Title
Verifying sanitizer correctness through black-box learning: A symbolic finite transducer approach
Author
Lathouwers, S.
Everts, M.H.
Huisman, M.
Publication year
2020
Abstract
String sanitizers are widely used functions for preventing injection attacks such as SQL injections and cross-site scripting (XSS). It is therefore crucial that the implementations of such string sanitizers are correct. We present a novel approach to reason about a sanitizer's correctness by automatically generating a model of the implementation and comparing it to a model of the expected behaviour. To automatically derive a model of the implementation of the sanitizer, this paper introduces a black-box learning algorithm that derives a Symbolic Finite Transducer (SFT). This black-box algorithm uses membership and equivalence oracles to derive such a model. In contrast to earlier research, SFTs not only describe the input or output language of a sanitizer but also how a sanitizer transforms the input into the output. As a result, we can reason about the transformations from input into output that are performed by the sanitizer. We have implemented this algorithm in an open-source tool of which we show that it can reason about the correctness of non-trivial sanitizers within a couple of minutes without any adjustments to the existing sanitizers. © Copyright 2020 by SCITEPRESS - Science and Technology Publications, Lda. All rights reserved.
Subject
Automata learning
Injection attacks
Sanitizers
Software verification
Symbolic finite transducers
Information systems
Information use
Network security
Transducers
Black box algorithms
Black boxes
Cross-site scripting
Finite transducers
Non-trivial
Open source tools
SQL injection
Learning algorithms
To reference this document use:
http://resolver.tudelft.nl/uuid:bbc2201f-deaa-4831-9498-05f2933fb4ff
TNO identifier
875756
Publisher
SciTePress
ISBN
9789897583995
Source
ICISSP 2020 - Proceedings of the 6th International Conference on Information Systems Security and Privacy, 6th International Conference on Information Systems Security and Privacy, ICISSP 2020, 25 February 2020 through 27 February 2020, 784-795
Bibliographical note
Sponsor: Institute for Systems and Technologies of Information, Control and Communication (INSTICC)
Document type
conference paper