- Advanced Malware Detection Techniques
- Security and Verification in Computing
- Software Testing and Debugging Techniques
- Web Application Security Vulnerabilities
- Distributed systems and fault tolerance
- Software Engineering Research
- Parallel Computing and Optimization Techniques
- Software System Performance and Reliability
- Software Reliability and Analysis Research
- Logic, programming, and type systems
- Network Security and Intrusion Detection
- Digital and Cyber Forensics
- Internet Traffic Analysis and Secure E-voting
- Privacy, Security, and Data Protection
- User Authentication and Security Systems
- Radiation Effects in Electronics
- Optimization and Search Problems
- Personal Information Management and User Behavior
- Mobile and Web Applications
- Computability, Logic, AI Algorithms
- Access Control and Trust
- Cloud Computing and Resource Management
- Advanced Software Engineering Methodologies
- Machine Learning and Algorithms
- Context-Aware Activity Recognition Systems
- Amazon (United States), 2020-2024
- Seattle University, 2024
- Google (United States), 2016-2019
- IBM Research - Thomas J. Watson Research Center, 2014-2017
- University of Waterloo, 2017
- IBM (United States), 2009-2017
- IBM Research - Austin, 2014-2015
- Tel Aviv University, 2010-2013
- IBM Research - Haifa, 2009-2013
Taint analysis, a form of information-flow analysis, establishes whether values from untrusted methods and parameters may flow into security-sensitive operations. Taint analysis can detect many common vulnerabilities in Web applications, and so has attracted much attention from both the research community and industry. However, most static taint-analysis tools do not address critical requirements for an industrial-strength tool. Specifically, such a tool must scale to large industrial applications and model essential Web-application code...
JavaScript is the most popular client-side scripting language for Web applications. Exploitable JavaScript code exposes end users to integrity and confidentiality violations. Client-side vulnerabilities can cost an enterprise money and reputation, and cause serious damage to innocent users of the application. In spite of all this, recent research in the area of information-flow security has focused more on other languages that are suitable for server-side programming, such as Java.
This paper presents F4F (Framework For Frameworks), a system for effective taint analysis of framework-based web applications. Most modern web applications utilize one or more frameworks, which provide useful abstractions for common functionality. Due to the extensive use of reflective language constructs in framework implementations, existing static analyses are often ineffective when applied to such applications. While previous work has included ad hoc support for certain constructs, adding support for a large number of frameworks in this manner...
A main aspect of the Android platform is Inter-Application Communication (IAC), which enables reuse of functionality across apps and app components via message passing. While a powerful feature, IAC also constitutes a serious attack surface. A malicious app can embed a payload into an IAC message, thereby driving the recipient app into potentially vulnerable behavior if the message is processed without its fields first being sanitized or validated. We present what is, to our knowledge, the first comprehensive testing algorithm for IAC vulnerabilities....
The scale and complexity of modern software systems complicate manual security auditing. Automated analysis tools are gradually becoming a necessity. Specifically, static analyses carry the promise of efficiently verifying large code bases. Yet a critical usability barrier, hindering adoption by developers, is excess false reports. Current tools do not offer the user any direct means of customizing or cleansing the report. The user is thus left to review hundreds, if not thousands, of potential warnings, and classify them as either...
Large language models (LLMs) have shown impressive effectiveness in various software engineering tasks, including automated program repair (APR). In this study, we take a deep dive into bug localization and program repair utilizing LLMs. In contrast to many learning-based APR methods that assume known bug locations, rely on line-level localization tools, or address bug prediction and fixing in one step, our approach uniquely employs LLMs to predict the bug location at the token level and subsequently utilizes them for bug fixing. This methodological...
We propose a novel technique for statically verifying the strings generated by a program. The verification is conducted by encoding the program in Monadic Second-order Logic (M2L). We use M2L to describe constraints among program variables and to abstract built-in string operations. Once we encode a program in M2L, a theorem prover such as MONA can automatically check if the program satisfies a given specification and, if not, exhibit a counterexample. With this approach, we can naturally encode relationships among strings, accounting also for cases in which a program manipulates strings using...
Writing efficient synchronization for multithreaded programs is notoriously hard. The resulting code often contains subtle concurrency bugs. Even worse, many bug fixes introduce new bugs. A classic example, seen widely in practice, is deadlocks resulting from the fixing of an atomicity violation. These complexities have motivated the development of automated fixing techniques. Current techniques generate fixes that are typically conservative, giving up on available parallelism. Moreover, some techniques cannot guarantee the correctness of a fix,...
We introduce QualityFlow, a dynamic agentic workflow for program synthesis. Given the English description of a programming problem and a set of unit tests, the model's goal is to synthesize a correct program that solves the problem and passes the tests. QualityFlow consists of multiple large language model (LLM) agents that resemble a software development team, including code generation, testing, and self-debugging. Existing program synthesis methods face three major limitations: the assumption of visible test conformity, the bottleneck of synthesized code quality,...
Static analyses are generally parametrized by an abstraction which is chosen from a family of abstractions. We are interested in flexible families of abstractions with many parameters, as these can allow one to increase precision in ways tailored to the client without sacrificing scalability. For example, we consider k-limited points-to analyses where each call site and allocation site in the program can have a different k value. We then ask a natural question in this paper: What is the minimal (coarsest) abstraction in a given family that is able to prove a set of queries? In...
This paper addresses the problem of detecting JavaScript security vulnerabilities in client-side Web applications. Such vulnerabilities are becoming a source of growing concern due to the rapid migration of server-side business logic to the client side, combined with new JavaScript-backed technologies, such as AJAX and HTML5. Detection of client-side vulnerabilities is challenging given the dynamic, event-driven nature of JavaScript. We present a hybrid form of JavaScript analysis, which augments static analysis with (semi-)concrete information by applying partial evaluation...
Black-box security testing of web applications is a hard problem. The main complication lies in the black-box assumption: the testing tool has limited insight into the workings of server-side defenses. This has traditionally led commercial as well as research vulnerability scanners toward heuristic approaches, such as testing each input point (e.g. an HTTP parameter) with a short, predefined list of effective test payloads, to balance between coverage and performance.
The quality of a static analysis of heap-manipulating programs is largely determined by its heap abstraction. Object allocation sites are a commonly-used abstraction, but are too coarse for some clients. The goal of this paper is to investigate how various refinements of allocation sites can improve precision. In particular, we consider abstractions that use call stack, object recency, and heap connectivity information. We measure the precision of these abstractions dynamically for four different clients motivated by concurrency, on nine Java programs chosen from...
Reproducing concurrency bugs is a prominent challenge. Existing techniques either rely on recording very fine grained execution information and hence have high runtime overhead, or strive to log as little information as possible but provide no guarantee of reproducing the bug. We present Light, a technique that features much lower overhead compared to techniques based on fine grained recording, and that guarantees to reproduce concurrent bugs. We leverage and formally prove that flow dependences are the necessary and sufficient condition for bug reproduction. The dependences, together with...
Predictive analysis, recently proposed for race detection, guarantees to report no false positives and achieves good coverage. The analysis starts with the trace of an execution and mutates the schedule order to "predict" executions that expose hidden races. Ideally, predictive analysis should allow the mutation to change the memory location accessed by a field access, which helps meet the "same location" requirement of a data race. However, existing approaches, including causality-preserving approaches and symbolic approaches, lack this...