Tainted Flow Analysis on e-SSA-Form Programs

  • Andrei Rimsa
  • Marcelo d’Amorim
  • Fernando Magno Quintão Pereira
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6601)


Tainted flow attacks originate from program inputs maliciously crafted to exploit software vulnerabilities. These attacks are common in server-side scripting languages, such as PHP. In 1997, Ørbæk and Palsberg formalized the problem of detecting these exploits as an instance of type-checking, and gave an O(V 3) algorithm to solve it, where V is the number of program variables. A similar algorithm was, ten years later, implemented on the Pixy tool. In this paper we give an O(V 2) solution to the same problem. Our solution uses Bodik et al.’s extended Static Single Assignment (e-SSA) program representation. The e-SSA form can be efficiently computed and it enables us to solve the problem via a sparse data-flow analysis. Using the same infrastructure, we compared a state-of-the-art data-flow solution with our technique. Both approaches have detected 36 vulnerabilities in well known PHP programs. Our results show that our approach tends to outperform the data-flow algorithm for bigger inputs. We have reported the bugs that we found, and an implementation of our algorithm is now publicly available.


Program Representation Program Variable Symbolic Execution Program Point Reachability Graph 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Ananian, S.: The Static Single Information Form. Master’s thesis, MIT (September 1999)Google Scholar
  2. 2.
    Appel, A.W., Palsberg, J.: Modern Compiler Implementation in Java, 2nd edn. Cambridge University Press, Cambridge (2002)CrossRefGoogle Scholar
  3. 3.
    Biggar, P.: Design and Implementation of an Ahead-of-Time Compiler for PHP. Ph.D. thesis. Trinity College, Dublin (2009)Google Scholar
  4. 4.
    Biggar, P., de Vries, E., Gregg, D.: A practical solution for scripting language compilers. In: SAC, pp. 1916–1923. ACM, New York (2009)Google Scholar
  5. 5.
    Bodik, R., Gupta, R., Sarkar, V.: ABCD: eliminating array bounds checks on demand. In: PLDI, pp. 321–333. ACM, New York (2000)CrossRefGoogle Scholar
  6. 6.
    Choi, J.D., Cytron, R., Ferrante, J.: Automatic construction of sparse data flow evaluation graphs. In: POPL, pp. 55–66 (1991)Google Scholar
  7. 7.
    Chow, F.C., Chan, S., Liu, S.M., Lo, R., Streich, M.: Effective representation of aliases and indirect memory operations in SSA form. In: Gyimóthy, T. (ed.) CC 1996. LNCS, vol. 1060, pp. 253–267. Springer, Heidelberg (1996)CrossRefGoogle Scholar
  8. 8.
    Christensen, A.S., Møller, A., Schwartzbach, M.I.: Precise analysis of string expressions. In: Cousot, R. (ed.) SAS 2003. LNCS, vol. 2694, pp. 1–18. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  9. 9.
    Chugh, R., Meister, J.A., Jhala, R., Lerner, S.: Staged information flow for javascript. In: PLDI, pp. 50–62. ACM, New York (2009)CrossRefGoogle Scholar
  10. 10.
    Cytron, R., Ferrante, J., Rosen, B.K., Wegman, M.N., Zadeck, F.K.: Efficiently computing static single assignment form and the control dependence graph. TOPLAS 13(4), 451–490 (1991)CrossRefGoogle Scholar
  11. 11.
    Foster, J.S., Terauchi, T., Aiken, A.: Flow-sensitive type qualifiers. In: PLDI, pp. 1–12. ACM, New York (2002)Google Scholar
  12. 12.
    Hammer, C., Krinke, J., Snelting, G.: Information flow control for java based on path conditions in dependence graphs. In: ISSSE, pp. 1–10. IEEE, Los Alamitos (2006)Google Scholar
