SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript...
Transcript of SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript...
![Page 1: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/1.jpg)
1
Philipp Rümmer
Uppsala University
SAT/SMT/AR, July 6th, 2018
SMT, Strings, Security
![Page 2: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/2.jpg)
2
Plan
String constraints by example
A word equation primer
Decidable fragments of string constraints
![Page 3: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/3.jpg)
3
Strings in Verifcation
![Page 4: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/4.jpg)
4
String in verifiation
![Page 5: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/5.jpg)
5
String in verifiation
ASCII, Unicode
![Page 6: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/6.jpg)
6
String in verifiation
Regular expressionassertion:
![Page 7: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/7.jpg)
7
String in verifiation
Word/stringioniatenation
![Page 8: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/8.jpg)
8
String in verifiation
Loop invariant combiningword equations,regex constraints,length constraints
![Page 9: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/9.jpg)
9
String in verifiation
Substringconstraint
![Page 10: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/10.jpg)
10
String in verifiation
Or regex:
![Page 11: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/11.jpg)
11
String in verifiation
Presburgerlength constraint
![Page 12: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/12.jpg)
12
String in verifiation
→ Need a solver that supports all those operators!
![Page 13: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/13.jpg)
13
Alphabets
All constraints are formulated w.r.t. to some fxed fnite alphabet
(e.g., 8-bit ASCII) (e.g., UTF-32)
![Page 14: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/14.jpg)
14
Semantiis and notation
Finite sequences of letters: Empty word: Concatenation:
Equations: Language/regex membership: Word length:
![Page 15: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/15.jpg)
15
LARGE Alphabets
Naive use of fnite-state automata quickly becomes impossible
Conirete letters as transition guards →far too many transitions are needed to express interesting languages
Symbolii handling of letters is necessary
Sometimes complex string conversion functions necessary, e.g. UTF-8 ↔ UTF-32
![Page 16: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/16.jpg)
16
Injeition attaiks
xkcd.com
![Page 17: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/17.jpg)
17
What is happening here?
Possible SQL iommand in a program
database.execute( "INSERT INTO students (name) VALUES ('" + name + "');");
![Page 18: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/18.jpg)
18
What is happening here?
Possible SQL iommand in a program
database.execute( "INSERT INTO students (name) VALUES ('" + name + "');");
Command with input substituted
INSERT INTO students (name) VALUES ('Robert'); DROP TABLE students;--');
![Page 19: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/19.jpg)
19
What is happening here?
Possible SQL iommand in a program
database.execute( "INSERT INTO students (name) VALUES ('" + name + "');");
Command with input substituted
INSERT INTO students (name) VALUES ('Robert'); DROP TABLE students;--');
Problem:Input string
ends quotation!
Commandembedded in
user inputis executed
![Page 20: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/20.jpg)
20
What is happening here?
Possible SQL iommand in a program
database.execute( "INSERT INTO students (name) VALUES ('" + name + "');");
Since no sanitisation is applied, program is vulnerable to SQL injection attacks!
![Page 21: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/21.jpg)
21
How ian this be deteited?
Programcode
Input:User-controlled strings
Output:SQL commands
![Page 22: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/22.jpg)
22
How ian this be deteited?
Programcode
Input:User-controlled strings
Output:SQL commands
![Page 23: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/23.jpg)
23
How ian this be deteited?
Programcode
Input:User-controlled strings
Output:SQL commands
Regexor CFG
![Page 24: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/24.jpg)
24
What is happening here?
Possible SQL iommand in a program
database.execute( "INSERT INTO students (name) VALUES ('" + name + "');");
However, this case could more easily be found with techniques like taint traiking
But what if sanitisation were actually applied?
