Abstract
While considerable research effort has been put into the identification of technical vulnerabilities, such as buffer overflows or SQL injections, business logic vulnerabilities have drawn limited attention. Logic vulnerabilities are an important class of defects that result from faulty application logic. Business logic refers to requirements implemented in algorithms that reflect the intended functionality of an application; for example, in an online shop application, a logic rule could be that each cart must register only one discount coupon per product. In this paper, we extend a novel heuristic and automated method for the detection of logic vulnerabilities which we presented in a previous publication. This method detects logic vulnerabilities and assesses their criticality in Java GUI applications using dynamic and static analysis together with a fuzzy logic system in order to compare and rank its findings, in an effort to minimize false positives and negatives. An extensive analysis of the code ranking system is given along with empirical results in order to demonstrate its potential.
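The coupon rule named in the abstract, as an added illustration that is not code from the paper or from the APP_LogGIC framework: a cart whose logic lets coupons for the same product stack, beside one that enforces the rule, with a runtime invariant check of the kind a dynamic analysis could apply to an execution trace. The paper targets Java applications; this example is written in Python, and all class names, coupon codes and prices are constructed.

```python
from dataclasses import dataclass


@dataclass
class Coupon:
    code: str
    product: str
    percent: int  # discount in percent


class VulnerableCart:
    """Faulty business logic: every coupon is accepted, so two coupons
    for the same product stack and the rule 'one coupon per product' is broken."""

    def __init__(self):
        self.items = {}    # product -> unit price
        self.coupons = []  # every registered coupon

    def add_item(self, product, price):
        self.items[product] = price

    def apply_coupon(self, coupon):
        self.coupons.append(coupon)  # no check against existing coupons

    def total(self):
        total = 0.0
        for product, price in self.items.items():
            for c in self.coupons:
                if c.product == product:
                    price = price * (100 - c.percent) / 100
            total += price
        return round(total, 2)


class HardenedCart(VulnerableCart):
    """Same cart, with the business rule enforced at the point of registration."""

    def apply_coupon(self, coupon):
        if any(c.product == coupon.product for c in self.coupons):
            raise ValueError(f"a coupon is already registered for {coupon.product}")
        super().apply_coupon(coupon)


def check_one_coupon_per_product(cart):
    """Invariant monitor over the cart state: returns the products that violate the rule."""
    seen, violations = set(), set()
    for c in cart.coupons:
        if c.product in seen:
            violations.add(c.product)
        seen.add(c.product)
    return sorted(violations)


def demo(cart_cls):
    """Register two coupons for one product and report (total, rule violations)."""
    cart = cart_cls()
    cart.add_item("laptop", 1000.0)
    try:
        cart.apply_coupon(Coupon("SPRING10", "laptop", 10))
        cart.apply_coupon(Coupon("VIP20", "laptop", 20))
    except ValueError:
        pass  # the hardened cart rejects the second coupon
    return cart.total(), check_one_coupon_per_product(cart)
```

Running `demo(VulnerableCart)` yields a stacked discount and a flagged product, while `demo(HardenedCart)` keeps a single discount and an empty violation list.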
© 2013 Springer-Verlag Berlin Heidelberg
Stergiopoulos, G., Tsoumas, B., Gritzalis, D. (2013). On Business Logic Vulnerabilities Hunting: The APP_LogGIC Framework. In: Lopez, J., Huang, X., Sandhu, R. (eds) Network and System Security. NSS 2013. Lecture Notes in Computer Science, vol 7873. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-38631-2_18
DOI: https://doi.org/10.1007/978-3-642-38631-2_18
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-38630-5
Online ISBN: 978-3-642-38631-2