買這商品的人也買了...
-
Hacking Exposed 7: Network Security Secrets & Solutions, 7/e (Paperback)$2,290$2,176 -
Android Apps Security (Paperback)$1,760$1,672
相關主題
商品描述
This book discusses automated string-analysis techniques, focusing particularly on automata-based static string analysis. It covers the following topics: automata-bases string analysis, computing pre and post-conditions of basic string operations using automata, symbolic representation of automata, forward and backward string analysis using symbolic automata representation, constraint-based string analysis, string constraint solvers, relational string analysis, vulnerability detection using string analysis, string abstractions, differential string analysis, and automated sanitization synthesis using string analysis.
String manipulation is a crucial part of modern software systems; for example, it is used extensively in input validation and sanitization and in dynamic code and query generation. The goal of string-analysis techniques and this book is to determine the set of values that string expressions can take during program execution. String analysis can be used to solve many problems in modern software systems that relate to string manipulation, such as: (1) Identifying security vulnerabilities by checking if a security sensitive function can receive an input string that contains an exploit; (2) Identifying possible behaviors of a program by identifying possible values for dynamically generated code; (3) Identifying html generation errors by computing the html code generated by web applications; (4) Identifying the set of queries that are sent to back-end database by analyzing the code that generates the SQL queries; (5) Patching input validation and sanitization functions by automatically synthesizing repairs illustrated in this book.
Like many other program-analysis problems, it is not possible to solve the string analysis problem precisely (i.e., it is not possible to precisely determine the set of string values that can reach a program point). However, one can compute over- or under-approximations of possible string values. If the approximations are precise enough, they can enable developers to demonstrate existence or absence of bugs in string manipulating code. String analysis has been an active research area in the last decade, resulting in a wide variety of string-analysis techniques.
This book will primarily target researchers and professionals working in computer security, software verification, formal methods, software engineering and program analysis. Advanced level students or instructors teaching or studying courses in computer security, software verification or program analysis will find this book useful as a secondary text.
商品描述(中文翻譯)
這本書討論自動化字串分析技術,特別專注於基於自動機的靜態字串分析。內容涵蓋以下主題:基於自動機的字串分析、使用自動機計算基本字串操作的前置和後置條件、自動機的符號表示、使用符號自動機表示的前向和後向字串分析、基於約束的字串分析、字串約束求解器、關聯字串分析、使用字串分析進行漏洞檢測、字串抽象、差異字串分析,以及使用字串分析進行自動化清理合成。
字串操作是現代軟體系統中至關重要的一部分;例如,它在輸入驗證和清理以及動態代碼和查詢生成中被廣泛使用。字串分析技術及本書的目標是確定字串表達式在程式執行期間可以取的值集。字串分析可以用來解決許多與字串操作相關的現代軟體系統問題,例如:(1) 通過檢查安全敏感函數是否可以接收包含漏洞的輸入字串來識別安全漏洞;(2) 通過識別動態生成代碼的可能值來識別程式的可能行為;(3) 通過計算網頁應用程式生成的 HTML 代碼來識別 HTML 生成錯誤;(4) 通過分析生成 SQL 查詢的代碼來識別發送到後端資料庫的查詢集;(5) 通過自動合成本書中所示的修補來修補輸入驗證和清理函數。
與許多其他程式分析問題一樣,無法精確解決字串分析問題(即,無法精確確定可以到達程式點的字串值集)。然而,可以計算可能字串值的上界或下界近似值。如果這些近似值足夠精確,則可以幫助開發人員證明字串操作代碼中是否存在錯誤。字串分析在過去十年中一直是活躍的研究領域,產生了各種各樣的字串分析技術。
本書主要針對從事計算機安全、軟體驗證、形式方法、軟體工程和程式分析的研究人員和專業人士。高級學生或教授計算機安全、軟體驗證或程式分析課程的教師將會發現本書作為輔助教材非常有用。
