Static information flow tracking based approach to detect input validation vulnerabilities
WAN Zhi-yuan, ZHOU Bo
College of Computer Science and Technology, Zhejiang University, Hangzhou 310027, China

Abstract An approach based on static information flow tracking was proposed to detect input validation vulnerabilities, with the aim of reducing the false positive rate of static-analysis-based vulnerability detection techniques. The approach was implemented on top of the static code analysis tool FindBugs, and its performance and precision were evaluated. Experimental results show that the approach effectively detects input validation vulnerabilities: the false positive rate of FindBugs was reduced by 55.7% without significantly slowing the analysis.
Published: 01 April 2015
Static information flow tracking based approach to detect input validation vulnerabilities (Chinese abstract, translated)
To address the high false positive rate of static-analysis-based vulnerability detection techniques, an input validation vulnerability detection approach based on static information flow tracking is proposed. The approach was implemented on the static code analysis tool FindBugs, and its vulnerability detection precision and performance were evaluated. Experimental results show that the approach effectively detects input validation vulnerabilities and reduces the input validation vulnerability false positive rate of FindBugs by 55.7% without noticeably degrading run-time performance.
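As an added illustration of the technique the abstract describes (this is example code, not the paper's FindBugs implementation), the following Python toy runs a forward information-flow analysis over a constructed three-address program and, for comparison, a pattern-based detector that flags every sink fed by a variable; the API names getParameter, validateInput, println and executeQuery are assumed stand-ins for sources, validation routines and sinks.

```python
TAINTED, CLEAN = True, False           # two-point lattice; join is logical "or"
SOURCES = {"getParameter"}             # untrusted input (assumed API names)
SANITIZERS = {"validateInput"}         # input validation routines that clear taint
SINKS = {"println", "executeQuery"}    # security-sensitive operations

def transfer(facts, instrs):
    """One block's (dst, fn, args) over a var -> taint map; returns (map, indexes of tainted sinks)."""
    facts, hits = dict(facts), []
    for i, (dst, fn, args) in enumerate(instrs):
        if fn in SOURCES or fn in SANITIZERS:
            facts[dst] = fn in SOURCES                # source taints, validator clears
            continue
        tainted = any(facts.get(a, CLEAN) for a in args)  # literals are never in the map
        if fn in SINKS and tainted:
            hits.append(i)
        elif fn not in SINKS:
            facts[dst] = tainted                      # assignment / concatenation
    return facts, hits

def flow_report(cfg):
    """Worklist fixed point over cfg = {block: (instrs, succs)}; sorted (block, i) of unvalidated sinks."""
    in_facts = {b: {} for b in cfg}
    worklist = [next(iter(cfg))]                      # first block is the entry
    while worklist:
        b = worklist.pop()
        out, _ = transfer(in_facts[b], cfg[b][0])
        for s in cfg[b][1]:
            joined = {v: in_facts[s].get(v, CLEAN) or out.get(v, CLEAN)
                      for v in set(in_facts[s]) | set(out)}
            if joined != in_facts[s]:                 # facts grew: revisit successor
                in_facts[s] = joined
                worklist.append(s)
    return sorted((b, i) for b in cfg for i in transfer(in_facts[b], cfg[b][0])[1])

def naive_report(cfg):
    """Pattern-based detector: flag every sink whose argument is not a quoted literal."""
    return sorted((b, i) for b, (instrs, _) in cfg.items() for i, (_, fn, args)
                  in enumerate(instrs) if fn in SINKS and not all(a.startswith('"') for a in args))

# Constructed servlet-like program: request parameter, validated copy, two paths.
# Arguments that start with a double quote are string literals; anything else is a variable.
PROGRAM = {
    "entry": ([("name", "getParameter", ['"name"']), ("checked", "validateInput", ["name"])], ["then", "else"]),
    "then":  ([("msg", "concat", ['"Hello "', "checked"])], ["join"]),
    "else":  ([("msg", "concat", ['"Hi "', "name"])], ["join"]),
    "join":  ([(None, "println", ["msg"]),            # tainted along the else path
               ("q", "concat", ['"SELECT ... "', "checked"]),
               (None, "executeQuery", ["q"]),         # validated: no report
               (None, "println", ['"done"'])], []),   # literal only: no report
}
```

On this program the pattern-based detector reports two sinks while the flow analysis reports only the unvalidated one, which is the kind of false positive the abstract's approach removes.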