Internet Archive Scholar

Type-Based Taint Analysis for Java Web Applications [chapter]

Wei Huang, Yao Dong, Ana Milanova
2014 Lecture Notes in Computer Science  

Preserved Fulltext

fulltext thumbnail
Web Archive Capture PDF (309.0 kB)
https://web.archive.org/web/20190503075141/https://link.springer.com/content/pdf/10.1007%2F978-3-642-54804-8_10.pdf

A copy of this work was available on the public web and has been preserved in the Wayback Machine. The capture dates from 2019; you can also visit the original URL. The file type is application/pdf.

Static taint analysis detects information flow vulnerabilities. It has gained considerable importance in the last decade, with the majority of work focusing on dataflow and points-to-based approaches. In this paper, we advocate type-based taint analysis. We present SFlow, a context-sensitive type system for secure information flow, and SFlow-Infer, a corresponding worst-case cubic inference analysis. Our approach effectively handles reflection, libraries and frameworks, features notoriously
more » ... icult for dataflow and points-to-based taint analysis. We implemented SFlow and SFlowInfer. Empirical results on 13 realworld Java web applications show that our approach is scalable and also precise, achieving false positive rate of 15%.
doi:10.1007/978-3-642-54804-8_10 fatcat:aydbrd7xtnd6zkbxf67kpy2azm
Citation

Wei Huang, Yao Dong, Ana Milanova. "Type-Based Taint Analysis for Java Web Applications." Lecture Notes in Computer Science (2014) 140-154