Comparative Analysis of Two Approaches to Static Taint Analysis
| Field | Value |
|---|---|
| Published in | Programming and Computer Software, 2018-11, Vol. 44 (6), pp. 459-466 |
| Main Authors | |
| Format | Article |
| Language | English |
| ISSN | 0361-7688, 1608-3261 |
| DOI | 10.1134/S036176881806004X |

Summary: Currently, one of the most efficient ways to detect software security flaws is taint analysis. It can be based on static code analysis, and it helps detect bugs that lead to vulnerabilities, such as code injection or leaks of private data. Two approaches to the implementation of tainted data propagation over the program intermediate representation are proposed and compared. One of them is based on dataflow analysis (IFDS), and the other is based on symbolic execution. In this paper, the implementation of both approaches within the existing static analyzer infrastructure for detecting bugs in C# programs is described. These approaches are compared from the viewpoint of scope of application, quality of results, performance, and resource requirements. Since both approaches use a common infrastructure for accessing information about the program and are implemented by the same team of developers, the results of the comparison are more significant and accurate than usual, and they can be used to select the best option for a specific program and task. Our experiments show that the same completeness can be achieved regardless of the chosen approach. The IFDS-based implementation has higher performance than symbolic execution for detectors with a small number of tainted data sources. With multiple detectors and a large number of sources, the IFDS approach scales worse than symbolic execution.