JSEFuzz: Java Web应用程序漏洞检测方法

2018 3rd International Conference on System Reliability and Safety (ICSRS) Pub Date : 2018-11-01 DOI:10.1109/ICSRS.2018.8688844

Hongpeng Man, Jing An, Wei Huang, Wenqing Fan

{"title":"JSEFuzz: Java Web应用程序漏洞检测方法","authors":"Hongpeng Man, Jing An, Wei Huang, Wenqing Fan","doi":"10.1109/ICSRS.2018.8688844","DOIUrl":null,"url":null,"abstract":"Modularity is an important feature of Java Web applications nowadays, which challenges traditional program analytical techniques. Symbolic execution and Fuzzing, as two promising methods, both have some defects. On one hand, fuzzing is difficult to detect the branch with harsh path conditions; on the other hand, symbolic execution makes it difficult to symbolize complex inputs in a modular context. To improve these defects, we have designed JSEFuzz, a vulnerability detection method for Java Web applications. JSEFuzz combines the methods of fuzzing and symbolic execution: using fuzzing to find module-level vulnerability triggering conditions and corresponding input data, using symbolic execution to transform module-level input data, and verifying vulnerability triggerability at the program level, which is proved feasibility through experiments.","PeriodicalId":166131,"journal":{"name":"2018 3rd International Conference on System Reliability and Safety (ICSRS)","volume":"62 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2018-11-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"3","resultStr":"{\"title\":\"JSEFuzz: Vulnerability Detection Method for Java Web Application\",\"authors\":\"Hongpeng Man, Jing An, Wei Huang, Wenqing Fan\",\"doi\":\"10.1109/ICSRS.2018.8688844\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Modularity is an important feature of Java Web applications nowadays, which challenges traditional program analytical techniques. Symbolic execution and Fuzzing, as two promising methods, both have some defects. On one hand, fuzzing is difficult to detect the branch with harsh path conditions; on the other hand, symbolic execution makes it difficult to symbolize complex inputs in a modular context. To improve these defects, we have designed JSEFuzz, a vulnerability detection method for Java Web applications. JSEFuzz combines the methods of fuzzing and symbolic execution: using fuzzing to find module-level vulnerability triggering conditions and corresponding input data, using symbolic execution to transform module-level input data, and verifying vulnerability triggerability at the program level, which is proved feasibility through experiments.\",\"PeriodicalId\":166131,\"journal\":{\"name\":\"2018 3rd International Conference on System Reliability and Safety (ICSRS)\",\"volume\":\"62 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2018-11-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"3\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2018 3rd International Conference on System Reliability and Safety (ICSRS)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/ICSRS.2018.8688844\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2018 3rd International Conference on System Reliability and Safety (ICSRS)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICSRS.2018.8688844","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 3

摘要

模块化是当今Java Web应用程序的一个重要特性，它挑战了传统的程序分析技术。符号执行和模糊测试作为两种很有前途的方法，都存在一定的缺陷。一方面，模糊算法难以检测路径条件恶劣的分支;另一方面，符号执行使得在模块化上下文中对复杂输入进行符号化变得困难。为了改进这些缺陷，我们设计了JSEFuzz，一种针对Java Web应用程序的漏洞检测方法。JSEFuzz结合了模糊测试和符号执行的方法，利用模糊测试找到模块级漏洞触发条件和相应的输入数据，利用符号执行对模块级输入数据进行转换，并在程序级验证漏洞触发能力，通过实验证明了该方法的可行性。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

JSEFuzz: Vulnerability Detection Method for Java Web Application

Modularity is an important feature of Java Web applications nowadays, which challenges traditional program analytical techniques. Symbolic execution and Fuzzing, as two promising methods, both have some defects. On one hand, fuzzing is difficult to detect the branch with harsh path conditions; on the other hand, symbolic execution makes it difficult to symbolize complex inputs in a modular context. To improve these defects, we have designed JSEFuzz, a vulnerability detection method for Java Web applications. JSEFuzz combines the methods of fuzzing and symbolic execution: using fuzzing to find module-level vulnerability triggering conditions and corresponding input data, using symbolic execution to transform module-level input data, and verifying vulnerability triggerability at the program level, which is proved feasibility through experiments.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

2018 3rd International Conference on System Reliability and Safety (ICSRS)

自引率

0.00%

发文量