SAGA: Detecting Security Vulnerabilities Using Static Aspect Analysis
Yoann Marquer, Domenico Bianculli, Lionel C. Briand

TL;DR
SAGA is a static analysis approach that detects a wide range of security vulnerabilities in Python code by analyzing control- and data-flow information, achieving high accuracy and speed.
Contribution
The paper introduces SAGA, a versatile static analysis tool for Python that supports numerous vulnerability types and outperforms existing tools in accuracy and efficiency.
Findings
Achieved 100% sensitivity and 99.15% specificity on a dataset of vulnerabilities.
Detected vulnerabilities in less than 31 seconds, faster than baseline tools.
Outperformed four common security analysis tools in accuracy and speed.
Abstract
Python is one of the most popular programming languages; as such, projects written in Python involve an increasing number of diverse security vulnerabilities. However, existing state-of-the-art analysis tools for Python only support a few vulnerability types. Hence, there is a need to detect a large variety of vulnerabilities in Python projects. In this paper, we propose the SAGA approach to detect and locate vulnerabilities in Python source code in a versatile way. SAGA includes a source code parser able to extract control- and data-flow information and to represent it as a symbolic control-flow graph, as well as a domain-specific language defining static aspects of the source code and their evolution during graph traversals. We have leveraged this language to define a library of static aspects for integrity, confidentiality, and other security-related properties. We have evaluated…
Taxonomy
Topics: Software Engineering Research · Advanced Malware Detection Techniques · Software Testing and Debugging Techniques
