Results 1  10
of
49
A Symbolic Execution Framework for JavaScript
 IEEE SYMPOSIUM ON SECURITY AND PRIVACY
, 2010
"... As AJAX applications gain popularity, clientside JavaScript code is becoming increasingly complex. However, few automated vulnerability analysis tools for JavaScript exist. In this paper, we describe the first system for exploring the execution space of JavaScript code using symbolic execution. To ..."
Abstract

Cited by 132 (12 self)
 Add to MetaCart
As AJAX applications gain popularity, clientside JavaScript code is becoming increasingly complex. However, few automated vulnerability analysis tools for JavaScript exist. In this paper, we describe the first system for exploring the execution space of JavaScript code using symbolic execution. To handle JavaScript code’s complex use of string operations, we design a new language of string constraints and implement a solver for it. We build an automatic endtoend tool, Kudzu, and apply it to the problem of finding clientside code injection vulnerabilities. In experiments on 18 live web applications, Kudzu automatically discovers 2 previously unknown vulnerabilities and 9 more that were previously found only with a manuallyconstructed test suite.
Decision procedures for algebraic data types with abstractions
 IN 37TH ACM SIGACTSIGPLAN SYMPOSIUM ON PRINCIPLES OF PROGRAMMING LANGUAGES (POPL), 2010. DECISION PROCEDURES FOR ORDERED COLLECTIONS 15 SHE75. SAHARON SHELAH. THE MONADIC THEORY OF ORDER. THA ANNALS OF MATHEMATICS OF MATHEMATICS
, 2010
"... We describe a family of decision procedures that extend the decision procedure for quantifierfree constraints on recursive algebraic data types (term algebras) to support recursive abstraction functions. Our abstraction functions are catamorphisms (term algebra homomorphisms) mapping algebraic data ..."
Abstract

Cited by 36 (15 self)
 Add to MetaCart
We describe a family of decision procedures that extend the decision procedure for quantifierfree constraints on recursive algebraic data types (term algebras) to support recursive abstraction functions. Our abstraction functions are catamorphisms (term algebra homomorphisms) mapping algebraic data type values into values in other decidable theories (e.g. sets, multisets, lists, integers, booleans). Each instance of our decision procedure family is sound; we identify a widely applicable manytoone condition on abstraction functions that implies the completeness. Complete instances of our decision procedure include the following correctness statements: 1) a functional data structure implementation satisfies a recursively specified invariant, 2) such data structure conforms to a contract given in terms of sets, multisets, lists, sizes, or heights, 3) a transformation of a formula (or lambda term) abstract syntax tree changes the set of free variables in the specified way.
The existential theory of equations with rational constraints in free groups is PSPACEcomplete
, 2001
"... ..."
Processing compressed texts: a tractability border
 Proc. CPM 2007
, 2007
"... Abstract. What kind of operations can we perform effectively (without full unpacking) with compressed texts? In this paper we consider three fundamental problems: (1) check the equality of two compressed texts, (2) check whether one compressed text is a substring of another compressed text, and (3) ..."
Abstract

Cited by 32 (1 self)
 Add to MetaCart
(Show Context)
Abstract. What kind of operations can we perform effectively (without full unpacking) with compressed texts? In this paper we consider three fundamental problems: (1) check the equality of two compressed texts, (2) check whether one compressed text is a substring of another compressed text, and (3) compute the number of different symbols (Hamming distance) between two compressed texts of the same length. We present an algorithm that solves the first problem in O(n 3) time and the second problem in O(n 2 m) time. Here n is the size of compressed representation (we consider representations by straightline programs) of the text and m is the size of compressed representation of the pattern. Next, we prove that the third problem is actually #Pcomplete. Thus, we indicate a pair of similar problems (equivalence checking, Hamming distance computation) that have radically different complexity on compressed texts. Our algorithmic technique used for problems (1) and (2) helps for computing minimal periods and covers of compressed texts. 1
Solvability of Equations in Free Partially Commutative Groups Is Decidable
 INTERNATIONAL JOURNAL OF ALGEBRA AND COMPUTATION
, 2001
"... Trace monoids are wellstudied objects in computer science where they serve as a basic algebraic tool for analyzing concurrent systems. ..."
Abstract

