基于静态信息流跟踪的输入验证漏洞检测方法

doi:10.3785/j.issn.1008-973X.2015.04.011

浙江大学学报(工学版)

通信工程、自动化技术

基于静态信息流跟踪的输入验证漏洞检测方法

万志远, 周波

浙江大学计算机科学与技术学院,浙江杭州 310027

Static information flow tracking based approach to detect input validation vulnerabilities

WAN Zhi-yuan, ZHOU Bo

College of Computer Science and Technology, Zhejiang University, Hangzhou 310027, China

全文: PDF(1180 KB) HTML

摘要：

针对基于静态分析的漏洞检测技术的高误报率问题,提出基于静态信息流跟踪技术的输入验证漏洞检测方法. 在静态代码分析工具FindBugs上实现了该方法,对该方法的漏洞检测精确度和性能进行评估. 实验结果表明,采用该方法能够有效地检测输入验证漏洞,在不明显降低运行性能的前提下,将FindBugs的输入验证漏洞检测误报率降低了55.7%.

Abstract:

An approach based on static information flow tracking was proposed to detect input validation vulnerabilities in order to reduce the false positive rate of vulnerability detection techniques based on static analysis. The approach was implemented on top of the static code analysis tool FindBugs. The performance and precision of our approach were evaluated. Experimental results show that our approach can effectively detect input validation vulnerabilities. The false positive rate of FindBugs was reduced by55.7% without significantly slowing the performance.

出版日期: 2015-04-01

TP 309

通讯作者: 周波，男，副教授 E-mail: bzhou@zju.edu.cn

作者简介: 万志远(1984—)，女，博士生，从事软件安全和程序分析的研究.E-mail: wanzhiyuan@zju.edu.cn

	服务
	把本文推荐给朋友
	加入引用管理器
	E-mail Alert
	RSS
	作者相关文章

引用本文:

万志远, 周波. 基于静态信息流跟踪的输入验证漏洞检测方法[J]. 浙江大学学报(工学版), 10.3785/j.issn.1008-973X.2015.04.011.

WAN Zhi-yuan, ZHOU Bo. Static information flow tracking based approach to detect input validation vulnerabilities. JOURNAL OF ZHEJIANG UNIVERSITY (ENGINEERING SCIENCE), 10.3785/j.issn.1008-973X.2015.04.011.

链接本文:

http://www.zjujournals.com/eng/CN/10.3785/j.issn.1008-973X.2015.04.011 或 http://www.zjujournals.com/eng/CN/Y2015/V49/I4/683

［1］ CHESS B, WEST J. Secure programming with static analysis ［M］. Boston: Wesley, 2007.
［2］ DENNING P J. Certification of programs for secure information flow ［J］. Communications of the ACM, 1977, 20(7): 504-513.
［3］ SHANKAR U, TALWAR K, FOSTER J, et al. Detecting format string vulnerabilities with type qualifiers ［C］∥ Proceedings of 10th USENIX Security Symposium. Berkeley: USENIX， 2001.
［4］ MYERS A. JFlow: practical mostly-static information flow control ［C］∥ Proceedings of the ACM Symposium on Principles of Programming Languages. New York: ACM, 1999.
［5］ LIVSHITS B, LAM M. Finding security vulnerabilities in Java applications with static analysis ［C］∥ Proceedings of 14th USENIX Security Symposium. Baltimore: USENIX, 2005.
［6］ TRIPP O, PISTOIA M, FINK S J, et al. TAJ: effective taint analysis of web applications ［C］∥ Proceedings of ACM Conference on Programming Language Design and Implementation. Dublin: ACM, 2009.
［7］ OWASP Top 10. 2014-03-21. https:∥www.owasp.org/index.php/Top_10_2013-Top_10.
［8］ KILDALL G A. A unified approach to global program optimization ［C］∥ Proceedings of the ACM Symposium on Principles of Programming Languages. New York: ACM, 1973.
［9］ GRTZER G. Lattice theory: first concepts and distributive lattices ［M］. San Francisco: Freeman, 1971.
［10］张鸣华.半格基础上的数据流分析［J］.计算机学报,1980(04): 309-320.
ZHANG Ming-hua. Dataflow analysis with semi-lattice ［J］. Chinese Journal of Computers, 1980(04): 309-320.
［11］ RAMALINGAM G. The undecidability of aliasing ［J］. ACM Transactions on Programming Languages and Systems, 1994, 16(5): 1467-1471.
［12］ ANDERSEN L O. Program analysis and specialization for the C programming language ［D］. Denmark: University of Copenhagen, 1994.
［13］ BRAVENBOER M, SMARAGDAKIS Y. Strictly declarative specication of sophisticated points-to analyses ［C］∥ Proceedings of the 24th ACM SIGPLAN Conference on Object Oriented Programming Systems Languages and Applications. New York: ACM, 2009.
［14］ FindBugsTM-Find Bugs in Java Programs. 2014-03-21. http:∥findbugs.sourceforge.net/.
［15］ Stanford SecuriBench. 2014-03-21. http:∥suif.stanford.edu/～livshits/securibench/.
［16］ ANDREW W A, JENS P. Modern compiler implementation in Java ［M］. Cambridge: Cambridge University Press, 2002.
［17］ VOLPANO D, IRVINE C, SMITH G. A sound type system for secure flow analysis ［J］. Journal of Computer Security, 1996, 4(2/3): 167-187.
［18］ FOSTER J, FAEHNDRICH M, AIKEN A. A theory of type qualifiers ［C］∥ Proceedings of ACM Conference on Programming Language Design and Implementation. New York: ACM, 1999.
［19］ HUANG Y, YU F, HANG C, et al. Securing web application code by static analysis and runtime protection ［C］∥ Proceedings of the 12th International World Wide Web Conference. New York: ACM, 2004.
［20］ PISTOIA M, FLYNN R J, KOVED L, et al. Interprocedural analysis for privileged code placement and tainted variable detection ［C］∥ Proceedings of the 19th European Conference on Object-Oriented Programming. Glasgow: Springer, 2005.
［21］ GUARNIERI S, PISTOIA M, TRIPP O, et al. Saving the world wide web from vulnerable JavaScript ［C］∥ Proceedings of the 20th International Symposium on Software Testing and Analysis. New York: ACM, 2011.
［22］ SRIDHARAN M, ARTZI S, PISTOIA M, et al. F4F: taint analysis of framework-based web applications ［C］∥ Proceedings of the 2011 ACM International Conference on Object Oriented Programming Systems Languages and Applications. New York: ACM, 2011.
［23］ JOVANOVIC N, KRUEGEL C, KIRDA E. Pixy: a static analysis tool for detecting web application vulnerabilities ［C］∥ Proceedings of IEEE Symposium on Security and Privacy. Berkeley/Oakland: IEEE, 2006.
［24］黄强,曾庆凯.基于信息流策略的污点传播分析及动态验证［J］.软件学报,2011, 22(9): 20362048.
HUANG Qiang, ZENG Qing-kai. Taint propagation analysis and dynamic verification with information flow policy ［J］. Journal of Software, 2011, 22(9): 2036-2048.
［25］ WHALEY J, LAM M. Cloning-based context-sensitive pointer alias analysis using binary decision diagrams ［C］∥ Proceedings of ACM Conference on Programming Language Design and Implementation. New York: ACM, 2004.

