This invention relates generally to analysis of program code and, more specifically, relates to static analysis of program code.
This section is intended to provide a background or context to the invention disclosed below. The description herein may include concepts that could be pursued, but are not necessarily ones that have been previously conceived, implemented or described. Therefore, unless otherwise explicitly indicated herein, what is described in this section is not prior art to the description in this application and is not admitted to be prior art by inclusion in this section.
Static analysis is an analysis that involves examining the code of programs such as Web programs without executing the code of the program. Some type of model is (or, more typically, models are) created of the code of the program, to estimate what would happen when the code actually is executed.
Static security analysis generally takes the form of taint analysis, where the analysis may be parameterized by a set of security rules, each rule being a triple <Src,San,Snk> denoting the following:
1) source statements (Src) reading untrusted user inputs;
2) downgrader statements (San) downgrading untrusted data by either endorsing or sanitizing it; and
3) sink statements (Snk) performing security-sensitive operations.
There are a number of techniques for analyzing taint flow from sources to sinks. These techniques also consider whether the flow passed through a downgrader (also called an endorser or a sanitizer, according to whether it performs endorsement or sanitization) that downgrades the taint. One set of techniques relies on graphs such as call graphs. Call graphs are directed graphs that represent the calling relationships between the methods of a computer program.
Using such techniques, given a security rule r, a flow from a source in Src_r to a sink in Snk_r that does not pass through a downgrader from San_r constitutes a potential vulnerability.
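The following is an added illustration, not part of this disclosure: a small Python sketch of the rule-based check just described, run over a constructed call graph. The method names, the two rules, and the graph edges are assumptions chosen only to show one flow that reaches a sink without a downgrader and one that is cut off by a downgrader.

```python
# Added example (not from the disclosure): taint-flow check over a call graph,
# parameterized by security rules written as <Src, San, Snk> triples.
from collections import deque

# Constructed call graph: method -> methods it calls (directed edges).
CALL_GRAPH = {
    "readParam":  ["buildQuery", "escapeHtml"],
    "buildQuery": ["runQuery"],
    "escapeHtml": ["render"],
    "runQuery":   [],
    "render":     [],
}

# Constructed rules r = (Src_r, San_r, Snk_r): sources, downgraders, sinks.
RULES = {
    "sqli": ({"readParam"}, {"escapeSql"}, {"runQuery"}),
    "xss":  ({"readParam"}, {"escapeHtml"}, {"render"}),
}


def find_vulnerable_flows(graph, rule):
    """Return call paths from a source in Src_r to a sink in Snk_r that do not
    pass through any downgrader in San_r (each such path is a potential
    vulnerability under rule r)."""
    src, san, snk = rule
    flows = []
    for source in src:
        # Breadth-first walk of the call graph. Downgraders are never
        # expanded, so no recorded path traverses a sanitizer/endorser.
        queue = deque([(source, [source])])
        seen = {source}
        while queue:
            node, path = queue.popleft()
            if node in snk:
                flows.append(path)
                continue
            for callee in graph.get(node, []):
                if callee in san or callee in seen:
                    continue
                seen.add(callee)
                queue.append((callee, path + [callee]))
    return flows


def analyze(graph, rules):
    """Apply every rule to the graph; map rule name -> list of unsanitized flows."""
    return {name: find_vulnerable_flows(graph, rule) for name, rule in rules.items()}


if __name__ == "__main__":
    for name, flows in analyze(CALL_GRAPH, RULES).items():
        print(name, flows or "no unsanitized source-to-sink flow")
```

Under these rules the query path is reported because no SQL downgrader lies on it, while the rendering path is suppressed because escapeHtml, a downgrader of the xss rule, sits between the source and the sink.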
One of the biggest advantages of static security analysis, compared to black-box security testing, is that static security analysis can become an integral part of the development process: The analysis can be run on a system that is not in a deployable state (e.g., because of missing code, errors, or inability to run the system on the given hardware resources), and also runs significantly faster than a black-box scan and without the need to configure the analysis.
Although static security analysis has many benefits, the analysis may still be improved.