Report 2012-1
Static command-injection-attack detection based on abstract
parsing
by Kyung-Goo Doh, Hyunha Kim, and David A. Schmidt
Abstract:
We formulate a static analysis that validates when a document-generating script
generates only syntactically well-formed documents that are protected from command-injection
attacks. The analysis is based upon abstract parsing, a technique that combines LR-parsing,
data-flow analysis, semantic-attribute processing and partial evaluation. We develop new techniques
for higher-order LALR-parse states, semantic-attributes processing, and string transducers,
to implement the analysis.