Exploring context-sensitive data flow analysis for early vulnerability detection

Context-sensitive data-flow analysis improves vulnerability detection.Early detection encourages programmers to promptly fix security vulnerabilities.We built a benchmark for 11 vulnerabilities in order to promote study replications.Our early detector of security vulnerabilities is available at Eclipse marketplace. Secure programming is the practice of writing programs that are resistant to attacks by malicious people or programs. Programmers of secure software have to be continuously aware of security vulnerabilities when writing their program statements. In order to improve programmers' awareness, static analysis techniques have been devised to find vulnerabilities in the source code. However, most of these techniques are built to encourage vulnerability detection a posteriori, only when developers have already fully produced (and compiled) one or more modules of a program. Therefore, this approach, also known as late detection, does not support secure programming but rather encourages posterior security analysis. The lateness of vulnerability detection is also influenced by the high rate of false positives yielded by pattern matching, the underlying mechanism used by existing static analysis techniques. The goal of this paper is twofold. First, we propose to perform continuous detection of security vulnerabilities while the developer is editing each program statement, also known as early detection. Early detection can leverage his knowledge on the context of the code being created, contrary to late detection when developers struggle to recall and fix the intricacies of the vulnerable code they produced from hours to weeks ago. Second, we explore context-sensitive data flow analysis (DFA) for improving vulnerability detection and mitigate the limitations of pattern matching. DFA might be suitable for finding if an object has a vulnerable path. To this end, we have implemented a proof-of-concept Eclipse plugin for continuous DFA-based detection of vulnerabilities in Java programs. We also performed two empirical studies based on several industry-strength systems to evaluate if the code security can be improved through DFA and early vulnerability detection. Our studies confirmed that: (i) the use of context-sensitive DFA significantly reduces the rate of false positives when compared to existing techniques, without being detrimental to the detector performance, and (ii) early detection improves the awareness among developers and encourages programmers to fix security vulnerabilities promptly.

[1]  David Geer Eclipse becomes the dominant Java IDE , 2005, Computer.

[2]  James A. Kupsch,et al.  Manual vs. Automated Vulnerability Assessment: A Case Study , 2009 .

[3]  John Viega,et al.  19 deadly sins of software security : programming flaws and how to fix them , 2005 .

[4]  Lars Lundberg,et al.  Evaluating the cost reduction of static code analysis for software security , 2008, PLAS '08.

[5]  Rahul Telang,et al.  Impact of Software Vulnerability Announcements on the Market Value of Software Vendors - an Empirical Investigation , 2005, WEIS.

[6]  Mauricio A. Saca Refactoring improving the design of existing code , 2017, 2017 IEEE 37th Central America and Panama Convention (CONCAPAN XXXVII).

[7]  Edward B. Allen,et al.  High false positive detection of security vulnerabilities: a case study , 2012, ACM-SE '12.

[8]  Manu Sridharan,et al.  TAJ: effective taint analysis of web applications , 2009, PLDI '09.

[9]  Sverre H. Huseby Innocent Code: A Security Wake-Up Call for Web Programmers , 2004 .

[10]  Gregor Snelting,et al.  Information Flow Control for Java Based on Path Conditions in Dependence Graphs , 2006, ISSSE.

[11]  Jing Xie,et al.  ASIDE: IDE support for web application security , 2011, ACSAC '11.

[12]  Benjamin Livshits,et al.  Finding Security Vulnerabilities in Java Applications with Static Analysis , 2005, USENIX Security Symposium.

[13]  Gary McGraw,et al.  Static Analysis for Security , 2004, IEEE Secur. Priv..

[14]  Mira Mezini,et al.  A recommendation system for exception handling code , 2012, 2012 5th International Workshop on Exception Handling (WEH).

[15]  Carl E. Landwehr,et al.  Basic concepts and taxonomy of dependable and secure computing , 2004, IEEE Transactions on Dependable and Secure Computing.

[16]  Armin Biere,et al.  Combined Static and Dynamic Analysis , 2005, AIOOL@VMCAI.

[17]  Marco Guarnieri Security vulnerabilities detection and protection using eclipse , 2011 .

[18]  Isil Dillig,et al.  Precise reasoning for programs using containers , 2011, POPL '11.

[19]  Gary McGraw,et al.  Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors , 2005, IEEE Secur. Priv..

[20]  Ondrej Lhoták,et al.  Context-Sensitive Points-to Analysis: Is It Worth It? , 2006, CC.

[21]  Jing Xie,et al.  Why do programmers make security errors? , 2011, 2011 IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC).