String Analysis via Automata Manipulation with Logic Circuit Representation

  • Hung-En Wang
  • Tzung-Lin Tsai
  • Chun-Han Lin
  • Fang Yu
  • Jie-Hong R. JiangEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9779)


Many severe security vulnerabilities in web applications can be attributed to string manipulation mistakes, which can often be avoided through formal string analysis. String analysis tools are indispensable and under active development. Prior string analysis methods are primarily automata-based or satisfiability-based. The two approaches exhibit distinct strengths and weaknesses. Specifically, existing automata-based methods have difficulty in generating counterexamples at system inputs to witness vulnerability, whereas satisfiability-based methods are inadequate to produce filters amenable for firmware or hardware implementation for real-time screening of malicious inputs to a system under protection. In this paper, we propose a new string analysis method based on a scalable logic circuit representation for (nondeterministic) finite automata to support various string and automata manipulation operations. It enables both counterexample generation and filter synthesis in string constraint solving. By using the new data structure, automata with large state spaces and/or alphabet sizes can be efficiently represented. Empirical studies on a large set of open source web applications and well-known attack patterns demonstrate the unique benefits of our method compared to prior string analysis tools.


Sink Node Dependency Graph Finite Automaton String Constraint Satisfiability Modulo Theory Solver 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



This work was supported in part by the Ministry of Science and Technology of Taiwan under grants MOST 104-2628-E-002-013-MY3, 104-2218-E-001-002, and 103-2221-E-004-006-MY3.


