Paper title

Fluently specifying taint-flow queries with fluentTQL

Authors

Goran Piskachev, Johannes Späth, Ingo Budde, Eric Bodden

Abstract

Previous work has shown that taint analyses are only useful if correctly customized to the context in which they are used. Existing domain-specific languages (DSLs) allow such customization through the definition of deny-listing data-flow rules that describe potentially vulnerable taint-flows. These languages, however, are designed primarily for security experts who are knowledgeable in taint analysis. Software developers consider these languages to be complex. This paper presents fluentTQL, a query language specifically for taint-flows. fluentTQL is an internal Java DSL and uses a fluent-interface design. fluentTQL queries can express various taint-style vulnerability types, e.g. injections, cross-site scripting or path traversal. This paper describes fluentTQL's abstract and concrete syntax and defines its runtime semantics. The semantics are independent of any underlying analysis and allow evaluation of fluentTQL queries by a variety of taint analyses. Instantiations of fluentTQL on top of two taint analysis solvers, Boomerang and FlowDroid, show and validate fluentTQL's expressiveness. Based on existing examples from the literature, we implemented queries for 11 popular security vulnerability types in Java. Using our SQL injection specification, the Boomerang-based taint analysis found all 17 known taint-flows in the OWASP WebGoat application, whereas with FlowDroid 13 taint-flows were found. Similarly, in a vulnerable version of the Java PetClinic application, the Boomerang-based taint analysis found all seven expected taint-flows. In seven real-world Android apps with 25 expected taint-flows, 18 were detected. In a user study with 26 software developers, fluentTQL reached a high usability score. In comparison to CodeQL, the state-of-the-art DSL by Semmle/GitHub, participants found fluentTQL more usable, and with it they were able to specify taint analysis queries in a shorter time.
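To make the abstract's two design points concrete, the fluent-interface internal Java DSL and the separation of query semantics from the underlying analysis, here is an added illustration. It is not code from the paper and does not use fluentTQL's real API; every class and method name (`TaintFlowQuery`, `from`, `notThrough`, `to`, `evaluate`, `Call`) is hypothetical, and the two call traces are constructed, not taken from WebGoat or PetClinic. The query describes a deny-listed source-to-sink flow; the evaluator is a deliberately simple straight-line propagation that a real solver such as Boomerang or FlowDroid would replace.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class TaintQueryDemo {

    /** Hypothetical fluent DSL: a deny-listing rule source -> (not through sanitizer) -> sink. */
    static final class TaintFlowQuery {
        final String name;
        final Set<String> sources = new HashSet<>();
        final Set<String> sanitizers = new HashSet<>();
        final Set<String> sinks = new HashSet<>();

        private TaintFlowQuery(String name) { this.name = name; }

        static TaintFlowQuery named(String name) { return new TaintFlowQuery(name); }
        TaintFlowQuery from(String... methods) { sources.addAll(List.of(methods)); return this; }
        TaintFlowQuery notThrough(String... methods) { sanitizers.addAll(List.of(methods)); return this; }
        TaintFlowQuery to(String... methods) { sinks.addAll(List.of(methods)); return this; }
    }

    /** One call in a constructed straight-line trace: method name, input variable, output variable. */
    static final class Call {
        final String method, in, out;
        Call(String method, String in, String out) { this.method = method; this.in = in; this.out = out; }
    }

    /**
     * Toy evaluator standing in for a real taint analysis. It walks the trace once,
     * tracking the set of tainted variable names: a source taints its output, a
     * sanitizer cleans its output, a sink reports when its input is tainted, and any
     * other call copies taint from input to output (or clears the output if the input is clean).
     */
    static List<String> evaluate(TaintFlowQuery q, List<Call> trace) {
        Set<String> tainted = new HashSet<>();
        List<String> findings = new ArrayList<>();
        for (Call c : trace) {
            if (q.sources.contains(c.method)) {
                tainted.add(c.out);
            } else if (q.sanitizers.contains(c.method)) {
                tainted.remove(c.out);
            } else if (q.sinks.contains(c.method)) {
                if (tainted.contains(c.in)) {
                    findings.add(q.name + ": " + c.in + " reaches " + c.method);
                }
            } else if (tainted.contains(c.in)) {
                tainted.add(c.out);
            } else {
                tainted.remove(c.out);
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // The query reads as a sentence, which is the point of the fluent style.
        TaintFlowQuery sqli = TaintFlowQuery.named("SQLi")
            .from("HttpServletRequest.getParameter")
            .notThrough("ESAPI.encodeForSQL")
            .to("Statement.executeQuery");

        // Constructed traces (hypothetical, not from any real application).
        List<Call> vulnerable = List.of(
            new Call("HttpServletRequest.getParameter", "req", "name"),
            new Call("String.concat", "name", "query"),
            new Call("Statement.executeQuery", "query", "rs"));
        List<Call> sanitized = List.of(
            new Call("HttpServletRequest.getParameter", "req", "name"),
            new Call("ESAPI.encodeForSQL", "name", "safe"),
            new Call("String.concat", "safe", "query"),
            new Call("Statement.executeQuery", "query", "rs"));

        System.out.println("vulnerable trace: " + evaluate(sqli, vulnerable));
        System.out.println("sanitized trace:  " + evaluate(sqli, sanitized));
    }
}
```

The first trace reports one SQLi finding because the request parameter reaches `executeQuery` through plain string concatenation; the second reports nothing because the value passes through the declared sanitizer first. Only `evaluate` knows how taint propagates; the query object itself is analysis-agnostic, which is the property the abstract attributes to fluentTQL's runtime semantics.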
