Abstract
Unrestricted file upload vulnerabilities allow attackers to upload malicious scripts to web servers and execute them. We have built a system, UChecker, to detect such vulnerabilities effectively and automatically in PHP server-side web applications. To this end, UChecker first interprets the abstract syntax tree (AST) of the program source code to perform symbolic execution. It then models vulnerabilities as SMT constraints and uses an SMT solver to check whether these constraints are satisfiable. UChecker features a novel vulnerability-oriented locality analysis algorithm that reduces the workload of symbolic execution, an AST-driven symbolic execution engine with compact data structures, and rules that translate PHP-based constraints into SMT-based constraints while mitigating the semantic gaps between them. Experiments on real-world examples show that UChecker achieves high detection accuracy. In addition, it detected three previously unknown vulnerable PHP scripts.
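The abstract describes the vulnerability class and the constraint-based check at a high level. The following PHP is an added illustration, not code from the UChecker paper or its authors: a typical upload handler in its unrestricted form, next to a hardened form, with comments on the constraint a checker of this kind would try to satisfy at the `move_uploaded_file()` sink. The directory `$uploadDir`, the function names and the form field name `f` are assumptions introduced here for illustration.

```php
<?php
// Added illustration (not code from the UChecker paper). $uploadDir, the
// function names and the form field 'f' are assumptions made for this example.
declare(strict_types=1);

$uploadDir = __DIR__ . '/uploads';   // assumed to live inside the web root

// VULNERABLE: the destination name is taken from attacker-controlled data
// ($_FILES['f']['name']) and reaches the sink move_uploaded_file() unchanged.
// A constraint-based checker asks "can the destination path end in a
// server-executable extension such as .php?". Nothing on the path from the
// source to the sink constrains the name, so that constraint is satisfiable
// (e.g. name = "shell.php") and the script is flagged.
function handle_upload_unrestricted(string $uploadDir): ?string
{
    if (!isset($_FILES['f']) || $_FILES['f']['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    $dest = $uploadDir . '/' . $_FILES['f']['name'];   // attacker chooses this
    return move_uploaded_file($_FILES['f']['tmp_name'], $dest) ? $dest : null;
}

// HARDENED: the basename is generated by the server and the extension comes
// from an allow-list keyed on the sniffed MIME type, never from the client-
// supplied name. For the checker, "destination ends in a script extension" is
// now unsatisfiable: the extension can only be one of the allow-listed values.
function handle_upload_hardened(string $uploadDir): ?string
{
    if (!isset($_FILES['f']) || $_FILES['f']['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    $tmp = $_FILES['f']['tmp_name'];
    if (!is_uploaded_file($tmp)) {      // refuse anything not from this request
        return null;
    }
    $allowed = [                        // allow-list: sniffed MIME -> extension
        'image/png'  => 'png',
        'image/jpeg' => 'jpg',
        'image/gif'  => 'gif',
    ];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if ($mime === false || !isset($allowed[$mime])) {
        return null;
    }
    // Server-generated basename: no attacker-controlled bytes reach the path,
    // which also rules out traversal ("../") and double-extension tricks.
    $dest = $uploadDir . '/' . bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    return move_uploaded_file($tmp, $dest) ? $dest : null;
}
```

The hardened handler still leaves the uploaded bytes in a directory the web server may serve; as defence in depth, practitioners also store uploads outside the document root or configure the server so that nothing in the upload directory is executed as a script. Note that checking only the client-supplied extension (for example with `pathinfo($name, PATHINFO_EXTENSION)` against a deny-list) leaves the constraint satisfiable through variants such as `.phtml` or `.phar`, which is exactly the kind of gap a symbolic checker is meant to expose.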
Field | Value |
---|---|
Original language | English |
Title of host publication | 2019 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN) |
Publisher | IEEE |
Pages | 581-592 |
Number of pages | 12 |
ISBN (Electronic) | 978-1-7281-0057-9, 978-1-7281-0056-2 |
ISBN (Print) | 978-1-7281-0058-6 |
DOIs | |
State | Published - Aug 22 2019 |
Event | 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019 - Portland, United States. Duration: Jun 24 2019 → Jun 27 2019 |
Conference
Field | Value |
---|---|
Conference | 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019 |
Country/Territory | United States |
City | Portland |
Period | 6/24/19 → 6/27/19 |
ASJC Scopus Subject Areas
- Computer Networks and Communications
- Safety, Risk, Reliability and Quality
- Hardware and Architecture
Keywords
- detection
- program analysis
- symbolic execution
- vulnerability
- web security
- Servers
- Arrays
- Syntactics
- Semantics
- Indexes
- Analytical models
- Web Application
Disciplines
- Computer Sciences
- Engineering