University of Minnesota
Program Analysis for Security

Web applications

Gary Wassermann and Zhendong Su. “Sound and precise analysis of web applications for injection vulnerabilities”. In Programming Language Design and Implementation (PLDI), pages 32–41, San Diego, CA, USA, June 2007.
[ACM]

Shay Artzi, Adam Kiezun, Julian Dolby, Frank Tip, Danny Dig, Amit M. Paradkar, and Michael D. Ernst. “Finding bugs in dynamic web applications”. In International Symposium on Software Testing and Analysis (ISSTA), pages 261–272, Seattle, WA, USA, July 2008.
[ACM]

Adam Chlipala. “Static checking of dynamically-varying security policies in database-backed applications”. In Operating Systems Design and Implementation (OSDI), pages 105–118, Vancouver, BC, Canada, October 2010.
[USENIX]

Joe Gibbs Politz, Spiridon Aristides Eliopoulos, Arjun Guha, and Shriram Krishnamurthi. “ADsafety: Type-based verification of JavaScript sandboxing”. In USENIX Security Symposium, San Francisco, CA, USA, August 2011.
[USENIX]

Question: TBD

Optional

Mike Samuel, Prateek Saxena, and Dawn Song. “Context-sensitive auto-sanitization in web templating languages using type qualifiers”. In ACM Conference on Computer and Communications Security (CCS), pages 587–600, Chicago, IL, USA, October 2011.
[ACM]

One of several challenges to the correct use of sanitizers to prevent cross-site scripting is that different transformations are appropriate in different contexts within a web page (e.g., HTML versus JavaScript). This paper addresses this problem by taking advantage of a tightly structured template language.

Adam Barth, Juan Caballero, and Dawn Song. “Secure content sniffing for web browsers, or how to stop papers from reviewing themselves”. In IEEE Symposium on Security and Privacy “Oakland”, pages 360–371, Oakland, CA, USA, May 2009.
[IEEE]

An obscure corner of web browser behavior opens a hole for eye-catching attacks, like the one alluded to in the alternate title. The solution is mostly more conservative design, but binary analysis and string constraint solving can help in generating attacks or verifying their absence.