[1]	蒋煦, 张长胜, 戴大蒙, 阮婧, 慕德俊. Android应用程序隐私数据泄露检测[J]. 浙江大学学报(工学版), 2016, 50(12): 2357-2363.
[2]	马春来, 单洪, 李志, 朱立新. 移动用户下一地点预测新方法[J]. 浙江大学学报(工学版), 2016, 50(12): 2371-2379.
[3]	万志远, 周波. 支持局部调用图生成的指针分析[J]. 浙江大学学报(工学版), 2015, 49(6): 1031-1040.
[4]	王友卫, 刘元宁, 朱晓冬. 用于图像内容认证的半脆弱水印新算法[J]. J4, 2013, 47(6): 969-976.
[5]	李卓,陈健,蒋晓宁,曾宪庭,潘雪增. 基于多域特征的JPEG图像盲检测算法[J]. J4, 2011, 45(9): 1528-1538.
[6]	马晨华, 王进, 裘炅, 陆国栋. 基于情景约束的工作流柔性访问控制模型[J]. J4, 2010, 44(12): 2297-2308.
[7]	陈珂，胡天磊，陈刚. 基于角色的信任证覆盖网络中高效信任链搜索[J]. J4, 2010, 44(12): 2241-2250.
[8]	周天舒, 李劲松, 杨一兵, 陈运奇, 薛万国, 赵军平. 区域医疗系统数据真实性保障流程优化[J]. J4, 2010, 44(8): 1484-1489.
[9]	余利华, 陈刚, 王伟, 陈柯, 董金祥. 一种基于容器的自组织存储模型[J]. J4, 2010, 44(5): 915-922.
[10]	彭志宇, 李善平, 杨朝晖, 林欣. 信任管理中的匿名授权方法[J]. J4, 2010, 44(5): 897-902.
[11]	姜励, 陈健, 平玲娣, 陈小平. 多线程程序的信息抹除和降密安全策略[J]. J4, 2010, 44(5): 854-862.
[12]	付剑晶, 王珂. 基于交叉控制流混淆技术的编译方法[J]. J4, 2010, 44(5): 903-909.
[13]	江颉, 张杰, 陈德人. 基于推理的上下文感知RBAC模型设计和实现[J]. J4, 2009, 43(09): 1609-1614.
[14]	陈珂, 邵峰, 陈刚, 等. XML结构化匹配中的位图过滤加速法[J]. J4, 2009, 43(09): 1549-1556.
[15]	黄勇, 陈小平, 陈文智, 等. 支持动态调节的保密性和完整性统一模型[J]. J4, 2009, 43(8): 1377-1382.

Viewed

Full text

Abstract

Cited

Shared

Discussed