An approach based on static information flow tracking is proposed to detect input validation vulnerabilities, with the aim of reducing the false positive rate of static-analysis-based vulnerability detection. The approach is implemented on top of the static code analysis tool FindBugs, and its performance and precision are evaluated. Experimental results show that the approach can effectively detect input validation vulnerabilities: the false positive rate of FindBugs is reduced by 55.7% without significantly slowing the analysis.
WAN Zhi-yuan, ZHOU Bo. Static information flow tracking based approach to detect input validation vulnerabilities. JOURNAL OF ZHEJIANG UNIVERSITY (ENGINEERING SCIENCE), 2015, 49(4): 683-691.
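As an added illustration, not code from the paper or from FindBugs, the following Python model shows the mechanism the abstract describes: a flow-sensitive taint analysis that tracks untrusted input from sources through assignments and control-flow merges to security-sensitive sinks, with sanitizers killing taint, compared against a flow-insensitive baseline that flags every sink transitively fed by a source. The IR, the control-flow graph and the method names in SOURCES, SANITIZERS and SINKS are constructed assumptions; the paper's analysis runs on Java bytecode inside FindBugs and is not reproduced here.

```python
"""Added example: minimal static information flow (taint) analysis over a
constructed three-address IR with a control-flow graph. Per variable the
lattice is UNTAINTED < TAINTED; the state is the set of tainted variables
and the join at control-flow merges is set union."""

# Constructed security-relevant method names (assumptions, not from the paper).
SOURCES = {"getParameter", "getHeader"}            # untrusted HTTP input
SANITIZERS = {"escapeHtml", "parseInt"}            # result is considered clean
SINKS = {"executeQuery": "SQL injection", "println": "XSS"}

# Instruction forms in the constructed IR:
#   ("assign", line, dst, ("const", value))
#   ("assign", line, dst, ("var", src))
#   ("assign", line, dst, ("call", callee, [arg_vars]))
#   ("sink",   line, callee, [arg_vars])
# CFG: block name -> (instructions, successor block names).


def transfer(instr, tainted):
    """Taint state after executing one instruction (flow-sensitive)."""
    if instr[0] != "assign":
        return set(tainted)                        # sink calls leave state unchanged
    _, _, dst, expr = instr
    out = set(tainted)
    out.discard(dst)                               # strong update: old dst value dies
    if expr[0] == "var" and expr[1] in tainted:
        out.add(dst)
    elif expr[0] == "call":
        callee, args = expr[1], expr[2]
        if callee in SOURCES:
            out.add(dst)                           # fresh taint enters here
        elif callee in SANITIZERS:
            pass                                   # sanitizer output is untainted
        elif any(a in tainted for a in args):
            out.add(dst)                           # unknown callee: taint flows through
    return out


def analyze(cfg):
    """Iterate to the least fixpoint, then report sinks reached by taint.
    Returns sorted (line, sink, vulnerability) findings."""
    in_state = {b: set() for b in cfg}
    out_state = {b: set() for b in cfg}
    changed = True
    while changed:                                 # terminates: states only grow
        changed = False
        for b, (instrs, succs) in cfg.items():
            state = set(in_state[b])
            for instr in instrs:
                state = transfer(instr, state)
            if state != out_state[b]:
                out_state[b] = state
                changed = True
            for s in succs:
                joined = in_state[s] | state       # join at the merge point
                if joined != in_state[s]:
                    in_state[s] = joined
                    changed = True
    findings = set()
    for b, (instrs, _) in cfg.items():
        state = set(in_state[b])
        for instr in instrs:
            if instr[0] == "sink":
                _, line, callee, args = instr
                if any(a in state for a in args):
                    findings.add((line, callee, SINKS[callee]))
            state = transfer(instr, state)
    return sorted(findings)


def naive_findings(cfg):
    """Baseline a pattern-based detector might use: flag a sink if any argument
    is ever derived from a source, ignoring control flow, reassignment and
    sanitizers. Every extra hit relative to analyze() is a false positive."""
    assigns = [i for instrs, _ in cfg.values() for i in instrs if i[0] == "assign"]
    suspicious, changed = set(), True
    while changed:
        changed = False
        for _, _, dst, expr in assigns:
            derived = (expr[0] == "var" and expr[1] in suspicious) or (
                expr[0] == "call"
                and (expr[1] in SOURCES or any(a in suspicious for a in expr[2])))
            if derived and dst not in suspicious:
                suspicious.add(dst)
                changed = True
    return sorted((i[1], i[2], SINKS[i[2]])
                  for instrs, _ in cfg.values() for i in instrs
                  if i[0] == "sink" and any(a in suspicious for a in i[3]))


# Constructed servlet-like program: id/name come from the request, safeId is
# sanitized, x is tainted then overwritten, q is tainted only on the else path.
EXAMPLE_CFG = {
    "entry": ([("assign", 1, "id",     ("call", "getParameter", ["req"])),
               ("assign", 2, "name",   ("call", "getParameter", ["req"])),
               ("assign", 3, "safeId", ("call", "parseInt", ["id"])),
               ("assign", 4, "x",      ("call", "getHeader", ["req"])),
               ("assign", 5, "x",      ("const", "static"))], ["then", "else"]),
    "then":  ([("assign", 6, "q", ("call", "concat", ["sqlPrefix", "safeId"]))], ["join"]),
    "else":  ([("assign", 7, "q", ("call", "concat", ["sqlPrefix", "name"]))], ["join"]),
    "join":  ([("sink",   8, "executeQuery", ["q"]),       # tainted via else path
               ("assign", 9, "out", ("call", "escapeHtml", ["name"])),
               ("sink",  10, "println", ["out"]),          # sanitized: not reported
               ("sink",  11, "println", ["id"]),           # true positive
               ("sink",  12, "println", ["x"])], []),      # x was overwritten
}


def false_positives_removed(cfg):
    """Sinks the naive detector flags that the flow-sensitive analysis does not."""
    return sorted(set(naive_findings(cfg)) - set(analyze(cfg)))


if __name__ == "__main__":
    for line, sink, vuln in analyze(EXAMPLE_CFG):
        print(f"line {line}: tainted data reaches {sink} ({vuln})")
    print("false positives avoided:", false_positives_removed(EXAMPLE_CFG))
```

On the constructed program the flow-sensitive analysis reports only the SQL sink on line 8 and the XSS sink on line 11, while the baseline also flags lines 10 and 12; those two extra reports are exactly the kind of false positive that tracking sanitizers and strong updates removes. The model is intraprocedural and treats every unknown callee as taint-propagating; a real detector also needs alias information for heap objects and a summary or inlining strategy for calls.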