Abstract
Static taint analysis detects information flow vulnerabilities. It has gained considerable importance in the last decade, with the majority of work focusing on dataflow and points-to-based approaches.
In this paper, we advocate type-based taint analysis. We present SFlow, a context-sensitive type system for secure information flow, and SFlowInfer, a corresponding worst-case cubic inference analysis. Our approach effectively handles reflection, libraries and frameworks, features notoriously difficult for dataflow and points-to-based taint analysis.
We implemented SFlow and SFlowInfer. Empirical results on 13 real-world Java web applications show that our approach is scalable and also precise, achieving a false positive rate of 15%.
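The abstract contrasts type-based taint analysis with dataflow and points-to-based approaches but does not show what the type-based view looks like in practice. The following toy checker is an added illustration written for this page; it is not SFlow, SFlowInfer or any code from the paper. It assumes a two-point qualifier lattice (safe <: tainted), fixed annotations on sources, sinks and sanitizer results, and one subtyping constraint per assignment; the variable names, the two small programs and the sanitizer modelling are all constructed for the example.

```python
"""Toy type-qualifier taint checker (illustration only; not SFlow or SFlowInfer).

Each program variable carries a taint qualifier. Annotations on sources, sinks and
sanitizer results are fixed; every other qualifier is inferred by solving the
subtyping constraints that assignments generate. The lattice below is an assumption
made for this example: a 'safe' value may be used where 'tainted' is expected,
never the reverse.
"""
SAFE, TAINTED = "safe", "tainted"
RANK = {SAFE: 0, TAINTED: 1}


def is_subtype(q1: str, q2: str) -> bool:
    """q1 <: q2 in the two-point lattice safe <: tainted."""
    return RANK[q1] <= RANK[q2]


def join(q1: str, q2: str) -> str:
    """Least upper bound: tainted if either side is tainted."""
    return q1 if RANK[q1] >= RANK[q2] else q2


def infer(declared: dict, flows: list) -> tuple:
    """Infer qualifiers for unannotated variables and check annotated ones.

    declared: variable -> fixed qualifier (sources, sinks, sanitizer results).
    flows:    (src, dst) pairs, one per assignment or parameter passing,
              each imposing the constraint  type(src) <: type(dst).
    Returns (qualifiers, errors).
    """
    qual = {v: SAFE for pair in flows for v in pair}
    qual.update(declared)
    changed = True
    while changed:  # monotone ascent over a finite lattice: terminates
        changed = False
        for src, dst in flows:
            if dst in declared:
                continue  # fixed annotation: checked below, never widened
            lub = join(qual[src], qual[dst])
            if lub != qual[dst]:
                qual[dst] = lub
                changed = True
    errors = [f"{src}:{qual[src]} flows to {dst}:{qual[dst]}"
              for src, dst in flows
              if dst in declared and not is_subtype(qual[src], qual[dst])]
    return qual, errors


# Constructed program 1: a request parameter is concatenated into a query and executed.
#   param = request.getParameter("id")        -- source, annotated tainted
#   query = "SELECT ... WHERE id=" + param    -- unannotated local
#   stmt.executeQuery(query)                  -- sink parameter, annotated safe
VULNERABLE = (
    {"param": TAINTED, "sql_sink": SAFE},
    [("param", "query"), ("query", "sql_sink")],
)

# Constructed program 2: same shape, but the value passes through an escaping routine
# whose result is annotated safe (trusting the sanitizer is a modelling decision).
#   clean = escape(param)
#   query = "SELECT ... WHERE id=" + clean
#   stmt.executeQuery(query)
SANITIZED = (
    {"param": TAINTED, "escape_arg": TAINTED, "clean": SAFE, "sql_sink": SAFE},
    [("param", "escape_arg"), ("clean", "query"), ("query", "sql_sink")],
)


def check(program) -> list:
    """Run inference on a (declared, flows) pair and return the reported violations."""
    _, errors = infer(*program)
    return errors


if __name__ == "__main__":
    for name, prog in (("vulnerable", VULNERABLE), ("sanitized", SANITIZED)):
        quals, errors = infer(*prog)
        print(name, quals, errors or "OK")
```

The point of the example is the shape of the analysis rather than its lattice: no paths are enumerated and no heap is modelled, only qualifiers are propagated until a fixpoint and each fixed annotation is checked once, which is why type-based approaches can treat a library or framework method by its annotated signature alone.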
Copyright information
© 2014 Springer-Verlag Berlin Heidelberg
Cite this paper
Huang, W., Dong, Y., Milanova, A. (2014). Type-Based Taint Analysis for Java Web Applications. In: Gnesi, S., Rensink, A. (eds) Fundamental Approaches to Software Engineering. FASE 2014. Lecture Notes in Computer Science, vol 8411. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-54804-8_10
DOI: https://doi.org/10.1007/978-3-642-54804-8_10
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-54803-1
Online ISBN: 978-3-642-54804-8
eBook Packages: Computer Science (R0)