![Page 25: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/25.jpg)
25
A subtle XSS vulnerability
JavaSiript embedded in a web-page
var x = goog.string.htmlEscape(cat);var y = goog.string.escapeString(x);
catElem.innerHTML = '<button onclick="createCatList(\'' + y + '\')">' + x + '</button>';
![Page 26: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/26.jpg)
26
A subtle XSS vulnerability
JavaSiript embedded in a web-page
var x = goog.string.htmlEscape(cat);var y = goog.string.escapeString(x);
catElem.innerHTML = '<button onclick="createCatList(\'' + y + '\')">' + x + '</button>';
Input string
![Page 27: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/27.jpg)
27
A subtle XSS vulnerability
JavaSiript embedded in a web-page
var x = goog.string.htmlEscape(cat);var y = goog.string.escapeString(x);
catElem.innerHTML = '<button onclick="createCatList(\'' + y + '\')">' + x + '</button>';
Input stringHTML escape:& → &
JavaScriptescape:
' → \'
![Page 28: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/28.jpg)
28
A subtle XSS vulnerability
JavaSiript embedded in a web-page
var x = goog.string.htmlEscape(cat);var y = goog.string.escapeString(x);
catElem.innerHTML = '<button onclick="createCatList(\'' + y + '\')">' + x + '</button>';
Input stringHTML escape:& → &
JavaScriptescape:
' → \'
Impliiit HTMLunescape
of the onclickattribute:
& → &
![Page 29: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/29.jpg)
29
An XSS vulnerability (2)
JavaSiript embedded in a web-page
var x = goog.string.htmlEscape(cat);var y = goog.string.escapeString(x);
catElem.innerHTML = '<button onclick="createCatList(\'' + y + '\')">' + x + '</button>';
One possible attaikChoose cat to be ');alert(1);//
Generated HTML string is then:<button onclick="createCatList('');alert(1);//')">');alert(1);//</button>
![Page 30: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/30.jpg)
30
An XSS vulnerability (2)
JavaSiript embedded in a web-page
var x = goog.string.htmlEscape(cat);var y = goog.string.escapeString(x);
catElem.innerHTML = '<button onclick="createCatList(\'' + y + '\')">' + x + '</button>';
One possible attaikChoose cat to be ');alert(1);//
Generated HTML string is then:<button onclick="createCatList('');alert(1);//')">');alert(1);//</button>
This will be unesiaped tocreateCatList('');alert(1);//')
![Page 31: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/31.jpg)
31
An XSS vulnerability (2)
JavaSiript embedded in a web-page
var x = goog.string.htmlEscape(cat);var y = goog.string.escapeString(x);
catElem.innerHTML = '<button onclick="createCatList(\'' + y + '\')">' + x + '</button>';
One possible attaikChoose cat to be ');alert(1);//
Generated HTML string is then:<button onclick="createCatList('');alert(1);//')">');alert(1);//</button>
This will be unesiaped tocreateCatList('');alert(1);//')
Vulnerability since escapefunctions are applied in
wrong order
![Page 32: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/32.jpg)
32
Cross-site siripting
http://blog.aboutme.vn/choi-xss-tai-knock-xss-moe/
![Page 33: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/33.jpg)
33
Solvers for esiape ops?
![Page 34: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/34.jpg)
34
Solvers for esiape ops?
We need transducers!→ Automata with multiple tracks
![Page 35: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/35.jpg)
35
Solvers for esiape ops?
toUpperCase
a/Ab/Bc/C...
We need transducers!→ Automata with multiple tracks
![Page 36: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/36.jpg)
36
Solvers for esiape ops?
toUpperCase
a/Ab/Bc/C...
We need transducers!→ Automata with multiple tracks
htmlEsiape
</<>/>&/&...
replaieAll
...
![Page 37: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/37.jpg)
37
Solvers for esiape ops?
toUpperCase
a/Ab/Bc/C...
We need transducers!→ Automata with multiple tracks
htmlEsiape
</<>/>&/&...
replaieAll
...
Do not preserve length ...
![Page 38: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/38.jpg)
38
Other operations
String reversal Context-free grammars String-to-number conversions Replace-all with symbolic arguments ...
![Page 39: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/39.jpg)
39
SolvingString
Constraints
![Page 40: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/40.jpg)
40
Bit of Solver History
Bounded-length solvers Bit-vector-based: Hampi, Kaluza CP-based: Gecode
Automata-based tools Stranger, TRAU
SMT/DPLL/CDCL-based methods Z3-str/2/3, CVC4, S3/p, Norn, Sloth
(+ much theoretic work)
![Page 41: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/41.jpg)
41
Solving Word Equations
What are the solutions those equations?
![Page 42: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/42.jpg)
42
Nielsen's transformation
(also called Levi's lemma)
Theorem
![Page 43: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/43.jpg)
43
Nielsen's transformation
(also called Levi's lemma)
Theorem
![Page 44: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/44.jpg)
44
Nielsen's transformation
As a tableau rule
![Page 45: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/45.jpg)
45
Nielsen's transformation
As a tableau rule
![Page 46: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/46.jpg)
46
In the example
![Page 47: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/47.jpg)
47
How about this one?
![Page 48: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/48.jpg)
48
How about this one?
![Page 49: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/49.jpg)
49
How about this one?
Cyile!
![Page 50: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/50.jpg)
50
What ian be done?
Ignore cycles and hope for the best!
Identify fragments for which NT is guaranteed to terminate
Acyclic; straight-line
Improve NT and add termination criteria Makanin's method Simpler algorithms for quadratii equations
![Page 51: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/51.jpg)
51
Quadratii word equations
E.g.
Consider satisfability of asingle quadratii equation
DefnitionA word equation is quadratii if each variable occurs at most twice in the equation.
![Page 52: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/52.jpg)
52
Nielsen's transformation
Quadratii = simpler?
![Page 53: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/53.jpg)
53
Nielsen's transformation
Quadratii = simpler?
Number ofvariable
occurrencescannot increase!
![Page 54: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/54.jpg)
54
A deiision proiedure
Modifed Nielsen rule
![Page 55: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/55.jpg)
55
A deiision proiedure
Modifed Nielsen rule
Further rules
![Page 56: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/56.jpg)
56
Example
![Page 57: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/57.jpg)
57
Even more rules
One-sided Nielsen rule
![Page 58: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/58.jpg)
58
Deiision proiedure?
