Most modern web applications utilize one or more web frameworks, which provide useful abstractions for common functionality. Due to extensive use of reflective language constructs in framework implementations, existing static taint analyses are often ineffective when applied to framework-based applications.
Security taint analysis is an information-flow analysis that automatically detects flows of untrusted data into security-sensitive computations (integrity violations) or flows of private data into computations that expose in- formation to public observers (confidentiality violations).
Information-flow security vulnerabilities account for six of the top ten security vulnerabilities according to the Open Web Application Security Project (OWASP). Previous work has shown that taint analysis can effectively expose such vulnerabilities in real-world web applications
While previous work has included ad hoc support for certain framework constructs, adding support for a large number of frameworks in this manner does not scale from an engineering standpoint.This paper presents F4F (Framework For Frameworks), a system for effective taint analysis of framework-based web applications.
F4F employs an initial analysis pass in which both application code and configuration files are processed to generate a specification of framework-related behaviors. A taint analysis engine can leverage these specifications to perform a much deeper, more precise analysis of framework-based applications. Our specification language has only a small number of simple but powerful constructs, easing analysis engine integration. With this architecture, new frameworks can be handled with no changes to the core analysis engine, yielding significant engineering benefits.
We implemented specification generators for several web frameworks and added F4F support to a state-of-the-art taint-analysis engine. In an experimental evaluation, the taint analysis enhanced with F4F discovered 525 new issues across nine benchmarks, a harmonic mean of 2.10X more issues per benchmark. Furthermore, manual inspection of a subset of the new issues showed that many were exploitable or reflected bad security practice.
To read this external content in full, download the complete paper from the author archives at Tel Aviv University.