Compositional Taint Analysis for Enforcing Security Policies at Scale
Automated static dataflow analysis is an effective technique for detecting security critical issues like sensitive data leak, and vulnerability to injection attacks. Ensuring high precision and recall requires an analysis that is context, field and object sensitive. However, it is challenging to attain high precision and recall and scale to large industrial code bases. Compositional style analyses in which individual software components are analyzed separately, independent from their usage contexts, compute reusable summaries of components. This is an essential feature when deploying such analyses in CI/CD at code-review time or when scanning deployed container images. In both these settings the majority of software components stay the same between subsequent scans. However, it is not obvious how to extend such analyses to check the kind of contextual taint specifications that arise in practice, while maintaining compositionality.
In this work we present contextual dataflow modeling, an extension to the compositional analysis to check complex taint specifications and significantly increasing recall and precision. Furthermore, we show how such high-fidelity analysis can scale in production using three key optimizations: (i) discarding intermediate results for previously-analyzed components, an optimization exploiting the compositional nature of our analysis; (ii) a scope-reduction analysis to reduce the scope of the taint analysis w.r.t. the taint specifications being checked, and (iii) caching of analysis models. We show a 9.85% reduction in false positive rate on a comprehensive test suite comprising the OWASP open-source benchmarks as well as internal real-world code samples. We measure the performance and scalability impact of each individual optimization using open source JVM packages from the Maven central repository and internal AWS service codebases. This combination of high precision, recall, performance, and scalability has allowed us to enforce security policies at scale both internally within Amazon as well as for external customers.
Thu 7 DecDisplayed time zone: Pacific Time (US & Canada) change
11:00 - 12:30 | Program Analysis IIIDemonstrations / Research Papers / Industry Papers at Golden Gate C3 Chair(s): Marsha Chechik University of Toronto | ||
11:00 15mTalk | Practical Inference of Nullability Types Research Papers Nima Karimipour University of California, Riverside, Justin Pham University of California, Riverside, Lazaro Clapp Uber Technologies Inc, Manu Sridharan University of California at Riverside Media Attached | ||
11:15 15mTalk | LibKit: Detecting Third-Party Libraries in iOS Apps Research Papers Daniel Dominguez Alvarez University of Verona and IMDEA Software Institute, Alejandro de la Cruz IMDEA Software Institute, Alessandra Gorla IMDEA Software Institute, Juan Caballero IMDEA Software Institute Media Attached | ||
11:30 15mTalk | Compositional Taint Analysis for Enforcing Security Policies at Scale Industry Papers Subarno Banerjee Amazon Web Services, Siwei Cui Texas A & M University, Michael Emmi Amazon Web Services, Antonio Filieri Amazon Web Services, Liana Hadarean Amazon Web Services, Peixuan Li Amazon Web Services, Linghui Luo Amazon Web Services, Goran Piskachev Amazon Web Services, Nico Rosner Amazon Web Services, Aritra Sengupta Amazon Web Services, Omer Tripp Amazon, Jingbo Wang University of Southern California DOI Media Attached | ||
11:45 15mTalk | FunProbe: Probing Functions from Binary Code through Probabilistic Analysis Research Papers Media Attached | ||
12:00 15mTalk | BigDataflow: A Distributed Interprocedural Dataflow Analysis Framework Research Papers Zewen Sun Nanjing University, Duanchen Xu Nanjing University, Yiyu Zhang Nanjing University, Yun Qi Nanjing University, Yueyang Wang Nanjing University, Zhiqiang Zuo Nanjing University, Zhaokang Wang Nanjing University, Yue Li Nanjing University, Xuandong Li Nanjing University, Qingda Lu Alibaba Group, Wenwen Peng Alibaba Group, Shengjian (Daniel) Guo Baidu Security Media Attached | ||
12:15 7mTalk | CONAN: Statically Detecting Connectivity Issues in Android Applications Demonstrations Alejandro Mazuera-Rozo Universita della Svizzera italiana, Lugano, Switzerland and Universidad de los Andes, Colombia, Camilo Escobar-Velásquez Universidad de los Andes, Juan Espitia-Acero Universidad de los Andes, Colombia, Mario Linares-Vásquez Universidad de los Andes, Gabriele Bavota Software Institute, USI Università della Svizzera italiana Media Attached | ||