Soundness● If root is satisfable, at least one branch cannot
be closed
Completeness● If root is unsat, a closed proof exists● Follows from termination● Open branches → satisfying assignments
Termination● # of variable occurrences does not increase● Up to renaming of variables, only fnitely many
diferent equations exist
![Page 59: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/59.jpg)
59
Soundness argument
Label equations in the proof with: if equation is unsat if equation is sat, has variable
occurrences, and is length of for the shortest solution
Order pairs lexicographically
LemmaIn each application of the Nielsen rule, if the parent is labelled with , then at least one child has label .
![Page 60: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/60.jpg)
60
Soundness argument
Label equations in the proof with: if equation is unsat if equation is sat, has variable
occurrences, and is length of for the shortest solution
Order pairs lexicographically
LemmaIn each application of the Nielsen rule, if the parent is labelled with , then at least one child has label .
Decreasing labels→ Branch cannot
be closed!
![Page 61: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/61.jpg)
61
Combinations ...
Equations
Quadratii
![Page 62: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/62.jpg)
62
Combinations ...
Equations
Quadratii
RegexConstraints
![Page 63: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/63.jpg)
63
Combinations ...
Equations
Quadratii
RegexConstraints
✓
![Page 64: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/64.jpg)
64
Combinations ...
Equations
Quadratii
RegexConstraints
✓Length
Constraints
![Page 65: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/65.jpg)
65
Combinations ...
Equations
Quadratii
RegexConstraints
✓Length
Constraints
?
![Page 66: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/66.jpg)
66
Combinations ...
Equations
Quadratii
RegexConstraints
✓Length
Constraints
??
![Page 67: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/67.jpg)
67
Transduition
Combinations ...
Equations
Quadratii
RegexConstraints
✓Length
Constraints
??
![Page 68: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/68.jpg)
68
Transduition
Combinations ...
Equations
Quadratii
RegexConstraints
✓Length
Constraints
??
Undeiidable
![Page 69: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/69.jpg)
69
Transduition
Combinations ...
Equations
Quadratii
RegexConstraints
✓Length
Constraints
??
Undeiidable
![Page 70: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/70.jpg)
70
Transduition
Combinations ...
Equations
Quadratii
RegexConstraints
✓Length
Constraints
??
Undeiidable
![Page 71: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/71.jpg)
71
Transduition
Combinations ...
Equations
Quadratii
RegexConstraints
✓Length
Constraints
??
Undeiidable
![Page 72: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/72.jpg)
72
The Norn fragment
1. Boolean structure
2. Acyclic (linear) word equations
3. Regex memberships
4. Length constraints
Parosh Aziz Abdulla, Mohamed Faouzi Atig, Yu-Fang Chen, Lukás Holík, Ahmed Rezine, Philipp Rümmer, Jari Stenman: String Constraints for Verifcation. CAV 2014
![Page 73: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/73.jpg)
73
The Norn fragment
1. Boolean structure
2. Acyclic (linear) word equations
3. Regex memberships
4. Length constraints
Parosh Aziz Abdulla, Mohamed Faouzi Atig, Yu-Fang Chen, Lukás Holík, Ahmed Rezine, Philipp Rümmer, Jari Stenman: String Constraints for Verifcation. CAV 2014
(a decidable fragment)
![Page 74: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/74.jpg)
74
The Norn fragment
1. Boolean structure
2. Acyclic (linear) word equations
3. Regex memberships
4. Length constraints
Parosh Aziz Abdulla, Mohamed Faouzi Atig, Yu-Fang Chen, Lukás Holík, Ahmed Rezine, Philipp Rümmer, Jari Stenman: String Constraints for Verifcation. CAV 2014
(a decidable fragment)
Order inwhichprocedurehandlesoperators
![Page 75: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/75.jpg)
75
Examples
![Page 76: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/76.jpg)
76
1. Boolean struiture
Use standard DPLL/CDCL → Easy Just consider conjunctions of literals
But we need to handle negation! Negated word equations Negated regex constraints Negated length constraints
![Page 77: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/77.jpg)
77
1. Boolean struiture
Use standard DPLL/CDCL → Easy Just consider conjunctions of literals
But we need to handle negation! Negated word equations Negated regex constraints Negated length constraints
✓✓
?
![Page 78: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/78.jpg)
78
1b. Negative word eqs.
Lemma
Can be reduced to positive equations:
![Page 79: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/79.jpg)
79
1b. Negative word eqs.
Lemma
Large alphabets→ a, b need to be
handled symbolicallyin practice
Can be reduced to positive equations:
![Page 80: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/80.jpg)
80
1b. Negative word eqs.
Lemma
Can be reduced to positive equations:
TheoremAny Boolean combination of word equations canbe reduced to a single word equation with thesame set of solutions (when projected to theoriginal set of variables).
