Hybrid Taint Analysis for Java EE
2020, Conference / Journal
Authors
Gregor Snelting, Martin Mohr, Martin Hecker, Martin Johns, Florian D. Loch
Research Hub
Research Hub C: Secure Systems
Research Challenges
RC 7: Building Secure Systems
RC 8: Security with Untrusted Components
Abstract
We present a new approach to protect Java EE web applications against injection attacks, which can handle large commercial systems. We first describe a novel approach to taint analysis for Java EE, which can be characterized by “strings only”, “taint ranges”, and “no bytecode instrumentation”. We then explain how to combine this method with static analysis, based on the JOANA IFC framework. The resulting hybrid analysis will boost scalability and precision, while guaranteeing protection against XSS. The approach has been implemented in the Juturna tool; application examples and measurements are discussed.