Taint Dependency Sequences: A Characterization of Insecure Execution Paths Based on Input-Sensitive Cause Sequences

Numerous software vulnerabilities can be activated only with dedicated user inputs. Taint analysis is a security check that consists of looking for possible dependency chains between user inputs and vulnerable statements (such as array accesses). Most existing static taint analysis tools produce warnings on potentially vulnerable program locations. It is then up to the developer to analyze these results by scanning the possible execution paths that may lead to these locations with unsecured user inputs. We present a Taint Dependency Sequences Calculus, based on a fine-grained data and control taint analysis, that aims to help the developer in this task by providing information on the set of paths that need to be analyzed. Following ideas introduced in [1], [2], we also propose metrics to characterize these paths in terms of "dangerousness". This approach is illustrated with the help of the Verisec Suite [3] and by describing a prototype called STAC.

[1] Zhendong Su et al. Sound and precise analysis of web applications for injection vulnerabilities, 2007, PLDI '07.

[2] Andrew C. Myers et al. Language-based information-flow security, 2003, IEEE J. Sel. Areas Commun.

[3] Bjarne Steensgaard et al. Points-to analysis in almost linear time, 1996, POPL '96.

[4] Gregor Snelting et al. Information Flow Control for Java Based on Path Conditions in Dependence Graphs, 2006, ISSSE.

[5] Christopher Krügel et al. Pixy: a static analysis tool for detecting Web application vulnerabilities, 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[6] Manu Sridharan et al. TAJ: effective taint analysis of web applications, 2009, PLDI '09.

[7] Cristina Cifuentes et al. User-Input Dependence Analysis via Graph Reachability, 2008, 2008 Eighth IEEE International Working Conference on Source Code Analysis and Manipulation.

[8] Spiros Mancoridis et al. Static Security Analysis Based on Input-Related Software Faults, 2009, 2009 13th European Conference on Software Maintenance and Reengineering.

[9] J. Meseguer et al. Security Policies and Security Models, 1982, 1982 IEEE Symposium on Security and Privacy.

[10] Calvin Lin et al. Efficient and extensible security enforcement using dynamic data flow analysis, 2008, CCS.

[11] Gregor Snelting et al. Efficient path conditions in dependence graphs for software safety analysis, 2006, TSEM.

[12] Geoffrey Smith et al. A Sound Type System for Secure Flow Analysis, 1996, J. Comput. Secur.

[13] Wei Xu et al. Taint-Enhanced Policy Enforcement: A Practical Approach to Defeat a Wide Range of Attacks, 2006, USENIX Security Symposium.

[14] Vitaly Shmatikov et al. Inputs of Coma: Static Detection of Denial-of-Service Vulnerabilities, 2009, 2009 22nd IEEE Computer Security Foundations Symposium.

[15] Mary Lou Soffa et al. Refining buffer overflow detection via demand-driven path-sensitive analysis, 2007, PASTE '07.

[16] Alexander Aiken et al. Flow-sensitive type qualifiers, 2002, PLDI '02.

[17] George C. Necula et al. CIL: Intermediate Language and Tools for Analysis and Transformation of C Programs, 2002, CC.

[18] Marco Pistoia et al. Interprocedural Analysis for Privileged Code Placement and Tainted Variable Detection, 2005, ECOOP.

[19] James Newsom et al. Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software, 2005, Network and Distributed System Security Symposium Conference Proceedings.

[20] Alessandro Orso et al. Dytan: a generic dynamic taint analysis framework, 2007, ISSTA '07.

[21] Koushik Sen. DART: Directed Automated Random Testing, 2009, Haifa Verification Conference.