Taint analysis detects if data coming from a source, such as user input, flows into a sink, such as an SQL query, unsanitized (not properly escaped). Both static and dynamic taint analyses have been widely applied to detect injection vulnerabilities in real world software. A main drawback of static analysis is that it could produce false alarms. In addition, it is extremely time-consuming to manually explain the flow of tainted data from the results of the analysis, to understand why a specific warning was raised. This paper formalizes BackFlow , a context-sensitive taint flow reconstructor that, starting from the results of a taint-analysis engine, reconstructs how tainted data flows inside the program and builds paths connecting sources to sinks. BackFlow has been implemented on Julia’s static taint analysis. Experimental results on a set of standard benchmarks show that, when BackFlow produces a taint graph for an injection warning, then there is empirical evidence that such warning is a true alarm. Moreover BackFlow scales to real world programs.

BackFlow: Backward Context-sensitive Flow Reconstruction of Taint Analysis Results

Pietro Ferrara;
2020

Abstract

Taint analysis detects if data coming from a source, such as user input, flows into a sink, such as an SQL query, unsanitized (not properly escaped). Both static and dynamic taint analyses have been widely applied to detect injection vulnerabilities in real world software. A main drawback of static analysis is that it could produce false alarms. In addition, it is extremely time-consuming to manually explain the flow of tainted data from the results of the analysis, to understand why a specific warning was raised. This paper formalizes BackFlow , a context-sensitive taint flow reconstructor that, starting from the results of a taint-analysis engine, reconstructs how tainted data flows inside the program and builds paths connecting sources to sinks. BackFlow has been implemented on Julia’s static taint analysis. Experimental results on a set of standard benchmarks show that, when BackFlow produces a taint graph for an injection warning, then there is empirical evidence that such warning is a true alarm. Moreover BackFlow scales to real world programs.
Verification, Model Checking, and Abstract Interpretation
File in questo prodotto:
File Dimensione Formato  
article.pdf

non disponibili

Tipologia: Documento in Pre-print
Licenza: Accesso chiuso-personale
Dimensione 844.75 kB
Formato Adobe PDF
844.75 kB Adobe PDF   Visualizza/Apri

I documenti in ARCA sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: http://hdl.handle.net/10278/3720935
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 4
  • ???jsp.display-item.citation.isi??? 2
social impact