Lehrstuhl für Informatik 4
Seminar in Computer Science
CRAXweb: Automatic Web Application Testing and Attack Generation [1]
Shih-Kun Huang, Han-Lin Lu, Wai-Meng Leong, Huan Liu
National Chiao Tung University
Presented by Aung Thu Rha Hein (5536871)
[1] "CRAXweb: Automatic Web Application Testing and Attack Generation", Software Security and Reliability (SERE), IEEE 7th International Conference, June 2013.
Outline
1. Introduction
2. Background
   - What is an exploit?
   - Dynamic Analysis
   - Symbolic Execution
3. CRAXweb: Automatic Web Application Testing and Attack Generation
4. Conclusions
5. References
Introduction: Motivation
● Software bugs are common
● Especially in web applications
● Some bugs are more harmful than others
● They are difficult to detect manually
● Static analysis confuses developers and produces false positives
● Manual testing is not effective
Introduction: Problem Statements
● Challenge
● How to find exploits (shellcode) for the program
● Source code analysis alone is not enough
● Finding exploitable paths among all program execution paths
Introduction: Research Objectives
● To generate exploits for web applications
Background: Exploits
What is an exploit?
● Exploit techniques vary with the OS and architecture
● Types of exploits
  ● Stack overflow exploit
  ● Heap corruption exploit
  ● Format string attack
● Attack methodologies
  ● Remote exploit
  ● Local exploit
  ● Two-stage exploit
● Tools for writing exploits: LibExploit, Metasploit, CANVAS
Background: Exploits
Stack Overflow Exploit Example

#include <string.h>

/* Copies an attacker-controlled argument into a fixed 12-byte stack buffer
   with no length check: the classic stack buffer overflow. */
void foo (char *bar)
{
    char c[12];
    strcpy(c, bar);   /* no bound on strlen(bar) */
}

int main (int argc, char **argv)
{
    if (argc < 2)
        return 1;     /* added: avoid a NULL argv[1] when run with no argument */
    foo(argv[1]);
    return 0;
}

Stack Overflow Exploit Example (figure)
Background: Dynamic Analysis
Introduction
● Monitor code as it executes
● Usefulness of dynamic analysis
  ● Precision of information
  ● Dependence on program inputs
● Four common dynamic analysis techniques:
  ● Dynamic taint analysis
  ● Forward symbolic execution
  ● Frequency spectrum analysis
  ● Coverage concept analysis ...
Background: Dynamic Analysis
Dynamic Taint Analysis
● To hijack program execution, an attacker overwrites values that the program expects to come from a trusted source; such values are tainted
● Taint analysis process
  1. Mark input data from untrusted sources as tainted
  2. Monitor program execution to track how the tainted data propagates
  3. Check whether tainted data is used in dangerous ways
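The three steps above, as an added example that is not part of the slides or of the CRAXweb/TaintCheck code: a small Python taint tracker that tags HTTP query parameters as untrusted (step 1), propagates the tag through string concatenation (step 2), and stops the program when tainted data reaches a SQL or HTML sink (step 3). The request handlers, parameter names and sink functions are constructed for the demonstration.

```python
"""Minimal dynamic taint tracker for the three-step process on the slide.

Step 1: every value read from an untrusted source (here, HTTP query parameters)
        is wrapped in a Tainted string that remembers where it came from.
Step 2: string operations on Tainted values propagate the taint.
Step 3: dangerous sinks (SQL execution, raw HTML output) refuse tainted data
        and report the offending source.
"""
from typing import Iterable


class Tainted(str):
    """A str subclass carrying the set of untrusted sources it derives from."""

    def __new__(cls, value: str, sources: Iterable[str] = ()):
        obj = super().__new__(cls, value)
        obj.sources = frozenset(sources)
        return obj

    # Step 2: propagation through concatenation in either operand position.
    def __add__(self, other):
        return Tainted(str(self) + str(other), self.sources | sources_of(other))

    def __radd__(self, other):
        return Tainted(str(other) + str(self), sources_of(other) | self.sources)


def sources_of(value) -> frozenset:
    """Taint sources of a value; plain str values carry none."""
    return value.sources if isinstance(value, Tainted) else frozenset()


def read_params(query_string: str) -> dict:
    """Step 1: mark every query parameter as tainted, labelled GET:<name>."""
    params = {}
    for pair in query_string.split("&"):
        key, _, raw = pair.partition("=")
        params[key] = Tainted(raw, {f"GET:{key}"})
    return params


class TaintViolation(Exception):
    pass


def check_sink(sink: str, value) -> None:
    """Step 3: a dangerous sink must not receive tainted data."""
    srcs = sources_of(value)
    if srcs:
        raise TaintViolation(f"{sink} receives data from {sorted(srcs)}")


def execute_sql(query, params=()) -> str:
    """Only the query text is a sink; bound parameters are handled by the driver."""
    check_sink("SQL execute", query)
    return "ok"


def render_html(fragment) -> str:
    check_sink("HTML output", fragment)
    return str(fragment)


def html_escape(value) -> str:
    """Sanitizer: returns a plain str, so the result is untainted by construction."""
    return (str(value).replace("&", "&amp;").replace("<", "&lt;")
            .replace(">", "&gt;").replace('"', "&quot;"))


def vulnerable_handler(query_string: str) -> str:
    """Constructed handler that concatenates the parameter straight into a query."""
    p = read_params(query_string)
    query = "SELECT * FROM users WHERE name = '" + p["name"] + "'"
    execute_sql(query)                      # tainted query text -> violation
    return render_html("<p>Hi " + p["name"] + "</p>")


def hardened_handler(query_string: str) -> str:
    """Same page with a parameterized query and escaped output: no taint reaches a sink."""
    p = read_params(query_string)
    execute_sql("SELECT * FROM users WHERE name = ?", (p["name"],))
    return render_html("<p>Hi " + html_escape(p["name"]) + "</p>")


def run(handler, query_string: str) -> str:
    """Return the rendered page, or 'violation: ...' when a sink check fires."""
    try:
        return handler(query_string)
    except TaintViolation as e:
        return f"violation: {e}"
```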
Background: Dynamic Analysis
Dynamic Taint Analysis
Attack detected using TaintCheck (figure)
Background: Dynamic Analysis
Symbolic Execution
● Key idea: generalize testing by using unknown symbolic variables in evaluation
  int f(1, 2) becomes int f(α1, α2)
● Allows unknown symbolic variables in evaluation
  y = α; assert(f(y) == 2*y-1);
● If the execution path depends on an unknown, conceptually fork the symbolic executor
  int f(int x) { if (x > 0) return 2*x - 1; else return 10; }
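The forking described above, carried through on the slide's f as an added example (not code from the slides or from S2E/CRAX): a minimal symbolic executor over linear expressions in one symbolic input, with a bounded brute-force search standing in for the STP/Z3 solver. It generates one concrete input per path and shows that the slide's assert(f(y) == 2*y-1) can only be violated on the else path.

```python
"""Tiny symbolic executor for the slide's f(x), plus a brute-force stand-in for
the constraint solver (STP, Z3 or Yices would do this job for real).

Symbolic values are linear expressions a*x + b in the single symbolic input x
(the slide's alpha). A branch on a symbolic condition forks the executor: one
state assumes the condition, the other its negation, and each records that
assumption as a path constraint.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Lin:
    """The symbolic value a*x + b over the single symbolic input x."""
    a: int
    b: int

    def __add__(self, other):
        other = lin(other)
        return Lin(self.a + other.a, self.b + other.b)

    def __sub__(self, other):
        other = lin(other)
        return Lin(self.a - other.a, self.b - other.b)

    def __mul__(self, k: int):
        return Lin(self.a * k, self.b * k)

    def at(self, x: int) -> int:
        """Concrete value of the expression for input x."""
        return self.a * x + self.b


def lin(v) -> Lin:
    """Lift an int constant to a Lin; pass Lin values through."""
    return v if isinstance(v, Lin) else Lin(0, v)


# A path constraint is (expr, op), read as "expr op 0".
Constraint = Tuple[Lin, str]


def holds(c: Constraint, x: int) -> bool:
    v, op = c[0].at(x), c[1]
    return {">": v > 0, "<=": v <= 0, "==": v == 0, "!=": v != 0}[op]


@dataclass
class State:
    constraints: List[Constraint]


def fork(state: State, cond: Lin) -> Tuple[State, State]:
    """Branch on 'cond > 0': (state where it holds, state where it does not)."""
    return (State(state.constraints + [(cond, ">")]),
            State(state.constraints + [(cond, "<=")]))


def sym_f(state: State, x: Lin) -> List[Tuple[State, Lin]]:
    """Symbolic execution of
        int f(int x) { if (x > 0) return 2*x - 1; else return 10; }
    The single branch forks into two paths; each yields its symbolic result."""
    taken, not_taken = fork(state, x)
    return [(taken, x * 2 - 1), (not_taken, Lin(0, 10))]


def f(x: int) -> int:
    """Concrete f, used to confirm that the solver's inputs really take the path."""
    return 2 * x - 1 if x > 0 else 10


def solve(constraints: List[Constraint], bound: int = 50) -> Optional[int]:
    """Brute-force solver stand-in: smallest-magnitude integer in [-bound, bound]
    satisfying every constraint, or None when there is none (UNSAT in the bound)."""
    for x in sorted(range(-bound, bound + 1), key=abs):
        if all(holds(c, x) for c in constraints):
            return x
    return None


def describe(state: State) -> str:
    return " and ".join(f"{c[0].a}*x + {c[0].b} {c[1]} 0" for c in state.constraints)


def explore() -> List[dict]:
    """Run f on the symbolic input y = alpha and, per path, (1) generate a concrete
    input that drives execution down that path and (2) ask whether
    assert(f(y) == 2*y - 1) can fail on it."""
    alpha = Lin(1, 0)
    report = []
    for state, ret in sym_f(State([]), alpha):
        test_input = solve(state.constraints)
        # A violating input satisfies the path constraints AND ret != 2*alpha - 1.
        violating = solve(state.constraints + [(ret - (alpha * 2 - 1), "!=")])
        report.append({"path": describe(state), "test_input": test_input,
                       "returns": ret, "assert_violated_by": violating})
    return report
```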
Background: Dynamic Analysis
Symbolic Execution Example (figure)
Background: Dynamic Analysis
Symbolic Execution: Purpose
● E.g. Are particular program points reachable?
● E.g. Is the array access a[i] out of bounds?
● E.g. Generate concrete inputs that execute the same paths
● With constraint solvers, e.g. Z3, Yices, STP
Background: Dynamic Analysis
Symbolic Execution: Limitations
● Scalability issues when the number of execution paths is large
● Source code, or an equivalent, is required
● Limitations in solving constraints: non-linear and very complex constraints cannot be handled
Research Paper
CRAXweb: Automatic Web Application Testing and Attack Generation
Research Paper
Overview of CRAXweb
● Implements AEG (automatic exploit generation) for large-scale web applications
● Focuses on XSS and SQL injection attacks
● Based on a symbolic socket, i.e. symbolic execution of the request
● Single-path concolic mode is used to reduce path explosion
● Selective Symbolic Execution (S2E) provides the ability to execute a specific part of the program symbolically
● Simple Theorem Prover (STP) as the constraint solver
● Acunetix as the web crawler
Research Paper
Exploit Generation: Constraint Solving
● Generate test cases and exploits
Research Paper
Exploit Generation: Constraint Solving (figure)
x: exploit
f(x): expected attack script
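The x / f(x) formulation above, as an added example that is not the paper's code: the response is modelled as f(x) = prefix + sanitize(x) + suffix and the exploit constraint f(x) == target is solved by inverting the concatenation and the sanitizer. The page template, the marker string used in place of an attack script, and the inversion rules are constructed for this illustration; the point for defenders is that once html.escape is applied the constraint has no solution.

```python
"""Exploit generation as constraint solving, in the slide's x / f(x) terms.

The server's response is a symbolic function f(x) of the request parameter x:
concrete page fragments concatenated with the (possibly sanitized) input.
Exploit generation asks the solver for an x with f(x) == target, where target
is the expected attack script. A harmless marker stands in for that script and
the "solver" inverts the concatenation and the sanitizer by hand.
"""
import html
from typing import Callable, Optional


def response(prefix: str, suffix: str, sanitize: Callable[[str], str]):
    """Build f(x) = prefix + sanitize(x) + suffix for one page template."""
    return lambda x: prefix + sanitize(x) + suffix


def identity(x: str) -> str:
    """No output encoding: the input is echoed as-is."""
    return x


def html_escape(x: str) -> str:
    """Output encoding: '<', '>', '&' and quotes become entities."""
    return html.escape(x)


def solve_exploit(prefix: str, suffix: str, sanitize: Callable[[str], str],
                  target: str) -> Optional[str]:
    """Return x with prefix + sanitize(x) + suffix == target, or None if UNSAT."""
    # Concatenation constraint: the target must carry both concrete fragments.
    if len(target) < len(prefix) + len(suffix):
        return None
    if not (target.startswith(prefix) and target.endswith(suffix)):
        return None
    middle = target[len(prefix):len(target) - len(suffix)]
    # Sanitizer constraint: sanitize(x) == middle.
    if sanitize is identity:
        return middle
    if sanitize is html_escape:
        # html.escape never emits a bare '<', '>', '&' or quote, so the only
        # candidate is the unescaped middle; it is a solution iff it round-trips.
        candidate = html.unescape(middle)
        return candidate if html_escape(candidate) == middle else None
    raise NotImplementedError("no inversion rule for this sanitizer")


# Constructed page template: a greeting that echoes the 'name' parameter.
PREFIX, SUFFIX = "<p>Hi ", "</p>"
TARGET = "<p>Hi <i>marker</i></p>"   # stands in for the expected attack script


def demo() -> dict:
    """Solve the same exploit constraint against the unencoded and encoded page."""
    unsafe = solve_exploit(PREFIX, SUFFIX, identity, TARGET)
    safe = solve_exploit(PREFIX, SUFFIX, html_escape, TARGET)
    return {"without_encoding": unsafe, "with_html_escape": safe,
            "check": response(PREFIX, SUFFIX, identity)(unsafe) == TARGET}
```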
Research Paper
Single Path Concolic Mode
● To reduce the overhead caused by symbolic execution
● Explore one path at a time
Research Paper
Flow diagram of the automatic process (figure)
Research Paper
Implementation: Symbolic Socket
● S2E as the symbolic environment
Research Paper
Implementation: Architecture
● Overall architecture of the automatic exploit generator (figure)
Research Paper
Implementation: Symbolic Response and Query Handler
● From web crawler to symbolic request
Research Paper
Implementation: Symbolic Response and Query Handler
● From symbolic response or query to exploit generator
Research Paper
Implementation: Exploit Generation (figure)
Research Paper
Implementation: Exploit Generation
● Algorithm to solve the exploit constraint (figure)
Research Paper
Results: Experiment Environment
● Host OS: Ubuntu 10.10
● Guest environment: emulated by QEMU
● QEMU-hosted Debian 5.07 and Windows XP
● Software: S2E 1.0 and MySQL as the database handler
Research Paper
Results: Evaluation for Different Platforms (table)
Research Paper
Results: Evaluation for Exploit Generation
● With test cases from Ardilla (tables)
Research Paper
Results: Evaluation for Exploit Generation
● With real-world applications (table)
Research Paper
Results: Related Work (table)
Conclusions
● AEG is possible for web applications
● CRAXweb uses
  ● Symbolic execution
  ● Concolic testing
● However, there is still room for development:
  ● for more exploit types
  ● for integration with a browser
References
[1] Shih-Kun Huang, Han-Lin Lu, Wai-Meng Leong, Huan Liu, "CRAXweb: Automatic Web Application Testing and Attack Generation", Software Security and Reliability (SERE), IEEE 7th International Conference, June 2013.
[2] Shih-Kun Huang, Min-Hsiang Huang, Po-Yen Huang, Chung-Wei Lai, Han-Lin Lu, Wai-Meng Leong, "CRAX: Software Crash Analysis for Automatic Exploit Generation by Modeling Attacks as Symbolic Continuations", Software Security and Reliability (SERE), IEEE Sixth International Conference, June 2012.
[3] Thanassis Avgerinos, Sang Kil Cha, Brent Lim Tze Hao, David Brumley, "AEG: Automatic Exploit Generation", Network and Distributed System Security Symposium, Feb 2012.
[4] James Newsome, Dawn Song, "Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software", Network and Distributed System Security Symposium, 2005.
[5] Cristian Cadar, Daniel Dunbar, Dawson Engler, "KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs", USENIX Symposium on Operating Systems Design and Implementation, December 2008.

CRAXweb: Automatic Exploit Generation for Web Applications

  • 1. Lehrstuhl für Informatik 4 1/161/2012 <Title> <Name LastName> Seminar in Computer Science Kip IrvineCRAXweb: Automatic Web Application Testing and Attack Generation1 Shih-Kun Huang ,Han-Lin Lu, Wai-Meng Leong ,Huan Liu National Chiao Tung University Presented by Aung Thu Rha Hein 5536871 1 “CRAXWweb:Automatic Web Application Testing and Attack Generation”, Software Security and Reliability (SERE), June 2013 IEEE 7th International Conference.
  • 2. Lehrstuhl für Informatik 4 2/161/2012 <Title> <Name LastName> Seminar in Computer Science Outline 1. Introduction 2. Background -What is an exploit? -Dynamic Analysis -Semantic Execution 2. CRAXWeb: Automatic Web Application Testing and Attack Generation 4. Conclusions 5. References
  • 3. Lehrstuhl für Informatik 4 3/161/2012 <Title> <Name LastName> Seminar in Computer Science ● Software bugs are common ● Especially in web applications ● Some bugs are more harmful ● It is difficult to detect manually ● Static analysis gives developer confusion and false positives ● Manual testing is not effective Introduction Motivation
  • 4. Lehrstuhl für Informatik 4 4/161/2012 <Title> <Name LastName> Seminar in Computer Science ● Challenge ● How to find exploits, shellcode in the program ● Source code analysis alone is not enough ● Finding exploitable paths among program execution paths Introduction Problem Statements
  • 5. Lehrstuhl für Informatik 4 5/161/2012 <Title> <Name LastName> Seminar in Computer Science ● To generate exploits for web-applications Introduction Research Objectives
  • 6. Lehrstuhl für Informatik 4 6/161/2012 <Title> <Name LastName> Seminar in Computer Science ● Exploits techniques vary upon OS architectures ● Type of Exploits ● Stack Overflow Exploit ● Heap Corruption Exploit ● Format String Attack ● Attack Methodologies ● Remote Exploit ● Local Exploit ● Two Stage Exploit ● Tools for writing Exploits: LibExploit, Metasploit, CANVAS Background: Exploits What is an exploit?
  • 7. Lehrstuhl für Informatik 4 7/161/2012 <Title> <Name LastName> Seminar in Computer Science Background: Exploits Stack Overflow Exploit Example #include <string.h> void foo (char *bar) { char c[12]; strcpy(c, bar); } int main (int argc, char **argv) { foo(argv[1]); }
  • 8. Lehrstuhl für Informatik 4 8/161/2012 <Title> <Name LastName> Seminar in Computer Science Background: Exploits Stack Overflow Exploit Example
  • 9. Lehrstuhl für Informatik 4 9/161/2012 <Title> <Name LastName> Seminar in Computer Science Background: Dynamic analysis Introduction ● Monitor code as it executes ● Usefulness of Dynamic analysis ● Precision of information ● Dependence on program inputs ● Four common dynamic analysis techniques: ● Dynamic taint analysis ● Forward symbolic execution ● Frequency Spectrum Analysis ● Coverage Concept Analysis ...
  • 10. Lehrstuhl für Informatik 4 10/161/2012 <Title> <Name LastName> Seminar in Computer Science Background: Dynamic analysis Dynamic Taint Analysis ● To exploit program execution, ● use values from a trusted source ● attackers overwrite, tainted these values ● Taint Analysis Process 1. mark input data from untrusted sources tainted 2. monitor program execution to track how they propagated 3. check when tainted data is used in dangerous ways
  • 11. Lehrstuhl für Informatik 4 11/161/2012 <Title> <Name LastName> Seminar in Computer Science Background: Dynamic analysis Dynamic Taint Analysis Attack detected using TaintCheck
  • 12. Lehrstuhl für Informatik 4 12/161/2012 <Title> <Name LastName> Seminar in Computer Science Background:Dynamic analysis Symbolic Execution ● Key idea: generalize testing by using unknown ● symbolic variables in evaluation ● int f(1, 2)= int f(α1 , α2) ● Allows unknown symbolic variables in evaluation ● y = α; assert(f(y) == 2*y-1); ● If execution path depends on unknown, conceptually fork symbolic executor ● int f(int x) {if(x > 0) then return 2*x - 1; else return 10;}
  • 13. Background: Dynamic analysis - Symbolic Execution Example
  • 14. Background: Dynamic analysis - Symbolic Execution: Purpose
    ● E.g. Are particular program points reachable?
    ● E.g. Is the array access a[i] out of bounds?
    ● E.g. Generate concrete inputs that execute the same paths
    ● With constraint solvers, e.g. Z3, Yices, STP
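The forking executor from slide 12 and the input generation from slide 14, worked through on the slides' own f(x) and assert(f(y) == 2*y-1). This is an added example, not code from the slides, S2E or CRAXweb; the `Forker`/`explore` names are hypothetical, and a brute-force search over a small integer domain stands in for a solver such as STP or Z3.

```python
"""Tiny symbolic executor for the slides' f(x) (added example, not CRAXweb or S2E
code). Branch decisions are recorded as a path condition; a brute-force search
over a small integer domain stands in for a constraint solver such as STP or Z3."""
from typing import Callable, List, Optional

Pred = Callable[[int], bool]

class Forker:
    """Replays a decision prefix, takes the true branch at each new decision and
    records the alternative, which is the 'fork' of the symbolic executor."""
    def __init__(self, prefix: List[bool]):
        self.prefix, self.taken, self.pc, self.forks = prefix, [], [], []
    def branch(self, cond: Pred) -> bool:
        i = len(self.taken)
        if i < len(self.prefix):
            take = self.prefix[i]
        else:
            take = True
            self.forks.append(self.taken + [False])   # sibling path left pending
        self.taken.append(take)
        self.pc.append(cond if take else (lambda v, c=cond: not c(v)))
        return take

def f(x: Forker) -> Callable[[int], int]:
    """The slides' f: if (x > 0) return 2*x - 1; else return 10, with x symbolic.
    The return value is symbolic too: a function of the concrete x."""
    if x.branch(lambda v: v > 0):
        return lambda v: 2 * v - 1
    return lambda v: 10

def solve(pc: List[Pred], domain=range(-8, 9)) -> Optional[int]:
    """Stand-in solver: first domain value satisfying every path constraint."""
    return next((v for v in domain if all(p(v) for p in pc)), None)

def explore(program, check=None):
    """Enumerates the feasible paths of `program`. Returns (decisions, witness
    input, concrete result) per path; with `check(result_fn, v)` given, only
    paths on which some input violates the check are returned (counterexamples)."""
    pending, paths = [[]], []
    while pending:
        fk = Forker(pending.pop())
        result = program(fk)
        pending.extend(fk.forks)
        pc = list(fk.pc)
        if check is not None:
            pc.append(lambda v, r=result: not check(r, v))
        v = solve(pc)
        if v is not None:
            paths.append((fk.taken, v, result(v)))
    return paths
```

`explore(f)` yields one concrete input per path, and `explore(f, lambda r, y: r(y) == 2 * y - 1)` reports that the slides' assertion fails on the x <= 0 path, where f returns 10.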
  • 15. Background: Dynamic analysis - Symbolic Execution Limitations
    ● Scalability issue when the number of execution paths is large
    ● Source code, or an equivalent, is required
    ● Limitations in solving constraints
      ● cannot handle non-linear and very complex constraints
  • 16. Research Paper: CRAXweb: Automatic Web Application Testing and Attack Generation
  • 17. Research Paper - Overview of CRAXweb
    ● Implements AEG for large-scale web applications
    ● Focus on XSS and SQLi attacks
    ● Based on a symbolic socket and symbolic execution
    ● Single-path concolic mode is used to reduce path explosion
    ● Selective Symbolic Execution (S2E)
      ● Provides the ability to execute a specific part of a program symbolically
    ● Simple Theorem Prover (STP) as the constraint solver
    ● Acunetix as the web crawler
  • 18. Research Paper - Exploit Generation: Constraint Solving
    ● Generate test cases and exploits
  • 19. Research Paper - Exploit Generation: Constraint Solving
    ● x is the exploit input; f(x) is the expected attack script
  • 20. Research Paper - Single Path Concolic Mode
    ● To reduce the overhead caused by symbolic execution
    ● Explore one path at a time
  • 21. Research Paper - Flow diagram of the automatic process
  • 22. Research Paper - Implementation: Symbolic Socket
    ● S2E as the symbolic environment
  • 23. Research Paper - Implementation: Architecture
    ● Overall architecture of the automatic exploit generator
  • 24. Research Paper - Implementation: Symbolic Response and Query Handler
    ● From web crawler to symbolic request
  • 25. Research Paper - Implementation: Symbolic Response and Query Handler
    ● From symbolic response or query to exploit generator
  • 26. Research Paper - Implementation: Exploit Generation
  • 27. Research Paper - Implementation: Exploit Generation
    ● Algorithm to solve the exploit constraint
  • 28. Research Paper - Results: Experiment Environment
    ● Host OS: Ubuntu 10.10
    ● Guest environment: emulated by QEMU
    ● QEMU-hosted Debian 5.07 and Windows XP
    ● Software: S2E 1.0 and MySQL as the database handler
  • 29. Research Paper - Results: Evaluation for different platforms
  • 30. Research Paper - Results: Evaluation for Exploit Generation
    ● With test cases from Ardilla
  • 31. Research Paper - Results: Evaluation for Exploit Generation
    ● With test cases from Ardilla
  • 32. Research Paper - Results: Evaluation for Exploit Generation
    ● With real-world applications
  • 33. Research Paper - Results: Related works
  • 34. Conclusions
    ● AEG is possible for web applications
    ● CRAXweb uses
      ● Symbolic execution
      ● Concolic testing
    ● However, there is still room for development
      ● for more exploit types
      ● for integration with a browser
  • 35. References
    Shih-Kun Huang, Han-Lin Lu, Wai-Meng Leong, Huan Liu, "CRAXweb: Automatic Web Application Testing and Attack Generation", Software Security and Reliability (SERE), IEEE 7th International Conference, June 2013
    Shih-Kun Huang, Min-Hsiang Huang, Po-Yen Huang, Chung-Wei Lai, Han-Lin Lu, Wai-Meng Leong, "CRAX: Software Crash Analysis for Automatic Exploit Generation by Modeling Attacks as Symbolic Continuations", Software Security and Reliability (SERE), IEEE Sixth International Conference, June 2012
    Thanassis Avgerinos, Sang Kil Cha, Brent Lim Tze Hao, David Brumley, "AEG: Automatic Exploit Generation", Network and Distributed System Security Symposium, Feb 2012
  • 36. References
    James Newsome, Dawn Song, "Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software", Network and Distributed System Security Symposium, 2005
    Cristian Cadar, Daniel Dunbar, Dawson Engler, "KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs", USENIX Symposium on Operating Systems Design and Implementation, December 2008