Results 1  10
of
31
A Symbolic Execution Framework for JavaScript
 IEEE SYMPOSIUM ON SECURITY AND PRIVACY
, 2010
"... As AJAX applications gain popularity, clientside JavaScript code is becoming increasingly complex. However, few automated vulnerability analysis tools for JavaScript exist. In this paper, we describe the first system for exploring the execution space of JavaScript code using symbolic execution. To ..."
Abstract

Cited by 60 (9 self)
 Add to MetaCart
As AJAX applications gain popularity, clientside JavaScript code is becoming increasingly complex. However, few automated vulnerability analysis tools for JavaScript exist. In this paper, we describe the first system for exploring the execution space of JavaScript code using symbolic execution. To handle JavaScript code’s complex use of string operations, we design a new language of string constraints and implement a solver for it. We build an automatic endtoend tool, Kudzu, and apply it to the problem of finding clientside code injection vulnerabilities. In experiments on 18 live web applications, Kudzu automatically discovers 2 previously unknown vulnerabilities and 9 more that were previously found only with a manuallyconstructed test suite.
The existential theory of equations with rational constraints in free groups is PSPACEcomplete
, 2001
"... ..."
Decision procedures for algebraic data types with abstractions
 IN 37TH ACM SIGACTSIGPLAN SYMPOSIUM ON PRINCIPLES OF PROGRAMMING LANGUAGES (POPL), 2010. DECISION PROCEDURES FOR ORDERED COLLECTIONS 15 SHE75. SAHARON SHELAH. THE MONADIC THEORY OF ORDER. THA ANNALS OF MATHEMATICS OF MATHEMATICS
, 2010
"... We describe a family of decision procedures that extend the decision procedure for quantifierfree constraints on recursive algebraic data types (term algebras) to support recursive abstraction functions. Our abstraction functions are catamorphisms (term algebra homomorphisms) mapping algebraic data ..."
Abstract

Cited by 23 (11 self)
 Add to MetaCart
We describe a family of decision procedures that extend the decision procedure for quantifierfree constraints on recursive algebraic data types (term algebras) to support recursive abstraction functions. Our abstraction functions are catamorphisms (term algebra homomorphisms) mapping algebraic data type values into values in other decidable theories (e.g. sets, multisets, lists, integers, booleans). Each instance of our decision procedure family is sound; we identify a widely applicable manytoone condition on abstraction functions that implies the completeness. Complete instances of our decision procedure include the following correctness statements: 1) a functional data structure implementation satisfies a recursively specified invariant, 2) such data structure conforms to a contract given in terms of sets, multisets, lists, sizes, or heights, 3) a transformation of a formula (or lambda term) abstract syntax tree changes the set of free variables in the specified way.
Solvability of Equations in Free Partially Commutative Groups Is Decidable
 INTERNATIONAL JOURNAL OF ALGEBRA AND COMPUTATION
, 2001
"... Trace monoids are wellstudied objects in computer science where they serve as a basic algebraic tool for analyzing concurrent systems. ..."
Abstract

Cited by 15 (3 self)
 Add to MetaCart
Trace monoids are wellstudied objects in computer science where they serve as a basic algebraic tool for analyzing concurrent systems.
Processing compressed texts: a tractability border
 Proc. CPM 2007
, 2007
"... Abstract. What kind of operations can we perform effectively (without full unpacking) with compressed texts? In this paper we consider three fundamental problems: (1) check the equality of two compressed texts, (2) check whether one compressed text is a substring of another compressed text, and (3) ..."
Abstract

