Stranger: An Automata-Based String Analysis Tool for PHP

Yu, Fang; Alkhalaf, Muath; Bultan, Tevfik

doi:10.1007/978-3-642-12002-2_13

Cited by 117 publications

(109 citation statements)

References 8 publications

(15 reference statements)

Supporting

Mentioning

108

Contrasting

Unclassified

Order By: Relevance

“…DFA based symbolic string analysis has been used to verify the correctness of string sanitization operations in PHP programs [23], [22]. Recently, foundations of relational string analysis using multi-track automata (as opposed to single-track automata used in our analysis) were investigated in [24].…”

Section: Related Workmentioning

confidence: 99%

Verifying client-side input validation functions using string analysis

Alkhalaf¹,

Bultan²,

Gallegos³

2012

2012 34th International Conference on Software Engineering (ICSE)

Self Cite

View full text Add to dashboard Cite

Abstract-Client-side computation in web applications is becoming increasingly common due to the popularity of powerful client-side programming languages such as JavaScript. Clientside computation is commonly used to improve an application's responsiveness by validating user inputs before they are sent to the server. In this paper, we present an analysis technique for checking if a client-side input validation function conforms to a given policy. In our approach, input validation policies are expressed using two regular expressions, one specifying the maximum policy (the upper bound for the set of inputs that should be allowed) and the other specifying the minimum policy (the lower bound for the set of inputs that should be allowed). Using our analysis we can identify two types of errors 1) the input validation function accepts an input that is not permitted by the maximum policy, or 2) the input validation function rejects an input that is permitted by the minimum policy. We implemented our analysis using dynamic slicing to automatically extract the input validation functions from web applications and using automata-based string analysis to analyze the extracted functions. Our experiments demonstrate that our approach is effective in finding errors in input validation functions that we collected from real-world applications and from tutorials and books for teaching JavaScript.

show abstract

Section: Related Workmentioning

confidence: 99%

Verifying client-side input validation functions using string analysis

Alkhalaf¹,

Bultan²,

Gallegos³

2012

2012 34th International Conference on Software Engineering (ICSE)

Self Cite

View full text Add to dashboard Cite

show abstract

“…While there are some external string solvers [2,20,8,18,15,9] available, none of them meets our need to obtain a good balance between efficiency, accuracy, and comprehensiveness. Roughly, existing solvers can be divided into two categories: (1) bit-vector (BV) based methods, which model a string with a fixedlength bit-vector; and (2) automaton based methods, which model a string with an automaton.…”

Section: Introductionmentioning

confidence: 99%

“…The Rex tool [18] uses automaton and an SMT solver, and represents automaton transitions using logical predicates. Stranger [20] uses an automaton-based method to model string constraints and length bounds for abstract interpretation. A lazy solving technique [11] uses automaton with transitions annotated with integer ranges.…”

Section: Introductionmentioning

confidence: 99%

“…Automaton based model [16,21,18,20,11,9]. A string is modeled by an automaton which accepts all possible values of this string.…”

Section: Introductionmentioning

confidence: 99%

“…There are two kinds of automata: (1) bit automaton, where each transition is labeled 0 or 1, and a string value is represented by the bits from the start state to an accept state; (2) interval automaton, where each transition represents a character whose value is within an interval (or range) [lb, ub] for lower bound lb and upper bound ub. Since bit automata [21,20] assembles bit-vectors, here we investigate only interval automata. Note that a bit-automaton method may also require deriving and handling lengths constraints separately from value constraints [21].…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

PASS: String Solving with Parameterized Array and Interval Automaton

Ghosh

2013

Hardware and Software: Verification and Testing

View full text Add to dashboard Cite

Abstract. The problem of solving string constraints together with numeric constraints has received increasing interest recently. Existing methods use either bit-vectors or automata (or their combination) to model strings, and reduce string constraints to bit-vector constraints or automaton operations, which are then solved in the respective domain. Unfortunately, they often fail to achieve a good balance between efficiency, accuracy, and comprehensiveness. In this paper we illustrate a new technique that uses parameterized arrays as the main data structure to model strings, and converts string constraints into quantified expressions that are solved through quantifier elimination. We present an efficient and sound quantifier elimination algorithm. In addition, we use an automaton model to handle regular expressions and reason about string values faster. Our method does not need to enumerate string lengths (as bit-vector based methods do), or concrete string values (as automaton based methods do). Hence, it can achieve much better accuracy and efficiency. In particular, it can identify unsatisfiable cases quickly. Our solver (named PASS) supports most of the popular string operations, including string comparisons, string-numeric conversions, and regular expressions. Experimental results demonstrate the advantages of our method.

show abstract

ZaligVinder: A generic test framework for string solvers

Kulczynski

Manea

Nowotka

et al. 2021

J Software Evolu Process

View full text Add to dashboard Cite

The increased interest in string solving in the recent years has made it very hard to identify the right tool to address a particular user's purpose. Firstly, there is a multitude of string solvers, each addressing essentially some subset of the general problem. Generally, the addressed fragments are relevant and well motivated, but the lack of comparisons between the existing tools on an equal set of benchmarks cannot go unnoticed, especially as a common framework to compare solvers seems to be missing. In this paper, we gather a set of relevant benchmarks and introduce our new benchmarking framework to address this purpose.

show abstract

Stranger: An Automata-Based String Analysis Tool for PHP

Cited by 117 publications

References 8 publications

Verifying client-side input validation functions using string analysis

Verifying client-side input validation functions using string analysis

PASS: String Solving with Parameterized Array and Interval Automaton

ZaligVinder: A generic test framework for string solvers

Contact Info

Product

Resources

About