Verifying Sanitizer Correctness through Black-Box Learning: A Symbolic Finite Transducer Approach

Sophie Lathouwers; Maarten  Everts; Marieke  Huisman

doi:10.5220/0009371207840795

Verifying Sanitizer Correctness through Black-Box Learning: A Symbolic Finite Transducer Approach

Sophie Lathouwers
, Maarten Everts
, Marieke Huisman

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

253 Downloads (Pure)

Abstract

String sanitizers are widely used functions for preventing injection attacks such as SQL injections and cross-site scripting (XSS). It is therefore crucial that the implementations of such string sanitizers are correct. We present a novel approach to reason about a sanitizer’s correctness by automatically generating a model of the implementation and comparing it to a model of the expected behaviour. To automatically derive a model of the implementation of the sanitizer, this paper introduces a black-box learning algorithm that derives a Symbolic Finite Transducer (SFT). This black-box algorithm uses membership and equivalence oracles to derive such a model. In contrast to earlier research, SFTs not only describe the input or output language of a sanitizer but also how a sanitizer transforms the input into the output. As a result, we can reason about the transformations from input into output that are performed by the sanitizer. We have implemented this algorithm in an open-source tool of which we show that it can reason about the correctness of non-trivial sanitizers within a couple
of minutes without any adjustments to the existing sanitizers.

Original language	English
Title of host publication	Proceedings of the 6th International Conference on Information Systems Security and Privacy
Subtitle of host publication	Volume 1: ForSE
Editors	Steven Furnell, Paolo Mori, Edgar Weippl, Olivier Camp
Publisher	SCITEPRESS
Pages	784-795
Number of pages	12
ISBN (Print)	978-989-758-399-5
DOIs	https://doi.org/10.5220/0009371207840795
Publication status	Published - 2020

Keywords

Automata learning
Sanitizers
Symbolic finite transducers
Injection attacks
Software verification

Access to Document

10.5220/0009371207840795Licence: CC BY-NC-ND

Lathouwers2020verifyingFinal published version, 465 KBLicence: CC BY-NC-ND

Cite this

Lathouwers, S., Everts, M., & Huisman, M. (2020). Verifying Sanitizer Correctness through Black-Box Learning: A Symbolic Finite Transducer Approach. In S. Furnell, P. Mori, E. Weippl, & O. Camp (Eds.), Proceedings of the 6th International Conference on Information Systems Security and Privacy: Volume 1: ForSE (pp. 784-795). SCITEPRESS. https://doi.org/10.5220/0009371207840795

@inproceedings{96fcbbf3e78e48148ffadd5a2b9b12fb,

title = "Verifying Sanitizer Correctness through Black-Box Learning: A Symbolic Finite Transducer Approach",

abstract = "String sanitizers are widely used functions for preventing injection attacks such as SQL injections and cross-site scripting (XSS). It is therefore crucial that the implementations of such string sanitizers are correct. We present a novel approach to reason about a sanitizer{\textquoteright}s correctness by automatically generating a model of the implementation and comparing it to a model of the expected behaviour. To automatically derive a model of the implementation of the sanitizer, this paper introduces a black-box learning algorithm that derives a Symbolic Finite Transducer (SFT). This black-box algorithm uses membership and equivalence oracles to derive such a model. In contrast to earlier research, SFTs not only describe the input or output language of a sanitizer but also how a sanitizer transforms the input into the output. As a result, we can reason about the transformations from input into output that are performed by the sanitizer. We have implemented this algorithm in an open-source tool of which we show that it can reason about the correctness of non-trivial sanitizers within a couple of minutes without any adjustments to the existing sanitizers.",

keywords = "Automata learning, Sanitizers, Symbolic finite transducers, Injection attacks, Software verification",

author = "Sophie Lathouwers and Maarten Everts and Marieke Huisman",

year = "2020",

doi = "10.5220/0009371207840795",

language = "English",

isbn = "978-989-758-399-5",

pages = "784--795",

editor = "Steven Furnell and Paolo Mori and Edgar Weippl and Olivier Camp",

booktitle = "Proceedings of the 6th International Conference on Information Systems Security and Privacy",

publisher = "SCITEPRESS",

}

Verifying Sanitizer Correctness through Black-Box Learning: A Symbolic Finite Transducer Approach. / Lathouwers, Sophie; Everts, Maarten ; Huisman, Marieke .
Proceedings of the 6th International Conference on Information Systems Security and Privacy: Volume 1: ForSE. ed. / Steven Furnell; Paolo Mori; Edgar Weippl; Olivier Camp. SCITEPRESS, 2020. p. 784-795.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - Verifying Sanitizer Correctness through Black-Box Learning

T2 - A Symbolic Finite Transducer Approach

AU - Lathouwers, Sophie

AU - Everts, Maarten

AU - Huisman, Marieke

PY - 2020

Y1 - 2020

N2 - String sanitizers are widely used functions for preventing injection attacks such as SQL injections and cross-site scripting (XSS). It is therefore crucial that the implementations of such string sanitizers are correct. We present a novel approach to reason about a sanitizer’s correctness by automatically generating a model of the implementation and comparing it to a model of the expected behaviour. To automatically derive a model of the implementation of the sanitizer, this paper introduces a black-box learning algorithm that derives a Symbolic Finite Transducer (SFT). This black-box algorithm uses membership and equivalence oracles to derive such a model. In contrast to earlier research, SFTs not only describe the input or output language of a sanitizer but also how a sanitizer transforms the input into the output. As a result, we can reason about the transformations from input into output that are performed by the sanitizer. We have implemented this algorithm in an open-source tool of which we show that it can reason about the correctness of non-trivial sanitizers within a couple of minutes without any adjustments to the existing sanitizers.

AB - String sanitizers are widely used functions for preventing injection attacks such as SQL injections and cross-site scripting (XSS). It is therefore crucial that the implementations of such string sanitizers are correct. We present a novel approach to reason about a sanitizer’s correctness by automatically generating a model of the implementation and comparing it to a model of the expected behaviour. To automatically derive a model of the implementation of the sanitizer, this paper introduces a black-box learning algorithm that derives a Symbolic Finite Transducer (SFT). This black-box algorithm uses membership and equivalence oracles to derive such a model. In contrast to earlier research, SFTs not only describe the input or output language of a sanitizer but also how a sanitizer transforms the input into the output. As a result, we can reason about the transformations from input into output that are performed by the sanitizer. We have implemented this algorithm in an open-source tool of which we show that it can reason about the correctness of non-trivial sanitizers within a couple of minutes without any adjustments to the existing sanitizers.

KW - Automata learning

KW - Sanitizers

KW - Symbolic finite transducers

KW - Injection attacks

KW - Software verification

U2 - 10.5220/0009371207840795

DO - 10.5220/0009371207840795

M3 - Conference contribution

SN - 978-989-758-399-5

SP - 784

EP - 795

BT - Proceedings of the 6th International Conference on Information Systems Security and Privacy

A2 - Furnell, Steven

A2 - Mori, Paolo

A2 - Weippl, Edgar

A2 - Camp, Olivier

PB - SCITEPRESS

ER -

Verifying Sanitizer Correctness through Black-Box Learning: A Symbolic Finite Transducer Approach

Abstract

Keywords

Access to Document

Fingerprint

Cite this