Cited by 15 (1 self)
 Add to MetaCart
Abstract. What kind of operations can we perform effectively (without full unpacking) with compressed texts? In this paper we consider three fundamental problems: (1) check the equality of two compressed texts, (2) check whether one compressed text is a substring of another compressed text, and (3) compute the number of different symbols (Hamming distance) between two compressed texts of the same length. We present an algorithm that solves the first problem in O(n 3) time and the second problem in O(n 2 m) time. Here n is the size of compressed representation (we consider representations by straightline programs) of the text and m is the size of compressed representation of the pattern. Next, we prove that the third problem is actually #Pcomplete. Thus, we indicate a pair of similar problems (equivalence checking, Hamming distance computation) that have radically different complexity on compressed texts. Our algorithmic technique used for problems (1) and (2) helps for computing minimal periods and covers of compressed texts. 1
Wellnested context unification
 In CADE 2005, LNCS 3632
"... Abstract. Context unification (CU) is the open problem of solving context equations for trees. We distinguish a new decidable variant of CU– wellnested CU – and present a new unification algorithm that solves wellnested context equations in nondeterministic polynomial time. We show that minimal w ..."
Abstract

Cited by 14 (8 self)
 Add to MetaCart
Abstract. Context unification (CU) is the open problem of solving context equations for trees. We distinguish a new decidable variant of CU– wellnested CU – and present a new unification algorithm that solves wellnested context equations in nondeterministic polynomial time. We show that minimal wellnested solutions of context equations can be composed from the material present in the equation (see Theorem 1). This property is wishful when modeling natural language ellipsis in CU. 1
Word equations over graph products
 In Proceedings of the 23rd Conference on Foundations of Software Technology and Theoretical Computer Science (FSTTCS 2003), Mumbai (India), number 2914 in Lecture Notes in Computer Science
, 2003
"... For monoids that satisfy a weak cancellation condition, it is shown that the decidability of the existential theory of word equations is preserved under graph products. Furthermore, it is shown that the positive theory of a graph product of groups can be reduced to the positive theories of those fac ..."
Abstract

Cited by 9 (5 self)
 Add to MetaCart
For monoids that satisfy a weak cancellation condition, it is shown that the decidability of the existential theory of word equations is preserved under graph products. Furthermore, it is shown that the positive theory of a graph product of groups can be reduced to the positive theories of those factors, which commute with all other factors, and the existential theories of the remaining factors. Both results also include suitable constraints for the variables. Larger classes of constraints lead in many cases to undecidability results.
NonStructural Subtype Entailment in Automata Theory
, 2003
"... Decidability of nonstructural subtype entailment is a longstanding open problem in programming language theory. In this paper, we apply automata theoretic methods to characterize the problem equivalently by using regular expressions and word equations. This characterization induces new results on ..."
Abstract

Cited by 8 (3 self)
 Add to MetaCart
Decidability of nonstructural subtype entailment is a longstanding open problem in programming language theory. In this paper, we apply automata theoretic methods to characterize the problem equivalently by using regular expressions and word equations. This characterization induces new results on nonstructural subtype entailment, constitutes a promising starting point for further investigations on decidability, and explains for the first time why the problem is so difficult. The difficulty is caused by implicit word equations that we make explicit.
Monadic secondorder unification is NPcomplete
 In RTA’04, volume 3091 of LNCS
, 2004
"... Abstract. Bounded SecondOrder Unification is the problem of deciding, for a given secondorder equation t? = u and a positive integer m, whether there exists a unifier σ such that, for every secondorder variable F, the terms instantiated for F have at most m occurrences of every bound variable. I ..."
Abstract

Cited by 7 (5 self)
 Add to MetaCart
Abstract. Bounded SecondOrder Unification is the problem of deciding, for a given secondorder equation t? = u and a positive integer m, whether there exists a unifier σ such that, for every secondorder variable F, the terms instantiated for F have at most m occurrences of every bound variable. It is already known that Bounded SecondOrder Unification is decidable and NPhard, whereas general SecondOrder Unification is undecidable. We prove that Bounded SecondOrder Unification is NPcomplete, provided that m is given in unary encoding, by proving that a sizeminimal solution can be represented in polynomial space, and then applying a generalization of Plandowski’s polynomial algorithm that compares compacted terms in polynomial time. 1