DOI: 10.1145/2048066.2048145

F4F: taint analysis of framework-based web applications

Published: 22 October 2011

Abstract

This paper presents F4F (Framework For Frameworks), a system for effective taint analysis of framework-based web applications. Most modern web applications utilize one or more web frameworks, which provide useful abstractions for common functionality. Due to extensive use of reflective language constructs in framework implementations, existing static taint analyses are often ineffective when applied to framework-based applications. While previous work has included ad hoc support for certain framework constructs, adding support for a large number of frameworks in this manner does not scale from an engineering standpoint.
F4F employs an initial analysis pass in which both application code and configuration files are processed to generate a specification of framework-related behaviors. A taint analysis engine can leverage these specifications to perform a much deeper, more precise analysis of framework-based applications. Our specification language has only a small number of simple but powerful constructs, easing analysis engine integration. With this architecture, new frameworks can be handled with no changes to the core analysis engine, yielding significant engineering benefits.
We implemented specification generators for several web frameworks and added F4F support to a state-of-the-art taint-analysis engine. In an experimental evaluation, the taint analysis enhanced with F4F discovered 525 new issues across nine benchmarks, a harmonic mean of 2.10X more issues per benchmark. Furthermore, manual inspection of a subset of the new issues showed that many were exploitable or reflected bad security practice.



Published In

OOPSLA '11: Proceedings of the 2011 ACM international conference on Object oriented programming systems languages and applications
October 2011, 1104 pages
ISBN: 9781450309400
DOI: 10.1145/2048066

ACM SIGPLAN Notices, Volume 46, Issue 10 (OOPSLA '11)
October 2011, 1063 pages
ISSN: 0362-1340
EISSN: 1558-1160
DOI: 10.1145/2076021
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. frameworks
  2. security
  3. taint analysis

Qualifiers

  • Research-article

Conference

SPLASH '11

Acceptance Rates

Overall Acceptance Rate 268 of 1,244 submissions, 22%


Article Metrics

  • Downloads (last 12 months): 55
  • Downloads (last 6 weeks): 4
Reflects downloads up to 24 Nov 2024

Cited By

  • (2024) HardTaint: Production-Run Dynamic Taint Analysis via Selective Hardware Tracing. Proceedings of the ACM on Programming Languages 8(OOPSLA2), 1615-1640. DOI: 10.1145/3689768. Online publication date: 8-Oct-2024
  • (2024) Seneca: Taint-Based Call Graph Construction for Java Object Deserialization. Proceedings of the ACM on Programming Languages 8(OOPSLA1), 1125-1153. DOI: 10.1145/3649851. Online publication date: 29-Apr-2024
  • (2024) MicroFuzz: An Efficient Fuzzing Framework for Microservices. Proceedings of the 46th International Conference on Software Engineering: Software Engineering in Practice, 216-227. DOI: 10.1145/3639477.3639723. Online publication date: 14-Apr-2024
  • (2024) LibAlchemy: A Two-Layer Persistent Summary Design for Taming Third-Party Libraries in Static Bug-Finding Systems. Proceedings of the IEEE/ACM 46th International Conference on Software Engineering, 1-13. DOI: 10.1145/3597503.3639132. Online publication date: 20-May-2024
  • (2024) Efficiently Trimming the Fat: Streamlining Software Dependencies with Java Reflection and Dependency Analysis. Proceedings of the IEEE/ACM 46th International Conference on Software Engineering, 1-12. DOI: 10.1145/3597503.3639123. Online publication date: 20-May-2024
  • (2024) AutoWeb: Automatically Inferring Web Framework Semantics via Configuration Mutation. Engineering of Complex Computer Systems, 369-389. DOI: 10.1007/978-3-031-66456-4_20. Online publication date: 29-Sep-2024
  • (2023) A method to web application taint analysis by computing data dependency. Sixth International Conference on Computer Information Science and Application Technology (CISAT 2023), 102. DOI: 10.1117/12.3003984. Online publication date: 11-Oct-2023
  • (2023) Detecting Command Injection and Cross-site Scripting Vulnerabilities Using Graph Representations. 2023 IEEE International Conference on Data and Software Engineering (ICoDSE), 49-54. DOI: 10.1109/ICoDSE59534.2023.10291446. Online publication date: 7-Sep-2023
  • (2023) Model Generation For Java Frameworks. 2023 IEEE Conference on Software Testing, Verification and Validation (ICST), 165-175. DOI: 10.1109/ICST57152.2023.00024. Online publication date: Apr-2023
  • (2023) MirrorTaint: Practical Non-Intrusive Dynamic Taint Tracking for JVM-Based Microservice Systems. Proceedings of the 45th International Conference on Software Engineering, 2514-2526. DOI: 10.1109/ICSE48619.2023.00210. Online publication date: 14-May-2023