Cited by 20 (6 self)
 Add to MetaCart
Trace monoids are wellstudied objects in computer science where they serve as a basic algebraic tool for analyzing concurrent systems.
Wellnested context unification
 In CADE 2005, LNCS 3632
"... Abstract. Context unification (CU) is the open problem of solving context equations for trees. We distinguish a new decidable variant of CU– wellnested CU – and present a new unification algorithm that solves wellnested context equations in nondeterministic polynomial time. We show that minimal w ..."
Abstract

Cited by 17 (9 self)
 Add to MetaCart
(Show Context)
Abstract. Context unification (CU) is the open problem of solving context equations for trees. We distinguish a new decidable variant of CU– wellnested CU – and present a new unification algorithm that solves wellnested context equations in nondeterministic polynomial time. We show that minimal wellnested solutions of context equations can be composed from the material present in the equation (see Theorem 1). This property is wishful when modeling natural language ellipsis in CU. 1
Word equations over graph products
 In Proceedings of the 23rd Conference on Foundations of Software Technology and Theoretical Computer Science (FSTTCS 2003), Mumbai (India), number 2914 in Lecture Notes in Computer Science
, 2003
"... For monoids that satisfy a weak cancellation condition, it is shown that the decidability of the existential theory of word equations is preserved under graph products. Furthermore, it is shown that the positive theory of a graph product of groups can be reduced to the positive theories of those fac ..."
Abstract

Cited by 14 (8 self)
 Add to MetaCart
(Show Context)
For monoids that satisfy a weak cancellation condition, it is shown that the decidability of the existential theory of word equations is preserved under graph products. Furthermore, it is shown that the positive theory of a graph product of groups can be reduced to the positive theories of those factors, which commute with all other factors, and the existential theories of the remaining factors. Both results also include suitable constraints for the variables. Larger classes of constraints lead in many cases to undecidability results.
Monadic secondorder unification is NPcomplete
 In RTA’04, volume 3091 of LNCS
, 2004
"... Abstract. Bounded SecondOrder Unification is the problem of deciding, for a given secondorder equation t? = u and a positive integer m, whether there exists a unifier σ such that, for every secondorder variable F, the terms instantiated for F have at most m occurrences of every bound variable. I ..."
Abstract

Cited by 12 (7 self)
 Add to MetaCart
(Show Context)
Abstract. Bounded SecondOrder Unification is the problem of deciding, for a given secondorder equation t? = u and a positive integer m, whether there exists a unifier σ such that, for every secondorder variable F, the terms instantiated for F have at most m occurrences of every bound variable. It is already known that Bounded SecondOrder Unification is decidable and NPhard, whereas general SecondOrder Unification is undecidable. We prove that Bounded SecondOrder Unification is NPcomplete, provided that m is given in unary encoding, by proving that a sizeminimal solution can be represented in polynomial space, and then applying a generalization of Plandowski’s polynomial algorithm that compares compacted terms in polynomial time. 1
Stratified context unification is npcomplete
 In Proc. of the 3rd International Joint Conference on Automated Reasoning, IJCAR’06
, 2006
"... Abstract. Context Unification is the problem to decide for a given set of secondorder equations E where all secondorder variables are unary, whether there exists a unifier, such that for every secondorder variable X, theabstractionλx.r instantiated for X has exactly one occurrence of the bound va ..."
Abstract

Cited by 11 (3 self)
 Add to MetaCart
(Show Context)
Abstract. Context Unification is the problem to decide for a given set of secondorder equations E where all secondorder variables are unary, whether there exists a unifier, such that for every secondorder variable X, theabstractionλx.r instantiated for X has exactly one occurrence of the bound variable x in r. Stratified Context Unification is a specialization where the nesting of secondorder variables in E is restricted. It is already known that Stratified Context Unification is decidable, NPhard, and in PSPACE, whereas the decidability and the complexity of Context Unification is unknown. We prove that Stratified Context Unification is in NP by proving that a sizeminimal solution can be represented in a singleton tree grammar of polynomial size, and then applying a generalization of Plandowski’s polynomial algorithm that compares compacted terms in polynomial time. This also demonstrates the high potential of singleton tree grammars for optimizing programs maintaining large terms. A corollary of our result is that solvability of rewrite constraints is NPcomplete. 1