[1] Open Web Application Security Project. The ten most critical Web application security vulnerabilities [R/OL]. [2014-12-20]. http://www.owasp.org.cn/owasp-project/download/OWASPTop102013V1.2.pdf. [2] LAM M S, MARTIN M, LIVSHITS B, et al. Securing Web applications with static and dynamic information flow tracking [C]//PEPM'08: Proceedings of the 2008 ACM SIGPLAN Symposium on Partial Evaluation and Semantics-based Program Manipulation. New York: ACM, 2008: 3-12. [3] CHANG W, STERIFF B, LIN C. Efficient and extensible security enforcement using dynamic data flow analysis [C]//CCS'08: Proceedings of the 15th ACM Conference on Computer and Communications Security. New York: ACM, 2008: 39-50. [4] HALDAR V, CHANDRA D, FRANZ M. Dynamic taint propagation for Java [C]//Proceedings of the 21st Annual Computer Security Applications Conference. Piscataway: IEEE, 2005: 274-282. [5] CHIN E, WAGNER D. Efficient character-level taint tracking for Java [C]//SWS 2009: Proceedings of the 6th ACM Workshop on Secure Web Services. New York: ACM, 2009: 2-12. [6] XU W, BHATKAR S, SEKAR R. Taint-enhanced policy enforcement: a practical approach to defeat a wide range of attacks [C]//USENIX-SS'06: Proceedings of the 15th USENIX Security Symposium. Berkeley: USENIX Association, 2006, 15: Article No. 9. [7] NEWSOME J, SONG D. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software [C]//NDSS Symposium 2005: Proceedings of the 2005 Symposium on Network and Distributed System Security. [S.l.]: Internet Society, 2005:116-128. [8] NGUYEN-TUONG A, GUARNIERI S, GREENE D, et al. Automatically hardening Web applications using precise tainting [C]//IFIP TC11: Proceedings of the 20th International Information Security Conference. Berlin: Springer, 2005: 372-382. [9] HALFOND W,ORSO A, MANOLIOS P. WASP: protecting Web applications using positive tainting and syntax-aware evaluation [J]. IEEE Transactions on Software Engineering, 2008, 34(1): 65-81. [10] SON S, McKINLEY K S, SHMATIKOV V. Diglossia: detecting code injection attacks with precision and efficiency [C]//CCS'13: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2013: 1181-1191. [11] PIETRASZEK T, BERGHE C V. Defending against injection attacks through context-sensitive string evaluation [C]//RAID 2005: Proceedings of the 8th International Symposium on Recent Advances in Intrusion Detection, LNCS 3858. Berlin: Springer, 2005: 124-145. [12] WANG Y,LI Z,GUO T. Literal tainting method for preventing code injection attack in Web application [J]. Journal of Computer Research and Development, 2012, 49(11): 2414-2423. (王溢,李舟军,郭涛.防御代码注入式攻击的字面值污染方法[J].计算机研究与发展,2012,49(11):2414-2423.) [13] HUANG Y-W,YU F,HANG C, et al. Securing Web application code by static analysis and runtime protection [C]//WWW'04: Proceedings of the 13th International Conference on World Wide Web.New York: ACM, 2004: 40-52. [14] VOGT P, NENTWICH F, JOVANOVIC N, et al. Cross-site scripting prevention with dynamic data tainting and static analysis [C]//NDSS 2007: Proceeding of the 2007 Network and Distributed System Security Symposium. London: dblp Computer Science Bibliography, 2007: 189-197. [15] RAY D, LIGATTI J. Defining code-injection attacks [C]//POPL '12: Proceedings of the 39th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages. New York: ACM, 2012: 179-190. [16] BISHT P,VENKATAKRISHNAN V N. XSS-GUARD: precise dynamic prevention of cross-site scripting attacks [C]//DIMVA '08: Proceedings of the 5th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment. New York: ACM, 2008: 23-43. [17] SCHWARTZ E J, AVGERINOS T, BRUMLEY D. All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask) [C]//SP'10: Proceedings of the 2010 IEEE Symposium on Security and Privacy. Washington, DC: IEEE Computer Society, 2010: 317-331. |