Simple Linear String Constraints 1

Modern web applications often suffer from command injection attacks such as Cross-Site Scripting and SQL Injection. Even equipped with sanitation code, many systems can still be penetrated due to the existence of software bugs (see e.g., the Samy Worm). It is desirable to automatically discover such vulnerabilities, given the bytecode of a web application. One solution would be symbolically executing the target system and constructing constraints for matching path conditions and attack patterns. The solution to such constraints is an attack signature, based on which, the attack process can be replayed. Constraint solving is the key to the success of symbolic execution. For web applications, string constraints receive most of the attention because web applications are essentially text processing programs. The study of string constraints has to balance between expressiveness and complexity. We present Simple Linear String Equation (SISE), a decidable fragment of the general string constraint system. SISE models a collection of regular replacement operations (such as greedy, reluctant, declarative, and finite replacement), which are frequently used by text processing programs. The semantics of these replacement operations are precisely modeled using finite state transducers, with various automata techniques developed for simulating procedural semantics such as left-most matching. By composing atomic transducers of a SISE, we show that a recursive algorithm can be used to compute the solution pool, which contains the value range of each variable in all feasible concrete solutions. Then a concrete variable solution can be synthesized from a solution pool. To accelerate solver performance, a symbolic representation of finite state transducer is developed, which allows the constraint solver to support a 16-bit Unicode alphabet in practice. The algorithm is implemented in a Java constraint solver called SUSHI.