TAJ: effective taint analysis of web applications

Taint analysis, a form of information-flow analysis, establishes whether values from untrusted methods and parameters may flow into security-sensitive operations. Taint analysis can detect many common vulnerabilities in Web applications, and so has attracted much attention from both the research community and industry. However, most static taint-analysis tools do not address critical requirements for an industrial-strength tool. Specifically, an industrial-strength tool must scale to large industrial Web applications, model essential Web-application code artifacts, and generate consumable reports for a wide range of attack vectors. We have designed and implemented a static Taint Analysis for Java (TAJ) that meets the requirements of industry-level applications. TAJ can analyze applications of virtually any size, as it employs a set of techniques designed to produce useful answers given limited time and space. TAJ addresses a wide variety of attack vectors, with techniques to handle reflective calls, flow through containers, nested taint, and issues in generating useful reports. This paper provides a description of the algorithms comprising TAJ, evaluates TAJ against production-level benchmarks, and compares it with alternative solutions.

[1]  Vivek Sarkar,et al.  ABCD: eliminating array bounds checks on demand , 2000, PLDI '00.

[2]  Calvin Lin,et al.  Efficient and extensible security enforcement using dynamic data flow analysis , 2008, CCS.

[3]  Ondrej Lhoták,et al.  Context-Sensitive Points-to Analysis: Is It Worth It? , 2006, CC.

[4]  Lars Ole Andersen,et al.  Program Analysis and Specialization for the C Programming Language , 2005 .

[5]  Barbara G. Ryder Dimensions of Precision in Reference Analysis of Object-Oriented Programming Languages , 2003, CC.

[6]  Benjamin Livshits,et al.  Finding Security Vulnerabilities in Java Applications with Static Analysis , 2005, USENIX Security Symposium.

[7]  Barbara G. Ryder,et al.  Parameterized object sensitivity for points-to analysis for Java , 2005, TSEM.

[8]  Zhendong Su,et al.  Static detection of cross-site scripting vulnerabilities , 2008, 2008 ACM/IEEE 30th International Conference on Software Engineering.

[9]  Marco Pistoia,et al.  Interprocedural Analysis for Privileged Code Placement and Tainted Variable Detection , 2005, ECOOP.

[10]  Peter J. Denning,et al.  Certification of programs for secure information flow , 1977, CACM.

[11]  Yasuhiko Minamide Static approximation of dynamically generated Web pages , 2005, WWW '05.

[12]  Eran Yahav,et al.  Effective typestate verification in the presence of aliasing , 2006, TSEM.

[13]  David W. Binkley,et al.  Interprocedural slicing using dependence graphs , 1990, TOPL.

[14]  Julian Dolby,et al.  Semi-Automatic J2EE Transaction Configuration , 2004 .

[15]  Gregor Snelting,et al.  Information flow control for Java based on path conditions in dependence graphs , 2006 .

[16]  J. Meseguer,et al.  Security Policies and Security Models , 1982, 1982 IEEE Symposium on Security and Privacy.

[17]  David A. Wagner,et al.  This copyright notice must be included in the reproduced paper. USENIX acknowledges all trademarks herein. Detecting Format String Vulnerabilities with Type Qualifiers , 2001 .

[18]  Thomas W. Reps,et al.  Precise interprocedural dataflow analysis via graph reachability , 1995, POPL '95.

[19]  Benjamin Livshits,et al.  Reflection Analysis for Java , 2005, APLAS.

[20]  Patrick Cousot,et al.  Modular Static Program Analysis , 2002, CC.

[21]  Olivier Tardieu,et al.  Demand-driven pointer analysis , 2001, PLDI '01.

[22]  Alexander Aiken,et al.  Flow-sensitive type qualifiers , 2002, PLDI '02.

[23]  Larry Wall,et al.  Programming Perl , 1991 .

[24]  Stephen McCamant,et al.  Quantitative information flow as network flow capacity , 2008, PLDI '08.

[25]  Monica S. Lam,et al.  Cloning-based context-sensitive pointer alias analysis using binary decision diagrams , 2004, PLDI '04.

[26]  Manu Sridharan,et al.  Thin slicing , 2007, PLDI '07.

[27]  Zhendong Su,et al.  Sound and precise analysis of web applications for injection vulnerabilities , 2007, PLDI '07.

[28]  Geoffrey Smith,et al.  A Sound Type System for Secure Flow Analysis , 1996, J. Comput. Secur..

[29]  Dorothy E. Denning,et al.  A lattice model of secure information flow , 1976, CACM.

[30]  Susan Horwitz,et al.  Using static single assignment form to improve flow-insensitive pointer analysis , 1998, PLDI '98.

[31]  Gregor Snelting,et al.  Efficient path conditions in dependence graphs for software safety analysis , 2006, TSEM.

[32]  Mark N. Wegman,et al.  Efficiently computing static single assignment form and the control dependence graph , 1991, TOPL.

[33]  Andrew C. Myers,et al.  JFlow: practical mostly-static information flow control , 1999, POPL '99.

[34]  Dawson R. Engler,et al.  Using programmer-written compiler extensions to catch security holes , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[35]  Andrew C. Myers,et al.  A decentralized model for information flow control , 1997, SOSP.

[36]  Manu Sridharan,et al.  Refinement-based context-sensitive points-to analysis for Java , 2006, PLDI '06.