Taint analysis detects if data coming from a source, such as user input, flows into a sink, such as an SQL query, unsanitized (not properly escaped). Both static and dynamic taint analyses have been widely applied to detect injection vulnerabilities in real world software. A main drawback of static analysis is that it could produce false alarms. In addition, it is extremely time-consuming to manually explain the flow of tainted data from the results of the analysis, to understand why a specific warning was raised. This paper formalizes BackFlow , a context-sensitive taint flow reconstructor that, starting from the results of a taint-analysis engine, reconstructs how tainted data flows inside the program and builds paths connecting sources to sinks. BackFlow has been implemented on Julia’s static taint analysis. Experimental results on a set of standard benchmarks show that, when BackFlow produces a taint graph for an injection warning, then there is empirical evidence that such warning is a true alarm. Moreover BackFlow scales to real world programs.
|Data di pubblicazione:||2020|
|Titolo:||BackFlow: Backward Context-sensitive Flow Reconstruction of Taint Analysis Results|
|Titolo del libro:||Verification, Model Checking, and Abstract Interpretation|
|Digital Object Identifier (DOI):||http://dx.doi.org/10.1007/978-3-030-39322-9_2|
|Appare nelle tipologie:||4.1 Articolo in Atti di convegno|
File in questo prodotto:
|article.pdf||Documento in Pre-print||Accesso chiuso-personale||Riservato|