ABSTRACT
Taint analysis, a form of information-flow analysis, establishes whether values from untrusted methods and parameters may flow into security-sensitive operations. Taint analysis can detect many common vulnerabilities in Web applications, and so has attracted much attention from both the research community and industry. However, most static taint-analysis tools do not address critical requirements for an industrial-strength tool. Specifically, an industrial-strength tool must scale to large industrial Web applications, model essential Web-application code artifacts, and generate consumable reports for a wide range of attack vectors.
We have designed and implemented a static Taint Analysis for Java (TAJ) that meets the requirements of industry-level applications. TAJ can analyze applications of virtually any size, as it employs a set of techniques designed to produce useful answers given limited time and space. TAJ addresses a wide variety of attack vectors, with techniques to handle reflective calls, flow through containers, nested taint, and issues in generating useful reports. This paper provides a description of the algorithms comprising TAJ, evaluates TAJ against production-level benchmarks, and compares it with alternative solutions.
TAJ: effective taint analysis of web applications. PLDI '09.