Taint analysis detects if data coming from a source, such as user input, flows into a sink, such as an SQL query, unsanitized (not properly escaped). Both static and dynamic taint analyses have been widely applied to detect injection vulnerabilities in real world software. A main drawback of static analysis is that it could produce false alarms. In addition, it is extremely time-consuming to manually explain the flow of tainted data from the results of the analysis, to understand why a specific warning was raised. This paper formalizes BackFlow , a context-sensitive taint flow reconstructor that, starting from the results of a taint-analysis engine, reconstructs how tainted data flows inside the program and builds paths connecting sources to sinks. BackFlow has been implemented on Julia’s static taint analysis. Experimental results on a set of standard benchmarks show that, when BackFlow produces a taint graph for an injection warning, then there is empirical evidence that such warning is a true alarm. Moreover BackFlow scales to real world programs.
BackFlow: Backward Context-sensitive Flow Reconstruction of Taint Analysis Results
Pietro Ferrara;Luca Olivieri;
2020-01-01
Abstract
Taint analysis detects if data coming from a source, such as user input, flows into a sink, such as an SQL query, unsanitized (not properly escaped). Both static and dynamic taint analyses have been widely applied to detect injection vulnerabilities in real world software. A main drawback of static analysis is that it could produce false alarms. In addition, it is extremely time-consuming to manually explain the flow of tainted data from the results of the analysis, to understand why a specific warning was raised. This paper formalizes BackFlow , a context-sensitive taint flow reconstructor that, starting from the results of a taint-analysis engine, reconstructs how tainted data flows inside the program and builds paths connecting sources to sinks. BackFlow has been implemented on Julia’s static taint analysis. Experimental results on a set of standard benchmarks show that, when BackFlow produces a taint graph for an injection warning, then there is empirical evidence that such warning is a true alarm. Moreover BackFlow scales to real world programs.File | Dimensione | Formato | |
---|---|---|---|
article.pdf
non disponibili
Tipologia:
Documento in Pre-print
Licenza:
Accesso chiuso-personale
Dimensione
844.75 kB
Formato
Adobe PDF
|
844.75 kB | Adobe PDF | Visualizza/Apri |
I documenti in ARCA sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.