About: Improper input validation is a research topic. Over its lifetime, 19 publications have been published within this topic, receiving 153 citations. The topic is also known as: Improper Input Validation.
TL;DR: A translation-based, description-embodied knowledge representation learning method to embed both software weaknesses and their relations in the knowledge graph into a semantic vector space, which outperforms other description- and/or structure-based representation learning methods.
Abstract: Common software weaknesses, such as improper input validation and integer overflow, can harm system security directly or indirectly, causing adverse effects such as denial of service and execution of unauthorized code. Common Weakness Enumeration (CWE) maintains a standard list and classification of common software weaknesses. Although CWE contains rich information about software weaknesses, including textual descriptions, common sequences and relations between software weaknesses, the current data representation, i.e., hyperlinked documents, does not support advanced reasoning tasks on software weaknesses, such as prediction of missing relations and common consequences of CWEs. Such reasoning tasks become critical to managing and analyzing large numbers of common software weaknesses and their relations. In this paper, we propose to represent common software weaknesses and their relations as a knowledge graph, and develop a translation-based, description-embodied knowledge representation learning method to embed both software weaknesses and their relations in the knowledge graph into a semantic vector space. The vector representations (i.e., embeddings) of software weaknesses and their relations can be exploited for knowledge acquisition and inference. We conduct extensive experiments to evaluate the performance of software weakness and relation embeddings in three reasoning tasks, including CWE link prediction, CWE triple classification, and common consequence prediction. Our knowledge graph embedding approach outperforms other description- and/or structure-based representation learning methods.
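Added illustration, not the paper's code: a minimal translation-based embedding in the TransE family (h + r ≈ t, scored by L1 distance) trained on a constructed toy graph of CWE triples, with the three reasoning tasks the abstract names (link prediction, triple classification, consequence prediction) expressed as queries against the learned vectors. The triples, relation names (ChildOf, CanPrecede, HasConsequence), consequence labels and hyperparameters are assumptions chosen for readability, not an export of the CWE database, and because this model uses graph structure only and ignores CWE textual descriptions it corresponds to the structure-only baseline the paper compares against rather than to the proposed description-embodied method.

```python
"""Translation-based knowledge-graph embedding (TransE-style) over a toy CWE graph.

Added example; not the paper's code. The triples below are a constructed,
illustrative subset and not a faithful export of the CWE database.
"""
import random

# Constructed toy knowledge graph: (head, relation, tail).  Real CWE IDs are used
# for readability, but the relation set and consequence labels are assumptions.
TRIPLES = [
    ("CWE-20", "ChildOf", "CWE-707"),
    ("CWE-74", "ChildOf", "CWE-707"),
    ("CWE-89", "ChildOf", "CWE-74"),
    ("CWE-79", "ChildOf", "CWE-74"),
    ("CWE-120", "ChildOf", "CWE-119"),
    ("CWE-20", "CanPrecede", "CWE-74"),
    ("CWE-20", "CanPrecede", "CWE-119"),
    ("CWE-190", "CanPrecede", "CWE-119"),
    ("CWE-119", "HasConsequence", "DoS"),
    ("CWE-119", "HasConsequence", "ExecuteCode"),
    ("CWE-190", "HasConsequence", "DoS"),
    ("CWE-89", "HasConsequence", "ReadData"),
]


class TransE:
    """Embed entities and relations so that h + r ~= t; score = L1 distance (lower is better)."""

    def __init__(self, triples, dim=16, margin=1.0, lr=0.02, seed=7):
        self.rng = random.Random(seed)
        self.dim, self.margin, self.lr = dim, margin, lr
        self.triples = list(triples)
        self.entities = sorted({h for h, _, _ in triples} | {t for _, _, t in triples})
        self.relations = sorted({r for _, r, _ in triples})
        self.ent = {e: self._unit(self._rand()) for e in self.entities}
        self.rel = {r: self._unit(self._rand()) for r in self.relations}

    def _rand(self):
        bound = 6 / self.dim ** 0.5
        return [self.rng.uniform(-bound, bound) for _ in range(self.dim)]

    @staticmethod
    def _unit(v):
        n = sum(x * x for x in v) ** 0.5 or 1.0
        return [x / n for x in v]

    def score(self, h, r, t):
        """Translation distance ||h + r - t||_1; 0 means a perfect translation."""
        return sum(abs(a + b - c) for a, b, c in zip(self.ent[h], self.rel[r], self.ent[t]))

    def _corrupt(self, h, r, t):
        """Negative sample: swap head or tail for a random entity, avoiding known facts."""
        while True:
            if self.rng.random() < 0.5:
                cand = (self.rng.choice(self.entities), r, t)
            else:
                cand = (h, r, self.rng.choice(self.entities))
            if cand not in self.triples:
                return cand

    def _step(self, pos, neg):
        """One margin-ranking SGD step: push score(pos) + margin below score(neg)."""
        loss = self.score(*pos) + self.margin - self.score(*neg)
        if loss <= 0:
            return 0.0
        for (h, r, t), sign in ((pos, 1.0), (neg, -1.0)):
            H, R, T = self.ent[h], self.rel[r], self.ent[t]
            for i in range(self.dim):
                g = sign * (1.0 if H[i] + R[i] - T[i] > 0 else -1.0)  # d|x|/dx
                H[i] -= self.lr * g
                R[i] -= self.lr * g
                T[i] += self.lr * g
        for e in {pos[0], pos[2], neg[0], neg[2]}:      # keep entity vectors on the unit sphere
            self.ent[e] = self._unit(self.ent[e])
        return loss

    def train(self, epochs=200):
        for _ in range(epochs):
            self.rng.shuffle(self.triples)
            for h, r, t in self.triples:
                self._step((h, r, t), self._corrupt(h, r, t))
        return self

    def predict_tail(self, h, r, k=3):
        """Link prediction / consequence prediction: rank candidate tails for (h, r, ?)."""
        return sorted(self.entities, key=lambda t: self.score(h, r, t))[:k]

    def classify(self, h, r, t, threshold):
        """Triple classification: a triple is accepted iff its distance is under the threshold."""
        return self.score(h, r, t) < threshold


if __name__ == "__main__":
    model = TransE(TRIPLES).train()
    print("CWE-190 HasConsequence ?", model.predict_tail("CWE-190", "HasConsequence"))
    print("CWE-89 ChildOf CWE-74 :", model.classify("CWE-89", "ChildOf", "CWE-74", 1.0))
```

Consequence prediction is just link prediction with the relation fixed to HasConsequence, which is why one ranking function serves both tasks; the classification threshold would in practice be tuned on held-out triples rather than picked by hand as here.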
TL;DR: The primary focus of the research was to develop a reliable black-box vulnerability scanner for detecting SQLI vulnerability - SQLIVDT (SQL Injection Vulnerability Detection Tool).
Abstract: Web application vulnerabilities allow attackers to perform malicious actions that range from gaining unauthorized account access to obtaining sensitive data. The number of web application vulnerabilities in the last decade has grown constantly. Improper input validation and sanitization are the reasons for most of them. The most important of these vulnerabilities based on improper input validation and sanitization is the SQL injection (SQLI) vulnerability. The primary focus of our research was to develop a reliable black-box vulnerability scanner for detecting SQLI vulnerability - SQLIVDT (SQL Injection Vulnerability Detection Tool). The black-box approach is based on simulation of SQLI attacks against web applications. Thus, the scope of analysis is limited to HTTP responses and HTML pages received from the application server. In order to achieve efficient SQLI vulnerability detection, an efficient algorithm for HTML page similarity detection is used. The proposed tool showed promising results as compared to six well-known web application scanners.
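Added example of the black-box principle the abstract describes, not SQLIVDT itself: the probe only sees HTML responses, so it decides by (a) whether a lone quote makes a database error surface in the page and (b) whether a TRUE clause leaves the page unchanged while a FALSE clause changes it, measured with a page-similarity score. The target application is simulated in-process with sqlite3 (one string-concatenated handler, one parameterised handler) so the example runs offline; the payloads, the similarity threshold, the difflib-based similarity measure standing in for the paper's algorithm, and the error-signature list are all assumptions.

```python
"""Black-box SQL injection probe driven by HTML-response similarity.

Added example, not the SQLIVDT tool. The target web app is simulated
in-process with sqlite3 so the probe runs offline; payloads, thresholds
and error signatures are this example's assumptions, not the paper's.
"""
import difflib
import re
import sqlite3

# Constructed in-memory database standing in for the application's backend.
DB = sqlite3.connect(":memory:")
DB.executescript("""
    CREATE TABLE products (id TEXT PRIMARY KEY, name TEXT);
    INSERT INTO products VALUES ('1', 'widget'), ('2', 'gadget');
""")


def render(rows):
    items = "".join(f"<li>{name}</li>" for (name,) in rows)
    return f"<html><body><h1>Products</h1><ul>{items}</ul></body></html>"


def vulnerable_app(pid):
    """Constructed target: string-concatenated query, error text leaks into HTML."""
    sql = f"SELECT name FROM products WHERE id = '{pid}'"
    try:
        return render(DB.execute(sql).fetchall())
    except sqlite3.Error as exc:
        return f"<html><body><pre>Database error: {exc}</pre></body></html>"


def hardened_app(pid):
    """Same page, parameterised query: the input can only ever be a value."""
    return render(DB.execute("SELECT name FROM products WHERE id = ?", (pid,)).fetchall())


# Database error messages that commonly leak into HTML (assumed, non-exhaustive list).
DB_ERROR_PATTERNS = [
    r"You have an error in your SQL syntax",                          # MySQL
    r"syntax error at or near",                                       # PostgreSQL
    r"Unclosed quotation mark",                                       # SQL Server
    r"ORA-\d{5}",                                                     # Oracle
    r"unrecognized token|incomplete input|near \".*\": syntax error",  # SQLite
]


def looks_like_db_error(html):
    return any(re.search(p, html, re.IGNORECASE) for p in DB_ERROR_PATTERNS)


def page_similarity(a, b):
    """Similarity of two HTML pages in [0, 1] over tag/text tokens.
    A simple stand-in for the paper's page-similarity algorithm, which is not shown."""
    def tokens(s):
        return re.findall(r"<[^>]+>|[^<\s]+", s)
    return difflib.SequenceMatcher(None, tokens(a), tokens(b)).ratio()


def probe(fetch, value, same_threshold=0.9):
    """Report which SQLi techniques fire against fetch(value), judging only the HTML.

    error   : a single quote makes a DB error message appear in the response
    boolean : a TRUE clause leaves the page as-is while a FALSE clause changes it
    """
    baseline = fetch(value)
    findings = {"error": False, "boolean": False}

    if not looks_like_db_error(baseline) and looks_like_db_error(fetch(value + "'")):
        findings["error"] = True

    true_page = fetch(f"{value}' AND '1'='1")
    false_page = fetch(f"{value}' AND '1'='2")
    if (page_similarity(baseline, true_page) >= same_threshold
            and page_similarity(baseline, false_page) < same_threshold):
        findings["boolean"] = True

    findings["vulnerable"] = findings["error"] or findings["boolean"]
    return findings


if __name__ == "__main__":
    print("vulnerable:", probe(vulnerable_app, "1"))
    print("hardened:  ", probe(hardened_app, "1"))
```

The boolean check is what makes the approach usable when the application hides errors: it needs no signature, only that the TRUE and FALSE pages diverge. The threshold matters because pages with dynamic regions (timestamps, session tokens) never compare identical, which is precisely why a scanner needs a similarity measure rather than exact matching.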
TL;DR: This paper investigates the resilience of DNP3 to attacks such as passive network reconnaissance, baseline response replay, rogue interloper, event buffer flooding and TCP veto, and concludes with comments on a new set of improper input validation vulnerabilities.
Abstract: Industrial control systems (ICS) are a critical component in realizing cyber-physical systems (CPS). ICS designed with traditional SCADA platforms have little or no native security, since they were never designed to be operated remotely and over the Internet. Security of these critical systems relies heavily on communication protocols. DNP3 is one of the protocols most widely used by SCADA systems to communicate between the master and slave stations. IEEE 1815-2012 is the current standard for DNP3, with the goal of providing cyber security based on IEC/TS 62351-15. This paper investigates the buoyancy of DNP3 towards attacks such as passive network reconnaissance, baseline response replay, rogue interloper, event buffer flooding and TCP veto. The paper concludes with comments on a new set of improper input validation vulnerabilities.
TL;DR: Incomplete or improper input validation is one of the major sources of security bugs in programs; where traditional approaches focus on detecting string-related buffer overflow vulnerabilities, the authors present an approach, built on the CQual static analysis tool, that automatically detects potential integer misuse such as integer overflows in C programs.
Abstract: Incomplete or improper input validation is one of the major sources of security bugs in programs. While traditional approaches often focus on detecting string related buffer overflow vulnerabilities, we present an approach to automatically detect potential integer misuse, such as integer overflows in C programs. Our tool is based on CQual, a static analysis tool using type theory. Our techniques have been implemented and tested on several widely used open source applications. Using the tool, we found known and unknown integer related vulnerabilities in these applications.
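Added example of the qualifier idea behind such a tool, not CQual and not the authors' implementation: an untrusted integer carries a "tainted" qualifier, a dominating range check adds "bounded", and widening arithmetic on an unbounded tainted value adds "may_overflow". A sink (allocation size, array index, copy length) is reported when it receives a tainted value that is unbounded or may have overflowed. The IR, qualifier names, sink list and the three programs (modelled on C snippets, shown in the comments) are assumptions; the third program shows the integer-specific trap, a bound check performed after the multiplication, which a plain taint analysis would accept.

```python
"""Type-qualifier style detection of unchecked integer input reaching a sink.

Added example: not CQual and not the paper's tool. It propagates three
qualifiers over a tiny straight-line IR that stands in for C statements;
the IR, qualifier names and sink list are assumptions made for illustration.
"""

TAINTED = "tainted"              # value derives from untrusted input
BOUNDED = "bounded"              # a range check dominates this use
MAY_OVERFLOW = "may_overflow"    # arithmetic widened an unbounded tainted value

WIDENING_OPS = {"+", "*", "<<"}  # operations whose result can exceed the operand range


def analyze(program):
    """Walk the IR in order, tracking a qualifier set per variable; return warnings."""
    env = {}
    warnings = []
    for idx, stmt in enumerate(program):
        kind = stmt[0]
        if kind == "input":                  # ("input", var): untrusted integer
            env[stmt[1]] = {TAINTED}
        elif kind == "const":                # ("const", var, value): compile-time constant
            env[stmt[1]] = set()
        elif kind == "binop":                # ("binop", var, op, a, b): var = a op b
            _, var, op, a, b = stmt
            qa, qb = env.get(a, set()), env.get(b, set())
            unchecked = any(TAINTED in q and BOUNDED not in q for q in (qa, qb))
            out = (qa | qb) - {BOUNDED}
            if unchecked and op in WIDENING_OPS:
                out.add(MAY_OVERFLOW)        # e.g. n * sizeof(int) with n unchecked
            elif TAINTED in out and not unchecked and MAY_OVERFLOW not in out:
                out.add(BOUNDED)             # assumption: bounded op constant stays bounded
            env[var] = out
        elif kind == "assume_lt":            # ("assume_lt", var, bound): fall-through of if (var < bound)
            var = stmt[1]
            env[var] = env.get(var, set()) | {BOUNDED}
            # MAY_OVERFLOW is deliberately kept: the comparison ran on the wrapped value
        elif kind == "sink":                 # ("sink", name, var): malloc size, array index, copy length
            _, name, var = stmt
            q = env.get(var, set())
            if MAY_OVERFLOW in q:
                warnings.append(f"stmt {idx}: {name}({var}) may receive an overflowed value")
            elif TAINTED in q and BOUNDED not in q:
                warnings.append(f"stmt {idx}: {name}({var}) receives unchecked input")
        else:
            raise ValueError(f"unknown statement kind {kind!r}")
    return warnings


# Constructed programs mirroring C snippets (the C is shown in the comments).

# C:  n = read_int(); p = malloc(n * sizeof(int)); p[n - 1] = 0;
UNCHECKED = [
    ("input", "n"),
    ("const", "elem", 4),
    ("binop", "size", "*", "n", "elem"),
    ("sink", "malloc", "size"),
    ("const", "one", 1),
    ("binop", "last", "-", "n", "one"),
    ("sink", "index", "last"),
]

# C:  n = read_int(); if (n >= MAX) abort(); p = malloc(n * sizeof(int)); p[n - 1] = 0;
CHECKED_FIRST = [
    ("input", "n"),
    ("assume_lt", "n", "MAX"),
    ("const", "elem", 4),
    ("binop", "size", "*", "n", "elem"),
    ("sink", "malloc", "size"),
    ("const", "one", 1),
    ("binop", "last", "-", "n", "one"),
    ("sink", "index", "last"),
]

# C:  n = read_int(); size = n * sizeof(int); if (size >= MAX) abort(); p = malloc(size);
CHECKED_AFTER_MULTIPLY = [
    ("input", "n"),
    ("const", "elem", 4),
    ("binop", "size", "*", "n", "elem"),
    ("assume_lt", "size", "MAX"),
    ("sink", "malloc", "size"),
]


if __name__ == "__main__":
    for name, prog in [("unchecked", UNCHECKED), ("checked first", CHECKED_FIRST),
                       ("checked after multiply", CHECKED_AFTER_MULTIPLY)]:
        print(name, "->", analyze(prog) or ["clean"])
```

CQual itself infers qualifiers flow-insensitively by solving subtyping constraints over the whole program rather than walking statements in order as this toy does; what the two share is the key design choice that a bound check is a qualifier change on the checked variable only, so a check on the product of a multiplication does not retroactively make the multiplication safe.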