Group colloquium: Reasoning about the correctness of sanitizers

When: March 7, 2019, 15:45-16:30

Who: Sophie Lathouwers

Many web applications use sanitizers in order to defend against attacks such as SQL injections and XSS. However, it is difficult to write correct sanitizers. Therefore I have developed a method to reason about the correctness of sanitizer implementations. This method learns models, symbolic finite transducers, in a black-box manner, which then describe the behavior of the sanitizers. These models are then compared to specified models in order to find erroneous behavior. I have implemented this method in a tool called SFTLearning which can automatically derive models from real-world sanitizers.
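An added illustration of the comparison the abstract describes, written for this page and not taken from SFTLearning: a minimal symbolic finite transducer (SFT) whose transitions carry character predicates and output functions, a specification model of an HTML-escaping sanitizer, and a bounded check that finds the shortest input on which a second model (a constructed stand-in for a learned one, which here forgets to escape quotes) disagrees with the specification. All class, function and constant names are assumptions made for the example.

```python
# Added example, not SFTLearning's code: a minimal symbolic finite transducer (SFT)
# and a bounded comparison of a sanitizer model against its specification.
from itertools import product
from typing import Callable, Dict, List, Optional, Tuple

# A transition fires when its predicate holds for the input character; it then
# emits the output function's result and moves to the next state.
Transition = Tuple[Callable[[str], bool], Callable[[str], str], str]

class SFT:
    def __init__(self, initial: str, transitions: Dict[str, List[Transition]]):
        self.initial = initial
        self.transitions = transitions

    def run(self, text: str) -> Optional[str]:
        """Transduce text character by character; None means no transition applied."""
        state, out = self.initial, []
        for ch in text:
            for pred, emit, nxt in self.transitions[state]:
                if pred(ch):
                    out.append(emit(ch))
                    state = nxt
                    break
            else:
                return None
        return "".join(out)

def escaping_sft(table: Dict[str, str]) -> SFT:
    """Single-state SFT: characters in `table` are replaced, all others pass through."""
    edges: List[Transition] = [(lambda c, k=k: c == k, lambda c, v=v: v, "q0")
                               for k, v in table.items()]
    edges.append((lambda c: True, lambda c: c, "q0"))  # default: identity
    return SFT("q0", {"q0": edges})

# Specification of an HTML-escaping sanitizer (constructed for this example).
SPEC = escaping_sft({"<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;", "'": "&#39;"})
# Constructed stand-in for a learned model of an implementation that forgets quotes.
BUGGY = escaping_sft({"<": "&lt;", ">": "&gt;", "&": "&amp;"})
ALPHABET = ["a", "<", ">", "&", '"', "'"]

def find_counterexample(spec: SFT, impl: SFT, alphabet: List[str], max_len: int) -> Optional[str]:
    """Bounded check: shortest input (up to max_len) on which the two models disagree."""
    for n in range(max_len + 1):
        for chars in product(alphabet, repeat=n):
            word = "".join(chars)
            if spec.run(word) != impl.run(word):
                return word
    return None
```

The bounded enumeration stands in for the exact SFT equivalence check the talk's method relies on; it is enough to surface the missing quote escaping as the single-character counterexample `"`.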