Business Logic Vulnerabilities
BLV Detection
Assume that we already have an available BL (business logic) model
Detecting Application Logic Vulnerabilities via Finding Incompatibility between Application Design and Implementation. --> Assume the application design (AD) is available; check that the CFG is consistent with it,
link to the summary
Towards Automated Security Design Flaw Detection. --> Assume we have a customized DFD to check against the catalog of common security flaws,
link to the summary
Automating the Early Detection of Security Design Flaws,
link to the summary
Assume that we do not have any BL model; hence the question is "How to model/formulate the BL?" and "What properties of the BL can this model/formula specify?"
White Box (having source code):
Categorize papers based On Vulnerability-Type
Missing security-check
2011, Rolecast: finding missing security checks when you do not know what checks are. In Proceedings of the 2011 ACM international conference on Object oriented programming systems languages and applications
2013, Chucky: Exposing missing checks in source code for vulnerability discovery. In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Check it again: Detecting lacking-recheck bugs in os kernels.
link to the summary
Vanguard: Detecting missing checks for prognosing potential vulnerabilities. In Proceedings of the Tenth Asia-Pacific Symposium on Internetware
Detecting missing-check bugs via semantic-and context-aware criticalness and constraints inferences,
link to summary
2019, Automatically Identifying Security Checks for Detecting Kernel Semantic Bugs.
link to the summary
Automatic Detection and Repair Recommendation for Missing Checks. Journal of Computer Science and Technology
Access Control vulnerabilities
Fix Me Up: Repairing Access-Control Bugs in Web Applications. In NDSS
Static Detection of Access Control Vulnerabilities in Web Applications. In USENIX Security Symposium
2016, Toward exploiting access control vulnerabilities within MongoDB backend web applications. In 2016 IEEE 40th Annual Computer Software and Applications Conference (COMPSAC)
AuthScope: Towards automatic discovery of vulnerable authorizations in online services. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security
NOT WHITE BOX -- 2014, Automated black-box detection of access control vulnerabilities in web applications. 4th ACM conference on Data and application security and privacy
Concurrency
Detecting bugs of concurrent programs with program invariants. IEEE Transactions on Reliability
Taint-style vulnerabilities
Inferring Patterns for Taint-Style Vulnerabilities With Security Patches. IEEE Access,
Saluki: finding taint-style vulnerabilities with static property checking. In Proceedings of the NDSS Workshop on Binary Analysis Research.
2017, Static Exploration of Taint-Style Vulnerabilities Found by Fuzzing. In WOOT.
2015, Automatic inference of search patterns for taint-style vulnerabilities. In 2015 IEEE Symposium on Security and Privacy (pp. 797-812). IEEE.
workflow violation
2016, Chainsaw: Chained automated workflow-based exploit generation. CCS
Cerberus: Automated synthesis of enforcement mechanisms for security-sensitive business processes. In International Conference on Tools and Algorithms for the Construction and Analysis of Systems
Parameter Tampering
2010, NoTamper: automatic blackbox detection of parameter tampering opportunities in web applications. In Proceedings of the 17th ACM conference on Computer and communications security
Black-box detection of XQuery injection and parameter tampering vulnerabilities in web applications. International Journal of Information Security
2013, Tamperproof: a server-agnostic defense for parameter tampering attacks on web applications. In Proceedings of the Third ACM Conference on Data and Application Security and Privacy
2012, Viewpoints: differential string analysis for discovering client- and server-side input validation inconsistencies. In Proceedings of the 2012 International Symposium on Software Testing and Analysis
undefined behaviour
A differential approach to undefined behavior detection. ACM Transactions on Computer Systems (TOCS)
Categorize papers based on approach
anomaly detection
Swaddler: an approach for the anomaly-based detection of state violations in web applications,
link to summary
model with FSM
2013, LogicScope: automatic discovery of logic vulnerabilities within web applications. --> Models the BL as a finite state machine,
link to summary
2017, Lom: Discovering logic flaws within MongoDB-based web applications. International Journal of Automation and Computing --> a black-box approach
model with CFG
2015, Cross-checking semantic correctness: The case of finding file system bugs. --> The BL is specified as a high-level symbolized CFG,
link to summary
inconsistency checking
Mobile application web api reconnaissance: Web-to-mobile inconsistencies & vulnerabilities. In 2018 IEEE Symposium on Security and Privacy (SP)
link to the summary
2012, Viewpoints: differential string analysis for discovering client- and server-side input validation inconsistencies. In Proceedings of the 2012 International Symposium on Software Testing and Analysis
derive Logic from Dynamic Invariants
2010, Waler: Toward automated detection of logic vulnerabilities in web applications. ==> The BL is specified as the set of likely invariants,
link to summary
2011, BLOCK: a black-box approach for detection of state violation attacks towards web applications. --> The BL is specified in the form of input invariants, input/output invariants, and input/output sequence invariants,
link to the summary
2016, Combining Invariant Violation with Execution Path Classification for Detecting Multiple Types of Logical Errors. ===> Its journal version was published in 2017 (paper and the summary)
Computing homomorphic program invariants. --> PhD thesis (highlighted notes and the summary) --> The use case is algorithmic complexity vulnerabilities, but it might be useful for other logical vulnerabilities with little modification
2014, Automated detection of logical errors in programs. In International Conference on Risks and Security of Internet and Systems
Data Analytics or Mining Approaches such as specification mining
2018, Detecting Bugs by Discovering Expectations and Their Violations.
