research-article

Z3-str: a z3-based string solver for web application analysis

Authors:

Vijay GaneshAuthors Info & Claims

ESEC/FSE 2013: Proceedings of the 2013 9th Joint Meeting on Foundations of Software Engineering

Pages 114 - 124

https://doi.org/10.1145/2491411.2491456

Published: 18 August 2013 Publication History

Abstract

Analyzing web applications requires reasoning about strings and non-strings cohesively. Existing string solvers either ignore non-string program behavior or support limited set of string operations. In this paper, we develop a general purpose string solver, called Z3-str, as an extension of the Z3 SMT solver through its plug-in interface. Z3-str treats strings as a primitive type, thus avoiding the inherent limitations observed in many existing solvers that encode strings in terms of other primitives. The logic of the plug-in has three sorts, namely, bool, int and string. The string-sorted terms include string constants and variables of arbitrary length, with functions such as concatenation, sub-string, and replace. The int-sorted terms are standard, with the exception of the length function over string terms. The atomic formulas are equations over string terms, and (in)-equalities over integer terms. Not only does our solver have features that enable whole program symbolic, static and dynamic analysis, but also it performs better than other solvers in our experiments. The application of Z3-str in remote code execution detection shows that its support of a wide spectrum of string operations is key to reducing false positives.

References

[1]

M. Alkhalaf, S. Choudhary, M. Fazzini, T. Bultan, A. Orso and C. Kruegel. ViewPoints: Differential String Analysis for Discovering Client- and Server-Side Input Validation Inconsistencies. In ISSTA’12.

Digital Library

[2]

S. Artzi, A. Kiezun, J. Dolby, F. Tip, D. Dig, A. Paradkar and M. Ernst. Finding Bugs in Web Applications Using Dynamic Test Generation and Explicit-State Model Checking. In TSE, vol.36, no.4, pp.474-494, 2010.

Digital Library

[3]

F. Baader and T. Nipkow. Term rewriting and all that. Cambridge University Press, 1998.

Digital Library

[4]

P. Bisht, T. Hinrichs, N. Skrupsky, R. Bobrowicz and V. Venkatakrishnan. NoTamper: automatic blackbox detection of parameter tampering opportunities in web applications. In CCS’10

Digital Library

[5]

N. Bjørner. Integrating decision procedures for temporal verification. Ph.D. thesis, Stanford University, 1999

[6]

N. Bjørner, V. Ganesh, R. Michel and M. Veanes. An SMT-LIB Format for Sequences and Regular Expressions. In SMT workshop 2012.

[7]

N. Bjørner, N. Tillmann and A. Voronkov. Path Feasibility Analysis for String-Manipulating Programs. In TACAS’09.

[8]

A. Christensen, A. Møller, and M. Schwartzbach. Precise analysis of string expressions. In SAS’03.

Digital Library

[9]

V. Ganesh and D. L. Dill. A decision procedure for bit-vectors and arrays. In CAV’07.

Digital Library

[10]

V. Ganesh, M. Minnes, A. Solar-Lezama and M. Rinard. Word equations with length constraints: what’s decidable? In HVC’12.

[11]

C. Gutiérrez. Solving Equations in Strings: On Makanin’s Algorithm. In LATIN’98

[12]

P. Hooimeijer and W. Weimer. A decision procedure for subset constraints over regular languages. In PLDI’09.

Digital Library

[13]

P. Hooimeijer and W. Weimer. Solving string constraints lazily. In ASE’10.

Digital Library

[14]

J. Jaffar. Minimal and complete word unification. In Journal of the ACM 37(1), 47-85, 1990.

Digital Library

[15]

Y. Khmelevskii. Equation in free semigroups. In Trudy Math. Inst. Steklov. 107 (1971); English Transl., Proc. Steklov Inst. Math. 107 (1971).

[16]

A. Kiezun, V. Ganesh, P. Guo, P. Hooimeijer and M. Ernst. HAMPI: a solver for string constraints. In ISSTA’09.

Digital Library

[17]

G. Makanin. The problem of solvability of equations in a free semigroup. In Mathematics of the USSR-Sbornik, 1977, 32, 129.