  13. 13.
    Jovanovic, N., Kruegel, C., Kirda, E.: Pixy: A static analysis tool for detecting web application vulnerabilities (short paper). In: S&P, pp. 258–263. IEEE, Los Alamitos (2006)Google Scholar
  14. 14.
    Jovanovic, N., Kruegel, C., Kirda, E.: Precise alias analysis for static detection of web application vulnerabilities. In: PLAS, pp. 27–36. ACM, New York (2006)Google Scholar
  15. 15.
    Lengauer, T., Tarjan, R.E.: A fast algorithm for finding dominators in a flowgraph. TOPLAS 1(1), 121–141 (1979)CrossRefzbMATHGoogle Scholar
  16. 16.
    Ørbæk, P., Palsberg, J.: Trust in the λ-calculus. Journal of Functional Programming 7(6), 557–591 (1997)MathSciNetCrossRefzbMATHGoogle Scholar
  17. 17.
    Palsberg, J.: Efficient inference of object types. Inf. Comput. 123(2), 198–209 (1995)MathSciNetCrossRefzbMATHGoogle Scholar
  18. 18.
    Pioli, A., Burke, M., Hind, M.: Conditional pointer aliasing and constant propagation. Tech. Rep. 99-102, SUNY at New Paltz (1999)Google Scholar
  19. 19.
    Pistoia, M., Flynn, R.J., Koved, L., Sreedhar, V.C.: Interprocedural analysis for privileged code placement and tainted variable detection. In: Gao, X.-X. (ed.) ECOOP 2005. LNCS, vol. 3586, pp. 362–386. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  20. 20.
    Reps, T., Horwitz, S., Sagiv, M.: Precise interprocedural dataflow analysis via graph reachability. In: POPL, pp. 49–61. ACM, New York (1995)Google Scholar
  21. 21.
    Rimsa, A.: Efficient detection of tainted flow vulnerabilities. Master’s thesis, Federal University of Minas Gerais (UFMG) (December 2010)Google Scholar
  22. 22.
    Rimsa, A.A., d’Amorim, M., Pereira, F.M.Q.: Efficient static checker for tainted variable attacks. In: SBLP. SBC (2010)Google Scholar
  23. 23.
    Scholz, B., Zhang, C., Cifuentes, C.: User-input dependence analysis via graph reachability. Tech. rep., Sun Microsystems, Inc. (2008)Google Scholar
  24. 24.
    Scott, D., Sharp, R.: Specifying and enforcing application-level web security policies. Trans. on Knowl. and Data Eng. 15, 771–783 (2003)CrossRefGoogle Scholar
  25. 25.
    Singer, J.: Static Program Analysis Based on Virtual Register Renaming. Ph.D. thesis, University of Cambridge (2006)Google Scholar
  26. 26.
    Sridharan, M., Fink, S.J., Bodik, R.: Thin slicing. In: PLDI, pp. 112–122. ACM, New York (2007)Google Scholar
  27. 27.
    Tavares, A.L.C., Pereira, F.M.Q., Bigonha, M.A.S., Bigonha, R.: Efficient SSI conversion. In: Brazilian Symposium on Programming Languages (SBLP), pp. 1–14 (2010)Google Scholar
  28. 28.
    Tripp, O., Pistoia, M., Fink, S., Sridharan, M., Weisman, O.: TAJ: Effective taint analysis of web applications. In: PLDI, pp. 87–97. ACM, New York (2009)CrossRefGoogle Scholar
  29. 29.
    Wassermann, G., Su, Z.: Sound and precise analysis of web applications for injection vulnerabilities. In: PLDI, pp. 32–41. ACM, New York (2007)Google Scholar
  30. 30.
    Weiser, M.: Program slicing. In: ICSE, pp. 439–449. IEEE, Los Alamitos (1981)Google Scholar
  31. 31.
    Xie, Y., Aiken, A.: Static detection of security vulnerabilities in scripting languages. In: USENIX-SS. USENIX Association (2006)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Andrei Rimsa
    • 1
  • Marcelo d’Amorim
    • 2
  • Fernando Magno Quintão Pereira
    • 1
  1. 1.UFMGBelo HorizonteBrazil
  2. 2.UFPERecifeBrazil

Personalised recommendations