Static taint analysis of web applications: Haven't we solved this problem yet?

Francois Gauthier
Oracle Labs Brisbane

Automated security analysis of web applications has been the focus of much research work in the past decade. As a result, static taint analysis proved to be the technique of choice to detect some of the most prevalent flaws in web applications, such as cross-site scripting (XSS) and SQL injection (SQLi). While highly precise approaches to static taint analysis have been developed over recent years, they still fail to scale to industrial-size web applications. As a consequence, state-of-the-art tools for security assessment of industrial web applications still rely on scalable but unsound approaches.

In this presentation, we will discuss our latest progress in developing a precise, yet scalable static taint analysis for JEE web applications. Specific support for JEE features such as session, request and request dispatchers allows the analysis to properly handle callbacks invoked by the JEE server, while the flow- and context-sensitivity provided by the IFDS framework allow for precise results. Preliminary results on real-world open-source benchmarks will also be presented and compared against state-of-the-art tools.
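
The following added example (not the analysis presented in the talk, and not IFDS) illustrates why session support matters: a simplified fixed-point taint propagation over a constructed mini-IR finds an XSS flow that crosses two servlets through a session attribute only when the session is modelled. The IR statement forms, servlet names and the `find_tainted_sinks` function are hypothetical.

```python
# Constructed mini-IR; each statement stands for a JEE call:
#   ("source", dst)            dst = request.getParameter(...)
#   ("assign", dst, src)       dst = src
#   ("sanitize", dst, src)     dst = escapeHtml(src)
#   ("session_set", key, src)  session.setAttribute(key, src)
#   ("session_get", dst, key)  dst = session.getAttribute(key)
#   ("sink", src)              response.getWriter().print(src)
# Constructed sample application. The reader servlets are listed before the
# writer on purpose: the JEE server decides the invocation order, not the code.
SERVLETS = {
    "ProfileServlet": [("session_get", "u", "user"), ("assign", "msg", "u"), ("sink", "msg")],
    "SafeServlet": [("session_get", "u", "user"), ("sanitize", "clean", "u"), ("sink", "clean")],
    "LoginServlet": [("source", "name"), ("session_set", "user", "name")],
}


def _mark(tainted, var, is_tainted):
    """Strong update: a variable's taint is replaced by each assignment to it."""
    (tainted.add if is_tainted else tainted.discard)(var)


def find_tainted_sinks(servlets, model_session=True):
    """Return sorted (servlet, variable) pairs where tainted data reaches a sink."""
    tainted_keys = set()  # session attributes that may hold tainted data
    findings = set()
    changed = True
    while changed:  # servlets are callbacks: iterate until no new facts appear
        changed = False
        for name, body in servlets.items():
            tainted = set()  # local variables start clean on every invocation
            for op, *args in body:
                if op == "source":
                    tainted.add(args[0])
                elif op == "assign":
                    _mark(tainted, args[0], args[1] in tainted)
                elif op == "sanitize":
                    _mark(tainted, args[0], False)
                elif op == "session_set":
                    key, src = args
                    if model_session and src in tainted and key not in tainted_keys:
                        tainted_keys.add(key)
                        changed = True
                elif op == "session_get":
                    _mark(tainted, args[0], args[1] in tainted_keys)
                elif op == "sink" and args[0] in tainted:
                    findings.add((name, args[0]))
    return sorted(findings)
```

Calling `find_tainted_sinks(SERVLETS, model_session=False)` shows the false negative an analysis produces when each servlet is treated in isolation.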