Links und Funktionen
Sprachumschaltung

Navigationspfad
Sie sind hier: Startseite / Lehre / WS 2010/11 / Oberseminar / Robert Grabowski: Type-based Prevention of Code Injection Attacks


Inhaltsbereich

Robert Grabowski: Type-based Prevention of Code Injection Attacks

TCS Oberseminar, 03.12.2010 14:15
Wann 14:15 15:15 03.12.2010
von bis
Wo L109
Termin übernehmen vCal
iCal

Robert Grabowski: Type-based Prevention of Code Injection Attacks

Code injection and cross-site scripting belong to the most common security vulnerabilities in modern software, usually caused by incorrect string processing. These exploits are often addressed by formulating programming guidelines or "best practices".

In this talk, we formalize a guideline for the handling of untrusted, potentially executable strings that are embedded in the program output. To verify adherence to the guideline, we present a type system for a Java-like language that is extended with refined string types, output effects, and polymorphic method types. The practical suitability of the system is demonstrated by an implementation of a corresponding string type verifier and context-sensitive inference for real Java programs.

In the end, we outline how the precision of the type system can be increased by detailed points-to information: We annotate class types with sets of regions that are inferred by highly optimized pointer analysis algorithms, building on earlier work on type-based verification of such algorithms.

(joint work with Martin Hofmann and Keqin Li)

Artikelaktionen

abgelegt unter:

Funktionsleiste