Your search keyword '"Giovanni Vigna"' showing total 6 results

1. Sailfish: Vetting Smart Contract State-Inconsistency Bugs in Seconds

Author

Priyanka Bose, Dipanjan Das, Yanju Chen, Yu Feng, Christopher Kruegel, and Giovanni Vigna

Subjects

FOS: Computer and information sciences, History, Computer Science - Cryptography and Security, Computer Science - Programming Languages, Polymers and Plastics, Business and International Management, Cryptography and Security (cs.CR), Industrial and Manufacturing Engineering, Programming Languages (cs.PL)

Abstract

This paper presents SAILFISH, a scalable system for automatically finding state-inconsistency bugs in smart contracts. To make the analysis tractable, we introduce a hybrid approach that includes (i) a light-weight exploration phase that dramatically reduces the number of instructions to analyze, and (ii) a precise refinement phase based on symbolic evaluation guided by our novel value-summary analysis, which generates extra constraints to over-approximate the side effects of whole-program execution, thereby ensuring the precision of the symbolic evaluation. We developed a prototype of SAILFISH and evaluated its ability to detect two state-inconsistency flaws, viz., reentrancy and transaction order dependence (TOD) in Ethereum smart contracts. Further, we present detection rules for other kinds of smart contract flaws that SAILFISH can be extended to detect. Our experiments demonstrate the efficiency of our hybrid approach as well as the benefit of the value summary analysis. In particular, we show that S SAILFISH outperforms five state-of-the-art smart contract analyzers (SECURITY, MYTHRIL, OYENTE, SEREUM and VANDAL ) in terms of performance, and precision. In total, SAILFISH discovered 47 previously unknown vulnerable smart contracts out of 89,853 smart contracts from ETHERSCAN .

Published

2022

2. Impacts of functional oligosaccharide on intestinal immune modulation in immunosuppressive mice

Author

Ma, Yan, primary, Peng, Xia, additional, Yang, Jingyu, additional, Giovanni, Vigna, additional, and Wang, Chen, additional

Published

2020

3. Key composition optimization of meat processed protein source by vacuum freeze-drying technology

Author

Ma, Yan, primary, Wu, Xingzhuang, additional, Zhang, Qi, additional, Giovanni, Vigna, additional, and Meng, Xianjun, additional

Published

2018

4. Client-side cross-site scripting protection

Author

Giovanni Vigna, Nenad Jovanovic, Engin Kirda, and Christopher Kruegel

Subjects

Client-side scripting, General Computer Science, business.industry, Computer science, Cross-site scripting, Cross-site request forgery, Dynamic web page, Character encodings in HTML, Content Security Policy, Client-side, Computer security, computer.software_genre, JavaScript, Internet security, World Wide Web, Upload, Scripting language, Server-side scripting, Web page, HTML scripting, Web application, business, Law, computer, computer.programming_language

Abstract

Web applications are becoming the dominant way to provide access to online services. At the same time, web application vulnerabilities are being discovered and disclosed at an alarming rate. Web applications often make use of JavaScript code that is embedded into web pages to support dynamic client-side behavior. This script code is executed in the context of the user's web browser. To protect the user's environment from malicious JavaScript code, browsers use a sand-boxing mechanism that limits a script to access only resources associated with its origin site. Unfortunately, these security mechanisms fail if a user can be lured into downloading malicious JavaScript code from an intermediate, trusted site. In this case, the malicious script is granted full access to all resources (e.g., authentication tokens and cookies) that belong to the trusted site. Such attacks are called cross-site scripting (XSS) attacks. In general, XSS attacks are easy to execute, but difficult to detect and prevent. One reason is the high flexibility of HTML encoding schemes, offering the attacker many possibilities for circumventing server-side input filters that should prevent malicious scripts from being injected into trusted sites. Also, devising a client-side solution is not easy because of the difficulty of identifying JavaScript code as being malicious. This paper presents Noxes, which is, to the best of our knowledge, the first client-side solution to mitigate cross-site scripting attacks. Noxes acts as a web proxy and uses both manual and automatically generated rules to mitigate possible cross-site scripting attempts. Noxes effectively protects against information leakage from the user's environment while requiring minimal user interaction and customization effort.

Published

2009

5. Effects of soybean oligosaccharides on intestinal microbial communities and immune modulation in mice

Author

Ma, Yan, primary, Wu, Xingzhuang, additional, Giovanni, Vigna, additional, and Meng, Xianjun, additional

Published

2017

6. A multi-model approach to the detection of web-based attacks

Author

William Robertson, Giovanni Vigna, and Christopher Kruegel

Subjects

Web server, Computer Networks and Communications, Computer science, business.industry, Anomaly-based intrusion detection system, Vulnerability, Intrusion detection system, computer.software_genre, Computer security, Misuse detection, False positive paradox, Web application, Anomaly detection, Data mining, business, computer

Abstract

Web-based vulnerabilities represent a substantial portion of the security exposures of computer networks. In order to detect known web-based attacks, misuse detection systems are equipped with a large number of signatures. Unfortunately, it is difficult to keep up with the daily disclosure of web-related vulnerabilities, and, in addition, vulnerabilities may be introduced by installation-specific web-based applications. Therefore, misuse detection systems should be complemented with anomaly detection systems. This paper presents an intrusion detection system that uses a number of different anomaly detection techniques to detect attacks against web servers and web-based applications. The system analyzes client queries that reference server-side programs and creates models for a wide-range of different features of these queries. Examples of such features are access patterns of server-side programs or values of individual parameters in their invocation. In particular, the use of application-specific characterization of the invocation parameters allows the system to perform focused analysis and produce a reduced number of false positives. The system derives automatically the parameter profiles associated with web applications (e.g., length and structure of parameters) and relationships between queries (e.g., access times and sequences) from the analyzed data. Therefore, it can be deployed in very different application environments without having to perform time-consuming tuning and configuration.

Published

2005