TAJ: effective taint analysis of web applications

Published: 15 June 2009

ABSTRACT

Taint analysis, a form of information-flow analysis, establishes whether values from untrusted methods and parameters may flow into security-sensitive operations. Taint analysis can detect many common vulnerabilities in Web applications, and so has attracted much attention from both the research community and industry. However, most static taint-analysis tools do not address critical requirements for an industrial-strength tool. Specifically, an industrial-strength tool must scale to large industrial Web applications, model essential Web-application code artifacts, and generate consumable reports for a wide range of attack vectors.

We have designed and implemented a static Taint Analysis for Java (TAJ) that meets the requirements of industry-level applications. TAJ can analyze applications of virtually any size, as it employs a set of techniques designed to produce useful answers given limited time and space. TAJ addresses a wide variety of attack vectors, with techniques to handle reflective calls, flow through containers, nested taint, and issues in generating useful reports. This paper provides a description of the algorithms comprising TAJ, evaluates TAJ against production-level benchmarks, and compares it with alternative solutions.
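The abstract describes taint analysis as a reachability question (can data from an untrusted source reach a security-sensitive sink without passing through a sanitizer?) and names two cases an industrial tool must model: flow through containers and nested taint. The following is an added illustration written for this page, not TAJ's code; TAJ analyzes Java Web applications, whereas this is a self-contained Python toy over a straight-line three-address program. The method names in SOURCES, SINKS and SANITIZERS and the sample PROGRAM are constructed for the example, "nested taint" is modelled here as a tainted field inside an otherwise untainted object (my reading of the term), and the toy assumes locals do not alias and has no branches or loops, which is exactly what a real analysis needs pointer analysis and a control-flow graph for.

```python
"""Toy taint analysis over a straight-line three-address IR (added example).

Illustrative code, not TAJ's implementation. It shows the source-to-sink
reachability question the abstract describes and two of the cases the
abstract names: flow through containers (a value stored in a Map and read
back) and nested taint (a tainted field inside an object that is itself
untainted). Method names in SOURCES/SINKS/SANITIZERS and the sample program
are constructed for the example.
"""
from typing import Dict, FrozenSet, List, Set, Tuple

# Policy: attacker-controlled producers, dangerous consumers (with the
# vulnerability class each would cause), and the class each sanitizer removes.
SOURCES = {"request.getParameter", "request.getHeader"}
SINKS = {"statement.executeQuery": "SQLi", "response.write": "XSS"}
SANITIZERS = {"encodeForHTML": "XSS", "escapeSQL": "SQLi"}

# A taint fact: where the data came from and which sink classes it can still trigger.
Taint = Tuple[str, FrozenSet[str]]
Finding = Tuple[str, str, str]  # (vulnerability class, source site, sink site)


def analyze(program: List[tuple]) -> List[Finding]:
    """Propagate taint through one straight-line method body.

    Access paths are plain strings: 'x' for a local, 'obj.f' for a field and
    'm[*]' for the (key-insensitive) contents of a container. Locals are
    assumed not to alias; a real analysis such as TAJ needs pointer analysis.
    """
    env: Dict[str, Set[Taint]] = {}
    findings: List[Finding] = []

    def taint_of(path: str) -> Set[Taint]:
        return env.get(path, set())

    def join(paths) -> Set[Taint]:
        out: Set[Taint] = set()
        for p in paths:
            out |= taint_of(p)
        return out

    for pc, ins in enumerate(program):
        op = ins[0]
        if op == "call":
            _, dst, callee, args = ins
            incoming = join(args)
            if callee in SOURCES:
                # Fresh taint: can still reach every sink class.
                env[dst] = {(f"{callee}@{pc}", frozenset(SINKS.values()))}
            elif callee in SANITIZERS:
                # A sanitizer neutralises one class only; the rest survive.
                gone = SANITIZERS[callee]
                env[dst] = {(src, kinds - {gone}) for src, kinds in incoming if kinds - {gone}}
            elif callee in SINKS:
                kind = SINKS[callee]
                for src, kinds in incoming:
                    if kind in kinds:
                        findings.append((kind, src, f"{callee}@{pc}"))
            else:
                # Unmodelled method: conservatively pass argument taint to the result.
                env[dst] = incoming
        elif op == "assign":
            _, dst, src = ins
            env[dst] = set(taint_of(src))
        elif op == "put":          # container.put(value): taint the whole container
            _, container, value = ins
            env[f"{container}[*]"] = taint_of(f"{container}[*]") | taint_of(value)
        elif op == "get":          # dst = container.get(key)
            _, dst, container = ins
            env[dst] = set(taint_of(f"{container}[*]"))
        elif op == "setfield":     # obj.fld = value (nested taint lives on obj.fld, not obj)
            _, obj, fld, value = ins
            env[f"{obj}.{fld}"] = set(taint_of(value))
        elif op == "getfield":     # dst = obj.fld
            _, dst, obj, fld = ins
            env[dst] = set(taint_of(f"{obj}.{fld}"))
        elif op == "concat":       # dst = a + b + ...: string building merges taint
            _, dst, *parts = ins
            env[dst] = join(parts)
        else:
            raise ValueError(f"unknown op {op!r} at pc {pc}")
    return findings


# Constructed sample: a servlet-style method in three-address form.
PROGRAM = [
    ("call", "user", "request.getParameter", ("req", "key")),   # pc 0: source
    ("put", "m", "user"),                                       # pc 1: into a Map
    ("get", "name", "m"),                                       # pc 2: back out of the Map
    ("setfield", "u", "name", "name"),                          # pc 3: u stays clean, u.name is tainted
    ("getfield", "tmp", "u", "name"),                           # pc 4
    ("concat", "html", "prefix", "tmp"),                        # pc 5: "<b>" + tmp
    ("call", "safe", "encodeForHTML", ("html",)),               # pc 6: fixes XSS, not SQLi
    ("call", "_", "response.write", ("safe",)),                 # pc 7: XSS sink, no report
    ("call", "_", "statement.executeQuery", ("safe",)),         # pc 8: SQLi sink, reported
]

if __name__ == "__main__":
    for kind, src, sink in analyze(PROGRAM):
        print(f"{kind}: {src} -> {sink}")
```

Running it reports a single SQL-injection path from the `getParameter` call at pc 0 to the `executeQuery` call at pc 8: the taint survives the Map round trip and the field store, and `encodeForHTML` removes only the XSS class, so the same value is still dangerous at the SQL sink. The report carries source and sink sites because, as the abstract notes, a finding a developer cannot trace is of little use.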


        • Published in

          PLDI '09: Proceedings of the 30th ACM SIGPLAN Conference on Programming Language Design and Implementation
          June 2009
          492 pages
          ISBN:9781605583921
          DOI:10.1145/1542476
            ACM SIGPLAN Notices  Volume 44, Issue 6
            PLDI '09
            June 2009
            478 pages
            ISSN:0362-1340
            EISSN:1558-1160
            DOI:10.1145/1543135

          Copyright © 2009 ACM

          Publisher

          Association for Computing Machinery

          New York, NY, United States

          Qualifiers

          • research-article
