Table of Contents
Fetching ...

Anota: Identifying Business Logic Vulnerabilities via Annotation-Based Sanitization

Meng Wang, Philipp Görz, Joschua Schilling, Keno Hassler, Liwei Guo, Thorsten Holz, Ali Abbasi

TL;DR

ANOTA tackles the detection gap for business logic vulnerabilities by introducing a human-in-the-loop, annotation-driven sanitizer that separates policy from mechanism. Developers encode their domain knowledge as lightweight annotations, which are enforced by a runtime policy monitor during dynamic analysis, enabling standard fuzzers to surface semantic-policy violations. Empirical results show that ANOTA+Fuzzer rediscovered 43 known vulnerabilities and found 22 new zero-day vulnerabilities (17 CVEs) across real-world Python projects, with modest overhead (~5–10%). Usability studies indicate annotations are intuitive, and practitioners regard the approach as a practical enhancement to existing testing workflows. The work demonstrates a scalable, extensible path to bridge semantic gaps left by traditional sanitizers and static analyzers, with open-source artifacts to support adoption and further research.

Abstract

Detecting business logic vulnerabilities is a critical challenge in software security. These flaws come from mistakes in an application's design or implementation and allow attackers to trigger unintended application behavior. Traditional fuzzing sanitizers for dynamic analysis excel at finding vulnerabilities related to memory safety violations but largely fail to detect business logic vulnerabilities, as these flaws require understanding application-specific semantic context. Recent attempts to infer this context, due to their reliance on heuristics and non-portable language features, are inherently brittle and incomplete. As business logic vulnerabilities constitute a majority (27/40) of the most dangerous software weaknesses in practice, this is a worrying blind spot of existing tools. In this paper, we tackle this challenge with ANOTA, a novel human-in-the-loop sanitizer framework. ANOTA introduces a lightweight, user-friendly annotation system that enables users to directly encode their domain-specific knowledge as lightweight annotations that define an application's intended behavior. A runtime execution monitor then observes program behavior, comparing it against the policies defined by the annotations, thereby identifying deviations that indicate vulnerabilities. To evaluate the effectiveness of ANOTA, we combine ANOTA with a state-of-the-art fuzzer and compare it against other popular bug finding methods compatible with the same targets. The results show that ANOTA+FUZZER outperforms them in terms of effectiveness. More specifically, ANOTA+FUZZER can successfully reproduce 43 known vulnerabilities, and discovered 22 previously unknown vulnerabilities (17 CVEs assigned) during the evaluation. These results demonstrate that ANOTA provides a practical and effective approach for uncovering complex business logic flaws often missed by traditional security testing techniques.

Anota: Identifying Business Logic Vulnerabilities via Annotation-Based Sanitization

TL;DR

ANOTA tackles the detection gap for business logic vulnerabilities by introducing a human-in-the-loop, annotation-driven sanitizer that separates policy from mechanism. Developers encode their domain knowledge as lightweight annotations, which are enforced by a runtime policy monitor during dynamic analysis, enabling standard fuzzers to surface semantic-policy violations. Empirical results show that ANOTA+Fuzzer rediscovered 43 known vulnerabilities and found 22 new zero-day vulnerabilities (17 CVEs) across real-world Python projects, with modest overhead (~5–10%). Usability studies indicate annotations are intuitive, and practitioners regard the approach as a practical enhancement to existing testing workflows. The work demonstrates a scalable, extensible path to bridge semantic gaps left by traditional sanitizers and static analyzers, with open-source artifacts to support adoption and further research.

Abstract

Detecting business logic vulnerabilities is a critical challenge in software security. These flaws come from mistakes in an application's design or implementation and allow attackers to trigger unintended application behavior. Traditional fuzzing sanitizers for dynamic analysis excel at finding vulnerabilities related to memory safety violations but largely fail to detect business logic vulnerabilities, as these flaws require understanding application-specific semantic context. Recent attempts to infer this context, due to their reliance on heuristics and non-portable language features, are inherently brittle and incomplete. As business logic vulnerabilities constitute a majority (27/40) of the most dangerous software weaknesses in practice, this is a worrying blind spot of existing tools. In this paper, we tackle this challenge with ANOTA, a novel human-in-the-loop sanitizer framework. ANOTA introduces a lightweight, user-friendly annotation system that enables users to directly encode their domain-specific knowledge as lightweight annotations that define an application's intended behavior. A runtime execution monitor then observes program behavior, comparing it against the policies defined by the annotations, thereby identifying deviations that indicate vulnerabilities. To evaluate the effectiveness of ANOTA, we combine ANOTA with a state-of-the-art fuzzer and compare it against other popular bug finding methods compatible with the same targets. The results show that ANOTA+FUZZER outperforms them in terms of effectiveness. More specifically, ANOTA+FUZZER can successfully reproduce 43 known vulnerabilities, and discovered 22 previously unknown vulnerabilities (17 CVEs assigned) during the evaluation. These results demonstrate that ANOTA provides a practical and effective approach for uncovering complex business logic flaws often missed by traditional security testing techniques.
Paper Structure (52 sections, 1 figure, 9 tables)