P/Taint: Unified Points-to and Taint Analysis
Static information-flow analysis (especially taint-analysis) is a key technique in software security, computing where sensitive or untrusted data can propagate in a program. Points-to analysis is a fundamental static program analysis, computing what abstract objects a program expression may point to. In this work, we propose a deep unification of information-flow and points-to analysis. We observe that information-flow analysis is not a mere high-level client of points-to information, but it is indeed identical to points-to analysis on artificial abstract objects that represent different information sources. The very same algorithm can compute, simultaneously, two interlinked but separate results (points-to and information-flow values) with changes only to its initial conditions.
The benefits of such a unification are manifold. We can use existing points-to analysis implementations, with virtually no modification (only minor additions of extra logic for sanitization) to compute information flow concepts, such as value tainting. The algorithmic enhancements of points-to analysis (e.g., different flavors of context sensitivity) can be applied transparently to information-flow analysis. Heavy engineering work on points-to analysis (e.g., handling of the reflection API for Java) applies to information-flow analysis without extra effort. We demonstrate the benefits in a realistic implementation that leverages the Doop points-to analysis framework (including its context-sensitivity and reflection analysis features) to provide an information-flow analysis with excellent precision (over 91%) and recall (over 99%) for standard information-flow benchmarks.
Fri 27 OctDisplayed time zone: Tijuana, Baja California change
10:30 - 12:00
Static AnalysisOOPSLA at Regency C
Chair(s): Christian Hammer University of Potsdam
|IDEal: Efficient and Precise Alias-Aware Dataflow Analysis|
Johannes Späth Fraunhofer IEM, Karim Ali University of Alberta, Eric Bodden Heinz Nixdorf Institut, Paderborn University and Fraunhofer IEMDOI
|P/Taint: Unified Points-to and Taint Analysis|
Neville Grech , Yannis Smaragdakis University of AthensDOI
|Data-Driven Context-Sensitivity for Points-to Analysis|
Sehun Jeong Korea University, South Korea, Minseok Jeon Korea University, South Korea, Sungdeok (Steve) Cha Korea University, South Korea, Hakjoo Oh Korea UniversityDOI
|Automatically Generating Features for Learning Program Analysis Heuristics for C-Like Languages|
Kwonsoo Chae Korea University, Hakjoo Oh Korea University, Kihong Heo University of Pennsylvania, USA, Hongseok Yang University of OxfordDOI