Static security analysis using a hybrid representation of string values

What is claimed is: 1. A hybrid string constructor, comprising: a string parser configured to parse received string information to produce one or more string components; a database configured to store a set of known concretizations; a processor configured to compare the one or more string components to the set of known concretizations to determine string components that may be represented concretely, to abstract all string components that could not be represented concretely, and to create a hybrid string representation that includes at least one concrete string component and at least one abstracted string component; and wherein the set of known concretizations includes string configurations that cannot be interfered with by an attacker. 2. The hybrid string constructor of claim 1 , wherein the set of known concretizations further includes strings that refer to a page's uniform resource location. 3. The hybrid string constructor of claim 2 , wherein the set of known concretizations further includes strings that include the JavaScript object “document.location”. 4. The hybrid string constructor of claim 1 , wherein the processor is further configured to bind between an external configuration file and string variables to automatically concretize a string component. 5. The hybrid string constructor of claim 4 , wherein the processor is further configured to monitor framework interfaces used to retrieve string values from the configuration files. 6. The hybrid string constructor of claim 1 , wherein the processor is further configured to replace a string component with one or more regular expressions to abstract the string component. 7. The hybrid string constructor of claim 1 , wherein the processor is further configured to concatenate said at least one concrete string component and said at least one abstracted string component to form a hybrid string representation. 8. The hybrid string constructor of claim 1 , wherein the string information comprises a combination of program code and markup code. 9. A static analysis system for static analysis, comprising: a source parser configured to accept program code and to parse said program code into string information; a hybrid string constructor comprising: a string parser configured to parse received string information to produce one or more string components; a database configured to store a set of known concretizations; wherein the set of known concretizations includes string configurations that cannot be interfered with by an attacker; and a processor configured to compare the one or more string components to the set of known concretizations to determine string components that may be represented concretely, to abstract all string components that could not be represented concretely, and to create a hybrid string representation that includes at least one concrete string component and at least one abstracted string component; and a static analysis module configured to perform a taint analysis on the hybrid string representation to locate potential vulnerabilities. 10. The static security system of claim 9 , wherein the set of known concretizations further includes strings that refer to a page's uniform resource location. 11. The static security system of claim 10 , wherein the set of known concretizations further includes strings that include the JavaScript object “document.location”. 12. The static security system of claim 9 , wherein the processor is further configured to bind between an external configuration file and string variables to automatically concretize a string component. 13. The static security system of claim 12 , wherein the processor is further configured to monitor framework interfaces used to retrieve string values from the configuration files. 14. The static security system of claim 9 , wherein the processor is further configured to replace a string component with one or more regular expressions to abstract the string component. 15. The static security system of claim 9 , wherein the processor is further configured to concatenate said at least one concrete string component and said at least one abstracted string component to form a hybrid string representation. 16. The static security system of claim 9 , wherein the string information comprises a combination of program code and markup code. 17. A static analysis system for static analysis, comprising: a source parser configured to accept program code and to parse said program code into string information; a hybrid string constructor comprising: a string parser configured to parse received string information to produce one or more string components; a database configured to store a set of known concretizations that include string configurations that cannot be interfered with by an attacker; and a processor configured to compare the one or more string components to the set of known concretizations to determine string components that may be represented concretely, to abstract all string components that could not be represented concretely by replacing said string components with one or more regular expressions, and to create a hybrid string representation that includes at least one concrete string component and at least one abstracted string component by concatenating said at least one string component and said at least one abstracted string component; and a static analysis module configured to perform a taint analysis on the hybrid string representation to locate potential vulnerabilities.