![Page 81: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/81.jpg)
81
2. Aiyilii word equations
Reduce to solved form by systematic application of Nielsen’s transformation:
( do not occur in )
After that, eliminate equations by inlining!
![Page 82: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/82.jpg)
82
3. Regular expressions
Membership tests with ioniatenation can be split:
Tests with same left-hand side can be merged:
![Page 83: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/83.jpg)
83
3. Regular expressions
Membership tests with ioniatenation can be split:
Tests with same left-hand side can be merged:
Disjunction overstates of
automatonrepresenting
![Page 84: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/84.jpg)
84
4. Length ionstraints
Compute the length abstraition of each regex constraint:
Conjoin length abstractions with other length constraints and check satisfability
![Page 85: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/85.jpg)
85
4. Length ionstraints
Compute the length abstraition of each regex constraint:
Conjoin length abstractions with other length constraints and check satisfability
A Presburgerformula that canbe extracted in
linear time from
![Page 86: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/86.jpg)
86
5. Optimisations ...
E.g., exploit length information when splitting equations or regexes
(still too slow ...)
![Page 87: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/87.jpg)
87
Adding Transducers .
![Page 88: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/88.jpg)
88
3. Regular expressions
Membership tests with ioniatenation can be split:
Tests with same left-hand side can be merged:
![Page 89: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/89.jpg)
89
3. Regular expressions
Membership tests with ioniatenation can be split:
Tests with same left-hand side can be merged:
Does not workany more withtransducers!
![Page 90: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/90.jpg)
90
The Sloth fragments
1. Boolean structure (no negation)
2. Straight-line word equations
3. n-track transducer constraints
Lukás Holík, Petr Janku, Anthony W. Lin, Philipp Rümmer, Tomás Vojnar: String constraints with concatenation and transducers solved efciently. PACMPL 2(POPL): 4:1-4:32 (2018)
![Page 91: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/91.jpg)
91
The Sloth fragments
1. Boolean structure (no negation)
2. Straight-line word equations
3. n-track transducer constraints
Lukás Holík, Petr Janku, Anthony W. Lin, Philipp Rümmer, Tomás Vojnar: String constraints with concatenation and transducers solved efciently. PACMPL 2(POPL): 4:1-4:32 (2018)
→ also decidable!
![Page 92: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/92.jpg)
92
Transduiers
DefnitionAn n-traik transduier is a fnite-stateautomaton over the alphabetAn n-track transducer defnes an n-aryrational relation.
![Page 93: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/93.jpg)
93
Transduiers
DefnitionAn n-traik transduier is a fnite-stateautomaton over the alphabetAn n-track transducer defnes an n-aryrational relation.
![Page 94: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/94.jpg)
94
Transduiers
DefnitionAn n-traik transduier is a fnite-stateautomaton over the alphabetAn n-track transducer defnes an n-aryrational relation.
![Page 95: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/95.jpg)
95
HTML Esiaping
![Page 96: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/96.jpg)
96
Undeiidability
Proposition/FolkloreString constraints with rational relations areundeiidable.
Post correspondence problem:Given word pairs
is there an index sequence with
![Page 97: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/97.jpg)
97
Undeiidability
Proposition/FolkloreString constraints with rational relations areundeiidable.
Post correspondence problem:Given word pairs
is there an index sequence with
Undeiidable
![Page 98: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/98.jpg)
98
Fragments: aiyilii formulas
Positive Boolean comb. of rational relations applied to distinct variables
In every , and share at most one variable
PSPACE-complete[Barcelo, Figuiera, and Libkin’13]
![Page 99: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/99.jpg)
99
Straight-line fragment SL
Conjunction of equations sorted by dependency:
All pairwise distinct Each may only occur in Each is concatenation, or
(interpreted as ) Regex constraints
![Page 100: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/100.jpg)
100
SL example
JavaSiript embedded in a web-page
var x = goog.string.htmlEscape(cat);var y = goog.string.escapeString(x);
catElem.innerHTML = '<button onclick="createCatList(\'' + y + '\')">' + x + '</button>';
![Page 101: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/101.jpg)
101
SL example
JavaSiript embedded in a web-page
var x = goog.string.htmlEscape(cat);var y = goog.string.escapeString(x);
catElem.innerHTML = '<button onclick="createCatList(\'' + y + '\')">' + x + '</button>';
![Page 102: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/102.jpg)
102
SL example
JavaSiript embedded in a web-page
var x = goog.string.htmlEscape(cat);var y = goog.string.escapeString(x);
catElem.innerHTML = '<button onclick="createCatList(\'' + y + '\')">' + x + '</button>';
![Page 103: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/103.jpg)
103
SL example
JavaSiript embedded in a web-page
var x = goog.string.htmlEscape(cat);var y = goog.string.escapeString(x);
catElem.innerHTML = '<button onclick="createCatList(\'' + y + '\')">' + x + '</button>';
![Page 104: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/104.jpg)
104
SL example
JavaSiript embedded in a web-page
var x = goog.string.htmlEscape(cat);var y = goog.string.escapeString(x);
catElem.innerHTML = '<button onclick="createCatList(\'' + y + '\')">' + x + '</button>';
![Page 105: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/105.jpg)
105
SL example
JavaSiript embedded in a web-page
var x = goog.string.htmlEscape(cat);var y = goog.string.escapeString(x);
catElem.innerHTML = '<button onclick="createCatList(\'' + y + '\')">' + x + '</button>';
![Page 106: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/106.jpg)
106
Deiision proiedure for SL
SL Acyclic
Splittingconcat
![Page 107: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/107.jpg)
107
Deiision proiedure for SL
SL Acyclic
Splittingconcat
Linear blow-upfor each split
![Page 108: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/108.jpg)
108
Deiision proiedure for SL
SL Acyclic
Splittingconcat
Linear blow-upfor each split
BooleanTrans.System
![Page 109: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/109.jpg)
109
Deiision proiedure for SL
SL Acyclic
Splittingconcat
Linear blow-upfor each split
BooleanTrans.System
Hardware ModelCheiker
(PSPACE!)
