Tainted Flow Analysis On E-Ssa-Form Programs
CC'11/ETAPS'11: Proceedings of the 20th international conference on Compiler construction: part of the joint European conferences on theory and practice of software(2011)
摘要
Tainted How attacks originate from program inputs maliciously crafted to exploit software vulnerabilities. These attacks are common in server-side scripting languages, such as PHP. In 1997, Orbaek and Palsberg formalized the problem of detecting these exploits as an instance of type-checking, and gave an O(V-3) algorithm to solve it, where V is the number of program variables. A similar algorithm was, ten years later, implemented on the Pixy tool. In this paper we give an O(V-2) solution to the same problem. Our solution uses Bodik et al.'s extended Static Single Assignment (e-SSA) program representation. The e-SSA form can be efficiently computed and it enables us to solve the problem via a sparse data-How analysis. Using the same infrastructure, we compared a state-of-the-art data-flow solution with our technique. Both approaches have detected 36 vulnerabilities in well known PHP programs. Our results show that our approach tends to outperform the data-flow algorithm for bigger inputs. We have reported the bugs that we found, and an implementation of our algorithm is now publicly available.
更多查看译文
关键词
data-flow algorithm,similar algorithm,PHP program,program input,program representation,program variable,sparse data-flow analysis,state-of-the-art data-flow solution,e-SSA form,Pixy tool,Tainted flow analysis,e-SSA-form program
AI 理解论文
溯源树
样例
生成溯源树,研究论文发展脉络