Taint-style Vulnerabilities Research Articles

Detecting security vulnerabilities with vulnerability nets

Detecting security vulnerabilities is a crucial part in secure software development. Many static analysis tools have proved to be effective in finding vulnerabilities, but generally there are some complex and subtle vulnerabilities that can escape from detection. Manual audits are a complementary approach to using tools. Unfortunately, most manual analyses are tedious and error prone. To benefit from both the tools and manual audits, some approaches incorporate the auditor's expertise into a static analysis tool during vulnerability discovery. Following this strategy, this paper presents a representation of source code called a vulnerability net, which is a special Petri net that integrates with data dependence graphs and control flow graphs. The combined representation can facilitate the detection of taint-style vulnerabilities such as buffer overflows and injection vulnerabilities. We test the proposed approach on Securibench Micro and demonstrate that it has the capability to identify a variety of vulnerabilities while keeping the rates of false negatives and positives low.

Finding Taint-Style Vulnerabilities in Lua Application of IoT Firmware with Progressive Static Analysis

With the rapid growth of IoT devices, ensuring the security of embedded firmware has become a critical concern. Despite advances in existing vulnerability discovery methods, previous research has been limited to vulnerabilities occurring in binary programs. Although an increasing number of vendors are utilizing Lua scripting language in firmware development, no automated method is currently available to discover vulnerabilities in Lua-based programs. To fill this gap, in this paper, we propose FLuaScan, a novel progressive static analysis approach specifically designed to detect taint-style vulnerabilities in Lua applications in IoT firmware. FLuaScan first heuristically locates the code that handles user input, then divides the code into different segments to conduct a progressive taint analysis. Finally, a graph-based search method is applied to identify vulnerable code that satisfies the conditions of taint propagation. To comprehensively compare FLuaScan with state-of-the-art tool Tscancode, we conducted various experiments on a dataset consisting of 13 real-world firmware samples from different vendors. The results demonstrate the superior performance of FLuaScan in terms of accuracy (increased TP rate from 0% to 42.50%), effectiveness (discovered 21 vulnerabilities, of which 7 are unknown), and practicality (acceptable time overhead and visual output to assist in manual analysis).

Towards the application of recommender systems to secure coding

Secure coding is crucial for the design of secure and efficient software and computing systems. However, many programmers avoid secure coding practices for a variety of reasons. Some of these reasons are lack of knowledge of secure coding standards, negligence, and poor performance of and usability issues with existing code analysis tools. Therefore, it is essential to create tools that address these issues and concerns. This article features the proposal, development, and evaluation of a recommender system that uses text mining techniques, coupled with IntelliSense technology, to recommend fixes for potential vulnerabilities in program code. The resulting system mines a large code base of over 1.6 million Java files using the MapReduce methodology, creating a knowledge base for a recommender system that provides fixes for taint-style vulnerabilities. Formative testing and a usability study determined that surveyed participants strongly believed that a recommender system would help programmers write more secure code.

Inferring Patterns for Taint-Style Vulnerabilities With Security Patches

Taint-style vulnerabilities can damage the service provided by mobile seriously. The pattern-based method is a practical way to detect taint-style vulnerabilities. Most of the methods extract the vulnerability patterns from the code base, however, sometimes missing the vulnerability patterns and resulting in some vulnerabilities undiscovered. The security patches contain valuable information about the vulnerabilities. To compensate for the inherent incompleteness of pattern matching, in this paper, we propose an approach to infer patterns with the security information carried on the security patches. The taint-style vulnerability is described as a 3-tuples (S src , S san , S sink ) here, which consist of sources(S src ), sanitization (S san ), and sinks(Ssink). For each pair of vulnerable and patched programs, we extract the sanitizations from the changes between the vulnerable code and corresponding patches, infer the sinks with the impact analysis, and determine the sources through the backward traversal on the control flow graph. Finally, the complete-linkage clustering method is applied to the extracted triples to summary the patterns. We evaluate our method with open source projects. The results show our method is effective: 1) our method infers vulnerability patterns for taint-style vulnerabilities; 2) compared with the method inferring patterns from the code base, new patterns are discovered; and 3) the inferred patterns are applied to search the similar vulnerabilities successfully.

Static analysis for detecting taint-style vulnerabilities in web applications

The number and the importance of web applications have increased rapidly over the last years. At the same time, the quantity and impact of security vulnerabilities in such applications have grown a...

Static analysis for detecting taint-style vulnerabilities in web applications

The number and the importance of web applications have increased rapidly over the last years. At the same time, the quantity and impact of security vulnerabilities in such applications have grown as well. Since manual code reviews are time-consuming,