Type-Based Taint Analysis for Java Web Applications

Static taint analysis detects information flow vulnerabilities. It has gained considerable importance in the last decade, with the majority of work focusing on dataflow and points-to-based approaches. In this paper, we advocate type-based taint analysis. We present SFlow, a context-sensitive type system for secure information flow, and SFlowInfer, a corresponding worst-case cubic inference analysis. Our approach effectively handles reflection, libraries and frameworks, features that are notoriously difficult for dataflow and points-to-based taint analysis. We implemented SFlow and SFlowInfer. Empirical results on 13 real-world Java web applications show that our approach is scalable and also precise, achieving a false positive rate of 15%.
