
Extensible Framework For Static Vulnerability Detection Based On Taint Analysis

Posted on: 2018-04-17
Degree: Master
Type: Thesis
Country: China
Candidate: Y Zhou
Full Text: PDF
GTID: 2348330512497192
Subject: Software engineering
Abstract/Summary:
Software vulnerabilities are an important factor threatening computer system security. One class of vulnerability is caused by improper handling of external input. In C/C++ programs in particular, programmers may omit checks on security-sensitive operations (such as division, array access and memory access) whose operands depend on external input, leading to vulnerabilities such as division by zero, array index out of bounds and out-of-bounds memory access. Static analysis can find many kinds of vulnerabilities in source code and, unlike dynamic analysis, does not need to execute the program under test. Nor does it require test cases to be prepared for the program under test, which saves a great deal of work and gives higher efficiency. Moreover, static analysis can scan all of the program's code, whereas dynamic analysis can only examine the code that is actually executed. However, existing static analysis tools can only detect pre-set kinds of vulnerability; when a new kind of vulnerability arises, a new detection tool has to be developed, which is costly and time-consuming. In this thesis we concentrate on C/C++ vulnerabilities caused by missing security checks on external input and propose an extensible tool framework for static vulnerability detection based on taint analysis. The main work of this thesis is as follows:

1. We propose a static taint analysis method for C/C++ programs. Based on a simplified model of the C/C++ language, we define taint type inference rules, and we propose a static taint analysis method and process that includes both intra-procedural and inter-procedural analysis.

2. We propose an extensible vulnerability detection framework based on taint analysis. The framework defines a general method for detecting insufficient attack protection around security-sensitive operations that depend on external input. The method consists of analysing the program structure and locating security-sensitive operations, performing taint analysis, and detecting missing checks for attack protection. The framework provides two kinds of extensibility: 1) a taint analysis method driven by customizable rules, and 2) an extensible method for detecting missing security checks on security-sensitive operations. Users only need to configure the information describing a kind of security-sensitive operation, and the framework can then automatically detect missing-check vulnerabilities for that kind of operation.

3. Based on the above work, we implement a prototype tool for the extensible vulnerability detection framework and conduct case studies. We implement the program structure analysis module, the taint analysis module and the missing security check detection module, and we implement automatic detection of three types of vulnerability: array index out of bounds, division by zero and out-of-bounds access through memory access APIs. We also implement optimizations for taint information storage and AST file storage for large-scale programs. We assess the precision, performance and optimization effect of the taint analysis on some programs.
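The detection method of item 2 (locate security-sensitive operations, propagate taint from external input, report an operation whose tainted operand lacks the required check) and its rule-driven extensibility, worked through as an added example that is not the thesis's prototype: a toy intra-procedural, path-insensitive taint analysis in Python over a constructed straight-line IR. The statement forms, the rule table SINK_RULES, the source names read_int and recv_len, the check kinds and the sample program are all assumptions for illustration; the thesis works on a C/C++ AST with its own rule format.

```python
# Added example (not the thesis's code): a toy intra-procedural, path-insensitive
# taint analysis over a straight-line three-address IR, with the security-sensitive
# operations and their required checks held in a configurable rule table.
from dataclasses import dataclass

# Rule table: sink operation -> list of (operand position, required check kind).
# Extending the detector to a new kind of security-sensitive operation means
# adding one entry here; the analysis code does not change. (Constructed rule set.)
SINK_RULES = {
    "div":    [(1, "nonzero")],   # ("div", a, b): divisor b must be checked non-zero
    "index":  [(1, "bounds")],    # ("index", arr, i): index i must be bounds-checked
    "memcpy": [(2, "bounds")],    # ("memcpy", dst, src, n): length n must be bounds-checked
}
# Taint sources: functions whose return value is external input (constructed names).
SOURCES = {"read_int", "recv_len"}


@dataclass(frozen=True)
class Finding:
    line: int      # 1-based statement index in the IR
    op: str        # security-sensitive operation
    var: str       # tainted operand reaching it
    missing: str   # check kind that was required but not found


def analyze(program, sink_rules=SINK_RULES, sources=SOURCES):
    """Walk the IR once, propagating taint and tracking which checks each
    variable has received since its last definition; report each sink whose
    guarded operand is tainted and lacks the required check."""
    tainted = set()   # variables whose value depends on external input
    checks = {}       # var -> set of check kinds applied since last definition
    findings = []
    for lineno, stmt in enumerate(program, 1):
        kind = stmt[0]
        if kind == "call":                 # ("call", dst, func): dst = func()
            _, dst, func = stmt
            checks.pop(dst, None)          # redefinition invalidates earlier checks
            if func in sources:
                tainted.add(dst)
            else:
                tainted.discard(dst)
        elif kind == "assign":             # ("assign", dst, [operands]): dst = f(operands)
            _, dst, operands = stmt
            checks.pop(dst, None)
            if any(o in tainted for o in operands):
                tainted.add(dst)           # taint propagates through arithmetic
            else:
                tainted.discard(dst)
        elif kind == "check":              # ("check", var, kind): guard such as if (var != 0)
            _, var, ck = stmt
            checks.setdefault(var, set()).add(ck)
        elif kind in sink_rules:           # security-sensitive operation
            operands = stmt[1:]
            for pos, required in sink_rules[kind]:
                v = operands[pos]
                if v in tainted and required not in checks.get(v, set()):
                    findings.append(Finding(lineno, kind, v, required))
        else:
            raise ValueError(f"unknown statement: {stmt!r}")
    return findings


def report(findings):
    """Human-readable lines for each finding."""
    return [f"line {f.line}: {f.op} uses tainted '{f.var}' without a {f.missing} check"
            for f in findings]


# Constructed IR for a small C-like routine; comments show the C it stands for.
PROGRAM = [
    ("assign", "total", [100]),        # int total = 100;
    ("call", "n", "read_int"),         # int n = read_int();        tainted
    ("call", "len", "recv_len"),       # size_t len = recv_len();   tainted
    ("assign", "k", ["n", 4]),         # int k = n * 4;             tainted via n
    ("check", "n", "nonzero"),         # if (n != 0) {
    ("div", "total", "n"),             #   total / n;               guarded: OK
    ("div", "total", "k"),             #   total / k;               k never checked
    ("check", "len", "bounds"),        # if (len < sizeof buf) {
    ("memcpy", "buf", "src", "len"),   #   memcpy(buf, src, len);   guarded: OK
    ("index", "buf", "k"),             #   buf[k];                  k not bounds-checked
]

if __name__ == "__main__":
    for line in report(analyze(PROGRAM)):
        print(line)
```

Two design points carried over from the abstract: a check is tied to the variable it guards and is discarded when that variable is redefined, so a guard on n says nothing about k = n * 4; and a new operation kind is added by extending SINK_RULES (for instance an allocation whose size operand must be bounds-checked) without touching analyze().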
Keywords/Search Tags: Static Analysis, Vulnerability Detection, Extensible Framework, Taint Analysis