Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS)

An Approach to Tainted Analysis in the Svace Static Analyzer

https://doi.org/10.15514/ISPRAS-2025-37(6)-53

Abstract

A substantial part of software security vulnerabilities occurs because of unvalidated data which programs receive from untrusted sources and then use in critical operations. These issues can be addressed as a tainted data analysis problem. This work discusses the key features of an analysis that can reasonably detect insecure tainted data usage flaws in the source code of real-life software projects and describes the approach we implemented in the Svace static analysis tool.

About the Authors

Ivan Sergeevich CHEREMISENOV
Ivannikov Institute for System Programming of the Russian Academy of Sciences, Lomonosov Moscow State University
Russian Federation

Student at the Faculty of Computational Mathematics and Cybernetics of Moscow State University (MSU), employee of the Institute for System Programming of the RAS. Research interests: compiler technologies, static analysis.



Alexey Evgenevich BORODIN
Ivannikov Institute for System Programming of the Russian Academy of Sciences
Russian Federation

Cand. Sci. (Phys.-Math.), senior researcher. Research interests: static analysis for finding errors in source code.



Alexander Efimovich VOLKOV
Ivannikov Institute for System Programming of the Russian Academy of Sciences
Russian Federation

Researcher at the Institute for System Programming of the RAS since 2001. Research interests: static analysis for finding errors in source code.



Mikhail Vadimovich VELIKANOV
Ivannikov Institute for System Programming of the Russian Academy of Sciences
Russian Federation

Lead programmer at the Institute for System Programming of the RAS since 2023. Professional interests: development of tools for static analysis of source code.




For citations:

CHEREMISENOV I.S., BORODIN A.E., VOLKOV A.E., VELIKANOV M.V. An Approach to Tainted Analysis in the Svace Static Analyzer. Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS). 2025;37(6):97-118. (In Russ.) https://doi.org/10.15514/ISPRAS-2025-37(6)-53



This work is licensed under a Creative Commons Attribution 4.0 License.


ISSN 2079-8156 (Print)
ISSN 2220-6426 (Online)