TY - GEN
T1 - Taint Trace Analysis For Java Web Applications
AU - Li, Yaju
AU - Zhang, Chenyi
AU - Li, Qin
N1 - Publisher Copyright:
© 2022 Knowledge Systems Institute Graduate School. All rights reserved.
PY - 2022
Y1 - 2022
N2 - Taint analysis is concerned with whether a value in a program can be influenced, or tainted, by user input. Existing work on taint analysis focuses on tracking the propagation of taint flows between variables in a program, and a security risk is reported whenever a taint source (user input) flows to a taint sink (a resource that requires protection). However, a reported bug may have its taint source and taint sink located in different software components, which complicates bug tracking and bug confirmation for developers. In this paper, we propose Taint Trace Analysis (TTA), which extends P/Taint, a context-sensitive Java taint analysis project, by making the taint information flow explicit. Thanks to the underlying Datalog semantics, we describe a way to extract traces of taint flows across program contexts and field accesses in the Doop framework. Unlike existing works that produce only source-sink pairs, the output of TTA can be visualized as a set of traces that illustrate the inter-procedural taint propagation from taint sources to their corresponding sinks. As a consequence, TTA provides more useful information for developers and users after a vulnerability is reported. Our implementation is also efficient: as shown in our experiment, it adds only a small run-time overhead on top of P/Taint for a range of analyses with different types of context-sensitivity applied.
KW - Automatic trace generation
KW - Java web application
KW - Program analysis
KW - Taint analysis
UR - https://www.scopus.com/pages/publications/85137166282
U2 - 10.18293/SEKE2022-161
DO - 10.18293/SEKE2022-161
M3 - Conference paper
AN - SCOPUS:85137166282
T3 - Proceedings of the International Conference on Software Engineering and Knowledge Engineering, SEKE
SP - 184
EP - 189
BT - SEKE 2022 - Proceedings of the 34th International Conference on Software Engineering and Knowledge Engineering
PB - Knowledge Systems Institute Graduate School
T2 - 34th International Conference on Software Engineering and Knowledge Engineering, SEKE 2022
Y2 - 1 July 2022 through 10 July 2022
ER -