Comparative Analysis of Two Approaches to Static Taint Analysis

Belyaev, M. V.; Shimchik, N. V.; Ignatyev, Valery; Belevantsev, Andrey

doi:10.1134/s036176881806004x

Cited by 8 publications

(6 citation statements)

References 1 publication

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We propose an analogical combination of two static analyses: IFDS-based analysis and symbolic execution. Unlike building taint analysis using static symbolic execution without IFDS framework, as we have already done for C# in [5], or as it is done for C and C++ in Svace [9], two-staged approach allows to deal with following issues. Every general-purpose static analyzer is required to balance between analysis precision and performance.…”

Section: Analysis Results Refinement Stagementioning

confidence: 99%

“…But this approach requires to gather constraints for these offsets using LLVM-instructions which are usually ignored by the IFDS engine, because values of these variables are not tainted. Therefore, it's better to build a dedicated symbolic execution engine and integrate it with existing IFDS engine or to build taint analysis immediately on symbolic execution [5]. Because of this we decided to use an existing symbolic execution tool as a second analysis stage.…”

Section: Memory Modelmentioning

confidence: 99%

See 1 more Smart Citation

Vulnerabilities Detection via Static Taint Analysis

Shimchik¹,

Игнатьев²

2019

Proceedings of ISP RAS

View full text Add to dashboard Cite

Due to huge amounts of code in modern software products, there is always a variety of subtle errors or flaws in programs, which are hard to discover during everyday use or through conventional testing. A lot of such errors could be used as a potential attack vector if they could be exploited by a remote user via manipulation of program input. This paper presents the approach for automatic detection of security vulnerabilities using interprocedural static taint analysis. The goal of this study is to develop the infrastructure for taint analysis applicable for detection of vulnerabilities in C and C++ programs and extensible with separate detectors. This tool is based on the Interprocedural Finite Distributive Subset (IFDS) algorithm and is able to perform interprocedural, context-sensitive, path-insensitive analysis of programs represented in LLVM form. According to our research it is not possible to achieve good results using pure taint analysis, so together with several enhancements of existing techniques we propose to supplement it with additional static symbolic execution based analysis stage, which has path-sensitivity and considers memory region sizes for filtering results found by the first stage. The evaluation of results was made on Juliet Test Suite and open-source projects with publicly known vulnerabilities from CVE database.

show abstract

Section: Analysis Results Refinement Stagementioning

confidence: 99%

Section: Memory Modelmentioning

confidence: 99%

Vulnerabilities Detection via Static Taint Analysis

Shimchik¹,

Игнатьев²

2019

Proceedings of ISP RAS

View full text Add to dashboard Cite

show abstract

“…Others have extended Java-based abstract interpretation frameworks to run precise data flow analysis on Android [34], or have focused on model checking for data flow properties [35], [36]. Taint tracking and symbolic execution can achieve the same degree of completeness, and neither approach offers superior performance in general [37]. In an attempt to combine the different approaches, work has been done to post-process taint tracking results using symbolic execution [38].…”

Section: Re L a T E D Wo R Kmentioning

confidence: 99%

Sustainable Solving: Reducing the Memory Footprint of IFDS-Based Data Flow Analyses Using Intelligent Garbage Collection

Arzt

2021

2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE)

View full text Add to dashboard Cite

Static data flow analysis is an integral building block for many applications, ranging from compile-time code optimization to security and privacy analysis. When assessing whether a mobile app is trustworthy, for example, analysts need to identify which of the user's personal data is sent to external parties such as the app developer or cloud providers. Since accessing and sending data is usually done via API calls, tracking the data flow between source and sink API is often the method of choice. Precise algorithms such as IFDS help reduce the number of false positives, but also introduce significant performance penalties. With its fixpoint iteration over the program's entire exploded supergraph, IFDS is particularly memory-intensive, consuming hundreds of megabytes or even several gigabytes for medium-sized apps.In this paper, we present a technique called CLEANDROID for reducing the memory footprint of a precise IFDS-based data flow analysis and demonstrate its effectiveness in the popular FlowDroid open-source data flow solver. CLEANDROID efficiently removes edges from the path edge table used for the IFDS fixpoint iteration without affecting termination. As we show on 600 realworld Android apps from the Google Play Store, CLEANDROID reduces the average per-app memory consumption by around 63% to 78%. At the same time, CLEANDROID speeds up the analysis by up to 66%.

show abstract

“…This disadvantage is important especially for using SharpChecker with small projects. Such modeling is very significant for taint analysis engine [5], because it makes it possible to specify paths of tainted data propagation and cleanup between arguments, object fields and return value. The described approach seems to have an evident extension.…”

Section: Code Modelsmentioning

confidence: 99%

“…This paper is devoted to the possible methods for data provision that were tested with the static analysis tool SharpChecker [1], which is also available as a part of Svace [2], [3] static analyzer tool-set. SharpChecker contains several analysis engines: AST, dataflow, symbolic execution [4], taint [5] and experimental machine learning based subsystem [6]. Modeling of external libraries code is an important task in interprocedural source code analysis.…”

Section: Introductionmentioning

confidence: 99%

Modeling of library functions in an industrial static code analyzer

Беляев¹,

Романенков²,

Игнатьев³

2020

Proceedings of ISP RAS

View full text Add to dashboard Cite

SharpChecker is an industrial level static analyzer, which is aimed at detection of various bugs in C# source code. Because the tool is actively developed, it requires more and more precise information about program environment, especially about results and side-effects of library functions. The paper is devoted to the evolution of models for the standard library historically used by SharpChecker, its advantages and drawbacks. We have started from SQLite database with the most important functions properties, then introduced manually written C# model implementations of frequently used methods to add support of data container states and have recently developed a model, built by a preliminary analysis of library source code, which allows to gather all significant side-effects with conditions for almost whole C# library.

show abstract

Comparative Analysis of Two Approaches to Static Taint Analysis

Cited by 8 publications

References 1 publication

Vulnerabilities Detection via Static Taint Analysis

Vulnerabilities Detection via Static Taint Analysis

Sustainable Solving: Reducing the Memory Footprint of IFDS-Based Data Flow Analyses Using Intelligent Garbage Collection

Modeling of library functions in an industrial static code analyzer

Contact Info

Product

Resources

About