link to summary
2019, Devils in the guidance: predicting logic vulnerabilities in payment syndication services through automated documentation analysis
link to summary
TODO: Other specification extraction methods might be suitable. Mining specifications from logs of execution traces has attracted much research effort in recent years, since the mined specifications, such as program invariants, temporal rules, association patterns, or various behavioral models, may be used to improve program documentation, comprehension, and verification.
2017, Mining constraints for event-based monitoring in systems of systems. In 2017 32nd IEEE/ACM International Conference on Automated Software Engineering (ASE)
others
ANOVUL: Detection of logic vulnerabilities in annotated programs via data and control flow analysis. --> Provides annotations with which the programmer specifies access control and authentication rules that are checked at every program point at runtime.
link to the summary
Others: Papers with a Focus on a Specific Environment
Ecommerce
Devils in the guidance: predicting logic vulnerabilities in payment syndication services through automated documentation analysis. 28th USENIX Security Symposium
2014, Detecting Logic Vulnerabilities in E-commerce Applications. In NDSS.
Designing a framework method for secure business application logic integrity in e-commerce systems. International Journal of Network Security
Android
2016, Kratos: Discovering Inconsistent Security Policy Enforcement in the Android Framework. In NDSS
A formal approach for detection of security flaws in the android permission system. Formal Aspects of Computing
2019, VDetector: Detecting Vulnerability Based on Inter-Component Data Flows in Android Applications
2020, Automatic Uncovering of Hidden Behaviors From Input Validation in Mobile Apps
Black Box
link to the summary
2014, Toward Black-Box Detection of Logic Flaws in Web Applications. --> The model is specified as the workflow and dataflow in a navigation graph,
link to the summary
2011, BLOCK: a black-box approach for detection of state violation attacks towards web applications. --> The BL is specified in the form of input invariants, input/output invariants, and input/output sequence invariants,
link to the summary
DetLogic: A black-box approach for detecting logic vulnerabilities in web applications
link to the summary
Finding semantic bugs in file systems with an extensible fuzzing framework.
link to summary
2017, Lom: Discovering logic flaws within MongoDB-based web applications. International Journal of Automation and Computing
Gray Box
A grey-box approach for detecting malicious user interactions in web applications. In Proceedings of the 8th ACM CCS International Workshop on Managing Insider Security Threats,
link to the summary
Mobile application web api reconnaissance: Web-to-mobile inconsistencies & vulnerabilities. In 2018 IEEE Symposium on Security and Privacy (SP) (pp. 756-769). IEEE.
link to the summary
BLV Prevention
Preventing BLV during development (requires some changes in the code)
ANOVUL: Detection of logic vulnerabilities in annotated programs via data and control flow analysis. --> Provides annotations with which the programmer specifies access control and authentication rules that are checked at every program point at runtime.
