This invention relates generally to analysis of program code and, more specifically, relates to static analysis of program code.
This section is intended to provide a background or context to the invention disclosed below. The description herein may include concepts that could be pursued, but are not necessarily ones that have been previously conceived, implemented or described. Therefore, unless otherwise explicitly indicated herein, what is described in this section is not prior art to the description in this application and is not admitted to be prior art by inclusion in this section.
Static analysis is an analysis that involves examining the code of programs such as Web programs without executing the code of the program. Some type of model is (or, more typically, models are) created of the code of the program, to estimate what would happen when the code actually is executed.
Static security analysis generally takes the form of taint analysis, where the analysis may be parameterized by a set of security rules, each rule being a triple <Src,San,Snk> denoting the following:
1) source statements (Src) reading untrusted user inputs;
2) downgrader statements (San) endorsing untrusted data by either endorsing or sanitizing the untrusted data; and
3) sink statements (Snk) performing security-sensitive operations.
There are a number of techniques for analyzing taint flow from sources to sinks. These techniques also consider whether flow passed through a downgrader (also called an endorser or sanitizer for endorsement or sanitization, respectively) that performs downgrading of the taint. Using such techniques, given security rule r, a flow from a source in Srcr to a sink in Snkr that does not pass through a downgrader from Sanr comprises a potential vulnerability.
Static analysis is a necessity when auditing industry-scale software systems. Such systems are too large and complex to lend themselves to thorough manual review. A key difficulty, however, is that the analysis typically reports an overwhelming number of findings. For example, for a medium-size application, a commercial static security analysis typically reports thousands of issues, if not more.
Thus, it would be beneficial to reduce the number of reported issues.