![Page 110: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/110.jpg)
110
Deiidability for aiyilii f.
![Page 111: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/111.jpg)
111
Deiidability for aiyilii f.
![Page 112: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/112.jpg)
112
Deiidability for aiyilii f.
(Product automaton)
![Page 113: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/113.jpg)
113
Deiidability for aiyilii f.
(Product automaton)
Consistency=
Non-emptiness
![Page 114: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/114.jpg)
114
Deiidability for aiyilii f.
(Product automaton)
Consistency=
Non-emptiness
But how to dothis in PSPACE?
![Page 115: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/115.jpg)
Alternating Finite Automata
q1
q2
a
q3
a
q4
q5
a
q6
a
AFA P AFA P has
Q – a set of states,∆ – a set of transitions
, for example,I ∆(q4) = a ∧ (q5 ∨ q6),I ∆(q1) = a ∧ q2 ∧ q3,
I – a positive Boolean formula overstates,F – a negative Boolean formula overstates,
The main advantage compared to NFA is that AFA/AFT can easilyencode concatenation and all Boolean operations on formulae.
P. Janku, et.al. String Constraints with Concatenation and Transducers Solved Efficiently 11 / 22
![Page 116: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/116.jpg)
Alternating Finite Automata
q1
q2
a
q3
a
q4
q5
a
q6
a
AFA P AFA P hasQ – a set of states,∆ – a set of transitions
, for example,I ∆(q4) = a ∧ (q5 ∨ q6),I ∆(q1) = a ∧ q2 ∧ q3,
I – a positive Boolean formula overstates,F – a negative Boolean formula overstates,
The main advantage compared to NFA is that AFA/AFT can easilyencode concatenation and all Boolean operations on formulae.
P. Janku, et.al. String Constraints with Concatenation and Transducers Solved Efficiently 11 / 22
![Page 117: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/117.jpg)
Alternating Finite Automata
q1
q2
a
q3
a
q4
q5
a
q6
a
AFA P AFA P hasQ – a set of states,∆ – a set of transitions, for example,
I ∆(q4) = a ∧ (q5 ∨ q6),
I ∆(q1) = a ∧ q2 ∧ q3,
I – a positive Boolean formula overstates,F – a negative Boolean formula overstates,
The main advantage compared to NFA is that AFA/AFT can easilyencode concatenation and all Boolean operations on formulae.
P. Janku, et.al. String Constraints with Concatenation and Transducers Solved Efficiently 11 / 22
![Page 118: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/118.jpg)
Alternating Finite Automata
q1
q2
a
q3
aq4
q5
a
q6
a
AFA P AFA P hasQ – a set of states,∆ – a set of transitions, for example,
I ∆(q4) = a ∧ (q5 ∨ q6),I ∆(q1) = a ∧ q2 ∧ q3,
I – a positive Boolean formula overstates,F – a negative Boolean formula overstates,
The main advantage compared to NFA is that AFA/AFT can easilyencode concatenation and all Boolean operations on formulae.
P. Janku, et.al. String Constraints with Concatenation and Transducers Solved Efficiently 11 / 22
![Page 119: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/119.jpg)
Alternating Finite Automata
q1
q2
a
q3
a
q4
q5
a
q6
a
AFA P AFA P hasQ – a set of states,∆ – a set of transitions, for example,
I ∆(q4) = a ∧ (q5 ∨ q6),I ∆(q1) = a ∧ q2 ∧ q3,
I – a positive Boolean formula overstates,F – a negative Boolean formula overstates,
The main advantage compared to NFA is that AFA/AFT can easilyencode concatenation and all Boolean operations on formulae.
