F4F: taint analysis of framework-based web applications

This paper presents F4F (Framework For Frameworks), a system for effective taint analysis of framework-based web applications. Most modern web applications utilize one or more web frameworks, which provide useful abstractions for common functionality. Due to extensive use of reflective language constructs in framework implementations, existing static taint analyses are often ineffective when applied to framework-based applications. While previous work has included ad hoc support for certain framework constructs, adding support for a large number of frameworks in this manner does not scale from an engineering standpoint. F4F employs an initial analysis pass in which both application code and configuration files are processed to generate a specification of framework-related behaviors. A taint analysis engine can leverage these specifications to perform a much deeper, more precise analysis of framework-based applications. Our specification language has only a small number of simple but powerful constructs, easing analysis engine integration. With this architecture, new frameworks can be handled with no changes to the core analysis engine, yielding significant engineering benefits. We implemented specification generators for several web frameworks and added F4F support to a state-of-the-art taint-analysis engine. In an experimental evaluation, the taint analysis enhanced with F4F discovered 525 new issues across nine benchmarks, a harmonic mean of 2.10X more issues per benchmark. Furthermore, manual inspection of a subset of the new issues showed that many were exploitable or reflected bad security practice.
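As an added illustration (not code from the paper or from the F4F implementation), the toy below shows the problem the abstract describes and the shape of its fix: a flow-insensitive taint analysis over a constructed three-method program loses the flow at a reflective framework dispatch, while a specification generated from a constructed action-mapping XML restores the missing call edge so the tainted sink is reported. The IR, the config format and the spec form are all assumptions made here.

```python
import xml.etree.ElementTree as ET

# Constructed toy program in a tiny IR, one statement list per method:
# ("src", x) x gets untrusted input; ("assign", d, s) d = s; ("sink", x) x reaches
# a sensitive sink; ("reflect", a) the framework dispatches a to a handler chosen
# by name at run time, so there is no direct call edge for an analysis to follow.
PROGRAM = {
    "Dispatcher.service": [("src", "param"), ("reflect", "param")],
    "LoginAction.execute": [("assign", "user", "in"), ("sink", "user")],
    "LogoutAction.execute": [("assign", "tmp", "in")],
}

# Constructed framework configuration (stands in for a real action-mapping file).
CONFIG_XML = """<actions>
  <action name="login" class="LoginAction"/>
  <action name="logout" class="LogoutAction"/>
</actions>"""

def generate_spec(config_xml):
    """Initial pass over the config: emit the call edges the reflective dispatch can
    take, in a hypothetical spec form {(method, "reflect"): [callee methods]}."""
    root = ET.fromstring(config_xml)
    return {("Dispatcher.service", "reflect"):
            [a.get("class") + ".execute" for a in root.iter("action")]}

def analyze(program, spec=None):
    """Flow-insensitive taint propagation; returns {(method, var)} of tainted sinks."""
    issues, seen = set(), set()

    def run(method, arg_tainted):
        if (method, arg_tainted) in seen:  # guard against recursive dispatch
            return
        seen.add((method, arg_tainted))
        tainted = {"in"} if arg_tainted else set()  # "in": the handler's parameter
        for stmt in program[method]:
            if stmt[0] == "src":
                tainted.add(stmt[1])
            elif stmt[0] == "assign" and stmt[2] in tainted:
                tainted.add(stmt[1])
            elif stmt[0] == "sink" and stmt[1] in tainted:
                issues.add((method, stmt[1]))
            elif stmt[0] == "reflect":
                # With no spec the reflective call resolves to no callee: flow is lost.
                for callee in (spec or {}).get((method, "reflect"), []):
                    run(callee, stmt[1] in tainted)

    run("Dispatcher.service", False)
    return issues
```

Running `analyze(PROGRAM)` alone reports nothing, while `analyze(PROGRAM, generate_spec(CONFIG_XML))` reports the tainted sink in `LoginAction.execute`, which is the gap the framework specification closes.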
