AbstractsComputer Science

Security Analysis of Java Web Applications Using String Constraint Analysis

by Louis Li

Institution: Harvard University
Degree: AB
Year: 2015
Keywords: Computer Science
Record ID: 2058195
Full text PDF: http://nrs.harvard.edu/urn-3:HUL.InstRepos:14398534


Web applications are exposed to myriad security vulnerabilities related to malicious user string input. In order to detect such vulnerabilities in Java web applications, this project employs string constraint analysis, which approximates the values that a string variable in a program can take on. In string constraint analysis, program analysis generates string constraints  – assertions about the relationships between string variables. We design and implement a dataflow analysis for Java programs that generates string constraints and passes those constraints to the CVC4 SMT solver to find a satisfying assignment of string variables. Using example programs, we illustrate the feasibility of the system in detecting certain types of web application vulnerabilities, such as SQL injection and cross-site scripting.