed in the slices. The model created can then be used as a static analysis tool to discover and identify vulnerabilities in source code. The approach was implemented in the DEKANT tool and evaluated experimentally with a set of open source PHP applications and WordPress plugins, finding 16 zero-day vulnerabilities. ugins, finding 16 zero-day vulnerabilities.
|
Author
|
Ibéria Medeiros +
, Nuno Ferreira Neves +
, Miguel Correia +
|
Booktitle
|
Proceedings of the International Symposium on Software Testing and Analysis (ISSTA) +
|
Document
|
Document for Publication-ISSTA 2016.pdf +
|
Key
|
ISSTA 2016 +
|
Month
|
jul +
|
NumPubDate
|
2,016.07 +
|
Project
|
Project:SEGRID +
|
ResearchLine
|
Fault and Intrusion Tolerance in Open Distributed Systems (FIT) +
|
Title
|
DEKANT: A Static Analysis Tool that Learns to Detect Web Application Vulnerabilities +
|
Type
|
inproceedings +
|
Year
|
2016 +
|
Has improper value forThis property is a special property in this wiki.
|
Url +
|
Categories |
Publication +
|
Modification dateThis property is a special property in this wiki.
|
13 November 2016 22:15:08 +
|