Tue 18 Jul 2023 13:45 - 14:00 at Smith Classroom (Gates G10) - ISSTA 4: Static Analysis Chair(s): Christian Hammer

Static analysis is a powerful tool for detecting security vulnerabilities and other programming problems. Global taint tracking, in particular, can spot vulnerabilities arising from complicated data flow across multiple functions. However, precisely identifying which flows are problematic is challenging, and sometimes depends on factors beyond the reach of pure program analysis, such as conventions and informal knowledge. For example, learning that a parameter \texttt{name} of an API function \texttt{locale} ends up in a file path is surprising and potentially problematic. In contrast, it would be completely unsurprising to find that a parameter \texttt{command} passed to an API function \texttt{execaCommand} is eventually interpreted as part of an operating-system command. This paper presents Fluffy, a bimodal taint analysis that combines static analysis, which reasons about data flow, with machine learning, which probabilistically determines which flows are potentially problematic. The key idea is to let machine learning models predict from natural language information involved in a taint flow, such as API names, whether the flow is expected or unexpected, and to inform developers only about the latter. We present a general framework and instantiate it with four learned models, which offer different trade-offs between the need to annotate training data and the accuracy of predictions. We implement Fluffy on top of the CodeQL analysis framework and apply it to 250K JavaScript projects. Evaluating on five common vulnerability types, we find that Fluffy achieves an F1 score of 0.85 or more on four of them across a variety of datasets.

Tue 18 Jul

Displayed time zone: Pacific Time (US & Canada) change

13:30 - 15:00
ISSTA 4: Static AnalysisTechnical Papers at Smith Classroom (Gates G10)
Chair(s): Christian Hammer University of Passau
13:30
15m
Talk
Detecting Vulnerabilities in Linux-Based Embedded Firmware with SSE-Based On-Demand Alias Analysis
Technical Papers
Kai Cheng Shenzhen Institute of Advanced Technology at Chinese Academy of Sciences; Sangfor Technologies, Yaowen Zheng Nanyang Technological University, Tao Liu Pennsylvania State University, Le Guan University of Georgia, Peng Liu Pennsylvania State University, Hong Li Institute of Information Engineering at Chinese Academy of Sciences, Hongsong Zhu Institute of Information Engineering at Chinese Academy of Sciences; University of Chinese Academy of Sciences, Kejiang Ye Shenzhen Institute of Advanced Technology at Chinese Academy of Sciences, Limin Sun Institute of Information Engineering at Chinese Academy of Sciences; University of Chinese Academy of Sciences
DOI
13:45
15m
Talk
Beware of the Unexpected: Bimodal Taint AnalysisACM SIGSOFT Distinguished Paper
Technical Papers
Yiu Wai Chow University of Stuttgart, Max Schaefer GitHub, Michael Pradel University of Stuttgart
DOI
14:00
15m
Talk
OCFI: Make Function Entry Identification Hard Again
Technical Papers
Chengbin Pang Nanjing University, Tiantai Zhang Nanjing University, Xuelan Xu Nanjing University, Linzhang Wang Nanjing University, Bing Mao Nanjing University
DOI
14:15
15m
Talk
Tai-e: A Developer-Friendly Static Analysis Framework for Java by Harnessing the Good Designs of Classics
Technical Papers
Tian Tan Nanjing University, Yue Li Nanjing University
DOI Pre-print
14:30
15m
Talk
That’s a Tough Call: Studying the Challenges of Call Graph Construction for WebAssemblyACM SIGSOFT Distinguished Artifact
Technical Papers
Daniel Lehmann University of Stuttgart, Michelle Thalakottur Northeastern University, Frank Tip Northeastern University, Michael Pradel University of Stuttgart
DOI
14:45
15m
Talk
Eunomia: Enabling User-Specified Fine-Grained Search in Symbolically Executing WebAssembly BinariesACM SIGSOFT Distinguished Paper
Technical Papers
Ningyu He Peking University, Zhehao Zhao Peking University, Jikai Wang Huazhong University of Science and Technology, Yubin Hu Beijing University of Posts and Telecommunications, Shengjian (Daniel) Guo Baidu Security, Haoyu Wang Huazhong University of Science and Technology, Guangtai Liang Huawei Cloud Computing Technologies, Ding Li Peking University, Xiangqun Chen Peking University, Yao Guo Peking University
DOI