Automatic Discovery of API-Level Vulnerabilities
| dc.contributor.author | Ganapathy, Vinod | en_US |
| dc.contributor.author | Seshia, Sanjit A. | en_US |
| dc.contributor.author | Jha, Somesh | en_US |
| dc.contributor.author | Reps, Thomas W. | en_US |
| dc.contributor.author | Bryant, Randal E. | en_US |
| dc.date.accessioned | 2012-03-15T17:18:31Z | |
| dc.date.available | 2012-03-15T17:18:31Z | |
| dc.date.created | 2004 | en_US |
| dc.date.issued | 2004 | en_US |
| dc.description.abstract | A system is vulnerable to an API-level attack if its security can be compromised by invoking an allowed sequence of operations from its API. We present a formal framework to model and analyze APIs, and develop an automatic technique based upon bounded model checking to discover API-level vulnerabilities. If a vulnerability exists, our technique produces a trace of API operations demonstrating an attack. Two case studies show the efficacy of our technique. In the first study we present a novel way to analyze printf-family format-string attacks as API-level attacks, and implement a tool to discover them automatically. In the second study, we model a subset of the IBM Common Cryptographic Architecture API, a popular cryptographic key-management API, and automatically detect a previously known vulnerability. | en_US |
| dc.format.mimetype | application/pdf | en_US |
| dc.identifier.citation | TR1512 | en_US |
| dc.identifier.uri | http://digital.library.wisc.edu/1793/60412 | |
| dc.publisher | University of Wisconsin-Madison Department of Computer Sciences | en_US |
| dc.title | Automatic Discovery of API-Level Vulnerabilities | en_US |
| dc.type | Technical Report | en_US |