link to the summary
2013, Tamperproof: a server-agnostic defense against parameter tampering attacks on web applications. --> Adds a unique ID to every request (similar to a CSRF protection mechanism) to check the validity of the BL,
link to the summary
2009, Improving application security with data flow assertions. ---> Adds the ability to define security policies in the code, enforced by the language runtime,
link to the summary
2009, Ripley: automatically securing web 2.0 applications through replicated execution. ---> Checks logic consistency between client and server,
link to the summary
guidelines for Secure Design
Requirements for preventing logic flaws in the authentication procedure of web applications. In Proceedings of the 34th ACM/SIGAPP Symposium on Applied Computing
guidelines for Secure Configuration
self-protecting systems
Self-Protection Against Business Logic Vulnerabilities. In Proceedings of the 15th International Symposium on Software Engineering for Adaptive and Self-Managing Systems
Self-Verifying Execution (Position Paper). In 2016 IEEE Cybersecurity Development
Commercial Tools:
Suitable tools: ShiftLeft Ocular, related paper:
2014, Modeling and discovering vulnerabilities with code property graphs
web page
link
and
my note
Non-suitable tools:
Hdiv extension for Burp Suite:
link
and
my note
Acunetix Business Logic Recorder
link
and
my note
BLV Patching
Patching logic vulnerabilities for web applications using logicpatcher. In Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy
Avatar: Fixing semantic bugs with fix patterns of static analysis violations. In 2019 IEEE 26th International Conference on Software Analysis, Evolution and Reengineering
Automatic program verification
Automatic invariant generation --> 2018, Learning Program Invariants from Proof Corpora
Highlighted important notes: This thesis provides an old but good categorization of program verification approaches:
Abstract Interpretation
counterexample guided abstraction refinement
interpolation, abductive inference
machine-learning based
2018, May. Inferring and asserting distributed system invariants. In Proceedings of the 40th International Conference on Software Engineering
2020, June. Polynomial invariant generation for non-deterministic recursive programs. In Proceedings of the 41st ACM SIGPLAN Conference on Programming Language Design and Implementation
2017, October. Automatic loop-invariant generation and refinement through selective sampling. In 2017 32nd IEEE/ACM International Conference on Automated Software Engineering (ASE)
2017, October. SymInfer: Inferring program invariants using symbolic states. In 2017 32nd IEEE/ACM International Conference on Automated Software Engineering (ASE)
Bug Detection
by invariant detection
Program analysis with risk-based classification of dynamic invariants for logical error detection. Computers & Security
paper
and
the summary
Bug detection for concurrent programs
Detecting bugs of concurrent programs with program invariants. IEEE Transactions on Reliability
2017, IPA: Error propagation analysis of multi-threaded programs using likely invariants. In 2017 IEEE International Conference on Software Testing, Verification and Validation (ICST)
BOOK. 2018. Fault Tolerance through Invariant Checks in Applications Using Linear Algebraic Methods. The University of Wisconsin-Madison.
Bugs as deviant behavior: A general approach to inferring errors in systems code. This paper summarizes some methods for error detection: type systems, specification and model checking, high-level compilation, and dynamic invariant inference. It also describes the methodology used for the Daikon tool. The highlighted parts are accessible from
here
2002, Tracking down software bugs using automatic anomaly detection. This paper introduces DIDUCE, a tool that detects anomalous behaviour of the code through invariant detection. The highlighted note is accessible from
here
Detecting bugs by discovering expectations and their violations. IEEE Transactions on Software Engineering,
2018, NAR-miner: discovering negative association rules from code for bug detection. In Proceedings of the 2018 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering
Fault Localization
by invariant detection
Invariant based fault localization by analyzing error propagation.
link to the summary
2016, A learning-to-rank based fault localization approach using likely invariants. International Symposium on Software Testing and Analysis
Fault localization using disparities of dynamic invariants. Journal of Systems and Software
2013, March. Using likely invariants for automated software fault localization. In Proceedings of the eighteenth international conference on Architectural support for programming languages and operating systems
2013, June. Fault detection and localization in distributed systems using invariant relationships
Understanding, Detecting and Localizing Partial Failures in Large System Software. In 17th USENIX Symposium on Networked Systems Design and Implementation (NSDI)
Software Anomaly Detection
by invariant detection
2017, Effective online software anomaly detection. In Proceedings of the 26th ACM SIGSOFT International Symposium on Software Testing and Analysis
2019, A Systematic Framework to Generate Invariants for Anomaly Detection in Industrial Control Systems. In NDSS.
2014, Using invariants for anomaly detection: the case study of a SaaS application. In 2014 IEEE International Symposium on Software Reliability Engineering Workshops
2010, Using dynamic execution traces and program invariants to enhance behavioral model inference. In 2010 ACM/IEEE 32nd International Conference on Software Engineering
Swaddler: an approach for the anomaly-based detection of state violations in web applications,
Model-Based Testing
Aichernig, B.K., Mostowski, W., Mousavi, M.R., Tappler, M. and Taromirad, M., 2018. Model learning and model-based testing. In Machine Learning for Dynamic Software Analysis: Potentials and Limits (pp. 74-100). Springer, Cham.
Utting, M., Legeard, B., Bouquet, F., Fourneret, E., Peureux, F. and Vernotte, A., 2016. Recent advances in model-based testing. In Advances in computers (Vol. 101, pp. 53-120). Elsevier.