Abstract
Security auditing of industry-scale software systems mandates automation. Static taint analysis enables deep and exhaustive tracking of suspicious data flows for detection of potential leakage and integrity violations, such as cross-site scripting (XSS), SQL injection (SQLi) and log forging. Research in this area has taken two directions: program slicing and type systems. Both of these approaches suffer from a high rate of false findings, which limits the usability of analysis tools based on these techniques. Attempts to reduce the number of false findings have resulted in analyses that are either (i) unsound, suffering from the dual problem of false negatives, or (ii) too expensive due to their high precision, thereby failing to scale to real-world applications.
In this paper, we investigate a novel approach for enabling precise yet scalable static taint analysis. The key observation informing our approach is that taint analysis is a demand-driven problem, which enables lazy computation of vulnerable information flows, instead of eagerly computing a complete data-flow solution, which is the reason for the traditional dichotomy between scalability and precision. We have implemented our approach in Andromeda, an analysis tool that computes data-flow propagations on demand, in an efficient and accurate manner, and additionally features incremental analysis capabilities. Andromeda is currently in use in a commercial product. It supports applications written in Java, .NET and JavaScript. Our extensive evaluation of Andromeda on a suite of 16 production-level benchmarks shows Andromeda to achieve high accuracy and compare favorably to a state-of-the-art tool that trades soundness for precision.
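The abstract's key observation is that taint analysis is demand-driven: only flows seeded by a source need to be computed, not a complete data-flow solution. The following is an added illustration of that idea over a constructed straight-line IR (it is not Andromeda's code and makes no claim about its internal algorithm); statement kinds, variable names and the sanitizer model are assumptions for the example.

```python
# Demand-driven (lazy) taint propagation over a tiny straight-line IR.
# Facts are computed only for variables reachable from a source seed,
# instead of a full data-flow solution covering every statement.
from collections import deque

# Constructed sample program: (kind, dest, args) tuples.
#   source   : dest receives untrusted input
#   assign   : dest = args[0]
#   concat   : dest = join(args)
#   sanitize : dest = escape(args[0]), an endorser that stops taint
#   sink     : args[0] reaches a security-sensitive operation
SAMPLE = [
    ("source", "q", ()),
    ("assign", "s", ("q",)),
    ("concat", "sql", ("prefix", "s")),
    ("sanitize", "safe", ("q",)),
    ("sink", None, ("sql",)),      # q -> s -> sql -> sink: reported
    ("sink", None, ("safe",)),     # sanitized operand: not reported
    ("assign", "unused", ("x",)),  # never touched by the lazy walk
]

def demand_driven_taint(program):
    """Return (indices of sinks reached by taint, statements visited)."""
    # Def-use index built once: variable -> statements that read it.
    uses = {}
    for i, (_, _, args) in enumerate(program):
        for a in args:
            uses.setdefault(a, []).append(i)
    tainted, worklist, visited = set(), deque(), 0
    for kind, dest, _ in program:
        if kind == "source":          # seed the worklist with sources only
            tainted.add(dest)
            worklist.append(dest)
            visited += 1
    findings = set()
    while worklist:                   # explore forward from seeds on demand
        var = worklist.popleft()
        for i in uses.get(var, []):
            visited += 1
            kind, dest, _ = program[i]
            if kind == "sink":
                findings.add(i)
            elif kind == "sanitize":
                continue              # endorsed value is not tainted
            elif dest not in tainted:
                tainted.add(dest)
                worklist.append(dest)
    return findings, visited
```

On the sample, the walk reports only the unsanitized sink and visits 5 of the 7 statements; the unrelated assignment is never examined, which is the cost saving the abstract attributes to laziness.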
Keywords
- Security
- Static Analysis
- Taint Analysis
- Information Flow
- Integrity
- Abstract Interpretation
© 2013 Springer-Verlag Berlin Heidelberg
Cite this paper
Tripp, O., Pistoia, M., Cousot, P., Cousot, R., Guarnieri, S. (2013). Andromeda: Accurate and Scalable Security Analysis of Web Applications. In: Cortellessa, V., Varró, D. (eds) Fundamental Approaches to Software Engineering. FASE 2013. Lecture Notes in Computer Science, vol 7793. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-37057-1_15
DOI: https://doi.org/10.1007/978-3-642-37057-1_15
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-37056-4
Online ISBN: 978-3-642-37057-1