Java Security Vulnerabilities Detection with Static Analysis

G.L. Cheng

Security in software plays an important role in todays society as computer networking is getting more and more important. Security measures are taken to protect private information, but bad programming practices can still cause security vulnerabilities in software systems. Source code analysis tools can be used to detect such security vulnerabilities automatically. The use of these tools helps to improve the quality and security of software systems and could prevent future problems.

The class of security vulnerabilities called input validation vulnerabilities can be detected using static taint analysis. The design and implementation of such a tool are the subject of this paper. This tool detects input validation vulnerabilities in source code written in the Java programming language. This paper also describes in detail how to deal with complexities related to the object oriented nature of Java.

The tool first derives a graph structured model from the source code. This graph structured model captures data dependency relations between important program elements. This graph model is then analyzed using taint analysis to detect potential input validation vulnerabilities.

MSc project performed in the context of the ASSESS Project.