Andromeda: Accurate and Scalable Security Analysis of Web Applications

  • Omer Tripp
  • Marco Pistoia
  • Patrick Cousot
  • Radhia Cousot
  • Salvatore Guarnieri
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7793)

Abstract

Security auditing of industry-scale software systems mandates automation. Static taint analysis enables deep and exhaustive tracking of suspicious data flows for detection of potential leakage and integrity violations, such as cross-site scripting (XSS), SQL injection (SQLi) and log forging. Research in this area has taken two directions: program slicing and type systems. Both of these approaches suffer from a high rate of false findings, which limits the usability of analysis tools based on these techniques. Attempts to reduce the number of false findings have resulted in analyses that are either (i) unsound, suffering from the dual problem of false negatives, or (ii) too expensive due to their high precision, thereby failing to scale to real-world applications.

In this paper, we investigate a novel approach for enabling precise yet scalable static taint analysis. The key observation informing our approach is that taint analysis is a demand-driven problem. This enables lazy computation of vulnerable information flows instead of eager computation of a complete data-flow solution, which is the root cause of the traditional dichotomy between scalability and precision. We have implemented our approach in Andromeda, an analysis tool that computes data-flow propagations on demand, in an efficient and accurate manner, and additionally features incremental analysis capabilities. Andromeda is currently in use in a commercial product. It supports applications written in Java, .NET and JavaScript. Our extensive evaluation of Andromeda on a suite of 16 production-level benchmarks shows Andromeda to achieve high accuracy and compare favorably to a state-of-the-art tool that trades soundness for precision.
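The abstract contrasts eager, whole-program data-flow computation with demand-driven (per-sink) taint tracking. The following toy analyzer is an added illustration of that distinction and is not Andromeda's code: it runs both strategies over a constructed straight-line intermediate representation of a hypothetical servlet handler (statement kinds `src`, `copy`, `concat`, `sanitize`, `const`, `sink` are assumptions of this example). The eager pass computes a taint fact for every variable, including ones that never reach a sink; the demand-driven pass starts at each sink and walks backward through reaching definitions, stopping at sanitizers and constants and exiting as soon as a source is found, so it visits only the slice that can matter. Both report the same vulnerable sink; the demand-driven version does strictly less work. Aliasing, branches, loops and interprocedural flow, all of which a real analysis must handle, are deliberately omitted.

```python
"""Toy eager vs. demand-driven taint analysis over a straight-line IR.

Hypothetical IR (an assumption of this example, not Andromeda's):
  ('src', x)             x = untrusted input (request parameter/header)
  ('copy', x, y)         x = y
  ('concat', x, y, z)    x = y + z
  ('sanitize', x, y)     x = encode(y)   (kills taint)
  ('const', x)           x = string literal
  ('sink', x)            x reaches a security-sensitive operation
Straight-line code only: a variable's reaching definition at a point is its
last assignment before that point.
"""
from collections import deque

# Constructed sample program (comments show the Java-like source it stands for).
PROGRAM = [
    ('src', 'name'),                           # 0  name = request.getParameter("name")
    ('src', 'id'),                             # 1  id = request.getParameter("id")
    ('src', 'ua'),                             # 2  ua = request.getHeader("User-Agent")
    ('const', 'hello'),                        # 3  hello = "Hello, "
    ('concat', 'greet', 'hello', 'name'),      # 4  greet = hello + name
    ('sanitize', 'safe_id', 'id'),             # 5  safe_id = encodeForHtml(id)
    ('const', 'prefix'),                       # 6  prefix = "<p>"
    ('concat', 'page', 'prefix', 'greet'),     # 7  page = prefix + greet
    ('concat', 'idline', 'prefix', 'safe_id'), # 8  idline = prefix + safe_id
    ('copy', 'ua_copy', 'ua'),                 # 9  tainted, never reaches a sink
    ('concat', 'stats', 'ua_copy', 'name'),    # 10 tainted, never reaches a sink
    ('sink', 'idline'),                        # 11 out.print(idline): safe (sanitized)
    ('sink', 'page'),                          # 12 out.print(page): XSS
]

DEFINING = ('src', 'copy', 'concat', 'sanitize', 'const')

def defined_var(stmt):
    """Variable assigned by stmt, or None for a sink."""
    return stmt[1] if stmt[0] in DEFINING else None

def uses(stmt):
    """Variables read by stmt."""
    if stmt[0] in ('copy', 'sanitize'):
        return [stmt[2]]
    if stmt[0] == 'concat':
        return [stmt[2], stmt[3]]
    return []

def eager_taint(program):
    """Forward whole-program analysis: every statement is processed and a
    taint fact is computed for every variable, whether or not a sink needs it.
    Returns (indices of vulnerable sinks, number of statements visited)."""
    env, work, vulns = {}, 0, []
    for i, stmt in enumerate(program):
        work += 1
        kind = stmt[0]
        if kind == 'src':
            env[stmt[1]] = True
        elif kind in ('const', 'sanitize'):
            env[stmt[1]] = False
        elif kind in ('copy', 'concat'):
            env[stmt[1]] = any(env.get(u, False) for u in uses(stmt))
        elif env.get(stmt[1], False):   # sink reading a tainted variable
            vulns.append(i)
    return vulns, work

def reaching_def(program, var, before):
    """Index of the last assignment to var before statement index `before`."""
    for j in range(before - 1, -1, -1):
        if defined_var(program[j]) == var:
            return j
    return None

def demand_taint(program):
    """Backward, per-sink query: only the slice feeding each sink is explored,
    and the walk stops as soon as a source is reached.
    Returns (indices of vulnerable sinks, number of statements visited)."""
    vulns, work = [], 0
    for i, stmt in enumerate(program):
        if stmt[0] != 'sink':
            continue
        work += 1
        todo, seen, tainted = deque([(stmt[1], i)]), set(), False
        while todo and not tainted:
            var, at = todo.popleft()
            j = reaching_def(program, var, at)
            if j is None or j in seen:
                continue
            seen.add(j)
            work += 1
            d = program[j]
            if d[0] == 'src':
                tainted = True                      # source reached: report and stop
            elif d[0] in ('copy', 'concat'):
                todo.extend((u, j) for u in uses(d))
            # 'const' and 'sanitize' end the walk: no taint flows through them
        if tainted:
            vulns.append(i)
    return vulns, work

if __name__ == '__main__':
    for label, analysis in (('eager', eager_taint), ('demand-driven', demand_taint)):
        found, visited = analysis(PROGRAM)
        print(f"{label}: vulnerable sinks {found}, statements visited {visited}")
```

On the sample both analyses flag only statement 12 (the unsanitized `name` reaching `out.print`), but the demand-driven pass never touches statements 1, 2, 9 and 10, which is where the scalability gain of a lazy formulation comes from on real programs with many flows that no sink ever consumes.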

Keywords

Security, Static Analysis, Taint Analysis, Information Flow, Integrity, Abstract Interpretation

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Omer Tripp: Tel Aviv University, Israel; IBM Software Group, USA
  • Marco Pistoia: IBM Thomas J. Watson Research Center, USA
  • Patrick Cousot: New York University, USA
  • Radhia Cousot: École Normale Supérieure, France
  • Salvatore Guarnieri: University of Washington, USA; IBM Software Group, USA