P. Janku, et.al. String Constraints with Concatenation and Transducers Solved Efficiently 11 / 22
![Page 120: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/120.jpg)
Alternating Finite Automata
q1
q2
a
q3
a
q4
q5
a
q6
a
AFA P AFA P hasQ – a set of states,∆ – a set of transitions, for example,
I ∆(q4) = a ∧ (q5 ∨ q6),I ∆(q1) = a ∧ q2 ∧ q3,
I – a positive Boolean formula overstates,F – a negative Boolean formula overstates,
The main advantage compared to NFA is that AFA/AFT can easilyencode concatenation and all Boolean operations on formulae.
P. Janku, et.al. String Constraints with Concatenation and Transducers Solved Efficiently 11 / 22
![Page 121: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/121.jpg)
AND between Two AFTs
c/a a/d
c/a/? ?/a/d
a/b b/c
a/b/? ?/b/c
d/c c/b
d/c/? ?/c/b
R1(name, x) R2(x , y)
R12(name, x , y)
∧
P. Janku, et.al. String Constraints with Concatenation and Transducers Solved Efficiently 14 / 22
![Page 122: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/122.jpg)
AND between Two AFTs
c/a a/d
c/a/? ?/a/d
a/b b/c
a/b/? ?/b/c
d/c c/b
d/c/? ?/c/b
R1(name, x) R2(x , y)
R12(name, x , y)
∧
QR12 = QR1 ∪QR2
IR12 = IR1 ∧ IR2
FR12 = FR1 ∧ FR2
∆R12 = ∆R1 ∪∆R2
P. Janku, et.al. String Constraints with Concatenation and Transducers Solved Efficiently 14 / 22
![Page 123: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/123.jpg)
SL→ AFT
The translation into an AFT will be carried out in the following steps:1 A translation of conjunctions to AFTs.
2 A translation of concatenations to AFTs:1 Eliminating equations by substitutions.
ϕ ::= R12(name, x , y) ∧ z = w1 ◦ y ◦ w2 ◦ x ◦ w3 ∧R3(z, innerHtml) ∧ P(innerHtml)
AFT R12 AFT R3 AFT PP. Janku, et.al. String Constraints with Concatenation and Transducers Solved Efficiently 15 / 22
![Page 124: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/124.jpg)
AFT→ BTS
Variables of the Boolean transition system (BTS) =states of the automaton (AFT):
I q1,q2,q3.
The initial and final formulae of the BTS =initial and final formulae of the AFT:
I I = q1,I F = q2 ∧ q3.
The transition function of the BTS = conjunction of formulaederived from individual transitions of the AFT:
I Trans = ∃ symb : q1 → symb = a ∧ q′2 ∧ q′
3.
q1
q2 q3a
P. Janku, et.al. String Constraints with Concatenation and Transducers Solved Efficiently 20 / 22
![Page 125: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/125.jpg)
AFT→ BTS
Variables of the Boolean transition system (BTS) =states of the automaton (AFT):
I q1,q2,q3.The initial and final formulae of the BTS =initial and final formulae of the AFT:
I I = q1,I F = q2 ∧ q3.
The transition function of the BTS = conjunction of formulaederived from individual transitions of the AFT:
I Trans = ∃ symb : q1 → symb = a ∧ q′2 ∧ q′
3.
q1
q2 q3a
P. Janku, et.al. String Constraints with Concatenation and Transducers Solved Efficiently 20 / 22
![Page 126: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/126.jpg)
AFT→ BTS
Variables of the Boolean transition system (BTS) =states of the automaton (AFT):
I q1,q2,q3.The initial and final formulae of the BTS =initial and final formulae of the AFT:
I I = q1,I F = q2 ∧ q3.
The transition function of the BTS = conjunction of formulaederived from individual transitions of the AFT:
I Trans = ∃ symb : q1 → symb = a ∧ q′2 ∧ q′
3.
q1
q2 q3a
P. Janku, et.al. String Constraints with Concatenation and Transducers Solved Efficiently 20 / 22
![Page 127: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/127.jpg)
SL→ AFT
The translation into an AFT will be carried out in the following steps:1 A translation of conjunctions to AFTs.2 A translation of concatenations to AFTs:
