ABSTRACT
This paper presents F4F (Framework For Frameworks), a system for effective taint analysis of framework-based web applications. Most modern web applications utilize one or more web frameworks, which provide useful abstractions for common functionality. Due to extensive use of reflective language constructs in framework implementations, existing static taint analyses are often ineffective when applied to framework-based applications. While previous work has included ad hoc support for certain framework constructs, adding support for a large number of frameworks in this manner does not scale from an engineering standpoint.
F4F employs an initial analysis pass in which both application code and configuration files are processed to generate a specification of framework-related behaviors. A taint analysis engine can leverage these specifications to perform a much deeper, more precise analysis of framework-based applications. Our specification language has only a small number of simple but powerful constructs, easing analysis engine integration. With this architecture, new frameworks can be handled with no changes to the core analysis engine, yielding significant engineering benefits.
We implemented specification generators for several web frameworks and added F4F support to a state-of-the-art taint-analysis engine. In an experimental evaluation, the taint analysis enhanced with F4F discovered 525 new issues across nine benchmarks, a harmonic mean of 2.10X more issues per benchmark. Furthermore, manual inspection of a subset of the new issues showed that many were exploitable or reflected bad security practice.
- J. Aldrich, J. Sunshine, D. Saini, and Z. Sparks. Typestate-oriented programming. In OOPSLA Onward!, 2009. Google ScholarDigital Library
- T. Ball, V. Levin, and F. Xie. Automatic creation of environment models via training. In TACAS, 2004.Google ScholarCross Ref
- Java SE Desktop Technologies -- Java Beans. http://www.oracle.com/technetwork/java/javase/tech/index-jsp-138795.htm%l.Google Scholar
- M. Bravenboer and Y. Smaragdakis. Strictly declarative specification of sophisticated points-to analyses. In OOPSLA, 2009. Google ScholarDigital Library
- S. Burbeck. Applications programming in Smalltalk-80: How to use model-view-controller (MVC). http://st-www.cs.illinois.edu/users/smarch/st-docs/mvc.html, 1992.Google Scholar
- P. Centonze, G. Naumovich, S. J. Fink, and M. Pistoia. Role-Based Access Control Consistency Validation. In ISSTA, 2006. Google ScholarDigital Library
- The Unified Expression Language. http://java.sun.com/products/jsp/reference/techart/unifiedEL.html.Google Scholar
- S. Guarnieri, M. Pistoia, O. Tripp, J. Dolby, S. Teilhet, and R. Berg. Saving the World Wide Web from vulnerable JavaScript. In Proceedings of the 2011 International Symposium on Software Testing and Analysis, 2011. Google ScholarDigital Library
- C. Jaspan and J. Aldrich. Checking framework interactions with relationships. In ECOOP, 2009. Google ScholarDigital Library
- Java EE at a Glance. http://www.oracle.com/technetwork/java/javaee/.Google Scholar
- JavaServer Pages Technology. http://java.sun.com/products/jsp/.Google Scholar
- B. Livshits, J. Whaley, and M. S. Lam. Reflection analysis for Java. In K. Yi, editor, Proceedings of the 3rd Asian Symposium on Programming Languages and Systems, Nov. 2005. Google ScholarDigital Library
- V. B. Livshits and M. S. Lam. Finding security errors in Java programs with static analysis. In Proceedings of the 14th Usenix Security Symposium, Aug. 2005. Google ScholarDigital Library
- V. B. Livshits, A. V. Nori, S. K. Rajamani, and A. Banerjee. Merlin: specification inference for explicit information flow problems. In PLDI, 2009. Google ScholarDigital Library
- A. C. Myers. JFlow: practical mostly-static information flow control. In POPL, 1999. Google ScholarDigital Library
- R. O'Callahan. Generalized Aliasing as a Basis for Program Analysis Tools. PhD thesis, Carnegie Mellon University, November 2000. Google ScholarDigital Library
- OWASP. Cross-site scripting. http://www.owasp.org/index.php/Cross-site_Scripting_(XSS). Accessed 16-August-2011.Google Scholar
- U. Shankar, K. Talwar, J. S. Foster, and D. Wagner. Detecting format string vulnerabilities with type qualifiers. In USENIX Security Symposium, 2001. Google ScholarDigital Library
- T. Tateishi, M. Pistoia, and O. Tripp. Path- and index-sensitive string analysis based on monadic second-order logic. In Proceedings of the 2011 International Symposium on Software Testing and Analysis, ISSTA '11, 2011. Google ScholarDigital Library
- O. Tripp, M. Pistoia, S. J. Fink, M. Sridharan, and O. Weisman. TAJ: effective taint analysis of web applications. In PLDI, 2009. Google ScholarDigital Library
- R. Vallée-Rai, L. Hendren, V. Sundaresan, P. Lam, E. Gagnon, and P. Co. Soot - a Java optimization framework. In Proceedings of CASCON, 1999.Google Scholar
- T.J. Watson Libraries for Analysis (WALA). http://wala.sourceforge.net.Google Scholar
- Wikipedia. Comparison of web application frameworks. http://en.wikipedia.org/wiki/Comparison_of_web_application_frameworks. Accessed 16-August-2011.Google Scholar
- X. Zhang, L. Koved, M. Pistoia, S. Weber, T. Jaeger, G. Marceau, and L. Zeng. The case for analysis preserving language transformation. In ISSTA, 2006. Google ScholarDigital Library
Index Terms
- F4F: taint analysis of framework-based web applications
Recommendations
P/Taint: unified points-to and taint analysis
Static information-flow analysis (especially taint-analysis) is a key technique in software security, computing where sensitive or untrusted data can propagate in a program. Points-to analysis is a fundamental static program analysis, computing what ...
TAJ: effective taint analysis of web applications
PLDI '09Taint analysis, a form of information-flow analysis, establishes whether values from untrusted methods and parameters may flow into security-sensitive operations. Taint analysis can detect many common vulnerabilities in Web applications, and so has ...
F4F: taint analysis of framework-based web applications
OOPSLA '11This paper presents F4F (Framework For Frameworks), a system for effective taint analysis of framework-based web applications. Most modern web applications utilize one or more web frameworks, which provide useful abstractions for common functionality. ...
Comments