Abstract
Currently, one of the most efficient ways to detect software security flaws is taint analysis. It can be based on static code analysis, and it helps detect bugs that lead to vulnerabilities such as code injection or leaks of private data. Two approaches to implementing the propagation of tainted data over the program's intermediate representation are proposed and compared: one is based on dataflow analysis (IFDS), and the other on symbolic execution. In this paper, the implementation of both approaches within the existing static analyzer infrastructure for detecting bugs in C# programs is described. The approaches are compared with respect to scope of application, quality of results, performance, and resource requirements. Since both approaches use a common infrastructure for accessing information about the program and were implemented by the same team of developers, the comparison is more significant and accurate than usual, and its results can be used to select the best option for a specific program and task. Our experiments show that the same completeness can be achieved regardless of the chosen approach. The IFDS-based implementation has higher performance than symbolic execution for detectors with a small number of tainted data sources. With multiple detectors and a large number of sources, the scalability of the IFDS approach is worse than that of the symbolic execution approach.
Translated by A. Klimontovich
Belyaev, M.V., Shimchik, N.V., Ignatyev, V.N. et al. Comparative Analysis of Two Approaches to Static Taint Analysis. Program Comput Soft 44, 459–466 (2018). https://doi.org/10.1134/S036176881806004X
DOI: https://doi.org/10.1134/S036176881806004X