Ruhr-Uni-Bochum

Hybrid Taint Analysis for Java EE

2020

Konferenz / Journal

Autor*innen

Gregor Snelting Martin Mohr Martin Hecker Martin Johns Florian D. Loch

Research Hub

Research Hub C: Sichere Systeme

Research Challenges

RC 7: Building Secure Systems
RC 8: Security with Untrusted Components

Abstract

We present a new approach to protect Java EE web applications against injection attacks, which can handle large commercial systems. We first describe a novel approach to taint analysis for Java EE, which can be characterized by “strings only”, “taint ranges”, and “no bytecode instrumentation”. We then explain how to combine this method with static analysis, based on the JOANA IFC framework. The resulting hybrid analysis will boost scalability and precision, while guaranteeing protection against XSS. The approach has been implemented in the Juturna tool; application examples and measurements are discussed.

Tags

Software Security
Web Security
Program Analysis