The Infona portal uses cookies, i.e. strings of text saved by a browser on the user's device. The portal can access those files and use them to remember the user's data, such as their chosen settings (screen view, interface language, etc.), or their login data. By using the Infona portal the user accepts automatic saving and using this information for portal operation purposes. More information on the subject can be found in the Privacy Policy and Terms of Service. By closing this window the user confirms that they have read the information on cookie usage, and they accept the privacy policy and the way cookies are used by the portal. You can change the cookie settings in your browser.
Reflection, which is widely used in practice and abused by many security exploits, poses a significant obstacle to program analysis. Reflective calls can be analyzed statically or dynamically. Static analysis is more sound but also more imprecise (by introducing many false reflective targets and thus affecting its scalability). Dynamic analysis can be precise but often miss many true reflective targets...
Searching for vulnerabilities in Android apps through approaches based on the app's dex bytecode has been applied to a lot of researches. This approach, called late detection, is applied to apps already released, and usually doesn't identify vulnerabilities before users have been exposed. This article presents a method based on static analysis with matching patterns for identifying these vulnerabilities...
Database management systems (DBMSs) are one of the most important components in modern large-scale systems. Thus, it is important for developers to write code that can access DBMS correctly and efficiently. Since the behaviour of database access code can sometimes be a blackbox for developers, writing good test cases to capture problems in database access code can be very difficult. In addition to...
Ensuring software security is essential for developing a reliable software. A software can suffer from security problems due to the weakness in code constructs during software development. Our goal is to relate software security with different code constructs so that developers can be aware very early of their coding weaknesses that might be related to a software vulnerability. In this study, we chose...
In this paper, we have tested several open source web applications against common security vulnerabilities. These vulnerabilities spans from unnecessary data member declaration to leaving gaps for SQL injection. The static security vulnerabilities testing was done in three categories (1) Dodgy code vulnerabilities (2) Malicious code vulnerabilities (3) Security code vulnerabilities on seven (7) different...
Security issues arise permanently in different software products. Making software secure is a challenging endeavour. Static analysis of the source code can help eliminate various security bugs. The better a scanner is, the more bugs can be found and eliminated. The quality of security scanners can be determined by letting them scan code with known vulnerabilities. Thus, it is easy to see how much...
The security manager in Java 2 is a runtime access control mechanism. Whenever an access permission to critical resources is requested, the security manager inspects a call stack to examine whether the program has appropriate access permissions or not. This run-time permission check called stack inspection enforces access-control policies that associate access rights with the class that initiates...
Implicit or indirect control flow is a transfer of control between procedures using some mechanism other than an explicit procedure call. Implicit control flow is a staple design pattern that adds flexibility to system design. However, it is challenging for a static analysis to compute or verify properties about a system that uses implicit control flow. This paper presents static analyses for two...
Most common approach to detect security vulnerabilities is to scan code using vulnerability scanning software. This is either static analysis or dynamic analysis. Both approaches, when performed independently, have their own pros and cons. In order to protect software from attackers, vulnerabilities should be removed as early as possible. Detection of vulnerabilities in an application before its deployment...
Security has been always treated as an add-on feature in the software development lifecycle, and addressed by security professionals using firewalls, proxies, intrusion prevention systems, antivirus and platform security. Software is at the root of all common computer security problems, and hence hackers don't create security holes, but rather exploit them. Security holes in software applications...
Along with the wide use of web application, XSS vulnerability has become one of the most common security problems and caused many serious losses. In this paper, on the basis of database query language technique, we put forward a static analysis method of XSS defect detection of java web application by analyzing data flow reversely. This method first converts the JSP file to a Servlet file, and then...
Android is a modern and popular software platform for smart phones. To manage information and features on smart phones, Android employs intent-based mechanism for inter-application or intra-application communication and provides a permission-based security model that requires each application to explicitly request permissions in its manifest file. However, misconfiguration defined in manifest files...
Using static analysis tools can detect software vulnerabilities, which is important for improving the security of software. Static analysis technology has developed rapidly, but the comparison and evaluation of static analysis techniques and tools are not much. This paper focuses on software vulnerability static analysis techniques and tools. First we discuss the commonly-used static analysis techniques...
In this paper we apply Machine Learning (ML) techniques on static features that are extracted from Android's application files for the classification of the files. Features are extracted from Android's Java byte-code (i.e.,.dex files) and other file types such as XML-files. Our evaluation focused on classifying two types of Android applications: tools and games. Successful differentiation between...
In this paper we propose a hardware assisted software protection scheme that relies on the use of a resource-limited secure token (e.g. a smart card). The protection consists in externalizing the execution of the sensitive pieces of code of the application to be protected to the token block by block, while the unsensitive code is still executed inside the untrusted computer. We define a generic process:...
Conventional data-flow analysis technology has many disadvantages when applied to OOPL for the polymorphism, generic, and other special features. This paper analyzes these disadvantages, and based on which, a new dataflow analysis framework for OOPL is developed. It develops a unified abstract syntax tree (UAST) of all object-oriented programming languages. Key algorithms of global data-flow analysis...
Since Java web applications are used widely in Internet today, the security of it becomes an outstanding problem. The attacks, including SQL injection attack, XSS attack, and etc, are great challenges for the Java application. This paper presents the vulnerability analysis framework to detect the security hole in the Java web applications. The framework combines the techniques of the static points-to...
Static analysis works well at checking defects that clearly map to source code constructs. Model checking can find defects of deadlocks and routing loops that are not easily detected by static analysis, but faces the problem of state explosion. This paper proposes a hybrid approach to detecting security defects in programs. Fuzzy inference system is used to infer selection among the two detection...
Timeout mechanisms are a useful feature for web applications. However, these mechanisms need to be used with care because, if used as-is, they are vulnerable to timing attacks. This paper focuses on internal timing attacks, a particularly dangerous class of timing attacks, where the attacker needs no access to a clock. In the context of client-side web application security, we present JavaScript-based...
Our research objective is to facilitate the identification of true input manipulation vulnerabilities via the combination of static analysis, runtime detection, and automatic testing. We propose an approach for SQL injection vulnerability detection, automated by a prototype tool SQLInjectionGen. We performed case studies on two small Web applications for the evaluation of our approach compared to...
Set the date range to filter the displayed results. You can set a starting date, ending date or both. You can enter the dates manually or choose them from the calendar.