Inferring Patterns for Taint-Style Vulnerabilities With Security Patches

Song, Tingyu; Li, Xiaohong; Feng, Zhiyong; Xu, Guangquan

doi:10.1109/access.2019.2911592

Cited by 3 publications

(1 citation statement)

References 31 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…While much effort has been spent on automatically proposing relevant sources, sanitizers, and sinks (Piskachev et al, 2019;Arzt et al, 2013;Sas et al, 2018) or inference of taint-flows (source-sanitizer-sink paths) (Livshits et al, 2009;Chibotaru et al, 2019;Song et al, 2019), in practice taint analyses still require substantial manual specification effort.…”

Section: Introductionmentioning

confidence: 99%

Fluently specifying taint-flow queries with fluentTQL

Piskachev¹,

Späth²,

Budde³

et al. 2022

Preprint

View full text Add to dashboard Cite

Previous work has shown that taint analyses are only useful if correctly customized to the context in which they are used. Existing domainspecific languages (DSLs) allow such customization through the definition of deny-listing data-flow rules that describe potentially vulnerable or malicious taint-flows. These languages, however, are designed primarily for security experts who are expected to be knowledgeable in taint analysis. Software developers, however, consider these languages to be complex.This paper thus presents fluentTQL, a query specification language particularly for taint-flow. fluentTQL is internal Java DSL and uses a fluentinterface design. fluentTQL queries can express various taint-style vulnerability types, e.g. injections, cross-site scripting or path traversal. This paper describes fluentTQL's abstract and concrete syntax and defines its runtime semantics. The semantics are independent of any underlying analysis and allows evaluation of fluentTQL queries by a variety of taint analyses. Instantiations of fluentTQL, on top of two taint analysis solvers, Boomerang and FlowDroid, show and validate fluentTQL expressiveness.Based on existing examples from the literature, we have used fluentTQL to implement queries for 11 popular security vulnerability types in Java. Using our SQL injection specification, the Boomerang-based taint analysis found all 17 known taint-flows in the OWASP WebGoat application, whereas with Flow-Droid 13 taint-flows were found. Similarly, in a vulnerable version of the Java Spring PetClinic application, the Boomerang-based taint analysis found all seven expected taint-flows. In seven real-world Android apps with 25 expected malicious taint-flows, 18 taint-flows were detected. In a user study with 26

show abstract

Section: Introductionmentioning

confidence: 99%

Fluently specifying taint-flow queries with fluentTQL

Piskachev¹,

Späth²,

Budde³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

Fluently specifying taint-flow queries with fluentTQL

Piskachev

Späth²,

Budde

et al. 2022

Empir Software Eng

View full text Add to dashboard Cite

Previous work has shown that taint analyses are only useful if correctly customized to the context in which they are used. Existing domain-specific languages (DSLs) allow such customization through the definition of deny-listing data-flow rules that describe potentially vulnerable or malicious taint-flows. These languages, however, are designed primarily for security experts who are expected to be knowledgeable in taint analysis. Software developers, however, consider these languages to be complex. This paper thus presents fluent TQL, a query specification language particularly for taint-flows. fluentTQL is internal Java DSL and uses a fluent-interface design. fluentTQL queries can express various taint-style vulnerability types, e.g. injections, cross-site scripting or path traversal. This paper describes fluentTQL’s abstract and concrete syntax and defines its runtime semantics. The semantics are independent of any underlying analysis and allows evaluation of fluent TQL queries by a variety of taint analyses. Instantiations of fluentTQL, on top of two taint analysis solvers, Boomerang and FlowDroid, show and validate fluent TQL expressiveness. Based on existing examples from the literature, we have used fluentTQL to implement queries for 11 popular security vulnerability types in Java. Using our SQL injection specification, the Boomerang-based taint analysis found all 17 known taint-flows in the OWASP WebGoat application, whereas with FlowDroid 13 taint-flows were found. Similarly, in a vulnerable version of the Java Spring PetClinic application, the Boomerang-based taint analysis found all seven expected taint-flows. In seven real-world Android apps with 25 expected malicious taint-flows, 18 taint-flows were detected. In a user study with 26 software developers, fluentTQL reached a high usability score. In comparison to CodeQL, the state-of-the-art DSL by Semmle/GitHub, participants found fluentTQL more usable and with it they were able to specify taint analysis queries in shorter time.

show abstract

Comparing fine-grained source code changes and code churn for bug prediction - A retrospective

Pinzger

Giger²,

Gall

2021

SIGSOFT Softw. Eng. Notes

View full text Add to dashboard Cite

More than two decades ago, researchers started to mine the data stored in software repositories to help software developers in making informed decisions for developing and testing software systems. Bug prediction was one of the most promising and popular research directions that uses the data stored in software repositories to predict the bug-proneness or number of bugs in source files. On that topic and as part of Emanuel's PhD studies, we submitted a paper with the title Comparing fine-grained source code changes and code churn for bug prediction [8] to the 8th Working Conference on Mining Software Engineering, held 2011 in beautiful Honolulu, Hawaii. Ten years later, it got selected as one of the finalists to receive the MSR 2021 Most Influential Paper Award. In the following, we provide a retrospective on our work, describing the road to publishing this paper, its impact in the field of bug prediction, and the road ahead.

show abstract

Inferring Patterns for Taint-Style Vulnerabilities With Security Patches

Cited by 3 publications

References 31 publications

Fluently specifying taint-flow queries with fluentTQL

Fluently specifying taint-flow queries with fluentTQL

Fluently specifying taint-flow queries with fluentTQL

Comparing fine-grained source code changes and code churn for bug prediction - A retrospective

Contact Info

Product

Resources

About