String Constraints with Concatenation and Transducers Solved Efficiently (Technical Report)
arXiv - CS - Logic in Computer Science. Pub Date: 2020-10-29, DOI: arxiv-2010.15975
Lukas Holik, Petr Janku, Anthony W. Lin, Philipp Rümmer, Tomas Vojnar

String analysis is the problem of reasoning about how strings are manipulated by a program. It has numerous applications including automatic detection of cross-site scripting (XSS). A popular string analysis technique includes symbolic executions, which at their core use string (constraint) solvers. Such solvers typically reason about constraints expressed in theories over strings with the concatenation operator as an atomic constraint. In recent years, researchers started to recognise the importance of incorporating the replace-all operator and finite transductions in the theories of strings with concatenation. Such string operations are typically crucial for reasoning about XSS vulnerabilities in web applications, especially for modelling sanitisation functions and implicit browser transductions (e.g. innerHTML). In this paper, we provide the first string solver that can reason about constraints involving both concatenation and finite transductions. Moreover, it has a completeness and termination guarantee for several important fragments (e.g. straight-line fragment). The main challenge addressed in the paper is the prohibitive worst-case complexity of the theory. To this end, we propose a method that exploits succinct alternating finite automata as concise symbolic representations of string constraints. Alternation offers not only exponential savings in space when representing Boolean combinations of transducers, but also a possibility of succinct representation of otherwise costly combinations of transducers and concatenation. Reasoning about the emptiness of the AFA language requires a state-space exploration in an exponential-sized graph, for which we use model checking algorithms (e.g. IC3). We have implemented our algorithm and demonstrated its efficacy on benchmarks that are derived from XSS and other examples in the literature.
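To make the abstract's central point concrete, here is an added example (not code from the paper or its authors) of the two ideas it names: a conjunction of automata represented by an alternating finite automaton (AFA) whose size is the sum of the inputs, and an emptiness check that explores the exponential-sized configuration graph that alternation defers to analysis time. The DNF encoding, the constructed NFAs and all function names are assumptions of this example; the paper itself uses model-checking algorithms such as IC3 for that exploration, whereas this toy uses plain breadth-first search.

```python
from collections import deque
from itertools import product

# Constructed example: an AFA whose transition targets are positive Boolean
# formulas in DNF, stored as a frozenset of clauses; each clause is a frozenset
# of states that must all accept the remaining input. An NFA is the special case
# where every clause is a singleton. State names of distinct automata are disjoint.

def nfa_to_afa(nfa):
    """nfa = (init, finals, delta) with delta[(state, sym)] = set of successor states."""
    init, finals, delta = nfa
    trans = {k: frozenset(frozenset([q]) for q in qs) for k, qs in delta.items()}
    return (frozenset([frozenset([init])]), frozenset(finals), trans)

def afa_and(afa1, afa2):
    """Conjunction of two AFAs: linear in the inputs, unlike an NFA product construction."""
    (i1, f1, t1), (i2, f2, t2) = afa1, afa2
    init = frozenset(c1 | c2 for c1 in i1 for c2 in i2)  # merge initial clauses
    return (init, f1 | f2, {**t1, **t2})

def afa_witness(afa, alphabet):
    """Emptiness check by breadth-first exploration of the configuration graph (a configuration
    is the set of states still obliged to accept). Returns a shortest accepted word or None."""
    init, finals, trans = afa
    seen, queue = set(init), deque((c, "") for c in init)
    while queue:
        conf, word = queue.popleft()
        if conf <= finals:               # every pending obligation accepts
            return word
        for sym in alphabet:
            choices = [trans.get((q, sym), frozenset()) for q in conf]
            if not all(choices):          # some state has no move: this branch dies
                continue
            for pick in product(*choices):   # each state picks one clause
                nxt = frozenset().union(*pick)
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, word + sym))
    return None

# Constructed NFAs over {a, b}: even number of a's; ends with b; contains a; contains no a.
EVEN_A = ("e0", {"e0"}, {("e0", "a"): {"e1"}, ("e0", "b"): {"e0"},
                         ("e1", "a"): {"e0"}, ("e1", "b"): {"e1"}})
ENDS_B = ("s0", {"s1"}, {("s0", "a"): {"s0"}, ("s0", "b"): {"s1"},
                         ("s1", "a"): {"s0"}, ("s1", "b"): {"s1"}})
HAS_A = ("h0", {"h1"}, {("h0", "a"): {"h1"}, ("h0", "b"): {"h0"},
                        ("h1", "a"): {"h1"}, ("h1", "b"): {"h1"}})
NO_A = ("n0", {"n0"}, {("n0", "b"): {"n0"}})
```

`afa_witness(afa_and(nfa_to_afa(EVEN_A), nfa_to_afa(ENDS_B)), "ab")` returns `"b"`, while the conjunction of `HAS_A` and `NO_A` returns `None` because the only configuration that could accept is never reached.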

Updated: 2020-11-02