1

Is there an open source tainting tool? I am trying to analyze a Java project and its Java source code, so that I can see where and for which purpose parameters are used. For instance, is it used in an if statement, or is it assigned to another variable, etc.

Thanks

Ekin

3 Answers

1

You could try using the Checker Framework.

mernst
Rakesh
  • Checker Framework just as I wanted. Thank you for your help. – Ekin Mar 15 '12 at 07:46
  • @Ekin: Eh? You wanted to see where a parameter is "used (for)". A type checker doesn't show you *where*; it only checks that the type (of something) has a certain property. Checker Framework appears to do the latter (based on a brief look); how specifically does it do the former? – Ira Baxter Mar 17 '12 at 20:51
  • The link in the answer is dead. Here is the updated link: http://types.cs.washington.edu/checker-framework/ – Max Worg Jun 13 '16 at 04:06
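
An added example (not part of the original answers, and not the Checker Framework project's own code) of how the framework's Tainting Checker can express the "are the parameters validated or not" requirement. The class, method names and report directory are hypothetical, and it assumes the Checker Framework is on the compile classpath.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import org.checkerframework.checker.tainting.qual.Untainted;

// Compile with the checker enabled (Checker Framework jars on the classpath):
//   javac -processor org.checkerframework.checker.tainting.TaintingChecker ReportService.java
// Hypothetical class used only for illustration.
public class ReportService {

    // Sink: the parameter type states that only validated values are accepted.
    static Path reportPath(@Untainted String reportName) {
        return Paths.get("/var/reports").resolve(reportName + ".pdf");
    }

    // Validator: the single place where a tainted value may become @Untainted.
    // The checker cannot prove the regex is a sufficient check, so the
    // assignment is trusted and the warning is suppressed on that line only.
    static @Untainted String validateReportName(String raw) {
        if (raw == null || !raw.matches("[A-Za-z0-9_-]{1,32}")) {
            throw new IllegalArgumentException("invalid report name");
        }
        @SuppressWarnings("tainting")
        @Untainted String checked = raw;
        return checked;
    }

    // Unannotated parameters are treated as @Tainted by default.
    static Path handleRequest(String reportNameParam) {
        // reportPath(reportNameParam);
        // ^ With the checker enabled, the line above is a compile-time error,
        //   reported by javac with the file and line of this call, because a
        //   tainted value flows into an @Untainted parameter.
        return reportPath(validateReportName(reportNameParam));
    }

    public static void main(String[] args) {
        System.out.println(handleRequest("q1_summary"));   // constructed sample input
        try {
            handleRequest("../../etc/passwd");             // constructed sample input
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Every path from an unvalidated parameter to an `@Untainted` sink that skips the validator shows up as a compiler diagnostic, so the list of errors doubles as a list of unvalidated uses.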
0

Modern Java IDEs provide such information. IMHO, the best one is IntelliJ IDEA, but a commercial license will cost you about 130$ (there is a free community edition with somewhat reduced functionality and published source code, or a 30-day free trial of the full version).

Eclipse and NetBeans also provide similar functionality, but are not as good (IMHO, of course).

Konstantin Pribluda
0

If you want a general purpose tool to track how an arbitrary variable is used, or the source of values that feed into a variable, what you want is a program slicer. (Tainting is a special case, where one only wants to slice on certain inputs, usually from a source outside the program).

There is one called Indus. I've never used it, and I don't know its status.

Ira Baxter
  • To be more specific, I need to check whether the parameters are validated or not, and I don't know that a program slicer will help with that part. By the way, Checker does give the location where the parameter has been used (maybe not the plugin version, but it surely shows it on the command line). – Ekin Mar 21 '12 at 14:47
  • Don't you need to know where the Parameter(s) were used, and anything that is *indirectly* affected by the parameters? – Ira Baxter Mar 21 '12 at 23:27
  • Actually I do need to know. However, a line number is not sufficient; it would be better if I could also see what is going on (for example, an explanation, description, etc.) – Ekin Mar 24 '12 at 18:44