l  Givenastringmanipulatingprogram,stringanalysisdeterminesallpossiblevaluesthatastringexpressioncantakeduringanyprogramexecution

l  Usingstringanalysiswecanverifypropertiesofstringmanipulatingprogramsl  Forexample,wecanidentifyallpossibleinputvaluesof

sensitivefunctionsinawebapplicationandthencheckwhetherinputsofsensitivefunctionscancontainattackstrings

¡  Configurations/Transitionsarerepresentedusingwordequations

¡  Wordequationsarerepresented/approximatedusing(aligned)multi-trackDFAswhichareclosedunderintersection,union,complementandprojection

¡  Operationsrequiredforreachabilityanalysis(suchasequivalencechecking)arecomputedonDFAs

¡  LetX(thefirsttrack),Y(thesecondtrack),betwostringvariables

¡  λ:apaddingsymbolthatappearsonlyonthetailofeachtrack(aligned)

¡  Amulti-trackautomatonthatencodesX=Y.txt

(a,a), (b,b) …

(t, λ) (x, λ) (t, λ)

¡  Computethepost-conditionsofstatementsGivenamulti-trackautomataMandanassignmentstatement:X:=sexpPost(M,X:=sexp)denotesthepost-conditionofX:=sexpwithrespecttoM

Post(M,X:=sexp)=(∃X,M∩CONSTRUCT(X’=sexp,+))[X/X’]

¡  Weimplementasymbolicforwardreachabilitycomputationusingthepost-conditionoperations

¡  Theforwardfixpointcomputationisnotguaranteedtoconvergeinthepresenceofloopsandrecursion

¡  Weuseanautomatabasedwideningoperationtoover-approximatethefixpoint§  Wideningoperationover-approximatestheunionoperationsandacceleratestheconvergenceofthefixpointcomputation

¡  Thealphabetofann-trackautomatonisΣn

§  Thesizeofmulti-trackautomatacouldbehugeduringcomputations

§  Ontheotherhand,wemaycarrymoreinformationthanweneedtoverifytheproperty

¡  MoreAbstractions:§  WeproposealphabetabstractiontoreduceΣ§  Weproposerelationabstractiontoreducen

¡  Selectasubsetofalphabetcharacters(Σ’)toanalyzedistinctlyandmergetheremainingalphabetcharactersintoaspecialsymbol(u)

¡  Forexample:LetΣ={<,a,b,c}andΣ’={<},L(M)=a<b+,

wehave:αΣ,Σ’(M)=Mα

andγΣ,Σ’(Mα)=Mγ,whereL(Mα)=u<u+,andL(Mγ)=(a|b|c)<(a|b|c)+

¡  WeuseanalphabettransducerMΣ,Σ’toconstructabstractautomata§  αdenotesanycharacterinΣ’§  βdenotesanycharacterinΣ\Σ’

(β,u)

(α,α)

(λ,λ)

(λ,λ)

b a b <

(a,u), (b,u), (c,u)

(<,<)

(λ,λ)

(λ,λ)

(b,*) (a,*) (b,*) (<,*)

u u u <

(b,u) (a,u) (b,u) (<,<)

α

M Mα

MΣ,Σ’

a,b,c a,b,c a,b,c <

(a,u), (b,u), (c,u)

(<,<)

(λ,λ)

(λ,λ)

(a,u), (b,u), (c,u) (<,<)

u u u <

(*,u) (*,u) (*,u) (*,<)

MγMα

MΣ,Σ’

(a,u), (b,u), (c,u)

(a,u), (b,u), (c,u)

γ

1:<?php 2: $www = $_GET[”www”]; 3: $l_otherinfo = ”URL”; 4: $www = str_replace(<,””,$www); 5: echo ”<td>” . $l_otherinfo . ”: ” . $www . ”</td>”;

6:?>

¡  Considertheaboveexample,choosingΣ’={<,s}(insteadofallASCIIcharacters)issufficienttoconcludethattheechostringdoesnotcontainanysubstringthatmatches“<script”

¡  Considerthefollowingabstraction:Wemapallthesymbolsinthealphabettoasinglesymbol

¡  Theautomatonwegeneratewiththisabstractionwillbeaunaryautomaton(anautomatonwithaunaryalphabet)

¡  Theonlyinformationthatthisautomatonwillgiveuswillbethelengthofthestrings

¡  Soalphabetabstractioncorrespondstolengthabstraction

¡  Selectsetsofstringvariablestoanalyzerelationally(usingmulti-trackautomata),andanalyzetherestindependently(usingsingle-trackautomata)

Forexample,considerthreestringvariablesn1,n2,n3.¡  Letχ={{n1,n2},n3}andχ’={{n1},{n2},{n3}}¡  LetM={M1,2,M3}thatconsistsofa2-trackautomaton

forn1andn2andasingletrackautomatonforn3¡  Wehave αχ,χ’(M)=Mα

γχ,χ’(Mα)=Mγ,where

¡  Mα={M1,M2,M3}suchthatM1andM2areconstructedbytheprojectionofM1,2tothefirsttrackandthesecondtrackrespectively

¡  MΥ={M’1,2,M3}suchthatM’1,2isconstructedbytheintersectionofM1,*andM*,2,where§  M1,*isthetwo-trackautomatonextendedfromM1witharbitraryvaluesinthesecondtrack

§  M*,2isthetwo-trackautomatonextendedfromM2witharbitraryvaluesinthefirsttrack

(a,a)

(b,b) (c,c)

a

b

c

(a,*)

(b,*) (c,*)

(*,a)

(*,b) (*,c)

(a,a)

(b,b) (c,c)

(b,a)

(a,b)

M1,2 M1,M2

M1,*

M*,2

M’1,2

α

γ

1:<?php 2: $usr = $_GET[“usr”]; 3: $passwd = $_GET[“passwd”]; 4: $key = $usr.$passwd; 5: if($key = “admin1234”) 6: echo $usr; 7:?>

¡  Considertheaboveexample,choosingχ’={{$usr,$key},{$passwd}}issufficienttoidentifytheechostringisaprefixof“admin1234”anddoesnotcontainanysubstringthatmatches“<script”

¡  Bothalphabetandrelationabstractionsformabstractionlattices,whichallowdifferentlevelsofabstractions

¡  Combiningtheseabstractionsleadsaproductlattice,whereeachpointisanabstractionclassthatcorrespondstoaparticularalphabetabstractionandarelationabstraction§  Thetopisanonrelationalanalysisusingunaryalphabet§  Thebottomisacompleterelationalanalysisusingfullalphabet

( ȤŎ , ıŎ )

( ȤŎ , ıŏ )( Ȥŏ , ıŎ )

( Ȥŏ , ıŏ )

size analysis

relationalsize analysis

string analysis

relationalstring analysis

. . .

Someabstractionfromtheabstractionlatticeandthecorrespondinganalyses

¡  Selectanabstractionclass§  Ideally,thechoiceshouldbeasabstractaspossiblewhileremainingpreciseenoughtoprovethepropertyinquestion

¡  Heuristics§  Letthepropertyguidethechoice§  Collectconstantsandrelationsfromassertionsandtheirdependencygraphs▪  Itformsthelowerboundoftheabstractionclass▪  Selectaninitialabstractionclass,e.g.,charactersandrelationsappearinginassertions

▪  Refinetheabstractionclasstowardthelowerbound