1

I have been trying to find the exact term for "tracking a method's parameter" for Java programming language and I generally found "taint analysis", but still not sure if I am on the right path.

What I want is, to keep track of a method's parameter and see which part of the method (in scope) does the parameter effect. For example, if a parameter is assigned to another variable, I also want to keep of track of the assigned variable as well. By mentioning "parts", it could be lines of code, statement or branch of a control flow graph.

I also checked for tools and came across with Checker Framework and Findbugs, however it seems that they don't quite satisfy the needs that I want or I couldn't manage to make them work for my needs.

Please tell if "taint analysis" is the right term that I am looking for. Also, any other tool suggestions are welcome.

There is an edited code below from Checker Framework Live Demo. What I expect is, inside processRequest() when the variable String input is Tainted, I expect to get a warning or an error for all of the lines inside executeQuery() method. Because a tainted variable is passed to it's parameter. 

import org.checkerframework.checker.tainting.qual.*;

public class TaintingExampleWithWarnings {
    String getUserInput() {
        return "taintedStr";
    }

    void processRequest() {
        @Tainted String input = getUserInput();
        executeQuery(input); //error: pass tainted string to executeQeury()
    }

    public void executeQuery(@Untainted String input) {
        // Do some SQL Query
        String token = input + " Hello World";
        String tokens[] = token.split(" ");

        for(int i=0; i<tokens.length; i++)
        {
              System.out.println((i+1)+"String: "+tokens[i])
        }

    }


    /* To eliminate warning in line 10, replace line 10 by
     * executeQuery(validate(input)); */
    /*@Untainted*/ public String validate(String userInput) {
        // Do some validation here
        @SuppressWarnings("tainting")
        @Untainted String result = userInput;
        return result;
    }
}
Ekin
  • 407
  • 1
  • 6
  • 17
  • There are different taint checking tools out there for different languages. You didn't specify a language so i can't recommend anything but google is your best friend – Ulug Toprak Apr 12 '17 at 20:30
  • @UlugToprak thanks for the reminder, I edited the question by specifying the language as "Java". – Ekin Apr 12 '17 at 21:03
  • IntelliJ IDEA has integrated tools you can use. Checkstyle would be my choice which can also be integrated to IDE's – Ulug Toprak Apr 12 '17 at 21:18
  • Can you clarify how the existing tools "don't quite satisfy the needs that I want"? In addition, a code example they don't handle would be helpful. Without that information, it's hard to make a suggestion. – mernst Apr 13 '17 at 15:48
  • @mernst Hello Dr. Ernst :) I edited my question and tried to clarify it with an example. Please fix me if I have misunderstood the concept "taint analysis" and if you need more clarification please let me know. Thank you for your contribution. – Ekin Apr 13 '17 at 20:20
  • I tried your exact example (after adding a missing semicolon on line 20) in the [Checker Framework Live Demo](http://eisop.uwaterloo.ca/live/) and it issued the warning. Maybe you accidentally ran the Nullness Checker instead of the Tainting Checker? If you can reproduce the problem, can you send me a screenshot and the exact code that you used? – mernst Apr 14 '17 at 19:32

1 Answers1

1

The Tainting Checker of the Checker Framework issues a warning on exactly the defective line of your code:

% javac -g TaintingExampleWithWarnings.java -processor tainting
TaintingExampleWithWarnings.java:10: error: [argument.type.incompatible] incompatible types in argument.
        executeQuery(input); //error: pass tainted string to executeQeury()
                     ^
  found   : @Tainted String
  required: @Untainted String
1 error

This pinpoints the defect and indicates exactly what you need to fix in your program.

I expect to get a warning or an error for all of the lines inside executeQuery() method

The implementation of executeQuery() is correct; it's the use of executeQuery() that is problematic.

(Background: A modular analysis is one that works one method at a time. A modular analysis relies on specifications of methods.)

Type-checking is an example of a modular analysis. Its specifications are user-written annotations on formal parameters.

  • When type-checking the body of executeQuery(), the type-checker assumes that the formal parameter declarations are correct.
  • When type-checking a call to executeQuery(), the type-checker verifies that the arguments are legal.

If there is even one type-checking error somewhere in your program, then your program might behave unsafely (possibly at some other location).

If you want to know all the possible places that taint could flow to in your program, then you need to use a non-modular, whole-program analysis. Furthermore, the whole-program analysis would need to ignore every user-written annotation in the program. Such an analysis is possible to do and is a reasonable desire, but it is not addressed by the tools you mentioned in your question.

mernst
  • 7,437
  • 30
  • 45