Beware of the Unexpected: Bimodal Taint AnalysisACM SIGSOFT Distinguished Paper
Static analysis is a powerful tool for detecting security vulnerabilities and other programming problems. Global taint tracking, in particular, can spot vulnerabilities arising from complicated data flow across multiple functions. However, precisely identifying which flows are problematic is challenging, and sometimes depends on factors beyond the reach of pure program analysis, such as conventions and informal knowledge. For example, learning that a parameter \texttt{name} of an API function \texttt{locale} ends up in a file path is surprising and potentially problematic. In contrast, it would be completely unsurprising to find that a parameter \texttt{command} passed to an API function \texttt{execaCommand} is eventually interpreted as part of an operating-system command. This paper presents Fluffy, a bimodal taint analysis that combines static analysis, which reasons about data flow, with machine learning, which probabilistically determines which flows are potentially problematic. The key idea is to let machine learning models predict from natural language information involved in a taint flow, such as API names, whether the flow is expected or unexpected, and to inform developers only about the latter. We present a general framework and instantiate it with four learned models, which offer different trade-offs between the need to annotate training data and the accuracy of predictions. We implement Fluffy on top of the CodeQL analysis framework and apply it to 250K JavaScript projects. Evaluating on five common vulnerability types, we find that Fluffy achieves an F1 score of 0.85 or more on four of them across a variety of datasets.
Tue 18 JulDisplayed time zone: Pacific Time (US & Canada) change
13:30 - 15:00 | ISSTA 4: Static AnalysisTechnical Papers at Smith Classroom (Gates G10) Chair(s): Christian Hammer University of Passau | ||
13:30 15mTalk | Detecting Vulnerabilities in Linux-Based Embedded Firmware with SSE-Based On-Demand Alias Analysis Technical Papers Kai Cheng Shenzhen Institute of Advanced Technology at Chinese Academy of Sciences; Sangfor Technologies, Yaowen Zheng Nanyang Technological University, Tao Liu Pennsylvania State University, Le Guan University of Georgia, Peng Liu Pennsylvania State University, Hong Li Institute of Information Engineering at Chinese Academy of Sciences, Hongsong Zhu Institute of Information Engineering at Chinese Academy of Sciences; University of Chinese Academy of Sciences, Kejiang Ye Shenzhen Institute of Advanced Technology at Chinese Academy of Sciences, Limin Sun Institute of Information Engineering at Chinese Academy of Sciences; University of Chinese Academy of Sciences DOI | ||
13:45 15mTalk | Beware of the Unexpected: Bimodal Taint AnalysisACM SIGSOFT Distinguished Paper Technical Papers DOI | ||
14:00 15mTalk | OCFI: Make Function Entry Identification Hard Again Technical Papers Chengbin Pang Nanjing University, Tiantai Zhang Nanjing University, Xuelan Xu Nanjing University, Linzhang Wang Nanjing University, Bing Mao Nanjing University DOI | ||
14:15 15mTalk | Tai-e: A Developer-Friendly Static Analysis Framework for Java by Harnessing the Good Designs of Classics Technical Papers DOI Pre-print | ||
14:30 15mTalk | That’s a Tough Call: Studying the Challenges of Call Graph Construction for WebAssemblyACM SIGSOFT Distinguished Artifact Technical Papers Daniel Lehmann University of Stuttgart, Michelle Thalakottur Northeastern University, Frank Tip Northeastern University, Michael Pradel University of Stuttgart DOI | ||
14:45 15mTalk | Eunomia: Enabling User-Specified Fine-Grained Search in Symbolically Executing WebAssembly BinariesACM SIGSOFT Distinguished Paper Technical Papers Ningyu He Peking University, Zhehao Zhao Peking University, Jikai Wang Huazhong University of Science and Technology, Yubin Hu Beijing University of Posts and Telecommunications, Shengjian (Daniel) Guo Baidu Security, Haoyu Wang Huazhong University of Science and Technology, Guangtai Liang Huawei Cloud Computing Technologies, Ding Li Peking University, Xiangqun Chen Peking University, Yao Guo Peking University DOI |