{"id":"https://openalex.org/W7117315963","doi":"https://doi.org/10.48550/arxiv.2512.20705","title":"Anota: Identifying Business Logic Vulnerabilities via Annotation-Based Sanitization","display_name":"Anota: Identifying Business Logic Vulnerabilities via Annotation-Based Sanitization","publication_year":2025,"publication_date":"2025-12-23","ids":{"openalex":"https://openalex.org/W7117315963","doi":"https://doi.org/10.48550/arxiv.2512.20705"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2512.20705","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2512.20705","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2512.20705","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5100377097","display_name":"Meng Wang","orcid":"https://orcid.org/0000-0001-6699-6902"},"institutions":[],"countries":[],"is_corresponding":true,"raw_author_name":"Wang, Meng","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5076251456","display_name":"Philipp G\u00f6rz","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"G\u00f6rz, Philipp","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5024986710","display_name":"Joschua Schilling","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Schilling, Joschua","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5056634204","display_name":"Keno Ha\u00dfler","orcid":"https://orcid.org/0009-0008-9115-2769"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Hassler, Keno","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5102749086","display_name":"Liwei Guo","orcid":"https://orcid.org/0000-0001-8516-8045"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Guo, Liwei","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5056790702","display_name":"Thorsten Holz","orcid":"https://orcid.org/0000-0002-2783-1264"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Holz, Thorsten","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5121314085","display_name":"Ali Abbasi","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Abbasi, Ali","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":7,"corresponding_author_ids":["https://openalex.org/A5100377097"],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.43130001425743103,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.43130001425743103,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.26750001311302185,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.05959999933838844,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/fuzz-testing","display_name":"Fuzz testing","score":0.7562000155448914},{"id":"https://openalex.org/keywords/heuristics","display_name":"Heuristics","score":0.48339998722076416},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.42170000076293945},{"id":"https://openalex.org/keywords/business-logic","display_name":"Business logic","score":0.40400001406669617},{"id":"https://openalex.org/keywords/business-rule","display_name":"Business rule","score":0.30709999799728394},{"id":"https://openalex.org/keywords/security-policy","display_name":"Security policy","score":0.29649999737739563},{"id":"https://openalex.org/keywords/logic-model","display_name":"Logic model","score":0.2937999963760376},{"id":"https://openalex.org/keywords/secure-coding","display_name":"Secure coding","score":0.2847999930381775}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8090999722480774},{"id":"https://openalex.org/C111065885","wikidata":"https://www.wikidata.org/wiki/Q1189053","display_name":"Fuzz testing","level":3,"score":0.7562000155448914},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.5579000115394592},{"id":"https://openalex.org/C127705205","wikidata":"https://www.wikidata.org/wiki/Q5748245","display_name":"Heuristics","level":2,"score":0.48339998722076416},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.42170000076293945},{"id":"https://openalex.org/C146222976","wikidata":"https://www.wikidata.org/wiki/Q1204997","display_name":"Business logic","level":2,"score":0.40400001406669617},{"id":"https://openalex.org/C11066294","wikidata":"https://www.wikidata.org/wiki/Q1518244","display_name":"Business rule","level":4,"score":0.30709999799728394},{"id":"https://openalex.org/C154908896","wikidata":"https://www.wikidata.org/wiki/Q2167404","display_name":"Security policy","level":2,"score":0.29649999737739563},{"id":"https://openalex.org/C2775940519","wikidata":"https://www.wikidata.org/wiki/Q17067742","display_name":"Logic model","level":2,"score":0.2937999963760376},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.29339998960494995},{"id":"https://openalex.org/C22680326","wikidata":"https://www.wikidata.org/wiki/Q7444867","display_name":"Secure coding","level":5,"score":0.2847999930381775},{"id":"https://openalex.org/C2781251061","wikidata":"https://www.wikidata.org/wiki/Q5416089","display_name":"Evasion (ethics)","level":3,"score":0.28360000252723694},{"id":"https://openalex.org/C2779628075","wikidata":"https://www.wikidata.org/wiki/Q1253258","display_name":"Downgrade","level":2,"score":0.28220000863075256},{"id":"https://openalex.org/C131275738","wikidata":"https://www.wikidata.org/wiki/Q7445023","display_name":"Security bug","level":5,"score":0.2799000144004822},{"id":"https://openalex.org/C184337299","wikidata":"https://www.wikidata.org/wiki/Q1437428","display_name":"Semantics (computer science)","level":2,"score":0.27059999108314514},{"id":"https://openalex.org/C110251889","wikidata":"https://www.wikidata.org/wiki/Q1569697","display_name":"Model checking","level":2,"score":0.263700008392334},{"id":"https://openalex.org/C85345410","wikidata":"https://www.wikidata.org/wiki/Q851587","display_name":"Business process","level":3,"score":0.2590999901294708},{"id":"https://openalex.org/C46934059","wikidata":"https://www.wikidata.org/wiki/Q61515","display_name":"Outsourcing","level":2,"score":0.2567000091075897},{"id":"https://openalex.org/C172776598","wikidata":"https://www.wikidata.org/wiki/Q7943570","display_name":"Vulnerability management","level":4,"score":0.2549000084400177}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2512.20705","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2512.20705","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2512.20705","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2512.20705","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"sustainable_development_goals":[{"id":"https://metadata.un.org/sdg/16","display_name":"Peace, Justice and strong institutions","score":0.791591465473175}],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Detecting":[0],"business":[1,50,83,242],"logic":[2,51,84,243],"vulnerabilities":[3,39,85,221],"is":[4,99],"a":[5,87,100,116,123,179,234],"critical":[6],"challenge":[7,113],"in":[8,16,96,203],"software":[9,94],"security.":[10],"These":[11,228],"flaws":[12,55,244],"come":[13],"from":[14],"mistakes":[15],"an":[17,142],"application's":[18,143],"design":[19],"or":[20],"implementation":[21],"and":[22,73,80,182,216,236],"allow":[23],"attackers":[24],"to":[25,41,48,63,68,131],"trigger":[26],"unintended":[27],"application":[28],"behavior.":[29,145],"Traditional":[30],"fuzzing":[31],"sanitizers":[32],"for":[33,239],"dynamic":[34],"analysis":[35],"excel":[36],"at":[37],"finding":[38,189],"related":[40],"memory":[42],"safety":[43],"violations":[44],"but":[45],"largely":[46],"fail":[47],"detect":[49],"vulnerabilities,":[52,215],"as":[53,137],"these":[54],"require":[56],"understanding":[57],"application-specific":[58],"semantic":[59],"context.":[60],"Recent":[61],"attempts":[62],"infer":[64],"this":[65,98,108,112],"context,":[66],"due":[67],"their":[69,134],"reliance":[70],"on":[71],"heuristics":[72],"non-portable":[74],"language":[75],"features,":[76],"are":[77],"inherently":[78],"brittle":[79],"incomplete.":[81],"As":[82],"constitute":[86],"majority":[88],"(27/40)":[89],"of":[90,104,173,205],"the":[91,157,161,171,193,226],"most":[92],"dangerous":[93],"weaknesses":[95],"practice,":[97],"worrying":[101],"blind":[102],"spot":[103],"existing":[105],"tools.":[106],"In":[107],"paper,":[109],"we":[110,175],"tackle":[111],"with":[114,178,192],"ANOTA,":[115,174],"novel":[117],"human-in-the-loop":[118],"sanitizer":[119],"framework.":[120],"ANOTA":[121,177,232],"introduces":[122],"lightweight,":[124],"user-friendly":[125],"annotation":[126],"system":[127],"that":[128,140,166,199,231],"enables":[129],"users":[130],"directly":[132],"encode":[133],"domain-specific":[135],"knowledge":[136],"lightweight":[138],"annotations":[139],"define":[141],"intended":[144],"A":[146],"runtime":[147],"execution":[148],"monitor":[149],"then":[150],"observes":[151],"program":[152],"behavior,":[153],"comparing":[154],"it":[155,184],"against":[156,185],"policies":[158],"defined":[159],"by":[160,247],"annotations,":[162],"thereby":[163],"identifying":[164],"deviations":[165],"indicate":[167],"vulnerabilities.":[168],"To":[169],"evaluate":[170],"effectiveness":[172],"combine":[176],"state-of-the-art":[180],"fuzzer":[181],"compare":[183],"other":[186],"popular":[187],"bug":[188],"methods":[190],"compatible":[191],"same":[194],"targets.":[195],"The":[196],"results":[197,229],"show":[198],"ANOTA+FUZZER":[200,209],"outperforms":[201],"them":[202],"terms":[204],"effectiveness.":[206],"More":[207],"specifically,":[208],"can":[210],"successfully":[211],"reproduce":[212],"43":[213],"known":[214],"discovered":[217],"22":[218],"previously":[219],"unknown":[220],"(17":[222],"CVEs":[223],"assigned)":[224],"during":[225],"evaluation.":[227],"demonstrate":[230],"provides":[233],"practical":[235],"effective":[237],"approach":[238],"uncovering":[240],"complex":[241],"often":[245],"missed":[246],"traditional":[248],"security":[249],"testing":[250],"techniques.":[251]},"counts_by_year":[],"updated_date":"2026-04-29T09:16:38.111599","created_date":"2025-12-26T00:00:00"}