Benchmark                        Cat.Net (P)   Merlin (G)   Merlin (F)   Total time
Alias Management Tool                   2.64         4.59         2.63         9.86
Chat Application                        4.61         0.81         2.67         8.09
Bicycle Club App                        2.81         0.53         2.72         6.06
Software Catalog                        3.94         1.02         2.73         7.69
Sporting Field Management Tool          5.97         2.22         2.69        10.88
Commitment Management Tool              6.41        18.84         2.91        28.16
New Hire Tool                           7.84         2.98         3.44        14.27
Expense Report Approval Tool            7.27         3.59         3.05        13.91
Relationship Management                55.38        87.63        66.45       209.45
Customer Support Portal                89.75        29.75        31.55       151.05

FIGURE 11.19: Static analysis and specification inference running time, in seconds. The Total time column is the sum of the three preceding columns (rounded).
11.7 Related Work
Related work falls into the broad categories of securing Web applications
and specification mining.
11.7.1 Securing Web Applications
There has been much interest in static and runtime protection techniques
to improve the security of Web applications. Static analysis allows the developer
to avoid issues such as cross-site scripting before the application goes
into operation. Runtime analysis allows exploit prevention and recovery during
the operation of an application. The WebSSARI project pioneered this line
of research [8] by combining static and dynamic analysis for PHP programs.
Several projects that came after WebSSARI improve on the quality of static
analysis for PHP [9, 33].
The Griffin project proposes scalable and precise static and runtime analysis
techniques for finding security vulnerabilities in large Java applications
[15, 18]. Several other runtime systems for taint tracking have been proposed
as well, including Haldar et al. [6] and Chandra and Franz [1] for Java,
and Pietraszek and Berghe [25] and Nguyen-Tuong et al. [23] for PHP. Several
commercial tools have been built to detect information flow vulnerabilities in
programs [4, 24]. All of these tools, without exception, require a specification of
information flow: which methods introduce untrusted data, which consume it
unsafely, and which cleanse it. Our work infers such specifications.
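The following is an added example, not code from the chapter or from any of the tools cited above. It shows what "requiring a specification of information flow" means in practice: a minimal static taint checker that walks a propagation graph and reports every path from a source to a sink that does not pass through a sanitizer. The propagation graph and the specification are constructed for illustration (the node names imitate .NET APIs but stand for nothing real), and the source/sink/sanitizer form of the specification is an assumption about the usual shape of such specifications, not a description of Merlin's own format. The point the example makes is that the checker's verdict is entirely determined by the specification it is handed: dropping one sanitizer from the specification produces a false positive, and dropping one source produces a false negative.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowSpec:
    """An information-flow specification as the tools above consume it:
    sources introduce untrusted data, sinks consume it unsafely, and
    sanitizers cleanse it (assumed three-way form; constructed example)."""
    sources: frozenset
    sinks: frozenset
    sanitizers: frozenset


# Constructed propagation graph: an edge a -> b means data produced by or
# passing through node a reaches node b. Names imitate .NET APIs only for
# readability; this is not a real application.
GRAPH = {
    "Request.QueryString": ["String.Trim", "Label.Text"],
    "String.Trim": ["HttpUtility.HtmlEncode", "Response.Write"],
    "HttpUtility.HtmlEncode": ["Response.Write"],
    "Cookie.Value": ["SqlCommand.ExecuteReader"],
    "Config.Read": ["Label.Text"],
}

# Constructed specification covering the graph above.
FULL_SPEC = FlowSpec(
    sources=frozenset({"Request.QueryString", "Cookie.Value"}),
    sinks=frozenset({"Response.Write", "Label.Text",
                     "SqlCommand.ExecuteReader"}),
    sanitizers=frozenset({"HttpUtility.HtmlEncode"}),
)


def unsanitized_flows(graph, spec):
    """Return every (source, sink, path) such that path leads from a
    source to a sink without visiting a sanitizer. Depth-first walk;
    nodes already on the current path are skipped to break cycles."""
    flows = []
    for src in sorted(spec.sources):
        stack = [(src, (src,))]
        while stack:
            node, path = stack.pop()
            for nxt in graph.get(node, []):
                if nxt in path:               # cycle: already on this path
                    continue
                if nxt in spec.sanitizers:    # data cleansed; stop here
                    continue
                new_path = path + (nxt,)
                if nxt in spec.sinks:
                    flows.append((src, nxt, new_path))
                stack.append((nxt, new_path))  # data may keep propagating
    return flows


def flow_pairs(graph, spec):
    """Set of (source, sink) pairs reported for the given specification."""
    return {(src, sink) for src, sink, _ in unsanitized_flows(graph, spec)}


def without_sanitizer(spec, name):
    """Specification with one sanitizer forgotten (models an incomplete spec)."""
    return FlowSpec(spec.sources, spec.sinks, spec.sanitizers - {name})


def without_source(spec, name):
    """Specification with one source forgotten (models an incomplete spec)."""
    return FlowSpec(spec.sources - {name}, spec.sinks, spec.sanitizers)


if __name__ == "__main__":
    for label, spec in [
        ("complete spec", FULL_SPEC),
        ("sanitizer missing", without_sanitizer(FULL_SPEC, "HttpUtility.HtmlEncode")),
        ("source missing", without_source(FULL_SPEC, "Cookie.Value")),
    ]:
        print(label)
        for src, sink, path in unsanitized_flows(GRAPH, spec):
            print("  ", " -> ".join(path))
```

With the complete specification the checker reports three flows (query string to Label.Text, query string through String.Trim to Response.Write, and cookie to ExecuteReader) and correctly ignores the path through HtmlEncode. Forgetting the sanitizer adds the encoded path as a fourth, spurious report; forgetting the cookie source silently drops the SQL flow. Nothing in the graph itself tells the checker which case it is in, which is exactly why the cited tools need the specification supplied, and why inferring it is worthwhile.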