1 Eliminating equations by substitutions.
ϕ ::= R12(name, x , y) ∧ z = w1 ◦ y ◦w2 ◦ x ◦w3 ∧R3(z, innerHtml) ∧ P(innerHtml)
AFT R12 AFT R3 AFT PP. Janku, et.al. String Constraints with Concatenation and Transducers Solved Efficiently 15 / 22
![Page 128: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/128.jpg)
Eliminating Equations by Substitutions
ϕ ::= R12(name, x , y) ∧ z = w1 ◦ y ◦w2 ◦ x ◦w3 ∧R3(z, innerHtml) ∧ P(innerHtml)
ϕ ::= R12(name, x , y) ∧ R3(w1 ◦ y ◦w2 ◦ x ◦w3, innerHtml) ∧P(innerHtml)
P. Janku, et.al. String Constraints with Concatenation and Transducers Solved Efficiently 16 / 22
![Page 129: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/129.jpg)
Eliminating Equations by Substitutions
ϕ ::= R12(name, x , y) ∧ z = w1 ◦ y ◦w2 ◦ x ◦w3 ∧R3(z, innerHtml) ∧ P(innerHtml)
ϕ ::= R12(name, x , y) ∧ R3(w1 ◦ y ◦w2 ◦ x ◦w3, innerHtml) ∧P(innerHtml)
P. Janku, et.al. String Constraints with Concatenation and Transducers Solved Efficiently 16 / 22
![Page 130: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/130.jpg)
Eliminating Equations by Substitutions
ϕ ::= R12(name, x , y) ∧ z = w1 ◦ y ◦w2 ◦ x ◦w3 ∧R3(z, innerHtml) ∧ P(innerHtml)
ϕ ::= R12(name, x , y) ∧ R3(w1 ◦ y ◦w2 ◦ x ◦w3, innerHtml) ∧P(innerHtml)
P. Janku, et.al. String Constraints with Concatenation and Transducers Solved Efficiently 16 / 22
![Page 131: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/131.jpg)
SL→ AFT
The translation into an AFT will be carried out in the following steps:1 A translation of conjunctions to AFTs.2 A translation of concatenations to AFTs:
1 Eliminating equations by substitutions.
2 Handling rational relations with concatenations in arguments.
ϕ ::= R12(name, x , y) ∧ R3(w1 ◦ y ◦ w2 ◦ x ◦ w3, innerHtml) ∧P(innerHtml)
AFT R12 AFT R3AFT PP. Janku, et.al. String Constraints with Concatenation and Transducers Solved Efficiently 17 / 22
![Page 132: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/132.jpg)
SL→ AFT
The translation into an AFT will be carried out in the following steps:1 A translation of conjunctions to AFTs.2 A translation of concatenations to AFTs:
1 Eliminating equations by substitutions.2 Handling rational relations with concatenations in arguments.
ϕ ::= R12(name, x , y) ∧ R3(w1 ◦ y ◦w2 ◦ x ◦w3, innerHtml) ∧P(innerHtml)
AFT R12 AFT R3AFT PP. Janku, et.al. String Constraints with Concatenation and Transducers Solved Efficiently 17 / 22
![Page 133: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/133.jpg)
Splitting of Arguments
Run of the AFT R
z
x
y
Consider ϕ ::= R(x ◦ y , z) ∧ ψ.
We need to split z into two parts.z = z1 ◦ z2 where z1 and z2 are freshvariables.ϕ ::= RCF (x , z1) ∧ RCI(y , z2) ∧ψ[z/z1 ◦ z2].A simple variant:
I One conjuction for everyconfiguration (set of states) C wherea run may be split.
I Exponentional (2Q) for generalAFTs.
P. Janku, et.al. String Constraints with Concatenation and Transducers Solved Efficiently 18 / 22
![Page 134: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/134.jpg)
Splitting of Arguments
Run of the AFT R
z
x
y
Consider ϕ ::= R(x ◦ y , z) ∧ ψ.We need to split z into two parts.
z = z1 ◦ z2 where z1 and z2 are freshvariables.ϕ ::= RCF (x , z1) ∧ RCI(y , z2) ∧ψ[z/z1 ◦ z2].A simple variant:
I One conjuction for everyconfiguration (set of states) C wherea run may be split.
I Exponentional (2Q) for generalAFTs.
P. Janku, et.al. String Constraints with Concatenation and Transducers Solved Efficiently 18 / 22
![Page 135: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/135.jpg)
Splitting of Arguments
Run of the AFT R
z1
z2
x
y
Consider ϕ ::= R(x ◦ y , z) ∧ ψ.We need to split z into two parts.z = z1 ◦ z2 where z1 and z2 are freshvariables.
ϕ ::= RCF (x , z1) ∧ RCI(y , z2) ∧ψ[z/z1 ◦ z2].A simple variant:
I One conjuction for everyconfiguration (set of states) C wherea run may be split.
I Exponentional (2Q) for generalAFTs.
P. Janku, et.al. String Constraints with Concatenation and Transducers Solved Efficiently 18 / 22
![Page 136: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/136.jpg)
Splitting of Arguments
Run of the AFT R
z1
z2
C
x
y
Consider ϕ ::= R(x ◦ y , z) ∧ ψ.We need to split z into two parts.z = z1 ◦ z2 where z1 and z2 are freshvariables.ϕ ::= RCF (x , z1) ∧ RCI(y , z2) ∧ψ[z/z1 ◦ z2].
A simple variant:I One conjuction for every
configuration (set of states) C wherea run may be split.
I Exponentional (2Q) for generalAFTs.
P. Janku, et.al. String Constraints with Concatenation and Transducers Solved Efficiently 18 / 22
![Page 137: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/137.jpg)
Splitting of Arguments
Run of the AFT R
z1
z2
C
x
y
Consider ϕ ::= R(x ◦ y , z) ∧ ψ.We need to split z into two parts.z = z1 ◦ z2 where z1 and z2 are freshvariables.ϕ ::= RCF (x , z1) ∧ RCI(y , z2) ∧ψ[z/z1 ◦ z2].A simple variant:
I One conjuction for everyconfiguration (set of states) C wherea run may be split.
