Saved in:
Bibliographic Details
Main Authors: Karimipour, Nima, Das, Kanak, Sridharan, Manu, Hassanshahi, Behnaz
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2504.18529
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866908344187355136
author Karimipour, Nima
Das, Kanak
Sridharan, Manu
Hassanshahi, Behnaz
author_facet Karimipour, Nima
Das, Kanak
Sridharan, Manu
Hassanshahi, Behnaz
contents Many important security properties can be formulated in terms of flows of tainted data, and improved taint analysis tools to prevent such flows are of critical need. Most existing taint analyses use whole-program static analysis, leading to scalability challenges. Type-based checking is a promising alternative, as it enables modular and incremental checking for fast performance. However, type-based approaches have not been widely adopted in practice, due to challenges with false positives and annotating existing codebases. In this paper, we present a new approach to type-based checking of taint properties that addresses these challenges, based on two key techniques. First, we present a new type-based tainting checker with significantly reduced false positives, via more practical handling of third-party libraries and other language constructs. Second, we present a novel technique to automatically infer tainting type qualifiers for existing code. Our technique supports inference of generic type argument annotations, crucial for tainting properties. We implemented our techniques in a tool TaintTyper and evaluated it on real-world benchmarks. TaintTyper exceeds the recall of a state-of-the-art whole-program taint analyzer, with comparable precision, and 2.93X-22.9X faster checking time. Further, TaintTyper infers annotations comparable to those written by hand, suitable for insertion into source code. TaintTyper is a promising new approach to efficient and practical taint checking.
format Preprint
id arxiv_https___arxiv_org_abs_2504_18529
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle Practical Type-Based Taint Checking and Inference (Extended Version)
Karimipour, Nima
Das, Kanak
Sridharan, Manu
Hassanshahi, Behnaz
Programming Languages
Many important security properties can be formulated in terms of flows of tainted data, and improved taint analysis tools to prevent such flows are of critical need. Most existing taint analyses use whole-program static analysis, leading to scalability challenges. Type-based checking is a promising alternative, as it enables modular and incremental checking for fast performance. However, type-based approaches have not been widely adopted in practice, due to challenges with false positives and annotating existing codebases. In this paper, we present a new approach to type-based checking of taint properties that addresses these challenges, based on two key techniques. First, we present a new type-based tainting checker with significantly reduced false positives, via more practical handling of third-party libraries and other language constructs. Second, we present a novel technique to automatically infer tainting type qualifiers for existing code. Our technique supports inference of generic type argument annotations, crucial for tainting properties. We implemented our techniques in a tool TaintTyper and evaluated it on real-world benchmarks. TaintTyper exceeds the recall of a state-of-the-art whole-program taint analyzer, with comparable precision, and 2.93X-22.9X faster checking time. Further, TaintTyper infers annotations comparable to those written by hand, suitable for insertion into source code. TaintTyper is a promising new approach to efficient and practical taint checking.
title Practical Type-Based Taint Checking and Inference (Extended Version)
topic Programming Languages
url https://arxiv.org/abs/2504.18529