Tainted Flow Analysis on e-SSA-Form Programs

Tainted flow attacks originate from program inputs maliciously crafted to exploit software vulnerabilities. These attacks are common in server-side scripting languages, such as PHP. In 1997, Ørbæk and Palsberg formalized the problem of detecting these exploits as an instance of type-checking, and gave an O(V^3) algorithm to solve it, where V is the number of program variables. A similar algorithm was, ten years later, implemented in the Pixy tool. In this paper we give an O(V^2) solution to the same problem. Our solution uses Bodik et al.'s extended Static Single Assignment (e-SSA) program representation. The e-SSA form can be computed efficiently, and it enables us to solve the problem via a sparse data-flow analysis. Using the same infrastructure, we compared a state-of-the-art data-flow solution with our technique. Both approaches detected 36 vulnerabilities in well-known PHP programs. Our results show that our approach tends to outperform the data-flow algorithm on larger inputs. We have reported the bugs that we found, and an implementation of our algorithm is now publicly available.
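The abstract describes taint detection as a sparse data-flow analysis over an e-SSA-form program: every variable has exactly one definition, conditionals split live ranges with sigma nodes, and taint can therefore be propagated along def-use chains instead of being recomputed at every program point. The following Python is an added illustration of that idea and is not the paper's code or its public implementation. The instruction forms, the PHP-like toy program, and the assumption that a sigma node on the branch where a validation test succeeded yields a clean value are all constructed for this example.

```python
"""Sparse taint propagation over a toy e-SSA-form program (added example)."""
from collections import defaultdict, deque

TAINTED, CLEAN = True, False

# Instruction forms (constructed for this example, not the paper's IR):
#   ("source", v)            v = untrusted input, e.g. a request parameter
#   ("const", v)             v = program constant, always clean
#   ("assign", v, [u, ...])  v = f(u, ...): tainted iff any operand is
#   ("phi", v, [u, ...])     SSA join: tainted iff any incoming value is
#   ("sigma", v, u, ok)      e-SSA live-range split after a test on u; ok=True
#                            marks the branch on which a validation test passed
#   ("sanitize", v, u)       v = sanitizer(u), e.g. htmlspecialchars(): clean
#   ("sink", u)              u reaches a sensitive operation (echo, SQL query)


def operands(ins):
    """Variables read by a defining instruction."""
    op = ins[0]
    if op in ("source", "const"):
        return []
    if op in ("assign", "phi"):
        return list(ins[2])
    return [ins[2]]  # sigma, sanitize read one variable


def transfer(ins, state):
    """Taint of the variable defined by ins, given current operand taints."""
    op = ins[0]
    if op == "source":
        return TAINTED
    if op in ("const", "sanitize"):
        return CLEAN
    if op == "sigma":
        # Assumption: the branch where validation succeeded is treated as clean;
        # the other branch simply inherits the taint of the tested variable.
        return CLEAN if ins[3] else state[ins[2]]
    return any(state[u] for u in ins[2])  # assign, phi


def analyze(program):
    """Worklist propagation along def-use chains; returns (state, tainted sinks)."""
    defs, uses, state = {}, defaultdict(list), {}
    for ins in program:
        if ins[0] == "sink":
            uses[ins[1]].append(ins)
            continue
        v = ins[1]
        assert v not in defs, f"{v} is defined twice; program is not in SSA form"
        defs[v] = ins
        state[v] = CLEAN  # optimistic start; taint only ever grows
        for u in operands(ins):
            uses[u].append(ins)

    work = deque(ins for ins in program if ins[0] != "sink")
    while work:
        ins = work.popleft()
        v = ins[1]
        new = transfer(ins, state)
        if new != state[v]:
            state[v] = new
            # Sparse step: only the direct users of v need re-evaluation.
            work.extend(user for user in uses[v] if user[0] != "sink")

    vulnerable = [ins[1] for ins in program if ins[0] == "sink" and state[ins[1]]]
    return state, vulnerable


# Constructed PHP-like program in e-SSA form:
#   x1 = $_GET['name']; x2 = htmlspecialchars(x1);
#   if (is_numeric(x1)) { x3 = sigma(x1) } else { x4 = sigma(x1) }
#   y1 = "... " . x3 ; y2 = "... " . x4 ; y3 = phi(y1, y2);
#   mysql_query(y3); echo x2; echo x1;
PROGRAM = [
    ("source", "x1"),
    ("sanitize", "x2", "x1"),
    ("sigma", "x3", "x1", True),
    ("sigma", "x4", "x1", False),
    ("const", "c1"),
    ("assign", "y1", ["c1", "x3"]),
    ("assign", "y2", ["c1", "x4"]),
    ("phi", "y3", ["y1", "y2"]),
    ("sink", "y3"),
    ("sink", "x2"),
    ("sink", "x1"),
]

if __name__ == "__main__":
    state, vulnerable = analyze(PROGRAM)
    for var in sorted(state):
        print(var, "tainted" if state[var] else "clean")
    print("tainted sinks:", vulnerable)
```

Because the lattice has only two points and every transfer function is monotone, each variable flips from clean to tainted at most once, so each def-use edge is traversed a bounded number of times; that is the property that makes the sparse formulation cheaper than re-evaluating a dense data-flow state at every program point. The run reports `y3` and `x1` as tainted at their sinks, while the sanitized `x2` and the validated branch `x3` stay clean.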

[1] Andrew P. Black. ECOOP 2005 - Object-Oriented Programming, 19th European Conference, Glasgow, UK, July 25-29, 2005, Proceedings, 2005, ECOOP.

[2] Thomas W. Reps, et al. Precise interprocedural dataflow analysis via graph reachability, 1995, POPL '95.

[3] Mariza A. S. Bigonha, et al. Efficient SSI Conversion, 2010.

[4] Vivek Sarkar, et al. ABCD: eliminating array bounds checks on demand, 2000, PLDI '00.

[5] Jeremy Singer, et al. Static program analysis based on virtual register renaming, 2006.

[6] Robert E. Tarjan, et al. A fast algorithm for finding dominators in a flowgraph, 1979, TOPL.

[7] Jens Palsberg. Efficient Inference of Object Types, 1995, Inf. Comput.

[8] Richard Sharp, et al. Specifying and Enforcing Application-Level Web Security Policies, 2003, IEEE Trans. Knowl. Data Eng.

[9] David W. Binkley, et al. Program slicing, 2008, 2008 Frontiers of Software Maintenance.

[10] Jens Palsberg, et al. Trust in the λ-calculus, 1995, Journal of Functional Programming.

[11] Christopher Krügel, et al. Precise alias analysis for static detection of web application vulnerabilities, 2006, PLAS '06.

[12] Manu Sridharan, et al. TAJ: effective taint analysis of web applications, 2009, PLDI '09.

[13] David Gregg, et al. A practical solution for scripting language compilers, 2009, SAC '09.

[14] Paul Biggar. Design and implementation of an ahead-of-time compiler for PHP, 2010.

[15] C. Scott Ananian, et al. The static single information form, 2001.

[16] Marco Pistoia, et al. Interprocedural Analysis for Privileged Code Placement and Tainted Variable Detection, 2005, ECOOP.

[17] Raymond Lo, et al. Effective Representation of Aliases and Indirect Memory Operations in SSA Form, 1996, CC.

[18] Sorin Lerner, et al. Staged information flow for JavaScript, 2009, PLDI '09.

[19] D. B. Davis, et al. Sun Microsystems Inc., 1993.

[20] Manu Sridharan, et al. Thin slicing, 2007, PLDI '07.

[21] Zhendong Su, et al. Sound and precise analysis of web applications for injection vulnerabilities, 2007, PLDI '07.

[22] Cristina Cifuentes, et al. User-Input Dependence Analysis via Graph Reachability, 2008, 2008 Eighth IEEE International Working Conference on Source Code Analysis and Manipulation.

[23] Anthony Pioli, et al. Conditional Pointer Aliasing and Constant Propagation, 1999.

[24] Alexander Aiken, et al. Static Detection of Security Vulnerabilities in Scripting Languages, 2006, USENIX Security Symposium.

[25] Gregor Snelting, et al. Information Flow Control for Java Based on Path Conditions in Dependence Graphs, 2006, ISSSE.

[26] Aske Simon Christensen, et al. Precise Analysis of String Expressions, 2003, SAS.

[27] Mark N. Wegman, et al. Efficiently computing static single assignment form and the control dependence graph, 1991, TOPL.

[28] Jong-Deok Choi, et al. Automatic construction of sparse data flow evaluation graphs, 1991, POPL '91.

[29] Andrew W. Appel, et al. Modern Compiler Implementation in Java, 1997.

[30] Christopher Krügel, et al. Pixy: a static analysis tool for detecting Web application vulnerabilities, 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[31] Alexander Aiken, et al. Flow-sensitive type qualifiers, 2002, PLDI '02.