Publication
SPLASH 2011
Conference paper

Automatically fixing security vulnerabilities in Java code

View publication

Abstract

Most kinds of security vulnerabilities in web applications can be fixed by adding appropriate sanitization methods. Finding the correct place for the sanitizers can be difficult due to complicated data and control flow. Fixing SQL injection vulnerabilities may require more complex transformations, such as replacing uses of Statement by PreparedStatement, which could include some code motion. We have developed algorithms to place sanitizers correctly, as well as to transform Statement to PreparedStatement. These have been implemented as "quick fixes" in an Eclipse plugin that works together with a commercial tool that discovers security vulnerabilities in web applications.

Date

22 Nov 2011

Publication

SPLASH 2011

Authors

Topics

Share