Conference item
String solving with word equations and transducers: towards a logic for analysing mutation XSS
- Abstract:
- We study the fundamental issue of decidability of satisfiability over string logics with concatenations and finite-state transducers as atomic operations. Although restricting to one type of operations yields decidability, little is known about the decidability of their combined theory, which is especially relevant when analysing security vulnerabilities of dynamic web pages in a more realistic browser model. On the one hand, word equations (string logic with concatenations) cannot precisely capture sanitisation functions (e.g. htmlescape) and implicit browser transductions (e.g. innerHTML mutations). On the other hand, transducers suffer from the reverse problem of being able to model sanitisation functions and browser transductions, but not string concatenations. Naively combining word equations and transducers easily leads to an undecidable logic. Our main contribution is to show that the "straight-line fragment" of the logic is decidable (complexity ranges from PSPACE to EXPSPACE). The fragment can express the program logics of straight-line string-manipulating programs with concatenations and transductions as atomic operations, which arise when performing bounded model checking or dynamic symbolic executions. We demonstrate that the logic can naturally express constraints required for analysing mutation XSS in web applications. Finally, the logic remains decidable in the presence of length, letter-counting, regular, indexOf, and disequality constraints.
- Publication status:
- Published
- Peer review status:
- Peer reviewed
Actions
Access Document
- Files:
-
-
(Preview, Accepted manuscript, pdf, 180.2KB, Terms of use)
-
- Publisher copy:
- 10.1145/2914770.2837641
Authors
- Publisher:
- Association for Computing Machinery
- Host title:
- 43rd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages
- Journal:
- 43rd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages More from this journal
- Volume:
- 51
- Issue:
- 1
- Pages:
- 123-136
- Publication date:
- 2016-01-11
- DOI:
- ISSN:
-
0362-1340
- ISBN:
- 9781450335492
- Keywords:
- Pubs id:
-
pubs:694268
- UUID:
-
uuid:0fd0b793-bdf5-4fa3-8e36-4e9144e4025e
- Local pid:
-
pubs:694268
- Source identifiers:
-
694268
- Deposit date:
-
2017-05-13
Terms of use
- Copyright holder:
- Lin and Barceló
- Copyright date:
- 2016
- Notes:
- Copyright is held by the owner/author(s). Publication rights licensed to ACM. This is the Accepted Manuscript version of the article. The final version is available online from Association for Computing Machinery at: https://doi.org/10.1145/2914770.2837641
If you are the owner of this record, you can report an update to it here: Report update to this record