IFDS Taint Analysis with Access Paths
Nicholas Allen, François Gauthier, Alexander Jordan

TL;DR
This paper introduces a demand-driven, scalable static taint analysis method for large Java web applications that improves upon existing approaches by avoiding expensive alias analysis.
Contribution
We propose a novel IFDS-based taint analysis that is demand-driven and scalable, suitable for very large industrial Java applications.
Findings
Achieves faster analysis times for large codebases
Maintains high precision without relying on alias analysis
Scales to industrial-size Java web applications
Abstract
Over the years, static taint analysis has emerged as the analysis of choice for detecting some of the most common web application vulnerabilities, such as SQL injection (SQLi) and cross-site scripting (XSS) [OWASP]. Furthermore, from an implementation perspective, the IFDS dataflow framework has stood out as one of the most successful vehicles for implementing static taint analysis of real-world Java applications. While existing approaches scale reasonably to medium-size applications (e.g. up to one hour of analysis time for less than 100K lines of code), our experience suggests that no existing solution can scale to very large industrial code bases (e.g. more than 1M lines of code). In this paper, we present our novel IFDS-based solution for fast and precise static taint analysis of very large industrial Java web applications. Similar to state-of-the-art approaches to taint analysis, our…
Taxonomy
Topics: Web Application Security Vulnerabilities · Security and Verification in Computing · Advanced Malware Detection Techniques
