Lightweight automated detection of unsafe information leakage via exceptions

Abstract

Unintended information leakage is one of the most common and severe problems facing modern applications. To help developers detect information leaks before they can be leveraged by attackers, we present a new static analysis-based technique for detecting a specific type of information leak: information leaks via exceptions. Because it focuses on a specific type of leak, the technique is able to be efficient, effective, and easy to use, qualities that are often lacking in more general techniques. We implemented our technique in a prototype tool, UDLD, and performed an extensive empirical evaluation using 19 real web applications. The results of the evaluation show that UDLD is both efficient and effective at detecting unsafe information leaks via exceptions; for the subjects that we considered, UDLD is the fastest among several alternative tools. Moreover, it reported more true leaks than existing state-of-the-art tools with no known false negatives and no false positives.