[18]

L. Moura and N. Bjørner. Z3: An Eﬃcient SMT Solver. In TACAS’08.

[19]

W. Plandowski. An eﬃcient algorithm for solving word equations. In STOC’06.

Digital Library

[20]

G. Redelinghuys, W. Visser and J. Geldenhuys. Symbolic execution of programs with strings. In SAICSIT’12.

Digital Library

[21]

P. Saxena, D. Akhawe, S. Hanna, F. Mao, S. McCamant and D. Song. A Symbolic Execution Framework for JavaScript. In SP’10.

Digital Library

[22]

K. Schulz. Word unification and transformation of generalized equations. In J. Autom. Reason. 11(2):149-184, 1993.

Digital Library

[23]

D. Shannon, I. Ghosh, S. Rajan and S. Khurshid. Eﬃcient symbolic execution of strings for validating web applications In DEFECTS’09.

Digital Library

[24]

F. Sun, L. Xu and Z. Su. Static detection of access control vulnerabilities in web applications. In USENIX Security’11.

Digital Library

[25]

T. Tateishi, M. Pistoia and O. Tripp. Path- and indexsensitive string analysis based on monadic second-order logic. In ISSTA’11.

Digital Library

[26]

M. Veanes, P. Halleux and N. Tillmann. Rex: Symbolic Regular Expression Explorer. In ICST’10.

Digital Library

[27]

M. Veanes, N. Bjørner and L. Moura. Symbolic automata constraint solving. In LPAR-17.

Digital Library

[28]

M. Veanes and N. Bjørner. Symbolic Automata: The Toolkit. In TACAS’12.

Digital Library

[29]

F. Yu, T. Bultan and O. Ibarra. Symbolic String Verification: Combining String Analysis and Size Analysis In TACAS’09.

Digital Library

[30]

F. Yu, M. Alkhalaf and T. Bultan. Stranger: An Automata-based String Analysis Tool for PHP. In TACAS’10.

Digital Library

[31]

Y. Zheng and X. Zhang. Static Detection of Resource Contention Problems in Server-Side Scripts. In ICSE’12.

Digital Library

[32]

Y. Zheng and X. Zhang. Path Sensitive Static Analysis of Web Applications for Remote Code Execution Vulnerability Detection. In ICSE’13.

Digital Library

Cited By

Stjerna ARümmer P(2024)A Constraint Solving Approach to Parikh Images of Regular LanguagesProceedings of the ACM on Programming Languages10.1145/36498558:OOPSLA1(1235-1263)Online publication date: 29-Apr-2024
https://dl.acm.org/doi/10.1145/3649855
Miltenberger MArzt S(2024)Precisely Extracting Complex Variable Values from Android AppsACM Transactions on Software Engineering and Methodology10.1145/364959133:5(1-56)Online publication date: 4-Jun-2024
https://dl.acm.org/doi/10.1145/3649591
Wu HChen YWu ZXia BZhan N(2024)A decision procedure for string constraints with string/integer conversion and flat regular constraintsActa Informatica10.1007/s00236-023-00446-461:1(23-52)Online publication date: 1-Mar-2024
https://dl.acm.org/doi/10.1007/s00236-023-00446-4
Show More Cited By

Index Terms

Z3-str: a z3-based string solver for web application analysis

Recommendations

S3: A Symbolic String Solver for Vulnerability Detection in Web Applications
CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security

Motivated by the vulnerability analysis of web programs which work on string inputs, we present S3, a new symbolic string solver. Our solver employs a new algorithm for a constraint language that is expressive enough for widespread applicability. ...
Z3str2: an efficient solver for strings, regular expressions, and length constraints

In recent years, string solvers have become an essential component in many formal verification, security analysis, and bug-finding tools. Such solvers typically support a theory of string equations, the length function, and the regular-expression ...
Z3-Noodler: An Automata-based String Solver
Tools and Algorithms for the Construction and Analysis of Systems
Abstract
Z3-Noodler is a fork of Z3 that replaces its string theory solver with a custom solver implementing the recently introduced stabilization-based algorithm for solving word equations with regular constraints. An extensive experimental evaluation ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

