Advertisement

Hunting Application-Level Logical Errors

  • George Stergiopoulos
  • Bill Tsoumas
  • Dimitris Gritzalis
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7159)

Abstract

Business applications are complex artefacts implementing custom business logic. While much research effort has been put in the identification of technical vulnerabilities (such as buffer overflows and SQL injections), application-level logic vulnerabilities have drawn relatively limited attention, thus putting the application’s mission at risk. In this paper, we design, implement, and evaluate a novel heuristic application-independent framework, which combines static and dynamic analysis, input vector, and information extraction analysis, along with a fuzzy logic system, so as to detect and assert the criticality of application-level logic vulnerabilities in Java stand-alone GUI applications.

Keywords

Error Detection Vulnerability Application Logic GUI 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Cova, M., Felmetsger, V., Banks, G., Vigna, G.: Static Detection of Vulnerabilities in x86 Executables. In: Proc. of the 22nd Annual Computer Security Applications Conference (ACSAC 2006), USA, pp. 269–278 (December 2006)Google Scholar
  2. 2.
    Halfond, W., Choudhary, S., Orso, A.: Penetration Testing with Improved Input Vector Identification. In: Proc. of the 2009 International Conference on Software Testing Verification and Validation (ICST 2009), pp. 346–355. IEEE Computer Society, USA (2009)CrossRefGoogle Scholar
  3. 3.
    Zhou, J., Vigna, G.: Detecting Attacks That Exploit Application-Logic Errors Through Application-Level Auditing. In: Proc. of the 20th Annual Computer Security Applications Conference (ACSAC 2004), USA, pp. 168-178 (December 2004)Google Scholar
  4. 4.
    Newsome, J., Song, D.: Dynamic Taint Analysis for Automatic Detection, Analysis and Signature Generation of Exploits on Commodity Software. In: Proc. of the Network and Distributed System Security Conference (NDSS 2005), USA (February 2005)Google Scholar
  5. 5.
    Tevis, J., Hamilton, A.: Static Analysis of Anomalies and Security Vulnerabilities in Executable Files. In: Proc. of the 44th Annual Southeast Regional Conference, USA (2006)Google Scholar
  6. 6.
    Jovanovic, N., Kruegel, C., Kirda, E.: Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities. In: Proc. of IEEE Symposium on Security and Privacy (S&P 2006), USA, pp. 258–263 (2006)Google Scholar
  7. 7.
    Stergiopoulos G.: Development of a methodology for identifying logical vulnerabilities in application penetration testing, M.Sc. Thesis, Athens University of Economics & Business (AUEB), Greece (2011) (in Greek) Google Scholar
  8. 8.
    Ernst, M., Perkins, J., Guo, P., McCamant, S., Pacheco, C., Tschantz, M., Xiao, C.: The Daikon Invariant Detector User Manual. MIT, USA (2007)zbMATHGoogle Scholar
  9. 9.
    Felmetsger, V., Cavedon, L., Kruegel, C., Vigna, J.: Toward Automated Detection of Logic Vulnerabilities in Web Applications. In: Proc. of the 19th USENIX Security Symposium, USA (2010)Google Scholar
  10. 10.
    Charpentier, F.: Common Criteria Web Application Security Scoring (CCWAPSS) (November 2007), http://www.xmco.fr/whitepapers/ccwapss_1.1.pdf
  11. 11.
    Mehlitz, P., et al.: Java PathFinder. Ames Research Center, NASA, USA, http://babelfish.arc.nasa.gov/trac/jpf/wiki
  12. 12.
    Livshits, S., Lam, F.: Finding Security Vulnerabilities in Java Applications with Static Analysis. In: Proc. of the 14th USENIX Security Symposium, USA (2005)Google Scholar
  13. 13.
    Cingolani, P.: Open Source Fuzzy Logic library and FCL language implementation, http://jfuzzylogic.sourceforge.net/html/index.html
  14. 14.
    Fuger, S., et al.: ebXML Registry Information Model, ver. 3.0 (2005) Google Scholar
  15. 15.
    OWL 2 Web Ontology Language Document Overview, W3C Recommendation (2009)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • George Stergiopoulos
    • 1
  • Bill Tsoumas
    • 1
  • Dimitris Gritzalis
    • 1
  1. 1.Information Security and Critical Infrastructure Protection Research Laboratory, Dept. of InformaticsAthens University of Economics and Business (AUEB)AthensGreece

Personalised recommendations