Systems and Means of Informatics
2016, Volume 26, Issue 2, pp 43-62
LEXICAL ANALYSIS OF DYNAMICALLY GENERATED STRING EXPRESSIONS
- M. I. Polubelova
- S. V. Grigorev
Abstract
There is a class of applications that embed one language in another as strings. In this approach, a host program generates string representations of clauses in some external language, which are then passed to a dedicated runtime component for analysis and execution. Although it provides better expressiveness and flexibility, this technique makes the behavior of the system less predictable, complicates maintenance, and is a source of vulnerabilities such as SQL injection and cross-site scripting. Static analysis of strings is intended to minimize the drawbacks of the approach by checking the well-formedness of the set of all dynamically generated clauses at compile time. Lexical analysis, or tokenization, is an important step of static analysis. The paper presents an automated approach to constructing lexical analyzers that simplifies the implementation of static analyzers of dynamically generated code.
About this article
Cover Date
2016-05-30
DOI
10.14357/08696527160203
Print ISSN
0869-6527
Publisher
Institute of Informatics Problems, Russian Academy of Sciences
Key words
string analysis; lexing; string-embedded language; lexer generator
Authors
M. I. Polubelova and S. V. Grigorev
Author Affiliations
Saint Petersburg State University, 7/9 Universitetskaya Nab., St. Petersburg 199034, Russian Federation