ESEC/FSE 2013: Proceedings of the 2013 9th Joint Meeting on Foundations of Software Engineering

August 2013

738 pages

ISBN:9781450322379

DOI:10.1145/2491411

General Chair:
Bertrand Meyer
ETH Zurich, Switzerland
,
Program Chairs:
Luciano Baresi
Politecnico di Milano, Italy
,
Mira Mezini
TU Darmstadt, Germany

Copyright © 2013 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSOFT: ACM Special Interest Group on Software Engineering

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 18 August 2013

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

ESEC/FSE'13

Sponsor:

SIGSOFT

ESEC/FSE'13: Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering

August 18 - 26, 2013

Saint Petersburg, Russia

Acceptance Rates

Overall Acceptance Rate 112 of 543 submissions, 21%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

150
Total Citations
View Citations
857
Total Downloads

Downloads (Last 12 months)71
Downloads (Last 6 weeks)12

Reflects downloads up to 22 Sep 2024

Other Metrics

View Author Metrics

Citations

Cited By

Stjerna ARümmer P(2024)A Constraint Solving Approach to Parikh Images of Regular LanguagesProceedings of the ACM on Programming Languages10.1145/36498558:OOPSLA1(1235-1263)Online publication date: 29-Apr-2024
https://dl.acm.org/doi/10.1145/3649855
Miltenberger MArzt S(2024)Precisely Extracting Complex Variable Values from Android AppsACM Transactions on Software Engineering and Methodology10.1145/364959133:5(1-56)Online publication date: 4-Jun-2024
https://dl.acm.org/doi/10.1145/3649591
Wu HChen YWu ZXia BZhan N(2024)A decision procedure for string constraints with string/integer conversion and flat regular constraintsActa Informatica10.1007/s00236-023-00446-461:1(23-52)Online publication date: 1-Mar-2024
https://dl.acm.org/doi/10.1007/s00236-023-00446-4
Negrini LArceri VCortesi AFerrara P(2024) Tarsis : An effective automata‐based abstract domain for string analysis Journal of Software: Evolution and Process10.1002/smr.2647Online publication date: 14-Feb-2024
https://doi.org/10.1002/smr.2647
Chen YChocholatý DHavlena VHolík LLengál OSíč J(2023)Solving String Constraints with Lengths by StabilizationProceedings of the ACM on Programming Languages10.1145/36228727:OOPSLA2(2112-2141)Online publication date: 16-Oct-2023
https://dl.acm.org/doi/10.1145/3622872
Sun CFu AJia JLi MHan J(2023)Improving Conformance of Web Services: A Constraint-based Model-driven ApproachACM Transactions on the Web10.1145/358051517:2(1-36)Online publication date: 27-Mar-2023
https://dl.acm.org/doi/10.1145/3580515
Eriksson BStjerna ADe Masellis RRüemmer PSabelfeld AMeng WJensen CCremers CKirda E(2023)Black Ostrich: Web Application Scanning with String SolversProceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security10.1145/3576915.3616582(549-563)Online publication date: 15-Nov-2023
https://dl.acm.org/doi/10.1145/3576915.3616582
Dong ZWang ZYi CXu XZhang JLi JChen H(2023)Database Deadlock Diagnosis for Large-Scale ORM-Based Web Applications2023 IEEE 39th International Conference on Data Engineering (ICDE)10.1109/ICDE55515.2023.00219(2864-2877)Online publication date: Apr-2023
https://doi.org/10.1109/ICDE55515.2023.00219
Hu DWu Z(2023)String Constraints with Regex-Counting and String-Length Solved More EfficientlyDependable Software Engineering. Theories, Tools, and Applications10.1007/978-981-99-8664-4_1(1-20)Online publication date: 27-Nov-2023
https://dl.acm.org/doi/10.1007/978-981-99-8664-4_1
Blahoudek FChen YChocholatý DHavlena VHolík LLengál OSíč J(2023)Word Equations in Synergy with Regular ConstraintsFormal Methods10.1007/978-3-031-27481-7_23(403-423)Online publication date: 3-Mar-2023
https://doi.org/10.1007/978-3-031-27481-7_23
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents