This invention relates generally to static analysis of software programs, and, more specifically, relates to static analysis of validator routines.
Web applications are highly exposed to security attacks, as they are accessible by a large audience, and oftentimes accept a wide range of inputs as part of their functionality. The challenge of providing good service to benign users while, at the same time, denying illegal requests is addressed by validator routines. These routines normally take an input coming from the user as their argument, and return a Boolean value indicating whether the value satisfies certain constraints. Note that this is important not only from a security perspective, but also for verifying the integrity of the user-provided data. For example, the value of a parameter that is expected to represent a credit-card number needs to be verified, as the user may have used the wrong format.
The challenge of detecting validator routines in a sound, automated and accurate manner has received little attention so far. Instead, security algorithms, as well as commercial tools, tend to rely on a user-provided specification. The user classifies relevant methods as validators, and the ensuing analysis simply “believes” the specification to be correct, and treats values verified by a validator routine as safe and valid.
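The gap described above, as an added example that is not part of the original text: two Boolean validators for the credit-card parameter, one with an unanchored pattern, and a specification-trusting check that reports both as safe because it only consults the user's list. All function names, the specification set and the sample inputs are hypothetical and constructed for illustration.

```python
import re

def is_card_number_weak(value: str) -> bool:
    # Defect: re.search is unanchored, so a string that merely
    # *contains* 13-19 digits is accepted, whatever surrounds them.
    return re.search(r"[0-9]{13,19}", value) is not None

def is_card_number_strict(value: str) -> bool:
    # The whole string must be 13-19 ASCII digits ...
    if re.fullmatch(r"[0-9]{13,19}", value) is None:
        return False
    # ... and must pass the Luhn checksum.
    total = 0
    for i, ch in enumerate(reversed(value)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# Hypothetical user-provided specification: both routines are declared validators.
DECLARED_VALIDATORS = {"is_card_number_weak", "is_card_number_strict"}

def spec_based_verdict(validator_name: str) -> str:
    """Verdict of an analysis that believes the specification:
    it looks at the validator's name, never at its body."""
    return "safe" if validator_name in DECLARED_VALIDATORS else "tainted"

def audit(validator, samples):
    """Return accepted samples that are not purely digits, i.e. inputs
    the validator should have rejected for a card-number field."""
    return [s for s in samples if validator(s) and not s.isdigit()]

# Constructed sample inputs (4111111111111111 is a well-known test number).
SAMPLES = [
    "4111111111111111",                # well-formed, passes Luhn
    "4111111111111112",                # well-formed, fails Luhn
    "4111 1111 1111 1111",             # wrong format (spaces)
    "4111111111111111; trailing text", # digits followed by other content
]

if __name__ == "__main__":
    for v in (is_card_number_weak, is_card_number_strict):
        print(v.__name__, spec_based_verdict(v.__name__), audit(v, SAMPLES))
```

Both routines receive the same "safe" verdict from the specification, while only the audit of the routine bodies separates them.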