Static command-injection-attack detection based on abstract
by Kyung-Goo Doh, Hyunha Kim, and David A. Schmidt
Abstract: We formulate a static analysis that validates when a document-generating script generates only syntactically well-formed documents that are protected from command-injection attacks. The analysis is based upon abstract parsing, a technique that combines LR-parsing, data-flow analysis, semantic-attribute processing and partial evaluation. We develop new techniques for higher-order LALR-parse states, semantic-attributes processing, and string transducers, to implement the analysis.