String Solving with Word Equations and Transducers: Towards a Logic for Analysing Mutation XSS (Full Version)

TL;DR

This paper introduces a decidable fragment of string logic combining concatenations and transducers, enabling analysis of web security vulnerabilities like mutation XSS within a realistic browser model.

Contribution

It defines a decidable 'straight-line fragment' of combined string logic, applicable to security analysis and bounded model checking of string-manipulating programs.

Findings

Decidable logic fragment ranges from PSPACE to EXPSPACE complexity.

Expresses constraints for analyzing mutation XSS in web applications.

Remains decidable with additional constraints like length and regular constraints.

Abstract

We study the fundamental issue of decidability of satisfiability over string logics with concatenations and finite-state transducers as atomic operations. Although restricting to one type of operations yields decidability, little is known about the decidability of their combined theory, which is especially relevant when analysing security vulnerabilities of dynamic web pages in a more realistic browser model. On the one hand, word equations (string logic with concatenations) cannot precisely capture sanitisation functions (e.g. htmlescape) and implicit browser transductions (e.g. innerHTML mutations). On the other hand, transducers suffer from the reverse problem of being able to model sanitisation functions and browser transductions, but not string concatenations. Naively combining word equations and transducers easily leads to an undecidable logic. Our main contribution is to show that the "straight-line fragment" of the logic is decidable (complexity ranges from PSPACE to EXPSPACE). The fragment can express the program logics of straight-line string-manipulating programs with concatenations and transductions as atomic operations, which arise when performing bounded model checking or dynamic symbolic executions. We demonstrate that the logic can naturally express constraints required for analysing mutation XSS in web applications. Finally, the logic remains decidable in the presence of length, letter-counting, regular, indexOf, and disequality constraints.