  1. 1.
    Abdulla, P.A., Atig, M.F., Chen, Y.-F., Holík, L., Rezine, A., Rümmer, P., Stenman, J.: Norn: an SMT solver for string constraints. In: Kroening, D., Păsăreanu, C.S. (eds.) CAV 2015. LNCS, vol. 9206, pp. 462–469. Springer, Heidelberg (2015)CrossRefGoogle Scholar
  2. 2.
    Aydin, A., Bang, L., Bultan, T.: Automata-based model counting for string constraints. In: Kroening, D., Păsăreanu, C.S. (eds.) CAV 2015. LNCS, vol. 9206, pp. 255–272. Springer, Heidelberg (2015)CrossRefGoogle Scholar
  3. 3.
    Barrett, C., Conway, C.L., Deters, M., Hadarean, L., Jovanović, D., King, T., Reynolds, A., Tinelli, C.: CVC4. In: Gopalakrishnan, G., Qadeer, S. (eds.) CAV 2011. LNCS, vol. 6806, pp. 171–177. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  4. 4.
    Bjørner, N., Tillmann, N., Voronkov, A.: Path feasibility analysis for string-manipulating programs. In: Kowalewski, S., Philippou, A. (eds.) TACAS 2009. LNCS, vol. 5505, pp. 307–321. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  5. 5.
    Bradley, A.R.: SAT-based model checking without unrolling. In: Jhala, R., Schmidt, D. (eds.) VMCAI 2011. LNCS, vol. 6538, pp. 70–87. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  6. 6.
    Brayton, R., Mishchenko, A.: ABC: an academic industrial-strength verification tool. In: Touili, T., Cook, B., Jackson, P. (eds.) CAV 2010. LNCS, vol. 6174, pp. 24–40. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  7. 7.
    BRICS: The MONA project.
  8. 8.
    Christensen, A.S., Møller, A., Schwartzbach, M.I.: Precise analysis of string expressions. In: Cousot, R. (ed.) SAS 2003. LNCS, vol. 2694, pp. 1–18. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  9. 9.
    Cimatti, A., Griggio, A., Mover, S., Tonetta, S.: IC3 modulo theories via implicit predicate abstraction. In: Ábrahám, E., Havelund, K. (eds.) TACAS 2014 (ETAPS). LNCS, vol. 8413, pp. 46–61. Springer, Heidelberg (2014)CrossRefGoogle Scholar
  10. 10.
    D’Antoni, L., Veanes, M.: Extended symbolic finite automata and transducers. Formal Meth. Syst. Des. 47(1), 93–119 (2015)CrossRefzbMATHGoogle Scholar
  11. 11.
    Een, N., Mishchenko, A., Brayton, R.: Efficient implementation of property directed reachability. In: FMCAD, pp. 125–134 (2011)Google Scholar
  12. 12.
    Gould, C., Su, Z., Devanbu, P.: Static checking of dynamically generated queries in database applications. In: ICSE, pp. 645–654 (2004)Google Scholar
  13. 13.
    Hooimeijer, P., Weimer, W.: StrSolve: solving string constraints lazily. Autom. Softw. Eng. 19(4), 531–559 (2012)CrossRefGoogle Scholar
  14. 14.
    Huang, Y.W., Yu, F., Hang, C., Tsai, C.H., Lee, D.T., Kuo, S.Y.: Securing web application code by static analysis and runtime protection. In: WWW, pp. 40–52 (2004)Google Scholar
  15. 15.
    Jensen, S.H., Jonsson, P.A., Møller, A.: Remedying the eval that men do. In: ISSTA, pp. 34–44 (2012)Google Scholar
  16. 16.
    Jiang, J.H.R., Brayton, R.K.: On the verification of sequential equivalence. IEEE Trans. Comp. Aid. Des. Int. Circ. Syst. 22(6), 686–697 (2003)CrossRefGoogle Scholar
  17. 17.
    Jovanovic, N., Krügel, C., Kirda, E.: Pixy: a static analysis tool for detecting web application vulnerabilities. In: S&P, pp. 258–263 (2006)Google Scholar
  18. 18.
    Kiezun, A., Ganesh, V., Guo, P.J., Hooimeijer, P., Ernst, M.D.: HAMPI: a solver for string constraints. In: ISSTA, pp. 105–116 (2009)Google Scholar
  19. 19.
    Li, G., Ghosh, I.: PASS: string solving with parameterized array and interval automaton. In: Bertacco, V., Legay, A. (eds.) HVC 2013. LNCS, vol. 8244, pp. 15–31. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  20. 20.
    Minamide, Y.: Static approximation of dynamically generated web pages. In: WWW, pp. 432–441 (2005)Google Scholar
  21. 21.
    Mishchenko, A., Chatterjee, S., Jiang, J.H.R., Brayton, R.: FRAIGs: a unifying representation for logic synthesis and verification. In: ERL Technical report, UC Berkeley (2005)Google Scholar
  22. 22.
    de Moura, L., Bjørner, N.S.: Z3: an efficient SMT solver. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 337–340. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  23. 23.
    Saxena, P., Akhawe, D., Hanna, S., Mao, F., McCamant, S., Song, D.: A symbolic execution framework for javascript. In: S&P, pp. 513–528 (2010)Google Scholar
  24. 24.
    Su, Z., Wassermann, G.: The essence of command injection attacks in web applications. In: POPL, pp. 372–382 (2006)Google Scholar
  25. 25.
    Veanes, M.: Applications of symbolic finite automata. In: Konstantinidis, S. (ed.) CIAA 2013. LNCS, vol. 7982, pp. 16–23. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  26. 26.
    Veanes, M., de Halleux, P., Tillmann, N.: Rex: symbolic regular expression explorer. In: ICST, pp. 498–507 (2010)Google Scholar
  27. 27.
    Veanes, M., Hooimeijer, P., Livshits, B., Molnar, D., Bjørner, N.: Symbolic finite state transducers: algorithms and applications. In: POPL, pp. 137–150 (2012)Google Scholar
  28. 28.
    Veanes, M., Mytkowicz, T., Molnar, D., Livshits, B.: Data-parallel string-manipulating programs. In: POPL, pp. 139–152 (2015)Google Scholar
  29. 29.
    Wassermann, G., Su, Z.: Sound and precise analysis of web applications for injection vulnerabilities. In: PLDI, pp. 32–41 (2007)Google Scholar
  30. 30.
    Yu, F., Alkhalaf, M., Bultan, T.: Stranger: an automata-based string analysis tool for PHP. In: Esparza, J., Majumdar, R. (eds.) TACAS 2010. LNCS, vol. 6015, pp. 154–157. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  31. 31.
    Yu, F., Alkhalaf, M., Bultan, T.: Patching vulnerabilities with sanitization synthesis. In: ICSE, pp. 251–260 (2011)Google Scholar
  32. 32.
    Yu, F., Alkhalaf, M., Bultan, T., Ibarra, O.H.: Automata-based symbolic string analysis for vulnerability detection. Formal Meth. Syst. Des. 44(1), 44–70 (2014)CrossRefzbMATHGoogle Scholar
  33. 33.
    Yu, F., Bultan, T., Ibarra, O.H.: Symbolic string verification: combining string analysis and size analysis. In: Kowalewski, S., Philippou, A. (eds.) TACAS 2009. LNCS, vol. 5505, pp. 322–336. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  34. 34.
    Zheng, Y., Ganesh, V., Subramanian, S., Tripp, O., Dolby, J., Zhang, X.: Effective search-space pruning for solvers of string equations, regular expressions and length constraints. In: Kroening, D., Păsăreanu, C.S. (eds.) CAV 2015. LNCS, vol. 9206, pp. 235–254. Springer, Heidelberg (2015)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Hung-En Wang
    • 1
  • Tzung-Lin Tsai
    • 1
  • Chun-Han Lin
    • 2
  • Fang Yu
    • 2
  • Jie-Hong R. Jiang
    • 1
    Email author
  1. 1.Graduate Institute of Electronics EngineeringNational Taiwan UniversityTaipeiTaiwan
  2. 2.Department of Management Information SystemsNational Chengchi UniversityTaipeiTaiwan

Personalised recommendations