Research article
DOI: 10.1145/1542476.1542486

TAJ: effective taint analysis of web applications

Published: 15 June 2009

Abstract

Taint analysis, a form of information-flow analysis, establishes whether values from untrusted methods and parameters may flow into security-sensitive operations. Taint analysis can detect many common vulnerabilities in Web applications, and so has attracted much attention from both the research community and industry. However, most static taint-analysis tools do not address critical requirements for an industrial-strength tool. Specifically, an industrial-strength tool must scale to large industrial Web applications, model essential Web-application code artifacts, and generate consumable reports for a wide range of attack vectors.
We have designed and implemented a static Taint Analysis for Java (TAJ) that meets the requirements of industry-level applications. TAJ can analyze applications of virtually any size, as it employs a set of techniques designed to produce useful answers given limited time and space. TAJ addresses a wide variety of attack vectors, with techniques to handle reflective calls, flow through containers, nested taint, and issues in generating useful reports. This paper provides a description of the algorithms comprising TAJ, evaluates TAJ against production-level benchmarks, and compares it with alternative solutions.
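As an added illustration of the source-to-sink tracking the abstract describes (example code written for this page, not TAJ's implementation), the block below runs a toy flow-insensitive taint propagation over a constructed mini-program with a request parameter as source, a SQL execution as sink, a string concatenation and a container on the path; the method names, the whole-container taint model and the sanitizer set are assumptions.

```python
# Toy static taint analysis (added example, not TAJ's code): a flow-insensitive
# forward propagation over a constructed three-address program, in the spirit of
# the abstract's source -> sink tracking. Containers are modelled conservatively:
# storing a tainted element taints the whole container, and every retrieval from
# a tainted container yields a tainted value. Method names are illustrative.
SOURCES = {"request.getParameter"}      # results are attacker-controlled
SINKS = {"stmt.executeQuery"}           # arguments must be taint-free
SANITIZERS = {"escapeSql"}              # results are considered clean

# Constructed program. Tuple shapes: (op, dest, *operands); "sink" is (op, method, arg).
PROGRAM = [
    ("source", "name", "request.getParameter"),   # name = request.getParameter("n")
    ("assign", "prefix", "CONST"),                # prefix = "SELECT * FROM u WHERE n='"
    ("put", "names", "name"),                     # names.add(name)
    ("get", "item", "names"),                     # item = names.get(0)
    ("concat", "query", "prefix", "item"),        # query = prefix + item
    ("sink", "stmt.executeQuery", "query"),       # tainted fragment reaches SQL: report
    ("sanitize", "safe", "name", "escapeSql"),    # safe = escapeSql(name)
    ("concat", "query2", "prefix", "safe"),       # query2 = prefix + safe
    ("sink", "stmt.executeQuery", "query2"),      # clean: not reported
]

def analyze(program):
    """Return [(sink_method, variable)] for every sink fed by an untrusted value."""
    tainted = set()
    changed = True
    while changed:                       # iterate to a fixpoint (order-independent)
        changed = False
        for op, *args in program:
            before = len(tainted)
            if op == "source" and args[1] in SOURCES:
                tainted.add(args[0])
            elif op in ("assign", "get") and args[1] in tainted:
                tainted.add(args[0])     # plain copy, or read from a tainted container
            elif op == "concat" and (args[1] in tainted or args[2] in tainted):
                tainted.add(args[0])     # a tainted fragment taints the whole string
            elif op == "put" and args[1] in tainted:
                tainted.add(args[0])     # container now holds untrusted data
            elif op == "sanitize" and args[2] not in SANITIZERS and args[1] in tainted:
                tainted.add(args[0])     # unknown "sanitizer": stay conservative
            changed |= len(tainted) != before
    return [(args[0], args[1]) for op, *args in program
            if op == "sink" and args[0] in SINKS and args[1] in tainted]

if __name__ == "__main__":
    for method, var in analyze(PROGRAM):
        print(f"untrusted data reaches {method} via {var}")
```

The fixpoint loop makes the result independent of statement order, which is what lets the whole-container approximation stay sound when a value is stored after it is read elsewhere in the program.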



Published In

PLDI '09: Proceedings of the 30th ACM SIGPLAN Conference on Programming Language Design and Implementation, June 2009, 492 pages. ISBN: 9781605583921. DOI: 10.1145/1542476

Also in ACM SIGPLAN Notices, Volume 44, Issue 6 (PLDI '09), June 2009, 478 pages. ISSN: 0362-1340. EISSN: 1558-1160. DOI: 10.1145/1543135

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. java
  2. program analysis
  3. security
  4. slicing
  5. static analysis
  6. taint analysis
  7. web application


Conference

PLDI '09

Overall acceptance rate: 406 of 2,067 submissions, 20%
