Abstract Parsing: Static analysis of dynamically generated string output

摘要解析：动态生成字符串输出的静态分析

基本信息

批准号：
0939431
负责人：
David Schmidt
金额：
$ 29.93万
依托单位：
Kansas State University
依托单位国家：
美国
项目类别：
Standard Grant
财政年份：
2009
资助国家：
美国
起止时间：
2009-08-01 至 2012-07-31
项目状态：
已结题

来源：
https://www.nsf.gov/awardsearch/showAward?AWD_ID=0939431&HistoricalAwards=false
关键词：
Abstract Parsing Static analysis dynamically

项目摘要

This project provides an automated, formal-methods-based methodology and toolthat analyzes and validates, in advance of its execution,PHP, Perl, or Javascript programs that dynamically generateHMTL, XML, and SQL documents.Such document-generator programs are common to the World Wide Web and arenotorious for generating ill-structured, faulty, and dangerousdocuments that cause subsequent server errors or security breaches.The methodology integrates techniques fromLR(k)-parsing, data-flow analysis, and program securityto synthesize the program-analysis.Given the program (e.g., a PHP script) that generates documents and given thecontext-free reference grammar for the document language(e.g., a grammar for HTML),the analysis tool generates an LR(k) parser for the reference grammarand applies a data-flow analysis to analyze the program andpredict the context-free grammatical structure of thedocuments to be generated by the program.The tool computes abstract parse stacks, a novel and innovative structurethat encodes a generated document's context-free structure.Next, the tool applies formal semantics techniques to compute froman abstract parse stack its context-sensitive semantics, that is, themeaning of the dynamically generated document.Dynamically generated documents are often assembledwith user-supplied input, which can be erroneous or malicious.The analysis annotates the abstract parse stacks to identitywhere user input might appear,and the semantic analysis tracks the influenceof the user input upon the document's meaning.

该项目提供了一种基于方法的自动化方法和工具，并在其执行，PHP，Perl或JavaScript程序之前分析和验证，该程序在其执行情况下，该程序动态生成HMTL，XML和SQL文档。方法论将源自（k）的技术整合，数据流量分析和程序安全性，以合成程序 - 分析。启用程序（例如，PHP脚本），该程序生成文档并给出了文档语言（例如，html for for for html）的文档语言（例如，for for for for html for for for for html for for a l lrs for granm fors grals pars）pars pars pars pars pars pars pars pars pars pars pars pars pars pars pars pars pars pars pars pars pars（k） analysis to analyze the program andpredict the context-free grammatical structure of thedocuments to be generated by the program.The tool computes abstract parse stacks, a novel and innovative structurethat encodes a generated document's context-free structure.Next, the tool applies formal semantics techniques to compute froman abstract parse stack its context-sensitive semantics, that is, themeaning of the dynamically generated document.Dynamically generated文档通常是通过用户提供的输入组装来的，这可能是错误的或恶意的。分析说明了可能会出现用户输入的Arvister Parse堆栈，并且语义分析跟踪了用户对文档含义的影响的影响。