Finding Security Vulnerabilities in Java Applications with Static Analysis

A number of recently discovered security vulnerabilities such as SQL injections, cross-site scripting, and HTTP splitting attacks are caused by programming errors in Web-based applications. These vulnerabilities can lead to unauthorized data access by malicious users, loss of sensitive data, and application crashes. In this paper we propose a static analysis framework that detects all these and other vulnerabilities in Java applications. The user describes the vulnerabilities they wish to find in an intuitive specification language. This language makes the vulnerabilities above as well as new, yet undiscovered vulnerability patterns easy to describe. User-provided specifications are automatically translated into a sound and precise static analysis. Analysis results are presented to the user for assessment in a GUI auditing interface integrated within Eclipse, a popular Java development environment.

Our framework unifies vulnerabilities that stem from unchecked user input, which is widely recognized as the most common source of vulnerabilities in Web applications. We describe a static approach based on a sound context-sensitive inclusion-based points-to analysis implemented using binary decision diagrams, or BDDs. This analysis is precise, sound, and scalable, a combination that can solve problems impossible with other static techniques: we find all potential vulnerabilities in large real-life applications with a low false positive rate.
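As an added illustration (not the paper's tool or its specification language), the following Python models the unified view of unchecked-input vulnerabilities: a specification of source, sink and derivation methods is turned into a flow-insensitive taint fixpoint over a tiny call-only IR, and sink calls that can receive tainted data are reported. The IR, the hypothetical `Sanitizer.escapeSql` method and the servlet fragment are constructed for this example; the paper's analysis is context-sensitive and tracks heap objects through points-to information rather than variable names as done here.

```python
from typing import Dict, List, Optional, Set, Tuple

# Tiny call-only IR, constructed for this example: (dest, callee, [args]);
# dest is None when the result is unused. Receivers are passed as arguments.
Instr = Tuple[Optional[str], str, List[str]]

SPEC: Dict[str, Set[str]] = {
    "sources": {"HttpServletRequest.getParameter"},             # attacker-controlled results
    "sinks": {"Statement.executeQuery", "PrintWriter.println"},  # must not receive taint
    "derivations": {"String.concat", "StringBuilder.append",     # taint flows arg -> result
                    "StringBuilder.toString"},
}

def analyze(prog: List[Instr], spec=SPEC) -> List[Tuple[int, str]]:
    """Flow-insensitive fixpoint: a variable is tainted if any call can assign it
    a tainted value. Returns (instruction index, sink method) for each violation."""
    tainted: Set[str] = set()
    changed = True
    while changed:
        changed = False
        for dest, callee, args in prog:
            if dest is None or dest in tainted:
                continue
            # Methods outside sources/derivations (e.g. a sanitizer) yield clean values,
            # so a propagating method missing from the spec is a specification gap.
            if callee in spec["sources"] or (
                    callee in spec["derivations"] and any(a in tainted for a in args)):
                tainted.add(dest)
                changed = True
    return [(i, callee) for i, (_, callee, args) in enumerate(prog)
            if callee in spec["sinks"] and any(a in tainted for a in args)]

# Constructed servlet fragment: a request parameter is concatenated into SQL
# and echoed to the response; a second query goes through a (hypothetical) sanitizer.
PROGRAM: List[Instr] = [
    ("name", "HttpServletRequest.getParameter", ["req", "nameParam"]),
    ("sb", "StringBuilder.append", ["sb", "prefix"]),        # prefix: constant SQL text
    ("sb", "StringBuilder.append", ["sb", "name"]),          # receiver is also dest
    ("query", "StringBuilder.toString", ["sb"]),
    ("rs", "Statement.executeQuery", ["stmt", "query"]),     # index 4: SQL injection
    ("safe", "Sanitizer.escapeSql", ["name"]),               # not a derivation: clean
    ("query2", "String.concat", ["prefix", "safe"]),
    ("rs2", "Statement.executeQuery", ["stmt", "query2"]),   # index 7: not reported
    (None, "PrintWriter.println", ["out", "name"]),          # index 8: cross-site scripting
]

if __name__ == "__main__":
    print(analyze(PROGRAM))  # [(4, 'Statement.executeQuery'), (8, 'PrintWriter.println')]
```

Because the fixpoint is flow-insensitive, the receiver `sb` is tainted by any append of tainted data regardless of statement order, which over-approximates in the same direction as a sound analysis.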

The static analysis approach described in this paper allows us to find 29 security vulnerabilities in 9 large, widely used open-source applications, including two vulnerabilities in widely used Java libraries. In fact, all but one of the applications in our benchmark suite have at least one vulnerability. Our analysis technique achieves high precision, and only one of our benchmark applications generates false positives.