Abstract
AbstractPrevious work has shown that taint analyses are only useful if correctly customized to the context in which they are used. Existing domain-specific languages (DSLs) allow such customization through the definition of deny-listing data-flow rules that describe potentially vulnerable or malicious taint-flows. These languages, however, are designed primarily for security experts who are expected to be knowledgeable in taint analysis. Software developers, however, consider these languages to be complex. This paper thus presents fluent TQL, a query specification language particularly for taint-flows. fluentTQL is internal Java DSL and uses a fluent-interface design. fluentTQL queries can express various taint-style vulnerability types, e.g. injections, cross-site scripting or path traversal. This paper describes fluentTQL’s abstract and concrete syntax and defines its runtime semantics. The semantics are independent of any underlying analysis and allows evaluation of fluent TQL queries by a variety of taint analyses. Instantiations of fluentTQL, on top of two taint analysis solvers, Boomerang and FlowDroid, show and validate fluent TQL expressiveness. Based on existing examples from the literature, we have used fluentTQL to implement queries for 11 popular security vulnerability types in Java. Using our SQL injection specification, the Boomerang-based taint analysis found all 17 known taint-flows in the OWASP WebGoat application, whereas with FlowDroid 13 taint-flows were found. Similarly, in a vulnerable version of the Java Spring PetClinic application, the Boomerang-based taint analysis found all seven expected taint-flows. In seven real-world Android apps with 25 expected malicious taint-flows, 18 taint-flows were detected. In a user study with 26 software developers, fluentTQL reached a high usability score. In comparison to CodeQL, the state-of-the-art DSL by Semmle/GitHub, participants found fluentTQL more usable and with it they were able to specify taint analysis queries in shorter time.
Funder
European Regional Development Fund
Fraunhofer-Institut für Entwurfstechnik Mechatronik IEM
Publisher
Springer Science and Business Media LLC
Reference63 articles.
1. Antoniadis A, Filippakis N, Krishnan P, Ramesh R, Allen N, Smaragdakis Y (2020) Static analysis of java enterprise applications: frameworks and caches, the elephants in the room. In: Proceedings of the 41st ACM SIGPLAN conference on programming language design and implementation, PLDI 2020. https://doi.org/10.1145/3385412.3386026. ACM, New York, pp 794–807
2. Arzt S, Rasthofer S, Bodden E (2013) Susi: a tool for the fully automated classification and categorization of android sources and sinks. In: Network and distributed system security symposium 2013, NDSS’13
3. Arzt S, Rasthofer S, Fritz C, Bodden E, Bartel A, Klein J, Traon Y L, Octeau D, McDaniel P (2014) Flowdroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps. In: Proceedings of the 35th ACM SIGPLAN conference on programming language design and implementation, PLDI ’14. ACM, New York, pp 259–269
4. Bodden E (2018) The secret sauce in efficient and precise static analysis: the beauty of distributive, summary-based static analyses (and how to master them). In: ACM SIGPLAN International workshop on the state of the art in java program analysis (SOAP 2018), ISSTA ’18. ACM, New York, pp 85–93
5. Brooke J (2013) Sus: a retrospective. J Usability Stud 8(2):29–40
Cited by
4 articles.
订阅此论文施引文献
订阅此论文施引文献,注册后可以免费订阅5篇论文的施引文献,订阅后可以查看论文全部施引文献
1. DocFlow: Extracting Taint Specifications from Software Documentation;Proceedings of the 46th IEEE/ACM International Conference on Software Engineering;2024-02-06
2. Can the configuration of static analyses make resolving security vulnerabilities more effective? - A user study;Empirical Software Engineering;2023-09
3. Model Generation For Java Frameworks;2023 IEEE Conference on Software Testing, Verification and Validation (ICST);2023-04
4. To what extent can we analyze Kotlin programs using existing Java taint analysis tools?;2022 IEEE 22nd International Working Conference on Source Code Analysis and Manipulation (SCAM);2022-10