Title: Identifying Security Relevant Warnings from Static Code Analysis Tools through Code Tainting
Author: D. Baca
Venue: 2010 International Conference on Availability, Reliability and Security
Publication date: 2010-03-25
DOI: 10.1109/ARES.2010.108 (https://doi.org/10.1109/ARES.2010.108)
Source platform: Semantic Scholar
Citations: 3
Abstract
Static code analysis tools are often used by developers as early vulnerability detectors. Because they are automated, they are less time-consuming and error-prone than manual reviews. However, they produce large quantities of warnings that developers have to examine and understand by hand. In this paper, we look at a solution that makes static code analysis tools more useful as early vulnerability detectors. We use flow-sensitive, interprocedural and context-sensitive data flow analysis to determine the point at which user input enters the program and its migration through the source code to the actual exploit. By determining a vulnerability's point of entry, we lower the number of warnings a tool produces and give the developer more information on why a warning could be a real security threat. We apply our approach in three different ways, depending on the tool examined. First, with the commercial static code analysis tool Coverity, we reanalyze its results and create a set of warnings that are specifically relevant from a security perspective. Second, we altered the open source analysis tool FindBugs to analyze only code that has been tainted by user input. Third, we created our own analysis tool that focuses on XSS vulnerabilities in Java code.