Chainsaw: Chained Automated Workflow-based Exploit Generation
| Title | Chainsaw: Chained Automated Workflow-based Exploit Generation |
| Publication Type | Conference Paper |
| Year of Publication | 2016 |
| Authors | Alhuzali, Abeer, Eshete, Birhanu, Gjomemo, Rigel, Venkatakrishnan, V.N. |
| Conference Name | Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security |
| Date Published | October 2016 |
| Publisher | ACM |
| Conference Location | New York, NY, USA |
| ISBN Number | 978-1-4503-4139-4 |
| Keywords | composability, exploit generation, Human Behavior, injection vulnerabilities, Metrics, pubcrawl, relational database security, Resiliency, web security |
| Abstract | We tackle the problem of automated exploit generation for web applications. In this regard, we present an approach that significantly improves the state-of-art in web injection vulnerability identification and exploit generation. Our approach for exploit generation tackles various challenges associated with typical web application characteristics: their multi-module nature, interposed user input, and multi-tier architectures using a database backend. Our approach develops precise models of application workflows, database schemas, and native functions to achieve high quality exploit generation. We implemented our approach in a tool called Chainsaw. Chainsaw was used to analyze 9 open source applications and generated over 199 first- and second-order injection exploits combined, significantly outperforming several related approaches. |
| URL | https://dl.acm.org/doi/10.1145/2976749.2978380 |
| DOI | 10.1145/2976749.2978380 |
| Citation Key | alhuzali_chainsaw:_2016 |