dc.contributor.author | Near, Joseph Paul | |
dc.contributor.author | Jackson, Daniel | |
dc.date.accessioned | 2015-12-18T15:59:27Z | |
dc.date.available | 2015-12-18T15:59:27Z | |
dc.date.issued | 2014-09 | |
dc.identifier.isbn | 9781450330138 | |
dc.identifier.uri | http://hdl.handle.net/1721.1/100435 | |
dc.description.abstract | Derailer is an interactive tool for finding security bugs in web applications. Using symbolic execution, it enumerates the ways in which application data might be exposed. The user is asked to examine these exposures and classify the conditions under which they occur as security-related or not; in so doing, the user effectively constructs a specification of the application's security policy. The tool then highlights exposures missing security checks, which tend to be security bugs.
We have tested Derailer's scalability on several large open-source Ruby on Rails applications. We have also applied it to a large number of student projects (designed with different security policies in mind), exposing a variety of security bugs that eluded human reviewers. | en_US |
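The abstract describes a three-step workflow: enumerate the paths along which data reaches a response together with the conditions on each path, let the user classify those conditions as security checks or not, then flag exposures whose path carries no security check. The Ruby script below is an added illustration of that workflow and is not Derailer's code or taken from the paper; the Run/explorer classes, the toy Rails-style actions, the condition labels and the policy list are all constructed for the example, and a brute-force path enumeration stands in for the symbolic execution the tool actually uses.

```ruby
# Added illustration of the abstract's workflow, not Derailer's own code.
# Everything here (the Run/explorer classes, the toy actions, the policy) is
# constructed for the example.

# One execution path through an action: the sequence of
# [condition label, truth value] decisions taken and the data exposed on it.
class Run
  attr_reader :trace, :exposed

  def initialize(forced)
    @forced  = forced   # decisions to replay for the first branches met
    @trace   = []
    @exposed = []
  end

  # Decide a branch: replay a forced decision if one exists, otherwise
  # default to true so the explorer can schedule the flipped branch later.
  def branch(label)
    value = @trace.size < @forced.size ? @forced[@trace.size] : true
    @trace << [label, value]
    value
  end

  # Record that `data` reaches the response on this path.
  def expose(data)
    @exposed << data
  end
end

Exposure = Struct.new(:action, :data, :conditions)

# Enumerate every decision path of an action by re-running it with each
# defaulted decision flipped in turn. This is a brute-force stand-in for
# the symbolic execution the paper uses; it treats every branch as feasible.
def enumerate_exposures(name, &action)
  exposures = []
  worklist  = [[]]
  until worklist.empty?
    forced = worklist.shift
    run = Run.new(forced)
    action.call(run)
    run.exposed.each { |d| exposures << Exposure.new(name, d, run.trace.dup) }
    # Schedule the negation of each decision that was defaulted on this run.
    (forced.size...run.trace.size).each do |i|
      worklist << run.trace[0...i].map(&:last) + [!run.trace[i].last]
    end
  end
  exposures
end

# Constructed toy Rails-style actions. Data is symbolic: only the labelled
# conditions and the exposed fields matter.
TOY_ACTIONS = {
  "documents#show" => ->(r) {
    r.expose("doc.contents") if r.branch("current_user == doc.owner")
  },
  "documents#preview" => ->(r) {
    if r.branch("doc.published?") || r.branch("current_user == doc.owner")
      r.expose("doc.contents")
    end
  },
  "documents#export" => ->(r) {
    # Intended bug: only a format decision precedes the data, no authorization.
    r.branch("params[:format] == 'json'")
    r.expose("doc.contents")
  },
  "documents#share" => ->(r) {
    # Intended bug: inverted check, contents leak on the else branch.
    if r.branch("current_user == doc.owner")
      r.expose("doc.share_link")
    else
      r.expose("doc.contents")
    end
  },
}

# The user's classification, built interactively in the paper: which
# [condition, truth value] pairs count as a security check. Any other
# condition (here the format choice) is classified as not security-related.
SECURITY_CHECKS = [
  ["current_user == doc.owner", true],
  ["doc.published?", true],
]

# Exposures whose path carries no condition classified as a security check.
def missing_checks(exposures, checks)
  exposures.reject { |e| e.conditions.any? { |c| checks.include?(c) } }
end

def analyze(actions = TOY_ACTIONS, checks = SECURITY_CHECKS)
  exposures = actions.flat_map { |name, body| enumerate_exposures(name, &body) }
  missing_checks(exposures, checks)
end

if __FILE__ == $PROGRAM_NAME
  analyze.each do |e|
    puts "#{e.action}: exposes #{e.data} under #{e.conditions.inspect} with no security check"
  end
end
```

Running the script flags both paths of `documents#export` (no authorization at all) and the else branch of `documents#share` (an owner check that holds in the wrong polarity), while `show` and `preview` pass because each of their exposures sits behind a classified check. Two caveats apply to this toy and not to the tool: every branch is assumed feasible, so infeasible paths can produce spurious exposures, and the same check must be labelled identically across actions for the policy to match it, whereas symbolic execution derives the conditions from the code itself.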
dc.description.sponsorship | National Science Foundation (U.S.) (Grant 0707612) | en_US |
dc.language.iso | en_US | |
dc.publisher | Association for Computing Machinery (ACM) | en_US |
dc.relation.isversionof | http://dx.doi.org/10.1145/2642937.2643012 | en_US |
dc.rights | Creative Commons Attribution-Noncommercial-Share Alike | en_US |
dc.rights.uri | http://creativecommons.org/licenses/by-nc-sa/4.0/ | en_US |
dc.source | MIT web domain | en_US |
dc.title | Derailer: interactive security analysis for web applications | en_US |
dc.type | Article | en_US |
dc.identifier.citation | Joseph P. Near and Daniel Jackson. 2014. Derailer: interactive security analysis for web applications. In Proceedings of the 29th ACM/IEEE international conference on Automated software engineering (ASE '14). ACM, New York, NY, USA, 587-598. | en_US |
dc.contributor.department | Massachusetts Institute of Technology. Computer Science and Artificial Intelligence Laboratory | en_US |
dc.contributor.department | Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science | en_US |
dc.contributor.mitauthor | Near, Joseph Paul | en_US |
dc.contributor.mitauthor | Jackson, Daniel | en_US |
dc.relation.journal | Proceedings of the 29th ACM/IEEE international conference on Automated software engineering (ASE '14) | en_US |
dc.eprint.version | Author's final manuscript | en_US |
dc.type.uri | http://purl.org/eprint/type/ConferencePaper | en_US |
eprint.status | http://purl.org/eprint/status/NonPeerReviewed | en_US |
dspace.orderedauthors | Near, Joseph P.; Jackson, Daniel | en_US |
dc.identifier.orcid | https://orcid.org/0000-0003-4864-078X | |
dspace.mitauthor.error | true | |
mit.license | OPEN_ACCESS_POLICY | en_US |
mit.metadata.status | Complete | |