Automatically fixing security vulnerabilities in Java code

Aharon Abadi; Ran Ettinger; Yishai A. Feldman; Mati Shomrat

doi:10.1145/2048147.2048149

Automatically fixing security vulnerabilities in Java code

Aharon Abadi, Ran Ettinger, Yishai A. Feldman, Mati Shomrat

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

3 Scopus citations

Abstract

Most kinds of security vulnerabilities in web applications can be fixed by adding appropriate sanitization methods. Finding the correct place for the sanitizers can be difficult due to complicated data and control flow. Fixing SQL injection vulnerabilities may require more complex transformations, such as replacing uses of Statement by PreparedStatement, which could include some code motion. We have developed algorithms to place sanitizers correctly, as well as to transform Statement to PreparedStatement. These have been implemented as "quick fixes" in an Eclipse plugin that works together with a commercial tool that discovers security vulnerabilities in web applications.

Original language	English
Title of host publication	SPLASH'11 Compilation - Proceedings of OOPSLA'11, Onward! 2011, GPCE'11, DLS'11, and SPLASH'11 Companion
Pages	3-4
Number of pages	2
DOIs	https://doi.org/10.1145/2048147.2048149
State	Published - 22 Nov 2011
Externally published	Yes
Event	ACM International Conference on Systems, Programming, Languages, and Applications: Software for Humanity, SPLASH'11 - Portland, OR, United States Duration: 22 Oct 2011 → 27 Oct 2011

Publication series

Name	SPLASH'11 Compilation - Proceedings of OOPSLA'11, Onward! 2011, GPCE'11, DLS'11, and SPLASH'11 Companion

Conference

Conference	ACM International Conference on Systems, Programming, Languages, and Applications: Software for Humanity, SPLASH'11
Country/Territory	United States
City	Portland, OR
Period	22/10/11 → 27/10/11

Keywords

Quick fix
Security

ASJC Scopus subject areas

Computer Science Applications
Software

Access to Document

10.1145/2048147.2048149

Cite this

Abadi, A., Ettinger, R., Feldman, Y. A., & Shomrat, M. (2011). Automatically fixing security vulnerabilities in Java code. In SPLASH'11 Compilation - Proceedings of OOPSLA'11, Onward! 2011, GPCE'11, DLS'11, and SPLASH'11 Companion (pp. 3-4). (SPLASH'11 Compilation - Proceedings of OOPSLA'11, Onward! 2011, GPCE'11, DLS'11, and SPLASH'11 Companion). https://doi.org/10.1145/2048147.2048149

@inproceedings{d2f55b756671456b88a58d2dda8f9e00,

title = "Automatically fixing security vulnerabilities in Java code",

abstract = "Most kinds of security vulnerabilities in web applications can be fixed by adding appropriate sanitization methods. Finding the correct place for the sanitizers can be difficult due to complicated data and control flow. Fixing SQL injection vulnerabilities may require more complex transformations, such as replacing uses of Statement by PreparedStatement, which could include some code motion. We have developed algorithms to place sanitizers correctly, as well as to transform Statement to PreparedStatement. These have been implemented as {"}quick fixes{"} in an Eclipse plugin that works together with a commercial tool that discovers security vulnerabilities in web applications.",

keywords = "Quick fix, Security",

author = "Aharon Abadi and Ran Ettinger and Feldman, {Yishai A.} and Mati Shomrat",

year = "2011",

month = nov,

day = "22",

doi = "10.1145/2048147.2048149",

language = "English",

isbn = "9781450309424",

series = "SPLASH'11 Compilation - Proceedings of OOPSLA'11, Onward! 2011, GPCE'11, DLS'11, and SPLASH'11 Companion",

pages = "3--4",

booktitle = "SPLASH'11 Compilation - Proceedings of OOPSLA'11, Onward! 2011, GPCE'11, DLS'11, and SPLASH'11 Companion",

note = "ACM International Conference on Systems, Programming, Languages, and Applications: Software for Humanity, SPLASH'11 ; Conference date: 22-10-2011 Through 27-10-2011",

}

Abadi, A, Ettinger, R, Feldman, YA & Shomrat, M 2011, Automatically fixing security vulnerabilities in Java code. in SPLASH'11 Compilation - Proceedings of OOPSLA'11, Onward! 2011, GPCE'11, DLS'11, and SPLASH'11 Companion. SPLASH'11 Compilation - Proceedings of OOPSLA'11, Onward! 2011, GPCE'11, DLS'11, and SPLASH'11 Companion, pp. 3-4, ACM International Conference on Systems, Programming, Languages, and Applications: Software for Humanity, SPLASH'11, Portland, OR, United States, 22/10/11. https://doi.org/10.1145/2048147.2048149

Automatically fixing security vulnerabilities in Java code. / Abadi, Aharon; Ettinger, Ran; Feldman, Yishai A. et al.
SPLASH'11 Compilation - Proceedings of OOPSLA'11, Onward! 2011, GPCE'11, DLS'11, and SPLASH'11 Companion. 2011. p. 3-4 (SPLASH'11 Compilation - Proceedings of OOPSLA'11, Onward! 2011, GPCE'11, DLS'11, and SPLASH'11 Companion).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Automatically fixing security vulnerabilities in Java code

AU - Abadi, Aharon

AU - Ettinger, Ran

AU - Feldman, Yishai A.

AU - Shomrat, Mati

PY - 2011/11/22

Y1 - 2011/11/22

N2 - Most kinds of security vulnerabilities in web applications can be fixed by adding appropriate sanitization methods. Finding the correct place for the sanitizers can be difficult due to complicated data and control flow. Fixing SQL injection vulnerabilities may require more complex transformations, such as replacing uses of Statement by PreparedStatement, which could include some code motion. We have developed algorithms to place sanitizers correctly, as well as to transform Statement to PreparedStatement. These have been implemented as "quick fixes" in an Eclipse plugin that works together with a commercial tool that discovers security vulnerabilities in web applications.

AB - Most kinds of security vulnerabilities in web applications can be fixed by adding appropriate sanitization methods. Finding the correct place for the sanitizers can be difficult due to complicated data and control flow. Fixing SQL injection vulnerabilities may require more complex transformations, such as replacing uses of Statement by PreparedStatement, which could include some code motion. We have developed algorithms to place sanitizers correctly, as well as to transform Statement to PreparedStatement. These have been implemented as "quick fixes" in an Eclipse plugin that works together with a commercial tool that discovers security vulnerabilities in web applications.

KW - Quick fix

KW - Security

UR - http://www.scopus.com/inward/record.url?scp=81355139731&partnerID=8YFLogxK

U2 - 10.1145/2048147.2048149

DO - 10.1145/2048147.2048149

M3 - Conference contribution

AN - SCOPUS:81355139731

SN - 9781450309424

T3 - SPLASH'11 Compilation - Proceedings of OOPSLA'11, Onward! 2011, GPCE'11, DLS'11, and SPLASH'11 Companion

SP - 3

EP - 4

BT - SPLASH'11 Compilation - Proceedings of OOPSLA'11, Onward! 2011, GPCE'11, DLS'11, and SPLASH'11 Companion

T2 - ACM International Conference on Systems, Programming, Languages, and Applications: Software for Humanity, SPLASH'11

Y2 - 22 October 2011 through 27 October 2011

ER -

Automatically fixing security vulnerabilities in Java code

Abstract

Publication series

Conference

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this