论文信息 - Analyst-oriented taint analysis by taint path slicing and aggregation

Analyst-oriented taint analysis by taint path slicing and aggregation

Taint analysis determines whether values from untrusted or private sources may flow into security-sensitive or public sinks, and can discover many common security vulnerabilities in both Web and mobile applications. Static taint analysis detects suspicious data flows without running the application and achieves a good coverage. However, most existing static taint analysis tools only focus on discovering taint paths from sources to sinks and do not concern about the requirements of analysts for sanitization check and exploration. The sanitization can make a taint path no more dangerous but should be checked or explored by analysts manually in many cases and the process is very costly. During our preliminary study, we found that many statements along taint paths are not relevant to the sanitization and there are a lot of redundancies among taint paths with the same source or sink. Based on these two observations, we have designed and implemented the taint path slicing and aggregation algorithms, aiming at mitigating the workload of the analysts and helping them get a better comprehension of the taint behaviors of target applications. Experimental evaluations on real-world applications show that our proposed algorithms can reduce the taint paths effectively and efficiently.

[1] Zhemin Yang,et al. LeakMiner: Detect Information Leakage on Android with Static Taint Analysis , 2012, 2012 Third World Congress on Software Engineering.

[2] David W. Binkley,et al. Program slicing , 2008, 2008 Frontiers of Software Maintenance.

[3] Gregor Snelting,et al. Flow-sensitive, context-sensitive, and object-sensitive information flow control based on program dependence graphs , 2009, International Journal of Information Security.

[4] Xiaoguang Mao,et al. Effective Fault Localization Approach Using Feedback , 2012, IEICE Trans. Inf. Syst..

[5] Jacques Klein,et al. FlowDroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps , 2014, PLDI.

[6] Yuhua Qi,et al. Slice-based statistical fault localization , 2014, J. Syst. Softw..

[7] Thomas W. Reps,et al. Precise interprocedural dataflow analysis via graph reachability , 1995, POPL '95.

[8] Patrick Cousot,et al. Andromeda: Accurate and Scalable Security Analysis of Web Applications , 2013, FASE.

[9] Hao Chen,et al. AndroidLeaks: Automatically Detecting Potential Privacy Leaks in Android Applications on a Large Scale , 2012, TRUST.

[10] Benjamin Livshits,et al. Finding Security Vulnerabilities in Java Applications with Static Analysis , 2005, USENIX Security Symposium.