Oracle Corporation
MODULAR TAINT ANALYSIS WITH ACCESS PATHS

Abstract:

A method may include extracting, from an instruction of a function in source code, (i) a left-hand side (LHS) access path including a first variable and a first sequence of fields and (ii) a right-hand side (RHS) access path including a second variable and a second sequence of fields, determining, using an incoming access path, an outgoing access path for the instruction, determining that the incoming access path subsumes the LHS access path, generating a specialized outgoing access path by appending a field of the LHS access path to the outgoing access path, determining, using the specialized outgoing access path, that an entry access path of the function is reachable from an exit access path of the function, in response to determining that the entry access path is reachable from the exit access path, identifying a potential taint flow from the entry access path to the exit access path.