Abstract
Tainted flow attacks originate from program inputs maliciously crafted to exploit software vulnerabilities. These attacks are common in server-side scripting languages, such as PHP. In 1997, Ørbæk and Palsberg formalized the problem of detecting these exploits as an instance of type-checking, and gave an O(V 3) algorithm to solve it, where V is the number of program variables. A similar algorithm was, ten years later, implemented on the Pixy tool. In this paper we give an O(V 2) solution to the same problem. Our solution uses Bodik et al.’s extended Static Single Assignment (e-SSA) program representation. The e-SSA form can be efficiently computed and it enables us to solve the problem via a sparse data-flow analysis. Using the same infrastructure, we compared a state-of-the-art data-flow solution with our technique. Both approaches have detected 36 vulnerabilities in well known PHP programs. Our results show that our approach tends to outperform the data-flow algorithm for bigger inputs. We have reported the bugs that we found, and an implementation of our algorithm is now publicly available.
Chapter PDF
Similar content being viewed by others
Keywords
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
References
Ananian, S.: The Static Single Information Form. Master’s thesis, MIT (September 1999)
Appel, A.W., Palsberg, J.: Modern Compiler Implementation in Java, 2nd edn. Cambridge University Press, Cambridge (2002)
Biggar, P.: Design and Implementation of an Ahead-of-Time Compiler for PHP. Ph.D. thesis. Trinity College, Dublin (2009)
Biggar, P., de Vries, E., Gregg, D.: A practical solution for scripting language compilers. In: SAC, pp. 1916–1923. ACM, New York (2009)
Bodik, R., Gupta, R., Sarkar, V.: ABCD: eliminating array bounds checks on demand. In: PLDI, pp. 321–333. ACM, New York (2000)
Choi, J.D., Cytron, R., Ferrante, J.: Automatic construction of sparse data flow evaluation graphs. In: POPL, pp. 55–66 (1991)
Chow, F.C., Chan, S., Liu, S.M., Lo, R., Streich, M.: Effective representation of aliases and indirect memory operations in SSA form. In: Gyimóthy, T. (ed.) CC 1996. LNCS, vol. 1060, pp. 253–267. Springer, Heidelberg (1996)
Christensen, A.S., Møller, A., Schwartzbach, M.I.: Precise analysis of string expressions. In: Cousot, R. (ed.) SAS 2003. LNCS, vol. 2694, pp. 1–18. Springer, Heidelberg (2003)
Chugh, R., Meister, J.A., Jhala, R., Lerner, S.: Staged information flow for javascript. In: PLDI, pp. 50–62. ACM, New York (2009)
Cytron, R., Ferrante, J., Rosen, B.K., Wegman, M.N., Zadeck, F.K.: Efficiently computing static single assignment form and the control dependence graph. TOPLAS 13(4), 451–490 (1991)
Foster, J.S., Terauchi, T., Aiken, A.: Flow-sensitive type qualifiers. In: PLDI, pp. 1–12. ACM, New York (2002)
Hammer, C., Krinke, J., Snelting, G.: Information flow control for java based on path conditions in dependence graphs. In: ISSSE, pp. 1–10. IEEE, Los Alamitos (2006)
Jovanovic, N., Kruegel, C., Kirda, E.: Pixy: A static analysis tool for detecting web application vulnerabilities (short paper). In: S&P, pp. 258–263. IEEE, Los Alamitos (2006)
Jovanovic, N., Kruegel, C., Kirda, E.: Precise alias analysis for static detection of web application vulnerabilities. In: PLAS, pp. 27–36. ACM, New York (2006)
Lengauer, T., Tarjan, R.E.: A fast algorithm for finding dominators in a flowgraph. TOPLAS 1(1), 121–141 (1979)
Ørbæk, P., Palsberg, J.: Trust in the λ-calculus. Journal of Functional Programming 7(6), 557–591 (1997)
Palsberg, J.: Efficient inference of object types. Inf. Comput. 123(2), 198–209 (1995)
Pioli, A., Burke, M., Hind, M.: Conditional pointer aliasing and constant propagation. Tech. Rep. 99-102, SUNY at New Paltz (1999)
Pistoia, M., Flynn, R.J., Koved, L., Sreedhar, V.C.: Interprocedural analysis for privileged code placement and tainted variable detection. In: Gao, X.-X. (ed.) ECOOP 2005. LNCS, vol. 3586, pp. 362–386. Springer, Heidelberg (2005)
Reps, T., Horwitz, S., Sagiv, M.: Precise interprocedural dataflow analysis via graph reachability. In: POPL, pp. 49–61. ACM, New York (1995)
Rimsa, A.: Efficient detection of tainted flow vulnerabilities. Master’s thesis, Federal University of Minas Gerais (UFMG) (December 2010)
Rimsa, A.A., d’Amorim, M., Pereira, F.M.Q.: Efficient static checker for tainted variable attacks. In: SBLP. SBC (2010)
Scholz, B., Zhang, C., Cifuentes, C.: User-input dependence analysis via graph reachability. Tech. rep., Sun Microsystems, Inc. (2008)
Scott, D., Sharp, R.: Specifying and enforcing application-level web security policies. Trans. on Knowl. and Data Eng. 15, 771–783 (2003)
Singer, J.: Static Program Analysis Based on Virtual Register Renaming. Ph.D. thesis, University of Cambridge (2006)
Sridharan, M., Fink, S.J., Bodik, R.: Thin slicing. In: PLDI, pp. 112–122. ACM, New York (2007)
Tavares, A.L.C., Pereira, F.M.Q., Bigonha, M.A.S., Bigonha, R.: Efficient SSI conversion. In: Brazilian Symposium on Programming Languages (SBLP), pp. 1–14 (2010)
Tripp, O., Pistoia, M., Fink, S., Sridharan, M., Weisman, O.: TAJ: Effective taint analysis of web applications. In: PLDI, pp. 87–97. ACM, New York (2009)
Wassermann, G., Su, Z.: Sound and precise analysis of web applications for injection vulnerabilities. In: PLDI, pp. 32–41. ACM, New York (2007)
Weiser, M.: Program slicing. In: ICSE, pp. 439–449. IEEE, Los Alamitos (1981)
Xie, Y., Aiken, A.: Static detection of security vulnerabilities in scripting languages. In: USENIX-SS. USENIX Association (2006)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2011 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Rimsa, A., d’Amorim, M., Quintão Pereira, F.M. (2011). Tainted Flow Analysis on e-SSA-Form Programs. In: Knoop, J. (eds) Compiler Construction. CC 2011. Lecture Notes in Computer Science, vol 6601. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-19861-8_8
Download citation
DOI: https://doi.org/10.1007/978-3-642-19861-8_8
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-19860-1
Online ISBN: 978-3-642-19861-8
eBook Packages: Computer ScienceComputer Science (R0)