F4F

Author:

Manu Sridharan (1), Shay Artzi (1), Marco Pistoia (1), Salvatore Guarnieri (2), Omer Tripp (2), Ryan Berg (2)

Affiliation:

1. IBM T.J. Watson Research Center, Yorktown Heights, NY, USA

2. IBM Software Group, Littleton, MA, USA

Abstract

This paper presents F4F (Framework For Frameworks), a system for effective taint analysis of framework-based web applications. Most modern web applications utilize one or more web frameworks, which provide useful abstractions for common functionality. Due to extensive use of reflective language constructs in framework implementations, existing static taint analyses are often ineffective when applied to framework-based applications. While previous work has included ad hoc support for certain framework constructs, adding support for a large number of frameworks in this manner does not scale from an engineering standpoint. F4F employs an initial analysis pass in which both application code and configuration files are processed to generate a specification of framework-related behaviors. A taint analysis engine can leverage these specifications to perform a much deeper, more precise analysis of framework-based applications. Our specification language has only a small number of simple but powerful constructs, easing analysis engine integration. With this architecture, new frameworks can be handled with no changes to the core analysis engine, yielding significant engineering benefits. We implemented specification generators for several web frameworks and added F4F support to a state-of-the-art taint-analysis engine. In an experimental evaluation, the taint analysis enhanced with F4F discovered 525 new issues across nine benchmarks, a harmonic mean of 2.10X more issues per benchmark. Furthermore, manual inspection of a subset of the new issues showed that many were exploitable or reflected bad security practice.

Publisher

Association for Computing Machinery (ACM)

Subject

Computer Graphics and Computer-Aided Design; Software


Cited by 13 articles.

1. Fluently specifying taint-flow queries with fluentTQL. Empirical Software Engineering, 2022-05-30.

2. Statically Discovering High-Order Taint Style Vulnerabilities in OS Kernels. Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, 2021-11-12.

3. Privacy and security constraints for code contributions. Software: Practice and Experience, 2020-08-05.

4. Salsa: static analysis of serialization features. Proceedings of the 22nd ACM SIGPLAN International Workshop on Formal Techniques for Java-Like Programs, 2020-07-23.

5. A Reusable SQL Injection Detection Method for Java Web Applications. KSII Transactions on Internet and Information Systems, 2020-06-30.
