Write a Blog >>
ICSE 2020
Wed 24 June - Thu 16 July 2020
Sat 11 Jul 2020 16:08 - 16:20 at Baekje - A28-Android and Web Testing Chair(s): Reyhaneh Jabbarvand

Code injection attacks, like the one used in the high-profile 2017 Equifax breach, have become increasingly common, now ranking #1 on OWASP’s list of critical web application vulnerabilities. Static analyses for detecting these vulnerabilities can overwhelm developers with false positive reports. Meanwhile, most dynamic analyses rely on detecting vulnerabilities as they occur in the field, which can introduce a high performance overhead in production code. This paper describes a new approach for detecting injection vulnerabilities in applications by harnessing the combined power of both human developers test suites and automated dynamic analysis. Our new approach, RIVULET, monitors the execution of developer-written functional tests in order to detect information flows that may be vulnerable to attack. Then, RIVULET uses a white-box test generation technique to repurpose those functional tests to check if any vulnerable flow could be exploited. When applied to the version of Apache Struts exploited in the 2017 Equifax attack, RIVULET quickly identifies the vulnerability, leveraging only the tests that existed in Struts at that time. We compared RIVULET to the state-of-the-art static vulnerability detector Julia on benchmarks, finding that RIVULET outperformed Julia in both false positives and false negatives. We also use RIVULET to detect previously unknown vulnerabilities.

Sat 11 Jul

Displayed time zone: (UTC) Coordinated Universal Time change

16:05 - 17:05
A28-Android and Web TestingTechnical Papers / Demonstrations at Baekje
Chair(s): Reyhaneh Jabbarvand University of Illinois Urbana-Champaign
16:05
3m
Talk
AppTestMigrator: A Tool for Automated Test Migration for Android AppsDemo
Demonstrations
Farnaz Behrang Georgia Tech, Alessandro Orso Georgia Tech
16:08
12m
Talk
Revealing Injection Vulnerabilities by Leveraging Existing TestsArtifact ReusableTechnicalArtifact Available
Technical Papers
Katherine Hough George Mason University, Gebrehiwet Biyane Welearegai University of Potsdam, Germany, Christian Hammer University of Potsdam, A: Jonathan Bell Northeastern University
16:20
12m
Talk
Accessibility Issues in Android Apps: State of Affairs, Sentiments, and Ways ForwardTechnical
Technical Papers
Abdulaziz Alshayban University of California, Irvine, Iftekhar Ahmed University of California at Irvine, USA, Sam Malek University of California, Irvine
16:32
3m
Talk
WasmView: Visual Testing for WebAssembly ApplicationsDemo
Demonstrations
Alan Romano University at Buffalo, SUNY, Weihang Wang University at Buffalo, SUNY
16:35
12m
Talk
Extracting Taint Specifications for JavaScript LibrariesTechnical
Technical Papers
Cristian-Alexandru Staicu TU Darmstadt, Martin Toldam Torp Aarhus University, Max Schaefer GitHub, Inc., Anders Møller Aarhus University, Michael Pradel University of Stuttgart
Pre-print Media Attached
16:47
12m
Talk
Finding Client-side Business Flow Tampering VulnerabilitiesTechnical
Technical Papers
I Luk Kim Purdue University, Yunhui Zheng IBM Research, Hogun Park Purdue University, Weihang Wang University at Buffalo, SUNY, Wei You Renmin University of China, Yousra Aafer Purdue University, Xiangyu Zhang Purdue University