I Exponentional (2Q) for generalAFTs.
P. Janku, et.al. String Constraints with Concatenation and Transducers Solved Efficiently 18 / 22
![Page 138: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/138.jpg)
Splitting of Arguments
Given a formula ϕ ::= R(x ◦ y , z) ∧ ψ.
R is split to two AFTs: R(x , z1) and R(y , z2).Guess the initial configuration R(y , z2) nondeterministically.
I Remember the configuration by using additional states.
Check whether the final states of R(x , z1) correspond tothe initial states of R(y , z2).
R(y , z2)
R′(x , y , z1, z2)
P. Janku, et.al. String Constraints with Concatenation and Transducers Solved Efficiently 19 / 22
![Page 139: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/139.jpg)
Splitting of Arguments
Given a formula ϕ ::= R(x ◦ y , z) ∧ ψ.R is split to two AFTs: R(x , z1) and R(y , z2).
Guess the initial configuration R(y , z2) nondeterministically.
I Remember the configuration by using additional states.
Check whether the final states of R(x , z1) correspond tothe initial states of R(y , z2).
R(x , z1) R(y , z2)
R′(x , y , z1, z2)
P. Janku, et.al. String Constraints with Concatenation and Transducers Solved Efficiently 19 / 22
![Page 140: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/140.jpg)
Splitting of Arguments
Given a formula ϕ ::= R(x ◦ y , z) ∧ ψ.R is split to two AFTs: R(x , z1) and R(y , z2).Guess the initial configuration R(y , z2) nondeterministically.
I Remember the configuration by using additional states.Check whether the final states of R(x , z1) correspond tothe initial states of R(y , z2).
R(x , z1)
R(y , z2)
R′(x , y , z1, z2)
P. Janku, et.al. String Constraints with Concatenation and Transducers Solved Efficiently 19 / 22
![Page 141: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/141.jpg)
Splitting of Arguments
Given a formula ϕ ::= R(x ◦ y , z) ∧ ψ.R is split to two AFTs: R(x , z1) and R(y , z2).Guess the initial configuration R(y , z2) nondeterministically.
I Remember the configuration by using additional states.
Check whether the final states of R(x , z1) correspond tothe initial states of R(y , z2).
R(x , z1) R(y , z2)
R′(x , y , z1, z2)
P. Janku, et.al. String Constraints with Concatenation and Transducers Solved Efficiently 19 / 22
![Page 142: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/142.jpg)
Splitting of Arguments
Given a formula ϕ ::= R(x ◦ y , z) ∧ ψ.R is split to two AFTs: R(x , z1) and R(y , z2).Guess the initial configuration R(y , z2) nondeterministically.
I Remember the configuration by using additional states.Check whether the final states of R(x , z1) correspond tothe initial states of R(y , z2).
R(x , z1) R(y , z2)
R′(x , y , z1, z2)
P. Janku, et.al. String Constraints with Concatenation and Transducers Solved Efficiently 19 / 22
![Page 143: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/143.jpg)
115
Deiision proiedure for SL
SL Acyclic
Splittingconcat
Linear blow-upfor each split
BooleanTrans.System
Model Cheiker(nuXmv, ABC)
![Page 144: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/144.jpg)
116
The TRAU fragment
1. General word-equations
2. General transducers
3. Context-free grammars
4. Length constraints
Parosh Aziz Abdulla, Mohamed Faouzi Atig, Yu-Fang Chen, Bui Phi Diep, Lukas Holik, Ahmed Rezine, Philipp Rümmer: Flatten and conquer, a framework for efcient analysis of string constraints. PLDI 2017: 602-617
![Page 145: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/145.jpg)
117
The TRAU fragment
1. General word-equations
2. General transducers
3. Context-free grammars
4. Length constraints
Parosh Aziz Abdulla, Mohamed Faouzi Atig, Yu-Fang Chen, Bui Phi Diep, Lukas Holik, Ahmed Rezine, Philipp Rümmer: Flatten and conquer, a framework for efcient analysis of string constraints. PLDI 2017: 602-617
→ undecidable!
![Page 146: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/146.jpg)
118
Overview of TRAU ...
![Page 147: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/147.jpg)
119
Are we there yet?
Expressiveness
Efciency Precision/guarantees
![Page 148: SMT, Strings, Securityregerg/ssa/string-slides.pdf · 31 An XSS vulnerability (2) JavaSiript embedded in a web-page var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x);](https://reader033.fdocuments.in/reader033/viewer/2022042303/5ecee6ea9648e02c7b7f9c34/html5/thumbnails/148.jpg)
120
Joint work with ...
Parosh Aziz Abdulla Mohamed Faouzi
Atig Yu-Fang Chen Bui Phi Diep Lukás Holík
Petr Janků Anthony W. Lin Ahmed Rezine Jari Stenman Tomás Vojnar
and others